A PUF-Based Approach for Copy Protection of Intellectual Property in Neural Network Models

Daniel Dorfmeister, Flavio Ferrarotti, Bernhard Fischer, Martin Schwandtner, Hannes Sochor

Abstract

More and more companies' Intellectual Property (IP) is being integrated into Neural Network (NN) models. This IP has considerable value for companies and, therefore, requires adequate protection. For example, an attacker might replicate a production machine's hardware and subsequently simply copy the associated software and NN models onto the cloned hardware. To make copying NN models onto cloned hardware infeasible, we present an approach to bind NN models, and thus also the IP contained within them, to their underlying hardware. For this purpose, we link an NN model's weights, which are crucial for its operation, to unique and unclonable hardware properties by leveraging Physically Unclonable Functions (PUFs). By doing so, sufficient accuracy can only be achieved by using the target hardware to restore the original weights, rendering proper execution of the NN model on cloned hardware impossible. We demonstrate that our approach accomplishes the desired degradation of accuracy on various NN models and outline possible future improvements.
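As an added illustration (not the paper's own code; the abstract only sketches the mechanism), the following Python simulates binding a subset of float32 weights to a device key derived from a PUF response, and shows that re-deriving the key on a clone with a different response corrupts exactly the protected weights. It assumes a stable PUF response (a real PUF needs error correction before key derivation); the responses, model identifier and weights are constructed placeholders, and the XOR-keystream masking is an illustrative stand-in, not the authors' construction.

```python
import hashlib
import random
import struct
from typing import List

# Constructed stand-ins for the PUF responses of the target machine and of a
# hardware clone (hypothetical values; a real PUF is queried on the device).
TARGET_PUF_RESPONSE = bytes.fromhex("6f1b8a4c3e9d27a0b5c4d3e2f1a09b8c")
CLONED_PUF_RESPONSE = bytes.fromhex("1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f")
MODEL_ID = b"image-classifier-v1"  # constructed model identifier

def derive_key(puf_response: bytes, model_id: bytes) -> bytes:
    # The key exists only as a function of this device's PUF response, so it
    # is never stored alongside the model artifact.
    return hashlib.sha256(b"nn-copy-protection|" + puf_response + b"|" + model_id).digest()

def select_protected_indices(n_weights: int, fraction: float, seed: int) -> List[int]:
    # Pick the subset of weights bound to the hardware (Figure 3 sweeps this percentage).
    rng = random.Random(seed)
    return sorted(rng.sample(range(n_weights), round(n_weights * fraction)))

def _mix(blob: bytearray, indices: List[int], key: bytes) -> bytes:
    # XOR the 4-byte float32 encoding of each protected weight with a keystream.
    # Applying it twice with the same key restores the original bytes.
    stream = hashlib.shake_256(key).digest(4 * len(indices))
    for j, i in enumerate(indices):
        for b in range(4):
            blob[4 * i + b] ^= stream[4 * j + b]
    return bytes(blob)

def protect_weights(weights: List[float], indices: List[int], key: bytes) -> bytes:
    # Produce the deployable artifact: float32 weights with the selected ones masked.
    return _mix(bytearray(struct.pack(f"<{len(weights)}f", *weights)), indices, key)

def restore_weights(blob: bytes, indices: List[int], key: bytes) -> List[float]:
    # On the running machine, re-derive the key from its PUF and unmask.
    plain = _mix(bytearray(blob), indices, key)
    return list(struct.unpack(f"<{len(plain) // 4}f", plain))

def count_corrupted(original: List[float], restored: List[float]) -> int:
    # Weights that differ (or became NaN) after restoration on this machine.
    return sum(1 for a, b in zip(original, restored) if b != b or a != b)

# Constructed toy weight vector (values exactly representable in float32).
WEIGHTS = [0.125, -0.5, 0.75, 1.0, -0.25, 0.375, 2.0, -1.5]
INDICES = select_protected_indices(len(WEIGHTS), 0.5, seed=7)
ARTIFACT = protect_weights(WEIGHTS, INDICES, derive_key(TARGET_PUF_RESPONSE, MODEL_ID))

if __name__ == "__main__":
    on_target = restore_weights(ARTIFACT, INDICES, derive_key(TARGET_PUF_RESPONSE, MODEL_ID))
    on_clone = restore_weights(ARTIFACT, INDICES, derive_key(CLONED_PUF_RESPONSE, MODEL_ID))
    print("corrupted on target:", count_corrupted(WEIGHTS, on_target))
    print("corrupted on clone:", count_corrupted(WEIGHTS, on_clone))
```

The unprotected weights survive on the clone unchanged, which is why the paper measures how large the protected fraction must be before accuracy falls to that of a random classifier.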

Paper Structure: 15 sections, 4 figures, 1 table.

Figures (4)

  • Figure 1: Copy Protection: A NN model tied to a target machine.
  • Figure 2: Behaviour of a copy-protected NN model on the target machine vs. cloned machines.
  • Figure 3: Mean accuracy drop (and standard deviation) for the models described in Table 1, depending on the percentage of encrypted weights, for 10 randomly chosen sets of weights each. For comparison, the black horizontal lines represent random classifiers.
  • Figure 4: Comparison of the accuracy of the image classifier from \ref{fig:subfig1} at different levels of encryption when leaving it encrypted and when decrypting it on various machines, i.e., the target machine and two cloned machines. The black horizontal line represents a random classifier.