Attacks on Recent DNN IP Protection Techniques and Their Mitigation

With the rapid increase in the development of deep learning methodologies, deep neural networks (DNNs) are now being commonly deployed in smart systems (e.g., autonomous vehicles) and high-end security applications (e.g., face recognition, biometric authentication, etc.). The training of such DNN models often requires exclusive valuable training datasets, enormous computational resources, and expert fine-tuning skills. Hence, a trained DNN model can be regarded as valuable proprietary intellectual property (IP). Piracy of such DNN IPs has emerged as a major concern, with increasing trends of illegal copying and redistribution. A number of mitigation approaches targeting DNN IP protection have been proposed in recent years. In this work, we target two recently proposed DNN IP protection schemes: 1) chaotic map theory-based encryption of the weight parameters and 2) traditional block cipher-based encryption of the weights. We demonstrate attacks on two recent DNN IP protection techniques, with one technique each belonging to the above-mentioned schemes, under a pragmatic attack model. We also propose a novel DNN IP protection technique based on selective encryption of the weight parameters, termed limited encryption of weights for IP protection (LEWIP) to mitigate the exposed weaknesses, while having low implementation and performance overheads. Finally, we demonstrate the effectiveness of the LEWIP technique against state-of-the-art DNN implementations.