TY - JOUR
T1 - ActiveGuard
T2 - An active intellectual property protection technique for deep neural networks by leveraging adversarial examples as users' fingerprints
AU - Xue, Mingfu
AU - Sun, Shichang
AU - He, Can
AU - Gu, Dujuan
AU - Zhang, Yushu
AU - Wang, Jian
AU - Liu, Weiqiang
N1 - Publisher Copyright:
© 2023 The Authors. IET Computers & Digital Techniques published by John Wiley & Sons Ltd on behalf of The Institution of Engineering and Technology.
PY - 2023/7/1
Y1 - 2023/7/1
N2 - Intellectual property (IP) protection of deep neural network (DNN) models has raised many concerns in recent years. To date, most existing works use DNN watermarking to protect the IP of DNN models. However, DNN watermarking methods can only passively verify the copyright of a model after it has been pirated; they cannot prevent piracy in the first place. In this paper, an active DNN IP protection technique against DNN piracy, called ActiveGuard, is proposed. ActiveGuard provides active authorisation control, users' identity management, and ownership verification for DNN models. Specifically, for the first time, ActiveGuard exploits well-crafted rare and specific adversarial examples with specific classes and confidences as users' fingerprints to distinguish authorised users from unauthorised ones. Authorised users input their fingerprints to the DNN model for identity authentication and then obtain normal usage, while unauthorised users obtain very poor model performance. In addition, ActiveGuard enables the model owner to embed a watermark into the weights of the DNN model for ownership verification. Compared to the few existing active DNN IP protection works, ActiveGuard supports both users' identity identification and active authorisation control. Besides, ActiveGuard introduces lower overhead than these existing active protection works. Experimental results show that, for authorised users, the test accuracies of the LeNet-5 and Wide Residual Network (WRN) models are 99.15% and 91.46%, respectively, while for unauthorised users, the test accuracies of the LeNet-5 and WRN models are only 8.92% and 10%, respectively. Besides, each authorised user can pass the fingerprint authentication with a high success rate (up to 100%). For ownership verification, the embedded watermark can be successfully extracted, while the normal performance of the DNN models is not affected. Furthermore, it is demonstrated that ActiveGuard is robust against model fine-tuning attack, pruning attack, and three types of fingerprint forgery attacks.
KW - active copyright protection
KW - adversarial examples
KW - authorization control
KW - deep neural networks
KW - users' fingerprints management
UR - https://www.scopus.com/pages/publications/85159121978
U2 - 10.1049/cdt2.12056
DO - 10.1049/cdt2.12056
M3 - Article
AN - SCOPUS:85159121978
SN - 1751-8601
VL - 17
SP - 111
EP - 126
JO - IET Computers and Digital Techniques
JF - IET Computers and Digital Techniques
IS - 3-4
ER -