Re-Key-Free, Risky-Free: Adaptable Model Usage Control

Zihan Wang, Zhongkui Ma, Xinguo Feng, Chuan Yan, Dongge Liu, Ruoxi Sun, Derui Wang, Minhui Xue, Guangdong Bai

TL;DR

AdaLoc introduces adaptable usage control by locking a compact key composed of high-magnitude weights and restricting updates to this subset during continual model evolution. The approach unifies accessibility and adaptability through a formal framework, deriving layer-wise Lipschitz and sub-Gaussian bounds to guarantee that removing the key collapses outputs while updating only the key preserves near-full performance. Empirically, AdaLoc achieves accuracies matching full fine-tuning for authorized use across CNNs and transformers, while unauthorized use drops to near-random levels (e.g., 1.01% on CIFAR-100). Static usage control remains robust, with key removal yielding unusable models across datasets and architectures. The combination of theoretical guarantees and broad empirical validation demonstrates AdaLoc as a practical solution for secure, adaptable DNN deployments in dynamic real-world settings.

Abstract

Deep neural networks (DNNs) have become valuable intellectual property of model owners, due to the substantial resources required for their development. To protect these assets in the deployed environment, recent research has proposed model usage control mechanisms to ensure models cannot be used without proper authorization. These methods typically lock the utility of the model by embedding an access key into its parameters. However, they often assume static deployment, and largely fail to withstand continual post-deployment model updates, such as fine-tuning or task-specific adaptation. In this paper, we propose ADALOC, to endow key-based model usage control with adaptability during model evolution. It strategically selects a subset of weights as an intrinsic access key, which enables all model updates to be confined to this key throughout the evolution lifecycle. ADALOC enables using the access key to restore the keyed model to the latest authorized states without redistributing the entire network (i.e., adaptation), and frees the model owner from full re-keying after each model update (i.e., lock preservation). We establish a formal foundation to underpin ADALOC, providing crucial bounds such as the errors introduced by updates restricted to the access key. Experiments on standard benchmarks, such as CIFAR-100, Caltech-256, and Flowers-102, and modern architectures, including ResNet, DenseNet, and ConvNeXt, demonstrate that ADALOC achieves high accuracy under significant updates while retaining robust protections. Specifically, authorized usages consistently achieve strong task-specific performance, while unauthorized usage accuracy drops to near-random guessing levels (e.g., 1.01% on CIFAR-100), compared to up to 87.01% without ADALOC. This shows that ADALOC can offer a practical solution for adaptive and protected DNN deployment in evolving real-world scenarios.
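The locking and update-restriction mechanism summarized above (a subset of high-magnitude weights serves as the key, the distributed model has those weights removed, and all post-deployment updates are confined to the key) can be seen end to end on a toy model. The following is an added illustration, not code from the paper or its authors. The single linear layer, squared-error loss, plain gradient descent, the 25% key ratio, and the constructed random data are all my assumptions; the paper works with deep CNNs and transformers and its own selection and training details.

```python
"""Toy model of AdaLoc-style usage control with an intrinsic, updatable key.

Added illustration, not code from the paper. Assumptions that are mine, not the
paper's: a single linear layer, squared-error loss, plain gradient descent, and
an arbitrary key ratio of 25%. What is modelled from the paper: the key is a
subset of high-magnitude weights, the distributed ("locked") model has those
weights removed, and all post-deployment updates are confined to the key.
"""
import numpy as np


def select_key(W, ratio):
    """Flat indices of the top `ratio` fraction of weights by magnitude (the key)."""
    k = max(1, int(round(ratio * W.size)))
    return np.argpartition(np.abs(W).ravel(), -k)[-k:]


def lock(W, key_idx):
    """Split W into the locked model (key positions zeroed) and the key values."""
    locked = W.ravel().copy()
    key_vals = locked[key_idx].copy()
    locked[key_idx] = 0.0
    return locked.reshape(W.shape), key_vals


def restore(locked, key_idx, key_vals):
    """Authorized use: write the key values back into the locked model."""
    W = locked.ravel().copy()
    W[key_idx] = key_vals
    return W.reshape(locked.shape)


def keyed_update(W, key_idx, X, Y, lr=0.1, steps=200):
    """Gradient descent on mean squared error, masked so only key weights move."""
    mask = np.zeros(W.size)
    mask[key_idx] = 1.0
    mask = mask.reshape(W.shape)
    W = W.copy()
    for _ in range(steps):
        grad = (W @ X - Y) @ X.T / X.shape[1]   # d/dW of mean squared error
        W -= lr * grad * mask                    # off-key entries change by exactly 0
    return W


def mse(W, X, Y):
    return float(np.mean((W @ X - Y) ** 2))


def run_demo(ratio=0.25, seed=0):
    """Lock, adapt with key-only updates, and re-key; return plain-Python metrics."""
    rng = np.random.default_rng(seed)
    d, c, n = 8, 3, 64                       # inputs, outputs, samples (constructed data)
    W_true = rng.normal(size=(c, d))         # stands in for the pretrained weights
    X = rng.normal(size=(d, n))
    Y = W_true @ X + 0.01 * rng.normal(size=(c, n))

    key_idx = select_key(W_true, ratio)
    locked, key_vals = lock(W_true, key_idx)
    W_auth = restore(locked, key_idx, key_vals)

    # New domain: the target mapping drifts; adapt by updating the key only.
    X_new = rng.normal(size=(d, n))
    Y_new = (W_true + 0.5 * rng.normal(size=(c, d))) @ X_new
    W_adapted = keyed_update(W_auth, key_idx, X_new, Y_new)

    # Re-keying is just reading the new key values; the locked model is unchanged.
    new_key_vals = W_adapted.ravel()[key_idx]
    off_key = np.ones(W_true.size, dtype=bool)
    off_key[key_idx] = False

    return {
        "key_size": int(key_idx.size),
        "restored_exact": bool(np.array_equal(W_auth, W_true)),
        "authorized_mse": mse(W_auth, X, Y),
        "locked_mse": mse(locked, X, Y),
        "before_adapt_mse": mse(W_auth, X_new, Y_new),
        "adapted_mse": mse(W_adapted, X_new, Y_new),
        "locked_after_update_mse": mse(locked, X_new, Y_new),
        "off_key_unchanged": bool(np.array_equal(W_adapted.ravel()[off_key],
                                                 W_true.ravel()[off_key])),
        "rekey_exact": bool(np.array_equal(restore(locked, key_idx, new_key_vals),
                                           W_adapted)),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Two properties of the paper's design show up directly in the metrics: because the masked gradient is exactly zero off the key, the locked model distributed to users never changes across updates, so the owner ships only the new key values (`rekey_exact`), and the same locked model stays unusable on the new task after adaptation (`locked_after_update_mse` far above `adapted_mse`). The toy does not reproduce the paper's Lipschitz or sub-Gaussian bounds; it only makes the lock, update and re-key steps concrete.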

Paper Structure

This paper contains 42 sections, 5 theorems, 35 equations, 8 figures, 6 tables.

Key Result

Theorem 1

Let $f(\bm{x};\bm{\theta})$ be a fully connected neural network with
For the $m$-th layer, where $m = 1, \ldots, L$, assume that
Then, for any deterministic input $\bm{x}\in\mathbb{R}^{N}$, $\mathrm{Var}(f(\bm{x} ; \bm{\theta}))$ is

Footnote: Our assumptions across this study are practical and commonly used in many theoretical works of neural networks (e.g., pruning [qian2021probabilistic; malach2020proving]).

Figures (8)

  • Figure 1: General model usage control (a). Locking: a pretrained network $f^{*}$ is converted to a locked model $f$ plus a securely stored key $\kappa$ (selected weight indices and values). Authorized inference returns normal outputs; unauthorized inference renders the model completely unusable (e.g., random-guess level for a 10-class classification task). Update & failure: adapting the model to a new domain ($f \to f'$) invalidates the lock, restoring full access for attackers and forcing costly re-keying and model redistribution. Our approach (b). Instead of relying on any "external" locking mechanism, we designate a compact block of neurons themselves as $\kappa$, and restrict all updates to that block. Because the rest of the network never changes, the lock remains intact and $f'$ is still unusable without the key.
  • Figure 2: Heuristic illustration. Updating only a few directions with the largest parameter changes, spanning a subspace $\tilde{\boldsymbol{\theta}}$, can often reach the same solution set as full fine-tuning $\hat{\boldsymbol{\theta}}$. These high-impact directions generally align with large-magnitude weights (see the weight and gradient histograms in Figure 4). The theorems on model performance through the small-parameter-gradient result for convolutional layers provide formal guarantees for both observations, and the experiments section empirically confirms them.
  • Figure 3: Visualization of feature maps (the top and bottom two) and corresponding filters (all 64 filters) from the first convolutional layer of a trained VGG model.
  • Figure 4: Layer-wise histograms of VGG-16 weights and their accumulated gradient updates during adaptation, where across all layers the vast majority of values sit at or near zero.
  • Figure 5: Accuracy drop versus slack ratio for VGG-16 and VGG-19 on MNIST, FashionMNIST, CIFAR-10, and CIFAR-100, showing empirical slack below 1 while accuracy stays close to full fine-tuning.
  • ...and 3 more figures

Theorems & Definitions (15)

  • Definition 1: Parameter Space
  • Definition 2: Model Training
  • Definition 3: Parameter Update
  • Definition 4: Model Functionality
  • Definition 5: Key
  • Theorem 1: Output variance bounded by parameter variance
  • proof
  • Theorem 2: Performance under bounded parameter distance
  • proof
  • Theorem 3: Performance under bounded standard deviation
  • ...and 5 more