Passport-aware Normalization for Deep Model Protection

Authors: Jie Zhang, Dongdong Chen, Jing Liao, Weiming Zhang, Gang Hua, Nenghai Yu

NeurIPS 2020

| Reproducibility Variable | Result | LLM Response |
| --- | --- | --- |
| Research Type | Experimental | Through extensive experiments, we verify its effectiveness in both image and 3D point recognition models. It is demonstrated to be robust not only to common attack techniques like fine-tuning and model compression, but also to ambiguity attacks. To demonstrate the effectiveness and superiority of our method, we apply the proposed passport-aware normalization on two representative tasks: image classification on the CIFAR10 and CIFAR100 [22] dataset, and 3D point recognition on the ModelNet [23] and ShapeNet [24] dataset. |
| Researcher Affiliation | Collaboration | Jie Zhang¹ (zjzac@mail.ustc.edu.cn), Dongdong Chen² (cddlyf@gmail.com), Jing Liao³ (jingliao@cityu.edu.hk), Weiming Zhang¹ (zhangwm@ustc.edu.cn), Gang Hua⁴ (ganghua@gmail.com), Nenghai Yu¹ (ynh@ustc.edu.cn). ¹University of Science and Technology of China; ²Microsoft Cloud AI; ³City University of Hong Kong; ⁴Wormpex AI Research |
| Pseudocode | No | The paper describes the proposed method mathematically and verbally, but does not include any pseudocode or clearly labeled algorithm blocks. |
| Open Source Code | No | The paper does not provide a specific link or explicit statement indicating the release of open-source code for the described methodology. |
| Open Datasets | Yes | To demonstrate the effectiveness and superiority of our method, we apply the proposed passport-aware normalization on two representative tasks: image classification on the CIFAR10 and CIFAR100 [22] dataset, and 3D point recognition on the ModelNet [23] and ShapeNet [24] dataset. |
| Dataset Splits | No | The paper mentions a 'train-val convergence curve,' implying the use of a validation set, but it does not provide specific details on the dataset splits (e.g., percentages or exact counts) for training, validation, and testing. |
| Hardware Specification | No | The paper does not provide any specific details about the hardware (e.g., GPU models, CPU types, or cloud computing resources) used to run the experiments. |
| Software Dependencies | No | The paper discusses different network architectures and normalization layers, but it does not specify any software dependencies with version numbers (e.g., specific versions of deep learning frameworks or libraries). |
| Experiment Setup | Yes | The objective loss function of our method mainly consists of three different parts: the task-related loss for the original target model, optional trigger-set based IP protection loss and passport signature regularization loss. $\sum_{\{X_s,Y_s\}} L(M(x), y) + \lambda_1 \sum_{\{X_t,Y_t\}} L(M(x), y) + \lambda_2 \sum_{x \in \{\gamma,\beta\}} \max(\alpha_0 - b^{gt,l}_{p_x,i}\, w^{l}_{p_x,i}, 0)$, (6) where $L$ is the task-related loss function like the cross-entropy loss used in classification. $b^{gt,l}_{p_x,i} \in \{-1, 1\}$ is ith bit of the pre-defined ground truth passport signature at layer $l$ and $\alpha_0$ is a small positive constant that encourages $w^{l}_{p_x,i}$ to be larger than $\alpha_0$. As for trigger-set, we adopt a similar setting mentioned in [10]. That is, we use about 100 images/points not belonging to the target dataset as the trigger set for all tasks. Though the passport-aware and passport-free branch are trained alternatively by default, experimental results show that they can also be trained simultaneously with similar performance. For the training cost, it indeed depends on the ratio of the passport-aware branch activated in every training epoch. We further replace the default ratio 50% by a lower ratio 10%. |