Probe-Me-Not: Protecting Pre-trained Encoders from Malicious Probing

TL;DR

This paper introduces EncoderLock, a method to protect pre-trained encoders from malicious probing by restricting their use on prohibited domains while maintaining utility on authorized tasks, enhancing responsible AI practices.

Contribution

EncoderLock is a novel applicability authorization technique that employs domain-aware weight selection and a self-challenging training scheme to defend against malicious probing of pre-trained encoders.

Findings

EncoderLock effectively restricts encoder use on prohibited domains.

It maintains high performance on authorized domains.

Proven on a real-world Vision Transformer (ViT) encoder.

Abstract

Adapting pre-trained deep learning models to customized tasks has become a popular choice for developers to cope with limited computational resources and data volume. More specifically, probing--training a downstream head on a pre-trained encoder--has been widely adopted in transfer learning, which helps to prevent overfitting and catastrophic forgetting. However, such generalizability of pre-trained encoders raises concerns about the potential misuse of probing for harmful intentions, such as discriminatory speculation and warfare applications. In this work, we introduce EncoderLock, a novel applicability authorization method designed to protect pre-trained encoders from malicious probing, i.e., yielding poor performance on specified prohibited domains while maintaining their utility in authorized ones. Achieving this balance is challenging because of the opposite optimization objectives and the variety of downstream heads that adversaries can utilize adaptively. To address these challenges, EncoderLock employs two techniques: domain-aware weight selection and updating to restrict applications on prohibited domains/tasks, and self-challenging training scheme that iteratively strengthens resistance against any potential downstream classifiers that adversaries may apply. Moreover, recognizing the potential lack of data from prohibited domains in practical scenarios, we introduce three EncoderLock variants with different levels of data accessibility: supervised (prohibited domain data with labels), unsupervised (prohibited domain data without labels), and zero-shot (no data or labels available). We verify EncoderLock's effectiveness and practicality with a real-world pre-trained Vision Transformer (ViT) encoder from Facebook. These results underscore the valuable contributions EncoderLock brings to the development of responsible AI.