Abstract
Training a highly accurate Machine Learning model usually takes a lot of time and resources, so the trainer is considered to own the Intellectual Property (IP) of the model. With the help of various computing accelerators, a Machine Learning model can run on FPGAs, and model providers render services by selling FPGAs with models embedded. Unauthorized copying of the model infringes the owner's copyright, so there is an urgent need for effective protection of model IP. In this paper, we propose a Physical Unclonable Function (PUF) based CNN model IP protection scheme. Before selling the model, the model provider confuses the parameters of the model with the response of a PUF, then embeds the confused model into the FPGA that contains the PUF. In this way, the protected model produces correct results only when running on that specific FPGA. Experimental results show that the performance difference between the confused model and the original model is negligible, and that it is difficult for an adversary to recover the correct parameters. Our approach effectively protects the IP of the model by restricting it to run only on the specified FPGA, and it is easily extended to other models with convolutional layers and linear fully connected layers.
Acknowledgements
This work was supported by the Beijing Natural Science Foundation (4202037), the Natural Science Foundation of China through projects 62002006, 62172025, U21B2021, 61932011, 61932014, 61972018, 61972019, 61772538, 32071775, and 91646203, and the Defense Industrial Technology Development Program (JCKY2021211B017).
Copyright information
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Li, D. et al. (2022). PUF-Based Intellectual Property Protection for CNN Model. In: Memmi, G., Yang, B., Kong, L., Zhang, T., Qiu, M. (eds) Knowledge Science, Engineering and Management. KSEM 2022. Lecture Notes in Computer Science, vol 13370. Springer, Cham. https://doi.org/10.1007/978-3-031-10989-8_57
DOI: https://doi.org/10.1007/978-3-031-10989-8_57
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-10988-1
Online ISBN: 978-3-031-10989-8
eBook Packages: Computer Science, Computer Science (R0)