Defending against model extraction attacks via watermark-based method with knowledge distillation

Abstract

Developing deep neural network (DNN) models often requires significant investment in computational resources, expertise, and vast amount of data. The increasing popularity of Machine Learning as a Service (MLaaS) offers convenient access to these powerful models, but it also raises concerns about Intellectual Property (IP) protection. Model extraction attacks pose a significant threat, allowing unauthorized parties to steal a model's functionality and potentially exploit it for their own gain. Traditional passive watermarking methods often prove inadequate against determined adversaries.

This project presents a novel Intellectual Property Protection (IPP) method for deep neural network (DNN) models. The approach leverages watermarking techniques, a Mixture-of-Experts (MoE) architecture, and knowledge distillation to enhance model security while preserving its core functionality. Authorized users can unlock the full potential of the model by embedding a specific watermark into their input images. Crucially, this solution facilitates robust ownership verification, even in black-box scenarios where model extraction attempts occur. Experimental results demonstrate the effective implementation of this method with minimal impact on the model's primary task. This work contributes to strengthening IP protection within Machine Learning as a Service (MLaaS) environments.