AuthNet: Neural Network with Integrated Authentication Logic
Yuling Cai, Fan Xiang, Guozhu Meng, Yinzhi Cao, Kai Chen
TL;DR
AuthNet introduces a native authentication mechanism that embeddedly protects CNNs by reusing low-activation gate-layer neurons as authentication bits and splitting the model into head and tail with a secret input key. Authentication is achieved via a mask inversion step to generate a key and a tail-model fine-tuning trained on a mix of legitimate and illegitimate inputs, resulting in near-original performance for authorized users while forcing unauthorized inputs into substantially worse outcomes. The paper provides a theoretical framework around distinguishability, key sensitivity, and transparency, and demonstrates effectiveness across six models with low overhead, along with robustness to fine-tuning and pruning and resilience to adaptive attacks. This approach offers an active, architecture-agnostic defense against model exfiltration and misuse, delivering practical protection for deployed models without requiring extra inference cost or external authentication layers.
Abstract
Model stealing, i.e., unauthorized access and exfiltration of deep learning models, has become one of the major threats. Proprietary models may be protected by access controls and encryption. However, in reality, these measures can be compromised due to system breaches, query-based model extraction or a disgruntled insider. Security hardening of neural networks is also suffering from limits, for example, model watermarking is passive, cannot prevent the occurrence of piracy and not robust against transformations. To this end, we propose a native authentication mechanism, called AuthNet, which integrates authentication logic as part of the model without any additional structures. Our key insight is to reuse redundant neurons with low activation and embed authentication bits in an intermediate layer, called a gate layer. Then, AuthNet fine-tunes the layers after the gate layer to embed authentication logic so that only inputs with special secret key can trigger the correct logic of AuthNet. It exhibits two intuitive advantages. It provides the last line of defense, i.e., even being exfiltrated, the model is not usable as the adversary cannot generate valid inputs without the key. Moreover, the authentication logic is difficult to inspect and identify given millions or billions of neurons in the model. We theoretically demonstrate the high sensitivity of AuthNet to the secret key and its high confusion for unauthorized samples. AuthNet is compatible with any convolutional neural network, where our extensive evaluations show that AuthNet successfully achieves the goal in rejecting unauthenticated users (whose average accuracy drops to 22.03%) with a trivial accuracy decrease (1.18% on average) for legitimate users, and is robust against model transformation and adaptive attacks.