UM E-Theses Collection (澳門大學電子學位論文庫)

Title

Access control of deep neural networks

English Abstract

Deep Neural Networks (DNNs) are widely used in fields such as entertainment, medicine, and transportation. Building a successful CNN model is not a trivial task; it usually requires substantial investment of expertise, time, and resources. To encourage healthy business investment and competition, it is crucial to protect the intellectual property (IP) of CNN models by preventing unauthorized access to them. On the other hand, although DNNs have achieved state-of-the-art performance on a wide range of tasks, including image classification and speech recognition, their security is seriously challenged by malicious access using adversarial examples (AEs). AEs are normal inputs (such as natural images or speech signals) manipulated with imperceptible noise, yet able to cause severe errors in the model output. Together, these two access problems considerably hinder both the commercial application and the security of DNNs, which motivates us to design a framework for controlling access to DNNs.

As the first line of defense, this thesis proposes a selective encryption (SE) algorithm to protect CNN models from unauthorized access, with the distinctive feature of providing hierarchical services to users. The algorithm first selects important model parameters via the proposed Probabilistic Selection Strategy (PSS). It then encrypts the most important of these with a purpose-designed encryption method called Distribution Preserving Random Mask (DPRM), so as to maximize performance degradation while encrypting only a very small portion of the model parameters. This work also designs a set of access permissions, each of which allows a different amount of the most important parameters to be decrypted; different levels of model performance can thus be offered to different users.

Even an authorized user may be malicious and attempt to attack the DNN with AEs. This thesis therefore also proposes the Sensitivity Inconsistency Detector (SID) as the second line of defense. The detector is derived from an important observation: normal examples (NEs) are insensitive to fluctuations in the highly curved regions of the decision boundary, whereas AEs, which are typically crafted in a single domain (mostly the spatial domain), are exorbitantly sensitive to such fluctuations. Along this line, we design a second classifier (the dual classifier) with a transformed decision boundary, which is used together with the original classifier (the primal classifier) to detect AEs by virtue of this sensitivity inconsistency.

Once the adversarial detector has captured the AEs of malicious users, we further analyze them to guide the design of robust DNNs in the future. We observe that existing attackers generally produce AEs from a continuous perspective. Such continuous AEs conflict with some real scenarios: adversarial images, for example, should be digital images in the discrete domain. Continuous AEs therefore typically have to be discretized, which inevitably degrades their attack capability. According to our analysis, this degradation is attributable to the pronounced difference between continuous AEs and their discrete counterparts. To overcome this limitation, we propose a novel adversarial attack called Discrete Attack (DATK), which produces continuous AEs that lie very close to their discrete versions. Owing to the negligible distance between the two, the resulting discrete AEs retain the full attack capability of the continuous AEs without extra distortion overhead. More precisely, DATK generates AEs from a novel perspective by directly modeling adversarial perturbations (APs) as discrete random variables, so that the AE generation problem reduces to estimating the distribution of the discrete APs. Since this problem is typically non-differentiable, we relax it with the proposed reparameterization tricks and obtain an approximate continuous distribution of the discrete APs. With such powerful AEs that conform to real scenarios, we can potentially improve adversarial training techniques for building robust DNNs, because existing techniques are generally based on continuous AEs.
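To make the selective-encryption idea in the abstract concrete, here is an added toy illustration in Python. It is not the thesis's code, and the abstract does not specify how PSS or DPRM work, so the following are assumptions: magnitude ranking stands in for the Probabilistic Selection Strategy, a keyed permutation of the selected parameter values (which leaves the weight histogram unchanged) stands in for the Distribution Preserving Random Mask, per-tier keys are derived from a master key with HMAC-SHA256, and the linear model, the evaluation data and the key are all constructed for the demo.

```python
import hashlib
import hmac
import random

# Constructed toy "model": a linear classifier whose first eight weights dominate the
# decision. It stands in for a trained DNN (assumption, demo only).
MODEL_WEIGHTS = [8.0, -7.0, 6.0, -5.0, 4.0, -3.0, 2.0, -1.0] + \
                [(-1) ** i * 0.02 * (i + 1) for i in range(24)]


def predict(weights, x):
    """Binary decision of the linear model."""
    return 1 if sum(w * v for w, v in zip(weights, x)) > 0 else 0


def make_dataset(weights, n=400, seed=7):
    """Constructed evaluation set. Labels come from the unencrypted model itself, so the
    clear model scores 100% and any drop below that is caused by the masking."""
    rng = random.Random(seed)
    xs = [[rng.uniform(-1.0, 1.0) for _ in weights] for _ in range(n)]
    return xs, [predict(weights, x) for x in xs]


def accuracy(weights, xs, ys):
    return sum(predict(weights, x) == y for x, y in zip(xs, ys)) / len(ys)


def select_important(weights, fraction):
    """Stand-in for PSS (assumption): rank parameters by magnitude, keep the top fraction,
    most important first."""
    k = max(2, int(round(len(weights) * fraction)))
    return sorted(range(len(weights)), key=lambda i: -abs(weights[i]))[:k]


def split_tiers(indices, n_tiers):
    """Hierarchical permissions: tier 0 holds the most important parameters, tier 1 the
    next block, and so on. A tier needs at least two parameters to be scrambled at all."""
    size = -(-len(indices) // n_tiers)  # ceiling division
    tiers = [indices[t * size:(t + 1) * size] for t in range(n_tiers)]
    if any(len(t) < 2 for t in tiers):
        raise ValueError("every tier needs at least two parameters")
    return tiers


def derive_tier_keys(master_key, n_tiers):
    """One key per tier, derived from the owner's master key (assumption: HMAC-SHA256)."""
    return [hmac.new(master_key, b"tier-key:%d" % t, hashlib.sha256).digest()
            for t in range(n_tiers)]


def tier_permutation(key, n):
    """Keyed permutation of n positions: Fisher-Yates driven by an HMAC-seeded PRNG.
    If the draw is the identity it is replaced by a one-step rotation, so the tier is
    always scrambled. Mersenne Twister is used only because this is a stdlib demo."""
    seed = int.from_bytes(hmac.new(key, b"perm", hashlib.sha256).digest(), "big")
    perm = list(range(n))
    random.Random(seed).shuffle(perm)
    if perm == list(range(n)):
        perm = perm[1:] + perm[:1]
    return perm


def invert(perm):
    inv = [0] * len(perm)
    for j, p in enumerate(perm):
        inv[p] = j
    return inv


def apply_permutation(weights, indices, perm):
    """DPRM stand-in (assumption): the values at the selected positions are permuted among
    those positions. The multiset of parameter values, hence the weight histogram, is
    unchanged, but which position carries which value is scrambled."""
    out = list(weights)
    vals = [weights[i] for i in indices]
    for j, i in enumerate(indices):
        out[i] = vals[perm[j]]
    return out


def encrypt_model(weights, master_key, fraction=0.25, n_tiers=2):
    """Encrypt only the top `fraction` of parameters, split into `n_tiers` permission levels."""
    tiers = split_tiers(select_important(weights, fraction), n_tiers)
    keys = derive_tier_keys(master_key, n_tiers)
    enc = list(weights)
    for idx, key in zip(tiers, keys):
        enc = apply_permutation(enc, idx, tier_permutation(key, len(idx)))
    return enc, tiers, keys


def decrypt_model(enc, tiers, granted_keys):
    """A user granted the keys of tiers 0..m-1 restores exactly those tiers; tiers the user
    was not granted stay scrambled, which yields a lower service level."""
    dec = list(enc)
    for idx, key in zip(tiers, granted_keys):
        dec = apply_permutation(dec, idx, invert(tier_permutation(key, len(idx))))
    return dec


def demo():
    xs, ys = make_dataset(MODEL_WEIGHTS)
    master = b"constructed master key, demo only"
    enc, tiers, keys = encrypt_model(MODEL_WEIGHTS, master)
    return {
        "fraction_encrypted": sum(len(t) for t in tiers) / len(MODEL_WEIGHTS),
        "histogram_preserved": sorted(enc) == sorted(MODEL_WEIGHTS),
        "encrypted_differs": enc != MODEL_WEIGHTS,
        "weights_restored": decrypt_model(enc, tiers, keys) == MODEL_WEIGHTS,
        "acc_clear": accuracy(MODEL_WEIGHTS, xs, ys),
        "acc_no_key": accuracy(enc, xs, ys),
        "acc_tier0_key": accuracy(decrypt_model(enc, tiers, keys[:1]), xs, ys),
        "acc_all_keys": accuracy(decrypt_model(enc, tiers, keys), xs, ys),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the script prints the accuracy of the clear model, of the encrypted model with no key, with only the tier-0 key, and with every key, together with checks that only a quarter of the parameters were touched, that the weight histogram is unchanged, and that the full key set restores the original weights exactly. Two caveats a practitioner should keep in mind: permuting values within a small index set has a key space of only n! per tier, so a real scheme needs a mask with proper key entropy driven by a real keyed PRP rather than Python's PRNG; and the selected index set has to be treated as part of the secret, since an attacker who knows which positions were scrambled can brute-force a small permutation by trying candidates against a validation set.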

Issue date

2022.

Author

Tian, Jin Yu

Faculty

Faculty of Science and Technology

Department

Department of Computer and Information Science

Degree

Ph.D.

Subject

Artificial intelligence

Optical pattern recognition

Intellectual property

Supervisor

Zhou, Jian Tao

Files In This Item

Full-text (Intranet only)

Location

1/F Zone C

Library URL

991010069818106306