AdvParams: An Active DNN Intellectual Property Protection Technique via Adversarial Perturbation based Parameter Encryption

A well-trained DNN model can be regarded as an intellectual property (IP) of the owner. To date, many IP protection methods have been proposed, but most them are watermarking based verification where owners only verify their ownership passively after copyright models has infringed. In this paper, we propose effective framework to actively protect from infringement. Specifically, encrypt model's parameters by perturbing with well-crafted adversarial perturbations. With encrypted parameters, accuracy drops significantly, which prevent malicious infringers using model. After encryption, positions and values added perturbations form a secret key. Authorized user use key decrypt Compared infringement occurs, proposed method in advance. Moreover, compared existing active methods, does not require additional training process model, introduces low computational overhead. Experimental results show that, test 80.65%, 81.16%, 87.91% on Fashion-MNIST, CIFAR-10, GTSRB, respectively. needs extremely number proportion all is 0.000205%. The experimental also indicate robust against fine-tuning attack pruning attack. for adaptive attackers know detailed steps method, demonstrated robust.