Proteus: Preserving Model Confidentiality during Graph Optimizations
Yubo Gao, Maryam Haghifam, Christina Giannoula, Renbo Tu, Gennady Pekhimenko, Nandita Vijaykumar
TL;DR
Proteus addresses the critical challenge of preserving DL model architectural confidentiality during graph-level optimizations by partitioning the protected computation graph into subgraphs and embedding each within sentinel subgraphs. This obfuscation, combined with sentinel generation via GraphRNN-like topologies and randomized partitioning, allows an optimizer to operate on obfuscated subgraphs with preserved optimization opportunities while preventing reconstruction of the original architecture. Empirical results across CNNs and language-model-like networks show Proteus maintains near-maximum speedups with modest overhead, and a learning-based adversary or expert inspection struggles to differentiate sentinels from real subgraphs. The work demonstrates robustness through statistical analyses, adversarial testing, and user surveys, and provides open-source artifacts to enable direct replication and integration with DL compilers such as ONNXRuntime and Hidet.
Abstract
Deep learning (DL) models have revolutionized numerous domains, yet optimizing them for computational efficiency remains a challenging endeavor. Development of new DL models typically involves two parties: the model developers and performance optimizers. The collaboration between the parties often necessitates the model developers exposing the model architecture and computational graph to the optimizers. However, this exposure is undesirable since the model architecture is an important intellectual property, and its innovations require significant investments and expertise. During the exchange, the model is also vulnerable to adversarial attacks via model stealing. This paper presents Proteus, a novel mechanism that enables model optimization by an independent party while preserving the confidentiality of the model architecture. Proteus obfuscates the protected model by partitioning its computational graph into subgraphs and concealing each subgraph within a large pool of generated realistic subgraphs that cannot be easily distinguished from the original. We evaluate Proteus on a range of DNNs, demonstrating its efficacy in preserving confidentiality without compromising performance optimization opportunities. Proteus effectively hides the model as one alternative among up to $10^{32}$ possible model architectures, and is resilient against attacks with a learning-based adversary. We also demonstrate that heuristic based and manual approaches are ineffective in identifying the protected model. To our knowledge, Proteus is the first work that tackles the challenge of model confidentiality during performance optimization. Proteus will be open-sourced for direct use and experimentation, with easy integration with compilers such as ONNXRuntime.