US-12626133-B2 - Structural obfuscation for protecting deep learning models on edge devices
Abstract
A method for obfuscating deep learning (DL) models includes the step of training a DL model to obtain weights of operation (OP) layers in the trained DL model. The DL model includes an interface to a public application programming interface (API) that provides access to a compiler of an artificial intelligence (AI) processor. The method further includes the steps of obfuscating the DL model by changing a structure of the OP layers to produce an obfuscated DL model, and publishing the obfuscated DL model for access by devices. The obfuscated DL model is executable by the AI processor after compilation by the compiler on an edge device.
Inventors
- Bor-Yeh Shen
Assignees
- MEDIATEK INC.
Dates
- Publication Date
- 2026-05-12
- Application Date
- 2022-12-22
Claims (20)
- 1. A method for obfuscating deep learning (DL) models, comprising: training, by a computing system, a DL model to obtain weights of operation (OP) layers in the trained DL model; obfuscating, by the computing system, the DL model by changing a structure of the OP layers to produce an obfuscated DL model, wherein a structural change includes, at least in part, a plurality of reshape layers added between adjacent ones of the OP layers with each reshape layer changing input dimensions to different output dimensions, and wherein the obfuscated DL model includes an interface to a public application programming interface (API) that provides access to a compiler of an artificial intelligence (AI) processor; and publishing the obfuscated DL model for download by an edge device over a public network, wherein the edge device includes the public API and the compiler to compile the obfuscated DL model for execution by the AI processor on the edge device.
- 2. The method of claim 1, wherein obfuscating the DL model further comprises: re-ordering an execution sequence of the OP layers.
- 3. The method of claim 1, wherein obfuscating the DL model further comprises: adding redundant OP layers to the DL model.
- 4. The method of claim 1, wherein obfuscating the DL model further comprises: adding redundant weights to the OP layers in the DL model.
- 5. The method of claim 1, wherein obfuscating the DL model further comprises: changing connections among the OP layers in the DL model.
- 6. The method of claim 1, wherein obfuscating the DL model further comprises: changing one or more operations in the OP layers in the DL model.
- 7. The method of claim 1, wherein obfuscating the DL model further comprises: changing the structure of the DL model without re-training the DL model.
- 8. The method of claim 1, wherein the DL model and the obfuscated DL model are in a same model language and produce inference results with substantially the same accuracy.
- 9. A system operative to obfuscate deep learning (DL) models, comprising: an edge device, which includes an artificial intelligence (AI) processor and stores a compiler of the AI processor and a public application programming interface (API) that provides access to the compiler; and a computing system coupled to the edge device via a public network, the computing system including: processing hardware; and memory to store an obfuscator and a DL model that includes a plurality of operation (OP) layers, wherein the processing hardware is operative to: train the DL model to obtain weights of the OP layers, the DL model including an interface to the public API; obfuscate the DL model using the obfuscator by changing a structure of the OP layers to produce an obfuscated DL model, wherein a structural change includes, at least in part, a plurality of reshape layers added between adjacent ones of the OP layers with each reshape layer changing input dimensions to different output dimensions; and publish the obfuscated DL model for access by devices, and wherein the edge device is further operative to: download the obfuscated DL model over the public network; and compile the obfuscated DL model using the compiler through the public API to generate executable code for the AI processor.
- 10. The system of claim 9, wherein the processing hardware is further operative to: obfuscate the DL model by re-ordering an execution sequence of the OP layers.
- 11. The system of claim 9, wherein the processing hardware is further operative to: obfuscate the DL model by adding redundant OP layers to the DL model.
- 12. The system of claim 9, wherein the processing hardware is further operative to: obfuscate the DL model by adding redundant weights to the OP layers in the DL model.
- 13. The system of claim 9, wherein the processing hardware is further operative to: obfuscate the DL model by changing connections among the OP layers in the DL model.
- 14. The system of claim 9, wherein the processing hardware is further operative to: obfuscate the DL model by changing one or more operations in the OP layers in the DL model.
- 15. The system of claim 9, wherein the processing hardware is further operative to: change the structure of the DL model without re-training the DL model.
- 16. The system of claim 9, wherein the DL model and the obfuscated DL model are in a same model language and produce inference results with substantially the same accuracy.
- 17. A device, comprising: processing hardware including an artificial intelligence (AI) processor; memory to store a compiler of the AI processor and a public application programming interface (API) that provides access to the compiler; and a network interface to download an obfuscated DL model from a computer system over a public network, wherein the processing hardware is operative to: compile the obfuscated DL model using the compiler through the public API to generate executable code, wherein the obfuscated DL model has been obfuscated from a trained DL model by a structural change in operation (OP) layers, the structural change including, at least in part, a plurality of reshape layers added between adjacent ones of the OP layers with each reshape layer changing input dimensions to different output dimensions; and execute the executable code by the AI processor.
- 18. The device of claim 17, further comprising: a compilation cache to store the compiled obfuscated DL model generated by the compiler.
- 19. The device of claim 17, wherein the structural change includes, at least in part, additions of redundant OP layers or redundant weights to the OP layers.
- 20. The device of claim 17, wherein the processing hardware is further operative to: optimize compilation of the obfuscated DL model for execution on the AI processor based on proprietary information regarding obfuscation.
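As an added illustration, not code from the patent or from MediaTek, the following NumPy sketch applies three of the claimed structural changes to a constructed toy model: reshape layers between adjacent OP layers that change the tensor dimensions (claim 1), redundant OP layers (claim 3) and redundant weights (claim 4), with no re-training (claim 7). The names `make_model`, `run`, `obfuscate` and `equivalent` are hypothetical, and `equivalent` is the check a defender would run to confirm the obfuscated model keeps the original inference results (claim 8).

```python
import numpy as np

def make_model(rng):
    """Constructed toy model standing in for trained weights: dense -> relu -> dense."""
    return [
        {"op": "dense", "W": rng.standard_normal((8, 16)), "b": rng.standard_normal(16)},
        {"op": "relu"},
        {"op": "dense", "W": rng.standard_normal((16, 4)), "b": rng.standard_normal(4)},
    ]

def run(model, x):
    # Execute the OP layers in order; x has shape (batch, 8).
    for layer in model:
        op = layer["op"]
        if op == "dense":
            x = x @ layer["W"] + layer["b"]
        elif op == "relu":
            x = np.maximum(x, 0.0)
        elif op == "reshape":   # changes dimensions only, never values
            x = x.reshape(layer["shape"])
        elif op == "mul":       # redundant OP layer: all of its weights are ones
            x = x * layer["c"]
    return x

def obfuscate(model, rng, extra=4):
    """Pad each non-final dense layer with junk output columns that zero rows in the
    next dense layer cancel; wrap every layer boundary in reshape / redundant op / reshape."""
    last_dense = max(i for i, l in enumerate(model) if l["op"] == "dense")
    out, pad, width = [], 0, model[0]["W"].shape[0]
    for i, layer in enumerate(model):
        layer = dict(layer)
        if layer["op"] == "dense":
            W, b = layer["W"], layer["b"]
            if pad:  # zero rows: the padded input features contribute nothing
                W = np.vstack([W, np.zeros((pad, W.shape[1]))])
                pad = 0
            if i != last_dense:  # redundant weights: random extra output columns
                W = np.hstack([W, rng.standard_normal((W.shape[0], extra))])
                b = np.concatenate([b, rng.standard_normal(extra)])
                pad = extra
            layer["W"], layer["b"], width = W, b, W.shape[1]
        out.append(layer)
        if i != len(model) - 1:  # reshape layers between adjacent OP layers
            out.append({"op": "reshape", "shape": (-1, 2)})
            out.append({"op": "mul", "c": np.ones((1, 2))})
            out.append({"op": "reshape", "shape": (-1, width)})
    return out

def equivalent(model_a, model_b, x):
    """Accuracy check: both models must produce the same inference results."""
    return np.allclose(run(model_a, x), run(model_b, x))
```

The obfuscated graph has three times as many layers and wider weight tensors, yet its outputs match the original to floating-point precision, which is the property the claims require.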
Description
CROSS-REFERENCE TO RELATED APPLICATIONS
This application claims the benefit of U.S. Provisional Application No. 63/296,899 filed on Jan. 6, 2022, the entirety of which is incorporated by reference herein.
TECHNICAL FIELD
Embodiments of the invention relate to the use of obfuscation to protect deep learning models.
BACKGROUND
Designing and training a well-performing deep learning (DL) model is generally expensive and time-consuming. Malicious users can easily acquire DL models on edge devices, especially on mobile phones, if the models use public formats or public application programming interfaces (APIs). Typically, the manufacturer of an artificial intelligence (AI) processor provides a software development kit (SDK) to the developers of AI applications that include DL models. The developers use the SDK to convert the AI applications to a proprietary format or native machine instructions, which are non-portable to different AI processors. The developers may want the AI applications to run on different AI processors while protecting the intellectual property in the DL models. Thus, there is a need for protecting trained DL models against piracy on edge devices without sacrificing the accuracy of the DL models.
SUMMARY
In one embodiment, a method is provided for obfuscating deep learning (DL) models. The method comprises training a DL model to obtain weights of operation (OP) layers in the trained DL model. The DL model includes an interface to a public application programming interface (API) that provides access to a compiler of an artificial intelligence (AI) processor. The method further comprises obfuscating the DL model by changing a structure of the OP layers to produce an obfuscated DL model, and publishing the obfuscated DL model for access by devices. The obfuscated DL model is executable by the AI processor after compilation by the compiler on an edge device.
In another embodiment, a system is provided to obfuscate DL models. The system comprises processing hardware; and memory to store an obfuscator and a DL model that includes OP layers. The processing hardware is operative to train the DL model to obtain weights of the OP layers. The DL model includes an interface to a public API that provides access to a compiler of an AI processor. The processing hardware is further operative to obfuscate the DL model using the obfuscator by changing a structure of the OP layers to produce an obfuscated DL model, and publish the obfuscated DL model for access by devices. The obfuscated DL model is executable by the AI processor after compilation by the compiler on an edge device.
Other aspects and features will become apparent to those ordinarily skilled in the art upon review of the following description of specific embodiments in conjunction with the accompanying figures.
BRIEF DESCRIPTION OF THE DRAWINGS
The present invention is illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings in which like references indicate similar elements. It should be noted that different references to “an” or “one” embodiment in this disclosure are not necessarily to the same embodiment, and such references mean at least one. Further, when a particular feature, structure, or characteristic is described in connection with an embodiment, it is submitted that it is within the knowledge of one skilled in the art to effect such feature, structure, or characteristic in connection with other embodiments whether or not explicitly described.
- FIG. 1 is a block diagram illustrating an environment in which DL model obfuscation may be practiced according to one embodiment.
- FIG. 2 illustrates an example of adding redundant operation (OP) layers according to one embodiment.
- FIG. 3 illustrates an example of adding redundant OP layers and weights according to one embodiment.
- FIG. 4 illustrates an example of changing the execution order of a DL model according to one embodiment.
- FIG. 5 illustrates an example of the DL model in FIG. 4.
- FIG. 6 is a flow diagram illustrating a method for performing DL model obfuscation according to one embodiment.
- FIG. 7 is a flow diagram illustrating a method for executing an obfuscated DL model according to one embodiment.
- FIG. 8 is a block diagram illustrating a system performing DL model obfuscation and a device executing the obfuscated DL model according to one embodiment.
DETAILED DESCRIPTION
In the following description, numerous specific details are set forth. However, it is understood that embodiments of the invention may be practiced without these specific details. In other instances, well-known circuits, structures, and techniques have not been shown in detail in order not to obscure the understanding of this description. It will be appreciated, however, by one skilled in the art, that the invention may be practiced without such specific details. Those of ordinary skill in the art, with the included descriptions, will be able to implement appropriate func