
MAP: MAsk-Pruning for Source-Free Model Intellectual Property Protection

Boyang Peng, Sanqing Qu, Yong Wu, Tianpei Zou, Lianghua He, Alois Knoll, Guang Chen, Changjun Jiang

TL;DR

This work tackles the practical problem of protecting pretrained model IP without access to the original training data by introducing MAsk Pruning (MAP). Grounded in the Inverse Transfer Parameter Hypothesis, MAP prunes target-domain–related parameters via a Learnable Binary Mask, constraining the model's generalization to unauthorized domains while preserving authorized-domain performance. It extends to two more capable variants, SF-MAP and DF-MAP, which synthesize pseudo-source data and diverse neighbor domains to guide pruning in source-free and data-free settings, respectively, and introduces the ST-D metric to balance source and target degradation. Across multiple benchmarks, MAP achieves state-of-the-art IP protection in source-available, source-free, and data-free scenarios, with practical implications for decentralized data privacy and ownership verification via watermarking.

Abstract

Deep learning has achieved remarkable progress in various applications, heightening the importance of safeguarding the intellectual property (IP) of well-trained models. It entails not only authorizing usage but also ensuring the deployment of models in authorized data domains, i.e., making models exclusive to certain target domains. Previous methods necessitate concurrent access to source training data and target unauthorized data when performing IP protection, making them risky and inefficient for decentralized private data. In this paper, we target a practical setting where only a well-trained source model is available and investigate how we can realize IP protection. To achieve this, we propose a novel MAsk Pruning (MAP) framework. MAP stems from an intuitive hypothesis, i.e., there are target-related parameters in a well-trained model, and locating and pruning them is the key to IP protection. Technically, MAP freezes the source model and learns a target-specific binary mask to prevent unauthorized data usage while minimizing performance degradation on authorized data. Moreover, we introduce a new metric aimed at achieving a better balance between source and target performance degradation. To verify its effectiveness and versatility, we have evaluated MAP in a variety of scenarios, including vanilla source-available, practical source-free, and challenging data-free. Extensive experiments indicate that MAP yields new state-of-the-art performance.
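The mechanism described in the abstract (frozen weights plus a learned binary mask) can be seen on a toy model. The following is an added example, not the paper's code: the linear scorer, the constructed data, the objective (source logistic loss minus `lam` times target logistic loss), the straight-through update, and all names (`W`, `SOURCE`, `TARGET`, `learn_mask`) are assumptions made for illustration.

```python
import math

# Constructed toy setup (not from the paper): a frozen linear scorer over 4 features.
W = [1.5, 1.0, 1.0, 2.0]  # frozen source-model weights, never updated
SOURCE = [([1.0, 0.5, 0.1, 0.0], 1), ([-1.0, -0.5, 0.0, 0.1], -1),
          ([0.8, 1.0, -0.1, 0.0], 1), ([-0.9, -0.8, 0.0, 0.0], -1)]   # authorized
TARGET = [([0.2, 0.1, 1.0, 0.8], 1), ([0.2, 0.1, -1.0, -1.0], -1),
          ([-0.2, 0.1, 0.9, 1.0], 1), ([-0.2, -0.3, -0.8, -0.9], -1)]  # unauthorized

def binarize(scores):
    """Hard 0/1 mask from real-valued scores (1 = keep the weight)."""
    return [1 if s > 0 else 0 for s in scores]

def logit(x, mask):
    """Output of the frozen model with the mask applied to its weights."""
    return sum(m * w * xi for m, w, xi in zip(mask, W, x))

def accuracy(data, mask):
    return sum(y * logit(x, mask) > 0 for x, y in data) / len(data)

def mask_grad(data, mask):
    """Gradient of the mean logistic loss with respect to each mask entry."""
    g = [0.0] * len(W)
    for x, y in data:
        p_wrong = 1.0 / (1.0 + math.exp(y * logit(x, mask)))
        for i, (w, xi) in enumerate(zip(W, x)):
            g[i] -= y * w * xi * p_wrong / len(data)
    return g

def learn_mask(lam=1.0, lr=0.5, steps=200):
    """Learn a binary mask: keep source loss low, push target loss up."""
    scores = [1.0] * len(W)  # start with nothing pruned
    for _ in range(steps):
        mask = binarize(scores)
        g_src = mask_grad(SOURCE, mask)  # minimise loss on authorized data
        g_tgt = mask_grad(TARGET, mask)  # maximise loss on unauthorized data
        # Straight-through estimator: treat d(mask)/d(score) as 1.
        scores = [s - lr * (gs - lam * gt)
                  for s, gs, gt in zip(scores, g_src, g_tgt)]
    return binarize(scores)

if __name__ == "__main__":
    m = learn_mask()
    print("mask:", m)
    print("source acc:", accuracy(SOURCE, m), "target acc:", accuracy(TARGET, m))
```

On this constructed data the learned mask prunes the two weights that only the target domain relies on, so the masked model keeps full accuracy on the source samples while dropping to chance on the target samples.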

Paper Structure

This paper contains 25 sections, 2 theorems, 9 equations, 9 figures, 6 tables, 3 algorithms.

Key Result

Proposition 1

Let $n$ be a nuisance for input $x$. Let $z$ be a representation of $x$, and the label is $y$. The Shannon Mutual Information (SMI) is presented as $I(\cdot)$. For the information flow in representation learning, we have

Figures (9)

  • Figure 1: An illustration of model IP protection in source-free and data-free situations. (a) The original model is well-trained in the authorized (source) domain, with a wide generalization area that allows illegal access to the model through unauthorized (target) domains. (b) Two methods are shown: (1) Source-free IP protection, which removes an unauthorized domain from the generalization area without using source datasets; and (2) Data-Free IP protection, which cannot access any datasets but reduces the generalization area, preventing illegal knowledge transfer.
  • Figure 2: Overall architecture of MAP. Please note that this architecture presents the complete DF-MAP, from which SA-MAP and SF-MAP are derived. (a) The Generation Module, displayed in the left part, consists of three generators. The Diversity Generator ($G_d$) synthesizes auxiliary samples to generate neighbor domains with multiple style features. The Fresh Generator ($G_f$) generates synthetic novel featured samples, while Memory Generator ($G_m$) replays samples with features from previous images. In SF-MAP, the Diversity Generator ($G_d$) is removed, and existing target domain data is utilized for training. In SA-MAP, the entire Generation Module is eliminated, and existing source domain data is further leveraged, as detailed in the supplementary material. (b) The right part illustrates the mask-pruning process. A well-trained original source network $f_s$ distills knowledge into the target network $f_t$, which shares the same architecture. We initialize and fix them with the same checkpoint, then update a Learnable Binary Mask ($M$) with consistency loss calculated from synthetic samples. The MAP limits a target domain generalization region while retaining source domain performance, leading to a beneficial outcome.
  • Figure 3: The accuracy of SL, NTL, CUTI, and SA-MAP on CIFAR10$\rightarrow$STL10, and VisDA-2017 (T$\rightarrow$V). The '$\rightarrow$' denotes transfer from the source domain to the target domain. The green bar, orange bar, and red line represent the accuracy of the corresponding methods in the source domain, the accuracy in the target domain, and the relative degradation (Source Accuracy - Target Accuracy), respectively.
  • Figure 4: The accuracy of SL, NTL, CUTI, and SF-MAP on CIFAR10$\rightarrow$STL10, and VisDA-2017 (T$\rightarrow$V). The green bar, orange bar, and red line represent the accuracy in the source domain, the accuracy in the target domain, and the relative degradation, respectively.
  • Figure 5: (a) (left) The accuracy (%) of the original SL model and the SF-MAP model with different backbones on the target domain of STL10 $\rightarrow$ CIFAR10. (b) (right) The accuracy (%) of SF-MAP with different losses on the target domain of MT $\rightarrow$ US, CIFAR10 $\rightarrow$ STL10, and VisDA-2017 (T $\rightarrow$ V).
  • ...and 4 more figures

Theorems & Definitions (2)

  • Proposition 1: wang2021non
  • Lemma 1: wang2021non