CN-122027368-A - Active defense and access control method for deep learning model
Abstract
S1, generating a scalar license sequence based on a secret key parameter, dividing the training rounds into a plurality of stages, holding the stage index constant within a stage and reading the license value at the corresponding index of the license sequence; S2, constructing an authorized channel set by combining a static channel-importance evaluation with channel chaos scores, and generating an authorized mask and an unauthorized mask from it; S3, computing an authorized task loss and an unauthorized confusion loss and optimizing them jointly, while resetting and gradient-freezing the parameters of the authorized channel set at the beginning of each training stage; S4, at deployment and inference time, the authorized end reconstructs the license sequence from the shared secret key and generates the authorized mask for inference, whereas the unauthorized end suffers degraded output performance. The invention improves robustness against adaptive attacks and maintains the gap between authorized and unauthorized performance.
Inventors
- LI CHENGQING
- Zheng Lingxin
- LIU QIANG
- SUN YUHUA
Assignees
- Xiangtan University (湘潭大学)
Dates
- Publication Date
- 20260512
- Application Date
- 20260414
Claims (5)
- 1. An active defense and access control method for a deep learning model, comprising the steps of: S1, generating a deterministic scalar license sequence by Chebyshev chaotic mapping based on a private key parameter, dividing the training rounds into a plurality of stages according to a preset stage length, keeping the stage index constant within a stage, and reading the license value at the corresponding index of the license sequence; S2, constructing a stage-dependent authorized channel set from a static channel-importance evaluation and from channel chaos scores obtained by index mapping into the license sequence, and generating an authorized mask and an unauthorized mask from the authorized channel set so as to modulate the feature propagation path; S3, computing an authorized task loss and an unauthorized confusion loss on the same batch of data and optimizing them jointly, while resetting and gradient-freezing the parameters of the authorized channel set at the beginning of each training stage, so that the effective function of the model is bound to the license condition and a protected model is obtained; and S4, when the protected model is deployed for inference, the authorized end reconstructs the license sequence from the shared secret key and generates the authorized mask for inference, whereas the unauthorized end cannot generate a valid mask consistent with the stage and its output performance degrades.
- 2. The active defense and access control method for a deep learning model according to claim 1, wherein step S1 specifically comprises: S1.1, setting a private key: the model provider selects a private key parameter, which is shared with an authorized party under authorized conditions and is used to reproduce the same license sequence at the deployment end; the private key parameter comprises a chaos order n and an initial state x_0, wherein n is an integer with n ≥ 2 and x_0 ∈ [-1, 1]; S1.2, chaotic iteration and transformation: iterating according to the Chebyshev chaotic map x_{t+1} = T_n(x_t) = cos(n · arccos(x_t)), wherein x_t ∈ [-1, 1] is the chaotic state before the iteration and x_{t+1} ∈ [-1, 1] is the chaotic state after it, to generate the original chaotic sequence {x_t}, t = 1, 2, ..., L, where L is a preset sequence length; and mapping {x_t} onto a preset numerical range [a, b] by the affine transformation c_t = a + (x_t + 1)(b - a)/2 to form the license sequence {c_t}, wherein a < b are preset mapping boundaries; S1.3, deterministic reading of the license sequence: {c_t} is stored as an indexable data structure of length L supporting random access in O(1) time, so that the deployment end and the training end reproduce the same license value from the same key and index t; S1.4, stage synchronization: the training process is divided into segments of fixed span k, each segment being one stage whose stage index is derived from the training round and k, wherein E is the total number of training rounds; at the beginning of each stage a license value is read from {c_t} and held constant for all training rounds of that stage; within a stage, a deterministic index mapping function seeded by the stage index computes, for layer ℓ and channel c, a read index into the same license sequence {c_t}, and the license value at that index is taken as the channel chaos score used to build the stage-dependent authorized channel set.
- 3. The active defense and access control method for a deep learning model according to claim 1, wherein step S2 specifically comprises: S2.1, target layer and static evaluation: selecting one or more target layers of the pre-trained model, with ℓ denoting the layer index; for each target layer, computing a static importance score for each channel from an absolute-value statistic of its pre-trained weights, the statistic being one of the L1 norm, the L2 norm or the mean, and normalizing the scores so as to eliminate scale differences between layers; S2.2, constructing the authorized channel set: given the total number of channels of the ℓ-th layer, setting the channel selection coefficient γ and the stage locking proportion, and determining the number of authorized channels from them, wherein the scaling factor is a preset constant or a preset scheduling value; the authorized channel set is the union of a core set, determined by static importance, and a dynamic expansion set, determined by channel chaos scores; S2.3, constructing the dynamic expansion set: computing channel chaos scores from the license sequence {c_t} and, among the channels not in the core set, performing top-K selection or deterministic sampling on the chaos scores to form the dynamic expansion set, so that the authorized channel set is license-sensitive and reproducible; S2.4, mask generation and modulation: generating an authorized mask and an unauthorized mask from the authorized channel set, each mask being a vector with the same dimension as the channel axis of the feature map; the authorized mask assigns a first modulation value to channels belonging to the authorized channel set and a second modulation value to channels not belonging to it; the unauthorized mask assigns a third preset value to the channels and superposes a perturbation; in forward propagation the mask is multiplied element-wise, channel by channel, with the output feature map of the layer, thereby modulating the feature propagation path.
- 4. The active defense and access control method for a deep learning model according to claim 3, wherein the target layer is a convolutional layer or a fully connected layer; when the target layer is a fully connected layer, the static importance score is computed from the absolute-value statistic of the weight vector of each output neuron; the core set takes the channels with the highest static importance, β being the importance core ratio, β ∈ [0, 1]; the dynamic expansion set is formed by excluding the core set and selecting from the remaining channels on the basis of the deterministic chaos score, so that the authorized channel set reaches the required number of channels.
- 5. The active defense and access control method for a deep learning model according to claim 1, wherein step S3 specifically comprises: S3.1, training on the target task data set with the total number of training rounds E, the stage length k, the channel selection coefficient γ, the stage locking proportion, the importance core ratio β, the loss weight w_auth and the balance coefficient α(e), wherein α(e) is a preset constant or a scheduling value that varies with the training round; S3.2, determining the stage and the authorized channel set: when training round e enters a stage, determining the stage index, reading the corresponding license value from the license sequence {c_t}, and constructing the authorized mask and the unauthorized mask of each protected layer according to step S2; S3.3, structure-sensitive gradient freezing: at the beginning of each training stage, locking the parameter subset consisting of the weight parameters of the ℓ-th layer associated with the output channels in the authorized channel set, resetting them to the pre-trained baseline weights with a small random perturbation superposed to form the lock initialization, and during back propagation applying gradient freezing to this subset by forcing its gradient to zero or multiplying the gradient by a gradient mask, so that the locked parameters are not updated during the lock period; S3.4, two-state training: for each batch of training data (x, y), executing an authorized forward branch and an unauthorized forward branch and then performing joint optimization: S3.4.1, authorized forward branch: forward propagation under the authorized mask, computing the authorized task loss L_lic; S3.4.2, unauthorized forward branch: forward propagation under the unauthorized mask, with the model placed in evaluation mode during this branch so that the batch normalization statistics are not polluted by it, computing the confusion loss L_un, wherein u is the uniform distribution; S3.4.3, joint optimization: constructing the total loss L_total = w_auth · L_lic + α(e) · L_un, performing back propagation and parameter updates while the frozen parameters remain unchanged; obtaining the protected model parameters after training.
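The following is an added example, not code from the patent or its inventors, that walks through claims 1 to 5 in plain Python: license sequence generation from the key (n, x_0) (S1.2), the affine map to [a, b], stage synchronization (S1.4), static importance (S2.1), the core/expansion split of the authorized channel set (S2.2, S2.3, claim 4), the two masks (S2.4), the gradient mask for the locked channels (S3.3) and the loss combination of S3.4. The patent leaves several pieces as presets or as symbols lost in this copy, so the following are assumptions made here: the stage index is epoch // k, the index mapping from (stage, layer, channel) into the sequence is a fixed modular hash, the number of authorized channels is ceil(γ·K), the mask preset values default to 1.0 / 1.0 / 0.0 with a ±0.05 license-derived perturbation, and the confusion loss is the cross-entropy against the uniform distribution. The weights and logits in the demo are constructed, not from any model.

```python
# Added example (not the patent's code): license-keyed channel masking of claims 1-5.
# Forms marked "assumed" are illustrative choices where the patent leaves a preset.
import math


def chebyshev_sequence(n: int, x0: float, length: int) -> list:
    """S1.2: iterate the Chebyshev map x_{t+1} = cos(n * arccos(x_t)) from key (n, x0)."""
    if n < 2 or not -1.0 <= x0 <= 1.0:
        raise ValueError("key must satisfy n >= 2 and x0 in [-1, 1]")
    xs, x = [], x0
    for _ in range(length):
        x = math.cos(n * math.acos(x))
        x = max(-1.0, min(1.0, x))  # guard against rounding just outside [-1, 1]
        xs.append(x)
    return xs


def license_sequence(n: int, x0: float, length: int, a: float = 0.0, b: float = 1.0) -> list:
    """S1.2: affine map c_t = a + (x_t + 1)(b - a)/2 onto the preset range [a, b]."""
    if not a < b:
        raise ValueError("mapping boundaries must satisfy a < b")
    return [a + (x + 1.0) * (b - a) / 2.0 for x in chebyshev_sequence(n, x0, length)]


def phase_index(epoch: int, k: int) -> int:
    """S1.4: rounds are grouped into stages of span k (assumed: stage = epoch // k)."""
    return epoch // k


def phase_license(lic: list, phase: int) -> float:
    """S1.4: the stage's license value, read once and held for the whole stage."""
    return lic[phase % len(lic)]


def chaos_score(lic: list, phase: int, layer: int, channel: int) -> float:
    """S1.4: deterministic index mapping (assumed form) from (stage, layer, channel)
    to a read index; the license value found there is the channel's chaos score."""
    idx = (phase * 7919 + layer * 104729 + channel) % len(lic)
    return lic[idx]


def static_importance(weights: list) -> list:
    """S2.1: per-output-channel L1 norm of pre-trained weights, normalised by the max."""
    scores = [sum(abs(w) for w in row) for row in weights]
    top = max(scores) or 1.0
    return [s / top for s in scores]


def authorized_channel_set(imp: list, lic: list, phase: int, layer: int,
                           gamma: float, beta: float) -> tuple:
    """S2.2-S2.3 / claim 4: m = ceil(gamma * K) authorized channels (assumed form);
    core = top ceil(beta * m) by static importance, expansion = top (m - |core|)
    by chaos score among the remaining channels.  Ties break on channel index."""
    K = len(imp)
    m = math.ceil(gamma * K)
    n_core = math.ceil(beta * m)
    ranked = sorted(range(K), key=lambda c: (-imp[c], c))
    core, rest = ranked[:n_core], ranked[n_core:]
    rest.sort(key=lambda c: (-chaos_score(lic, phase, layer, c), c))
    return sorted(core), sorted(rest[:m - n_core])


def masks(K: int, auth: list, lic: list, phase: int, layer: int, first: float = 1.0,
          second: float = 1.0, third: float = 0.0, eps: float = 0.05) -> tuple:
    """S2.4: authorized mask = first on A, second elsewhere; unauthorized mask = third plus
    a license-derived perturbation on A, 1.0 elsewhere (preset values are assumptions)."""
    a_set = set(auth)
    m_auth = [first if c in a_set else second for c in range(K)]
    m_un = [third + eps * (2.0 * chaos_score(lic, phase, layer, c) - 1.0) if c in a_set
            else 1.0 for c in range(K)]
    return m_auth, m_un


def modulate(feature: list, mask: list) -> list:
    """S2.4: channel-wise multiplication of a (K, H, W) feature map by a length-K mask."""
    return [[[v * m for v in row] for row in ch] for ch, m in zip(feature, mask)]


def gradient_mask(K: int, auth: list) -> list:
    """S3.3: zero the gradient of parameters belonging to locked (authorized) channels."""
    a_set = set(auth)
    return [0.0 if c in a_set else 1.0 for c in range(K)]


def confusion_loss(logits: list) -> float:
    """S3.4.2 (assumed form): cross-entropy H(u, softmax(z)) against the uniform target u,
    i.e. -(1/C) * sum_i log p_i; it is minimal (= log C) exactly when the output is uniform."""
    mx = max(logits)
    lse = mx + math.log(sum(math.exp(z - mx) for z in logits))
    return sum(lse - z for z in logits) / len(logits)


def total_loss(l_lic: float, l_un: float, w_auth: float, alpha_e: float) -> float:
    """S3.4.3: L_total = w_auth * L_lic + alpha(e) * L_un."""
    return w_auth * l_lic + alpha_e * l_un


if __name__ == "__main__":
    KEY = (3, 0.123)                                   # (n, x0): provider's shared secret
    lic = license_sequence(*KEY, 64)                   # L = 64
    weights = [[(c + 1) * s for s in (1.0, -1.0, 1.0)] for c in range(8)]  # constructed
    imp = static_importance(weights)
    p = phase_index(epoch=7, k=3)
    core, expand = authorized_channel_set(imp, lic, p, layer=1, gamma=0.5, beta=0.5)
    A = core + expand
    m_auth, m_un = masks(8, A, lic, p, layer=1)
    print("stage", p, "license", round(phase_license(lic, p), 4), "A =", A)
    print("grad mask", gradient_mask(8, A), "unauth mask", [round(v, 3) for v in m_un])
    print("L_un uniform", round(confusion_loss([0.0] * 4), 4),
          "peaked", round(confusion_loss([5.0, 0.0, 0.0, 0.0]), 4))
```

Two practical points follow from the construction. The whole scheme rests on S1.3: the deployment end must regenerate bit-identical license values, but the key is a floating-point state pushed through cos and arccos, and the Chebyshev map amplifies any rounding difference by roughly a factor n per step, so training and inference must agree on floating-point semantics (same libm, same precision) or the sequence must be shipped as stored data rather than recomputed. Second, the confusion loss above is bounded below by log C and reaches it only at a uniform output, which is what makes it a usable training signal for the unauthorized branch; with α(e) scheduled too high early on, the frozen authorized channels alone have to carry the task, so the schedule and the lock proportion are the knobs that trade authorized accuracy against unauthorized degradation.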
Description
Active defense and access control method for deep learning model
Technical Field
The invention belongs to the technical field of artificial intelligence security and model intellectual property protection. It relates in particular to an active defense and access control method for a deep learning model, and especially to such a method for distributed deployment on edge devices and in AIoT scenarios, which limits the inference capability of the model when it is obtained or copied without authorization while keeping the model fully usable under authorized conditions.
Background
With the deep fusion of artificial intelligence and the Internet of Things, deep learning models are widely deployed in scenarios such as industrial control, intelligent driving, security monitoring and telemedicine. Unlike traditional centralized cloud inference, AIoT scenarios usually require distributing compressed and optimized lightweight models to a large number of edge terminals for local inference in order to reduce latency and bandwidth overhead. However, the edge terminal is usually physically accessible or runs in an untrusted environment, so model parameters and the execution flow are more easily exposed to potential attackers, leading to intellectual property risks such as model theft, illegal copying, secondary distribution and abuse. After obtaining the model file, an attacker can further extract model weights or intermediate features by dynamic debugging, memory dumps, interface hijacking and similar means, and can fine-tune, distill or prune the model on their own data in order to bypass the existing protection logic and restore the usability of the model.
For the above risks, existing model intellectual property protection and access control schemes can be broadly divided into the following categories: (1) Passive verification schemes such as watermarks and fingerprints, which achieve post-hoc traceability by embedding verifiable information in model parameters or output behavior. Such schemes typically focus on establishing rights and evidence, but they cannot block the infringement in real time as it occurs, and the embedded information may be weakened or removed by fine-tuning, pruning, statistical elimination and similar operations. (2) Hardware isolation schemes, which rely on a trusted execution environment or dedicated security hardware so that model inference runs inside a protected region. These schemes are strongly secure, but depend heavily on the terminal hardware and system ecosystem, have a high cost and deployment threshold, and scale poorly in heterogeneous large-scale AIoT environments. (3) Cryptographic or encrypted-inference schemes, which protect model parameters and input/output privacy through homomorphic encryption, encrypted weights or encrypted inference procedures. These schemes generally introduce significant computation and energy overhead and struggle to meet the real-time inference requirements of resource-constrained edge devices. (4) Model-internal lock or structure-binding schemes, which introduce key-dependent parameters, normalization branches or neuron-path control into the network structure, so that the model retains high accuracy only when a specific key condition is satisfied.
Such schemes have the advantages of not requiring dedicated hardware and of needing only relatively lightweight structural modification, but when facing an adaptive attacker who uses low-cost fine-tuning (gradient overwriting), pruning with retraining, or reverse-engineered key inference, they risk either a drop in authorized accuracy or a recovery of unauthorized accuracy, so the protection effect is unstable. There is therefore a need for an active defense and access control method for deep learning models.
Disclosure of Invention
The invention aims to provide an active defense and access control method for a deep learning model, in order to solve the following problems: an unauthorized party that acquires a model can directly infer with it or recover its usability through low-cost fine-tuning or pruning, and blocking in advance is difficult; some protection schemes depend on dedicated hardware or cryptography, causing a high deployment threshold and high inference cost; and the existing lightweight endogenous model-lock schemes struggle to balance authorized accuracy, the degree of unauthorized degradation and resistance to adaptive attacks. In order to achieve the above object, the present invention provides an active defense and access control method for a deep learning model, comprising the steps of: S1, generating a deterministic scalar license sequence by Chebyshev chaotic mapping based on a private key parameter, dividing the training rounds into a plurality of stages according to a preset stage length, keeping the stage index constant within a stage, and reading lice