FMLock: Preventing Unauthorized Use of Large Foundation Models

15 Sept 2023 (modified: 25 Mar 2024), ICLR 2024 Conference, Withdrawn Submission
Keywords: Foundation models, security and privacy, semi-supervised learning
Abstract: Foundation models, such as CLIP, GPT, and Stable Diffusion, are neural networks pre-trained on a large amount of unlabeled data and can be used to build various downstream intelligent applications. However, these foundation models may be leaked to and/or misused by unauthorized parties, leading to severe consequences such as the generation and propagation of disinformation and sensitive, not-safe-for-work content. To address this issue, in this work, we propose FMLock, the first framework that can transform a foundation model into a locked one. Our locked foundation model aims to achieve two goals: 1) it produces a high-quality output for an input embedded with a particular secret key sampled from a large key space, but 2) it produces a low-quality output for an input without the secret key. An authorized party has access to the secret key, while an unauthorized party does not, preventing it from leveraging the foundation model even if it has access to the model parameters. Our empirical evaluation results show that FMLock achieves the two goals. Moreover, we show that our FMLock is robust against adaptive attacks, in which an unauthorized party uses a randomly guessed secret key or reverse engineers the secret key. In particular, we theoretically show that, with high probability, a locked foundation model produces low-quality outputs for inputs embedded with a secret key sampled from the key space uniformly at random.
Supplementary Material: pdf
Primary Area: societal considerations including fairness, safety, privacy
Code Of Ethics: I acknowledge that I and all co-authors of this work have read and commit to adhering to the ICLR Code of Ethics.
Submission Guidelines: I certify that this submission complies with the submission instructions as described on https://iclr.cc/Conferences/2024/AuthorGuide.
Anonymous Url: I certify that there is no URL (e.g., github page) that could be used to find authors' identity.
No Acknowledgement Section: I certify that there is no acknowledgement section in this submission for double blind review.
Submission Number: 323