InFIP: An Explainable DNN Intellectual Property Protection Method based on Intrinsic Features

TL;DR

This paper introduces an explainable, non-intrusive method for DNN intellectual property protection that uses intrinsic features derived from model interpretability techniques, ensuring ownership verification without modifying the original model.

Contribution

It proposes a novel IP protection approach based on intrinsic features extracted via Deep Taylor Decomposition, providing interpretability and robustness against various attacks.

Findings

Successfully verifies model ownership using intrinsic fingerprints.

Maintains model accuracy after applying the protection method.

Demonstrates robustness against fine-tuning, pruning, and overwriting attacks.

Abstract

Intellectual property (IP) protection for Deep Neural Networks (DNNs) has raised serious concerns in recent years. Most existing works embed watermarks in the DNN model for IP protection, which need to modify the model and lack of interpretability. In this paper, for the first time, we propose an interpretable intellectual property protection method for DNN based on explainable artificial intelligence. Compared with existing works, the proposed method does not modify the DNN model, and the decision of the ownership verification is interpretable. We extract the intrinsic features of the DNN model by using Deep Taylor Decomposition. Since the intrinsic feature is composed of unique interpretation of the model's decision, the intrinsic feature can be regarded as fingerprint of the model. If the fingerprint of a suspected model is the same as the original model, the suspected model is considered as a pirated model. Experimental results demonstrate that the fingerprints can be successfully used to verify the ownership of the model and the test accuracy of the model is not affected. Furthermore, the proposed method is robust to fine-tuning attack, pruning attack, watermark overwriting attack, and adaptive attack.