PUF-Based Intellectual Property Protection for CNN Model

Dawei Li; Yangkun Ren; Di Liu; Zhenyu Guan; Qianyun Zhang; Yanzhao Wang; Jianwei Liu

doi:10.1007/978-3-031-10989-8_57

PUF-Based Intellectual Property Protection for CNN Model

Dawei Li
, Yangkun Ren
, Di Liu
, Zhenyu Guan^*
, Qianyun Zhang
, Yanzhao Wang
, Jianwei Liu

^*Corresponding author for this work

School of Cyber Science and Technology

Beihang University
Ltd.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

7 Scopus citations

Abstract

It usually takes a lot of time and resources to train a high-accurate Machine Learning model, so it is believed that the trainer owns the Intellectual Property (IP) of the model. With the help of various computing accelerators, a Machine Learning model can run on FPGAs, and model providers render services by selling FPGAs with models embedded. Unauthorized copying of the model infringes the owner’s copyrights, so there is an urgent need for the effective protection of model IP. In this paper, we propose a Physical Unclonable Function (PUF) based CNN model IP protection scheme. Before selling the model, the model providers confuse the parameters of the model with the response of a PUF, then embed the confused model into the FPGA where the PUF is. In this way, the protected model can get correct results only if running on the specific FPGA. Experimental results show that the performance difference between the confused model and the original model is negligible, and it is difficult for the adversary to get the correct parameters. Our approach effectively protects the IP of the model by restricting the model to only run on the specified FPGA and is easily extended to other models with convolutional layers and linear fully connected layers.

Original language	English
Title of host publication	Knowledge Science, Engineering and Management - 15th International Conference, KSEM 2022, Proceedings
Editors	Gerard Memmi, Baijian Yang, Linghe Kong, Tianwei Zhang, Meikang Qiu
Publisher	Springer Science and Business Media Deutschland GmbH
Pages	722-733
Number of pages	12
ISBN (Print)	9783031109881
DOIs	https://doi.org/10.1007/978-3-031-10989-8_57
State	Published - 2022
Event	15th International Conference on Knowledge Science, Engineering and Management, KSEM 2022 - Singapore, Singapore Duration: 6 Aug 2022 → 8 Aug 2022

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	13370 LNAI
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	15th International Conference on Knowledge Science, Engineering and Management, KSEM 2022
Country/Territory	Singapore
City	Singapore
Period	6/08/22 → 8/08/22

Keywords

CNN
FPGA
IP protection
Machine learning
PUF

Access to Document

10.1007/978-3-031-10989-8_57

Cite this

Li, D., Ren, Y., Liu, D., Guan, Z., Zhang, Q., Wang, Y., & Liu, J. (2022). PUF-Based Intellectual Property Protection for CNN Model. In G. Memmi, B. Yang, L. Kong, T. Zhang, & M. Qiu (Eds.), Knowledge Science, Engineering and Management - 15th International Conference, KSEM 2022, Proceedings (pp. 722-733). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 13370 LNAI). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-031-10989-8_57

Li, Dawei ; Ren, Yangkun ; Liu, Di et al. / PUF-Based Intellectual Property Protection for CNN Model. Knowledge Science, Engineering and Management - 15th International Conference, KSEM 2022, Proceedings. editor / Gerard Memmi ; Baijian Yang ; Linghe Kong ; Tianwei Zhang ; Meikang Qiu. Springer Science and Business Media Deutschland GmbH, 2022. pp. 722-733 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{573341d10a244d25b5ee6a046cf74dbc,

title = "PUF-Based Intellectual Property Protection for CNN Model",

abstract = "It usually takes a lot of time and resources to train a high-accurate Machine Learning model, so it is believed that the trainer owns the Intellectual Property (IP) of the model. With the help of various computing accelerators, a Machine Learning model can run on FPGAs, and model providers render services by selling FPGAs with models embedded. Unauthorized copying of the model infringes the owner{\textquoteright}s copyrights, so there is an urgent need for the effective protection of model IP. In this paper, we propose a Physical Unclonable Function (PUF) based CNN model IP protection scheme. Before selling the model, the model providers confuse the parameters of the model with the response of a PUF, then embed the confused model into the FPGA where the PUF is. In this way, the protected model can get correct results only if running on the specific FPGA. Experimental results show that the performance difference between the confused model and the original model is negligible, and it is difficult for the adversary to get the correct parameters. Our approach effectively protects the IP of the model by restricting the model to only run on the specified FPGA and is easily extended to other models with convolutional layers and linear fully connected layers.",

keywords = "CNN, FPGA, IP protection, Machine learning, PUF",

author = "Dawei Li and Yangkun Ren and Di Liu and Zhenyu Guan and Qianyun Zhang and Yanzhao Wang and Jianwei Liu",

note = "Publisher Copyright: {\textcopyright} 2022, The Author(s), under exclusive license to Springer Nature Switzerland AG.; 15th International Conference on Knowledge Science, Engineering and Management, KSEM 2022 ; Conference date: 06-08-2022 Through 08-08-2022",

