Research On Neural Network IP Protection Method Based On Software Hardware Cooperation

Posted on: 2023-06-15
Degree: Master
Type: Thesis
Country: China
Candidate: H Z Liao
GTID: 2558307097979159
Subject: Computer Science and Technology
Abstract/Summary:
High-quality datasets, a large amount of training resources, and proficient parameter tuning skills are all prerequisites for training a high-performing deep model. However, many high-quality datasets are not publicly available for free, superior hardware resources are expensive, and a long model training cycle requires the deep involvement of parameter tuning personnel, all of which greatly increases the cost of model training. A trained model can therefore be treated as intellectual property (IP), and the model supplier can recover the training cost and earn a return by selling the right to use the model. However, malicious users may illegally copy, forward, or even tamper with the model, which harms the interests of model suppliers and end users. It is therefore necessary to design a safe and effective IP protection scheme for neural network models.

The current mainstream methods for IP protection of neural network models are watermarking and parameter encryption. Watermarking protects the IP of a neural network model only passively: when a model is stolen by an attacker, the model IP owner can use the watermark to detect infringement and initiate rights protection, but this results in higher rights protection costs. In addition, there are many methods for forging watermarks, so the effectiveness of watermarking is greatly challenged. Parameter encryption can provide active protection for the IP of a neural network model, and the capital cost of protection is low. However, there is relatively little research on parameter encryption at present, and several existing effective parameter encryption techniques have problems such as low security and high hardware and software overhead.

This paper therefore proposes a software-hardware cooperative neural network IP protection method. The main work includes the following points:

(1) To address the low security and complex implementation of current parameter encryption techniques, this paper uses model weight pruning to analyze the importance of the model parameters. A fine-grained partial parameter encryption method for Convolutional Neural Networks (CNNs) based on a Physical Unclonable Function (PUF) is proposed.

(2) Furthermore, in view of the large hardware overhead caused by encrypting all model parameters, this paper uses channel-based model pruning to perform a coarse-grained importance analysis of the model parameters. A coarse-grained, PUF-based partial parameter encryption method for CNNs is proposed.

For the two neural network model IP protection methods proposed in this paper, pruning threshold selection analysis, encryption effectiveness analysis, and security analysis are carried out. Experimental results show that they achieve lower overhead and higher security protection than existing methods.
Keywords/Search Tags:Neural Network Model, Intellectual Property, Parameter Encryption, Model Pruning, Security