NNSplitter: An Active Defense Solution for DNN Model via Automated Weight Obfuscation

TL;DR

NNSplitter is an active DNN model protection method that splits the model into obfuscated and secret parts, effectively preventing abuse while maintaining stealth and resilience against attacks.

Contribution

It introduces a novel active protection scheme that splits DNN models into obfuscated and secret parts, enhancing security beyond passive watermarking techniques.

Findings

Effective protection with minimal weight modification (0.002%)

Significant accuracy drop to 10% on CIFAR-10 for obfuscated models

Resilient against norm clipping and fine-tuning attacks

Abstract

As a type of valuable intellectual property (IP), deep neural network (DNN) models have been protected by techniques like watermarking. However, such passive model protection cannot fully prevent model abuse. In this work, we propose an active model IP protection scheme, namely NNSplitter, which actively protects the model by splitting it into two parts: the obfuscated model that performs poorly due to weight obfuscation, and the model secrets consisting of the indexes and original values of the obfuscated weights, which can only be accessed by authorized users with the support of the trusted execution environment. Experimental results demonstrate the effectiveness of NNSplitter, e.g., by only modifying 275 out of over 11 million (i.e., 0.002%) weights, the accuracy of the obfuscated ResNet-18 model on CIFAR-10 can drop to 10%. Moreover, NNSplitter is stealthy and resilient against norm clipping and fine-tuning attacks, making it an appealing solution for DNN model protection. The code is available at: https://github.com/Tongzhou0101/NNSplitter.