year = "2022",

doi = "10.1007/978-3-031-10989-8\_57",

language = "英语",

isbn = "9783031109881",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Science and Business Media Deutschland GmbH",

pages = "722--733",

editor = "Gerard Memmi and Baijian Yang and Linghe Kong and Tianwei Zhang and Meikang Qiu",

booktitle = "Knowledge Science, Engineering and Management - 15th International Conference, KSEM 2022, Proceedings",

address = "德国",

}

Li, D, Ren, Y, Liu, D, Guan, Z , Zhang, Q, Wang, Y & Liu, J 2022, PUF-Based Intellectual Property Protection for CNN Model. in G Memmi, B Yang, L Kong, T Zhang & M Qiu (eds), Knowledge Science, Engineering and Management - 15th International Conference, KSEM 2022, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 13370 LNAI, Springer Science and Business Media Deutschland GmbH, pp. 722-733, 15th International Conference on Knowledge Science, Engineering and Management, KSEM 2022, Singapore, Singapore, 6/08/22. https://doi.org/10.1007/978-3-031-10989-8_57

PUF-Based Intellectual Property Protection for CNN Model. / Li, Dawei; Ren, Yangkun; Liu, Di et al.
Knowledge Science, Engineering and Management - 15th International Conference, KSEM 2022, Proceedings. ed. / Gerard Memmi; Baijian Yang; Linghe Kong; Tianwei Zhang; Meikang Qiu. Springer Science and Business Media Deutschland GmbH, 2022. p. 722-733 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 13370 LNAI).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - PUF-Based Intellectual Property Protection for CNN Model

AU - Li, Dawei

AU - Ren, Yangkun

AU - Liu, Di

AU - Guan, Zhenyu

AU - Zhang, Qianyun

AU - Wang, Yanzhao

AU - Liu, Jianwei

PY - 2022

Y1 - 2022

N2 - It usually takes a lot of time and resources to train a high-accurate Machine Learning model, so it is believed that the trainer owns the Intellectual Property (IP) of the model. With the help of various computing accelerators, a Machine Learning model can run on FPGAs, and model providers render services by selling FPGAs with models embedded. Unauthorized copying of the model infringes the owner’s copyrights, so there is an urgent need for the effective protection of model IP. In this paper, we propose a Physical Unclonable Function (PUF) based CNN model IP protection scheme. Before selling the model, the model providers confuse the parameters of the model with the response of a PUF, then embed the confused model into the FPGA where the PUF is. In this way, the protected model can get correct results only if running on the specific FPGA. Experimental results show that the performance difference between the confused model and the original model is negligible, and it is difficult for the adversary to get the correct parameters. Our approach effectively protects the IP of the model by restricting the model to only run on the specified FPGA and is easily extended to other models with convolutional layers and linear fully connected layers.

AB - It usually takes a lot of time and resources to train a high-accurate Machine Learning model, so it is believed that the trainer owns the Intellectual Property (IP) of the model. With the help of various computing accelerators, a Machine Learning model can run on FPGAs, and model providers render services by selling FPGAs with models embedded. Unauthorized copying of the model infringes the owner’s copyrights, so there is an urgent need for the effective protection of model IP. In this paper, we propose a Physical Unclonable Function (PUF) based CNN model IP protection scheme. Before selling the model, the model providers confuse the parameters of the model with the response of a PUF, then embed the confused model into the FPGA where the PUF is. In this way, the protected model can get correct results only if running on the specific FPGA. Experimental results show that the performance difference between the confused model and the original model is negligible, and it is difficult for the adversary to get the correct parameters. Our approach effectively protects the IP of the model by restricting the model to only run on the specified FPGA and is easily extended to other models with convolutional layers and linear fully connected layers.

KW - CNN

KW - FPGA

KW - IP protection

KW - Machine learning

KW - PUF

UR - https://www.scopus.com/pages/publications/85135038361

U2 - 10.1007/978-3-031-10989-8_57

DO - 10.1007/978-3-031-10989-8_57

M3 - 会议稿件

AN - SCOPUS:85135038361

SN - 9783031109881

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 722

EP - 733

BT - Knowledge Science, Engineering and Management - 15th International Conference, KSEM 2022, Proceedings

A2 - Memmi, Gerard

A2 - Yang, Baijian

A2 - Kong, Linghe

A2 - Zhang, Tianwei

A2 - Qiu, Meikang

PB - Springer Science and Business Media Deutschland GmbH

T2 - 15th International Conference on Knowledge Science, Engineering and Management, KSEM 2022

Y2 - 6 August 2022 through 8 August 2022

ER -

Li D, Ren Y, Liu D, Guan Z , Zhang Q, Wang Y et al. PUF-Based Intellectual Property Protection for CNN Model. In Memmi G, Yang B, Kong L, Zhang T, Qiu M, editors, Knowledge Science, Engineering and Management - 15th International Conference, KSEM 2022, Proceedings. Springer Science and Business Media Deutschland GmbH. 2022. p. 722-733. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-031-10989-8_57