DynaMO: Protecting Mobile DL Models through Coupling Obfuscated DL Operators

Mingyi Zhou, Xiang Gao, Xiao Chen, Chunyang Chen, John Grundy, Li Li

TL;DR

DynaMO, a dynamic model obfuscation strategy similar to homomorphic encryption, dramatically improves the security of on-device DL models compared with existing obfuscation strategies, at only negligible overhead.

Abstract

Deploying DL models in mobile apps has become ever more popular. However, existing studies show that attackers can easily reverse-engineer the DL models inside apps to steal intellectual property or to craft effective attacks. A recent approach, model obfuscation, defends against such reverse engineering by obfuscating DL model representations, such as weights and computational graphs, without affecting model performance. Existing model obfuscation methods are either static, or half-dynamic in that they require the user to restore the model information through additional input arguments. Neither provides enough protection for on-device DL models: because the correct model information and intermediate results must be recovered at runtime, an attacker can use dynamic analysis of the inference code to mine that sensitive information. We assess the vulnerability of the existing obfuscation strategies using an instrumentation method and tool, DLModelExplorer, that dynamically extracts the correct sensitive model information at runtime; experiments show it achieves very high attack performance. To defend against such dynamic-instrumentation attacks, we propose DynaMO, a dynamic model obfuscation strategy similar to homomorphic encryption in that inference runs on transformed weights and intermediate values. The obfuscation and recovery process is a simple linear transformation of the weights of randomly coupled eligible operators, which makes the obfuscation fully dynamic. Experiments show that our proposed strategy dramatically improves model security compared with the existing obfuscation strategies, with only negligible overhead for on-device models.

Paper Structure

This paper contains 42 sections, 2 theorems, 4 equations, 4 figures, 6 tables.

Key Result

Lemma 4.1

(Coupled Weight Transformation on a linear model): A sub-network $f$ consists of multiple linear layers $\{L_1, L_2, \cdots, L_n\}$, where the $i$-th layer is $L_i: X_{i} = W_{i-1}^\top X_{i-1} + b_{i-1}$ for $i\in [1, n]$. The output of the sub-network $f$ w.r.t. the input $X_0$ is $f(X_0)$.
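Worked example of the coupled weight transformation that the lemma sets up, added here as illustration; it is not code from the paper. It uses the lemma's convention $X_i = W_{i-1}^\top X_{i-1} + b_{i-1}$ on a constructed two-layer sub-network, obfuscates layer 0 with a random invertible linear map $T$ and folds $T^{-1}$ into the coupled layer 1, so that an instrumentation hook on the hidden operator observes $T(X_1)$ rather than $X_1$ while the sub-network output is unchanged. The choice of $T$ (a positive per-unit scaling followed by a permutation of the hidden units), the toy weights and the helper names are assumptions of this example; the paper states only that the transformation is linear, and its eligibility rules for which operators may be coupled are not reproduced here. Because the scaling is positive it commutes with ReLU, so the same recovery works with an activation between the two layers.

```python
import random

# Constructed toy weights for a two-layer sub-network, stored as in the lemma:
# W_{i-1} is a d_{i-1} x d_i list of rows, and X_i = W_{i-1}^T X_{i-1} + b_{i-1}.
W0 = [[0.5, -1.0, 2.0],
      [1.5, 1.25, -0.8]]          # d0 = 2 inputs, d1 = 3 hidden units
b0 = [0.1, -0.2, 0.3]
W1 = [[1.0, -2.0],
      [0.5, 0.5],
      [-1.0, 3.0]]                # d1 = 3 hidden units, d2 = 2 outputs
b1 = [0.0, 1.0]


def relu(x):
    return [v if v > 0 else 0.0 for v in x]


def linear(W, x, b):
    """Return W^T x + b for W given as d_in rows of length d_out."""
    return [sum(W[i][j] * x[i] for i in range(len(W))) + b[j]
            for j in range(len(b))]


def forward(layers, x0, activation=None):
    """Run the sub-network; returns (final output, list of hidden vectors).

    The activation (if any) is applied between layers, never after the last one,
    so the final output is the plain linear map of the last layer."""
    x, hidden = list(x0), []
    for idx, (W, b) in enumerate(layers):
        x = linear(W, x, b)
        if idx < len(layers) - 1:
            if activation is not None:
                x = activation(x)
            hidden.append(x)
    return x, hidden


def couple_obfuscate(W0, b0, W1, rng):
    """Obfuscate layer 0 with a random invertible linear map T and fold T^{-1}
    into the coupled layer 1.

    T is chosen here (an assumption of this example) as a positive per-unit
    scaling followed by a permutation of the hidden units. The hidden vector
    seen at runtime becomes T(X_1); the output of the pair is unchanged."""
    d1 = len(b0)
    scale = [rng.uniform(0.5, 2.0) for _ in range(d1)]   # positive: commutes with ReLU
    perm = list(range(d1))
    rng.shuffle(perm)
    # obfuscated hidden unit j = scale[perm[j]] * original hidden unit perm[j]
    W0_obf = [[row[perm[j]] * scale[perm[j]] for j in range(d1)] for row in W0]
    b0_obf = [b0[perm[j]] * scale[perm[j]] for j in range(d1)]
    # row j of the coupled layer reads obfuscated unit j: undo the scaling and
    # reorder rows, so the original W0 / W1 never appear in the deployed model
    W1_obf = [[w / scale[perm[j]] for w in W1[perm[j]]] for j in range(d1)]
    return W0_obf, b0_obf, W1_obf


def max_abs_diff(a, b):
    return max(abs(u - v) for u, v in zip(a, b))


def demo(seed=7, x0=(1.0, 2.0), activation=relu):
    """Compare the original and the coupled-obfuscated sub-network on one input."""
    rng = random.Random(seed)
    W0_obf, b0_obf, W1_obf = couple_obfuscate(W0, b0, W1, rng)
    y, (h,) = forward([(W0, b0), (W1, b1)], x0, activation)
    y_obf, (h_obf,) = forward([(W0_obf, b0_obf), (W1_obf, b1)], x0, activation)
    return {"y": y, "y_obf": y_obf, "hidden": h, "hidden_obf": h_obf,
            "W0_obf": W0_obf, "W1_obf": W1_obf}


if __name__ == "__main__":
    r = demo()
    print("output  (original)  ", r["y"])
    print("output  (obfuscated)", r["y_obf"])
    print("hidden  (original)  ", r["hidden"])
    print("hidden  (obfuscated)", r["hidden_obf"])
```

The point a defender should take from this is the shape of the argument, not the toy numbers: a hook placed on the hidden operator, in the style of the dynamic-instrumentation attack the abstract describes, sees scaled and permuted values, and neither layer's stored weights equal the originals, yet the sub-network's output is bit-for-bit the same up to floating-point rounding. The attacker would have to recover $T$ itself, which is drawn fresh for each coupled pair.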

Figures (4)

  • Figure 1: Demonstration of existing model obfuscation [zhou2023modelobfuscator]. Here, existing model obfuscation hides the weights of the conv2d operator, renames the original operator to a random string (conv2d$\rightarrow$wripyx), and injects an extra obfuscating operator (i.e., mjzdmh). A customised DL API library is generated to execute inference of the obfuscated model. The function {OP_NAME}::eval is the code implementation of the operator's forward inference. The extra operator mjzdmh only has an obfuscating function obfuscate_func that copies the input value to the output.
  • Figure 2: Overview of our proposed model deobfuscation method DLModelExplorer. The mjzdmh operator with a red dotted block is an extra obfuscating operator.
  • Figure 3: Overview of our proposed DynaMO. The dotted block denotes the extra obfuscating operator. The green block denotes the selected operator in weight transformation obfuscation. The red block (both dotted and solid) denotes the eligible coupled operators that can be used to recover the correct results. Note that we do not obfuscate the names of valid operators to demonstrate the process clearly.
  • Figure 4: Meta-model of our method.

Theorems & Definitions (2)

  • Lemma 4.1
  • Theorem 4.2