Towards Stricter Black-box Integrity Verification of Deep Neural Network Models

Published: 20 Jul 2024, Last Modified: 21 Jul 2024. MM2024 Poster. License: CC BY 4.0
Abstract: Cloud-based machine learning services are attractive but expose a cloud-deployed DNN model to the risk of tampering. Black-box integrity verification (BIV) enables the owner or end-users to ascertain whether a cloud-deployed DNN model has been tampered with from responses that return only the top-1 label. Fingerprinting achieves BIV by generating fingerprint samples that are submitted to the deployed model, so that tampering is detected from changed responses without modifying the model and therefore without any impact on its accuracy. In this paper, we introduce BIVBench, the first benchmark for BIV of DNN models, encompassing 16 types of practical modifications that cover typical tampering scenarios. We reveal that existing fingerprinting methods, which focus on a limited range of tampering types, lack the sensitivity to detect subtle, yet common and potentially severe, tampering effectively. To fill this gap, we propose MiSentry (Model integrity Sentry), a novel fingerprinting method that strategically incorporates only a few crucial subtly tampered models into a model zoo, leverages meta-learning, and maximizes the divergence of the output predictions between the untampered target model and the models in the model zoo to generate highly sensitive, generalizable, and effective fingerprint samples. Extensive evaluations using BIVBench demonstrate that MiSentry substantially outperforms existing state-of-the-art fingerprinting methods, particularly in detecting subtle tampering.
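The black-box setting the abstract describes (query the deployed model, observe only the top-1 label, compare it with the label recorded on the untampered model) can be made concrete with a toy model. The following is an added example, not code from the paper, from BIVBench, or from MiSentry: the 3-class linear model, the anchor points and the two "tampering" operations are constructed for illustration, and fingerprints are chosen by bisecting towards the decision boundary rather than by the paper's meta-learned model zoo. It shows why samples with a tiny top-1 margin detect a small modification that high-margin samples miss, using nothing but label equality on the verifier side.

```python
"""Toy black-box integrity verification (BIV) with boundary-sensitive fingerprints.

Pure Python. The linear "model", the anchors and the tampering operations are
constructed for illustration; they are not the paper's models or methods.
"""
from typing import Callable, Dict, List, Sequence, Tuple

Point = Tuple[float, float]
Model = Callable[[Point], int]  # black box: input -> top-1 label only

# Hypothetical untampered 3-class linear model: logit_c = w_c . x + b_c
W_REF: List[List[float]] = [[1.0, 0.1], [-0.5, 0.9], [-0.4, -0.9]]
B_REF: List[float] = [0.0, 0.05, -0.05]


def make_model(W: Sequence[Sequence[float]], b: Sequence[float]) -> Model:
    """Wrap weights as a black box that exposes only the top-1 label."""
    def top1(x: Point) -> int:
        logits = [w[0] * x[0] + w[1] * x[1] + bc for w, bc in zip(W, b)]
        return max(range(len(logits)), key=logits.__getitem__)
    return top1


def boundary_pair(model: Model, a: Point, b: Point, steps: int = 60) -> List[Point]:
    """Bisect the segment a-b, whose endpoints must carry different labels, and
    return one point on each side of the decision boundary, both within
    floating-point distance of it. Only top-1 labels are consulted."""
    lo, hi = a, b
    lo_label = model(lo)
    if model(hi) == lo_label:
        raise ValueError("endpoints must have different top-1 labels")
    for _ in range(steps):
        mid = ((lo[0] + hi[0]) / 2, (lo[1] + hi[1]) / 2)
        if model(mid) == lo_label:
            lo = mid
        else:
            hi = mid
    return [lo, hi]


def enrol(model: Model, probes: Sequence[Point]) -> Dict[Point, int]:
    """Owner side: record the reference top-1 label of every probe on a trusted copy."""
    return {p: model(p) for p in probes}


def verify(model: Model, reference: Dict[Point, int]) -> int:
    """Verifier side: query the deployed black box and count label mismatches.
    Any nonzero count is evidence of tampering."""
    return sum(1 for p, label in reference.items() if model(p) != label)


# Constructed high-margin anchors, one per class: the "ordinary" probe set.
ANCHORS: List[Point] = [(2.0, 0.0), (-1.0, 1.8), (-1.0, -1.8)]


def build_fingerprints(model: Model) -> List[Point]:
    """Boundary-straddling fingerprints between every pair of anchors (6 points)."""
    fps: List[Point] = []
    for i in range(len(ANCHORS)):
        for j in range(i + 1, len(ANCHORS)):
            fps.extend(boundary_pair(model, ANCHORS[i], ANCHORS[j]))
    return fps


# Two constructed "subtle" modifications of the deployed copy.
def prune_smallest_weight() -> Model:
    W = [row[:] for row in W_REF]
    W[0][1] = 0.0  # zero the smallest-magnitude weight, as pruning would
    return make_model(W, B_REF)


def shift_one_bias(delta: float = 0.02) -> Model:
    b = B_REF[:]
    b[1] += delta  # nudge one class, as a small fine-tune or backdoor might
    return make_model(W_REF, b)


def run_demo() -> Dict[str, Tuple[int, int]]:
    """Return (anchor mismatches, fingerprint mismatches) per deployed copy."""
    ref = make_model(W_REF, B_REF)
    anchor_ref = enrol(ref, ANCHORS)
    fp_ref = enrol(ref, build_fingerprints(ref))
    deployed = {
        "untampered": ref,
        "pruned": prune_smallest_weight(),
        "bias_shift": shift_one_bias(),
    }
    return {name: (verify(m, anchor_ref), verify(m, fp_ref)) for name, m in deployed.items()}


if __name__ == "__main__":
    for name, (anchors, fingerprints) in run_demo().items():
        print(f"{name:11s} anchor mismatches={anchors} fingerprint mismatches={fingerprints}")
```

Running it shows zero anchor mismatches for every deployed copy while the boundary-straddling fingerprints catch both modifications; the untampered copy passes both checks. Two practical points carry over from the toy: the verifier needs only label equality, so the protocol works against any API that returns a class, and the reference labels must be recorded on a copy the owner trusts while the fingerprint set stays confidential, since a service that knows the probes can answer them correctly and serve a tampered model to everyone else.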
Primary Subject Area: [Experience] Multimedia Applications
Secondary Subject Area: [Content] Vision and Language
Relevance To Conference: Integrity protection in multimedia applications is of utmost importance. Modern multimedia applications often rely on deep learning models, and protecting the integrity of these models ensures they have not been modified or tampered with without authorization, thus safeguarding the legitimate rights and interests of creators and users. This is particularly crucial for multimedia applications involving personal privacy, corporate secrets, and security. Many countries and regions have strict laws and regulations concerning data protection and privacy. By ensuring the integrity of deep learning models, multimedia technologies can develop and innovate more securely. For instance, model fingerprinting can enhance the protection of model integrity without compromising the user experience. Therefore, the protection of model integrity in multimedia applications is indispensable. It not only concerns the direct interests of individuals and businesses but also plays a crucial role in maintaining a healthy network environment and promoting technological progress.
Supplementary Material: zip
Submission Number: 5640