Non-transferable Pruning

Ruyi Ding, Lili Su, Aidong Adam Ding, Yunsi Fei

TL;DR

The paper proposes Non-Transferable Pruning (NTP), a novel IP protection method that leverages model pruning to control a pretrained DNN's transferability to unauthorized data domains, together with a novel, effective metric for measuring model non-transferability: Area Under the Sample-wise Learning Curve (SLC-AUC).

Abstract

Pretrained Deep Neural Networks (DNNs), developed from extensive datasets to integrate multifaceted knowledge, are increasingly recognized as valuable intellectual property (IP). To safeguard these models against IP infringement, strategies for ownership verification and usage authorization have emerged. Unlike most existing IP protection strategies that concentrate on restricting direct access to the model, our study addresses an extended DNN IP issue: applicability authorization, aiming to prevent the misuse of learned knowledge, particularly in unauthorized transfer learning scenarios. We propose Non-Transferable Pruning (NTP), a novel IP protection method that leverages model pruning to control a pretrained DNN's transferability to unauthorized data domains. Selective pruning can deliberately diminish a model's suitability on unauthorized domains, even with full fine-tuning. Specifically, our framework employs the alternating direction method of multipliers (ADMM) for optimizing both the model sparsity and an innovative non-transferable learning loss, augmented with Fisher space discriminative regularization, to constrain the model's generalizability to the target dataset. We also propose a novel effective metric to measure the model non-transferability: Area Under the Sample-wise Learning Curve (SLC-AUC). This metric facilitates consideration of full fine-tuning across various sample sizes. Experimental results demonstrate that NTP significantly surpasses the state-of-the-art non-transferable learning methods, with an average SLC-AUC of $-0.54$ across diverse pairs of source and target domains, indicating that models trained with NTP are not suited to transfer learning on unauthorized target domains. The efficacy of NTP is validated in both supervised and self-supervised learning contexts, confirming its applicability in real-world scenarios.

Paper Structure

This paper contains 23 sections, 1 theorem, 8 equations, 10 figures, 5 tables, 1 algorithm.

Key Result

Theorem

Let $\mathcal{T}$ be a given target domain. Suppose that its label space $\mathcal{C}=\{0, 1\}$. Let $C_0 = \{(x_i, y_i): y_i=0\}$ and $C_1 = \{(x_i, y_i): y_i=1\}$. Suppose that $|C_0| = |C_1|$. Then there exists a neural network with a feature extractor $\Phi_{W_1}$ that minimizes Eq. eq: fisher r

Figures (10)

  • Figure 1: Adversarial Scenario: The model vendor (Alice) built a DNN for face recognition (i.e., Face IDs) and distributed the smart camera (edge device) with this model onboard. The malicious user (Bob) bought the device and obtained full access to the victim model. He modified the model with transfer learning by fine-tuning with a target dataset to redirect the model for the malicious task (e.g., deepfake [westerlund2019emergence]).
  • Figure 2: An Overview of Non-transferable Pruning Procedure
  • Figure 3: Sample-wise Learning Curve and Area Under Curve: The target domain is MNIST-M [ganin2016domain] and the pretrained model is trained with network architecture ResNet18 [he2016deep] on datasets SYN [ganin2015unsupervised], USPS [hull1994database], and STL [coates2011analysis], respectively.
  • Figure 4: Sparsity vs. SLC-AUC
  • Figure 5: Feature spaces visualization
  • ...and 5 more figures

Theorems & Definitions (2)

  • Definition: SLC-AUC metric
  • Theorem