Detecting Generative Model Inversion Attacks for Protecting Intellectual Property of Deep Neural Networks

Abstract

Recently, protecting the Intellectual Property (IP) of deep neural networks (DNNs) has attracted attention from researchers. This is because training DNN models can be costly especially when acquiring and labeling training data require domain expertise. DNN watermarking and fingerprinting are two techniques proposed to prevent DNN IP infringement. Although these two techniques achieve high performance on defending against previously proposed DNN stealing attacks, researchers recently show that both of them are ineffective against generative model inversion attacks. Specifically, an adversary inverts training data from well-trained DNNs and uses the inverted data to train DNNs from scratch such that DNN watermarking and fingerprinting are both bypassed. This novel model stealing strategy shows that data inverted from victim models can be effectively exploited by adversaries, which poses a new threat to the IP protection of DNNs. To combat this new threat, one potential solution is to enable defenders to prove ownership on data inverted from models being protected. If the training data of a suspected model, which can be disclosed via the judicial process, are proven to be data inverted from victim models, then IP infringement is detected. This research direction is currently underexplored. In this paper, we fill the gap in the literature to investigate countermeasures against this emerging threat. We propose a simple but effective method, called InverseDataInspector (IDI), to detect whether data are inverted from victim models. Specifically, our method first extracts features from both the inverted data and victim models. These features are then combined and used for training classifiers. Experimental results demonstrate that our method achieves high performance on detecting inverted data and also generalizes to new generative model inversion methods that are not seen when training classifiers.