DNNobfus: A Study on an Obfuscation-Based Edge-Side Model Protection Framework
SONG Feiyang 1, ZHAO Xinmiao 1, YAN Fei 1, CHENG Binlin 2, ZHANG Liqiang 1, YANG Xiaolin 3, WANG Yang 4
Author Information
- 1. Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Wuhan 430072, Hubei, China
- 2. School of Cyber Science and Technology, Shandong University, Qingdao 266237, Shandong, China
- 3. Inspur Smart Technology Co., Ltd., Jinan 250101, Shandong, China
- 4. Shandong Inspur Science Research Institute Co., Ltd., Jinan 250101, Shandong, China
Abstract
The proliferation of artificial intelligence models has rendered them vulnerable to a myriad of security threats. The extensive integration of deep learning models into edge devices has introduced novel security challenges. Given the analogous structural characteristics of deep neural networks, adversaries can employ decompilation tactics to extract model structural details and parameters, facilitating the reconstruction of these models. Such actions can compromise the intellectual property rights of the model and increase the risk of white-box attacks. To mitigate the capability of model decompilers to locate and identify model operators, acquire parameters, and parse network topologies, an obfuscation framework embedded within the model compilation process was proposed to safeguard against model extraction attacks. During the frontend optimization phase of deep learning compilers, three obfuscation techniques were designed and implemented: operator obfuscation, parameter obfuscation, and network topology obfuscation. The framework introduces opaque predicates, inserts fake control flow, and adds redundant memory accesses to thwart the reverse-engineering efforts of model decompilers. Experimental results demonstrate that the proposed framework, DNNobfus, significantly diminishes the accuracy of state-of-the-art model decompilation tools in identifying model operator types and network connections, to 21.63% and 48.24%, respectively. Additionally, DNNobfus achieves an average time efficiency of 67.93% and an average space efficiency of 88.37%, surpassing the obfuscation tool Obfuscator-LLVM in both respects.
Keywords
artificial intelligence safety / code obfuscation / reverse engineering / model protection
Funding
Major Research Program of Hubei Province (2023BAA027)
National Natural Science Foundation of China (62172144)
National Key Research and Development Program of China (2022YFB3103804)
Publication Year
2024