PUF-Based Intellectual Property Protection for CNN Model

It usually takes a lot of time and resources to train a high-accurate Machine Learning model, so it is believed that the trainer owns the Intellectual Property (IP) of the model. With the help of various computing accelerators, a Machine Learning model can run on FPGAs, and model providers render services by selling FPGAs with models embedded. Unauthorized copying of the model infringes the owner's copyrights, so there is an urgent need for the effective protection of model IP. In this paper, we propose a Physical Unclonable Function (PUF) based CNN model IP protection scheme. Before selling the model, the model providers confuse the parameters of the model with the response of a PUF, then embed the confused model into the FPGA where the PUF is. In this way, the protected model can get correct results only if running on the specific FPGA. Experimental results show that the performance difference between the confused model and the original model is negligible, and it is difficult for the adversary to get the correct parameters. Our approach effectively protects the IP of the model by restricting the model to only run on the specified FPGA and is easily extended to other models with convolutional layers and linear fully connected layers.