VerIDeep: Verifying Integrity of Deep Neural Networks through Sensitive-Sample Fingerprinting
This addresses the security concern for cloud customers who need to ensure their deployed models are untampered, offering a practical solution with incremental improvements over existing verification techniques.
The authors tackled the problem of verifying the integrity of deep neural networks deployed in the cloud against tampering attacks, proposing a method that detects arbitrary changes with high accuracy (>99%) and low overhead (<10 black-box accesses).
Deep learning has become popular, and numerous cloud-based services are provided to help customers develop and deploy deep learning applications. Meanwhile, various attack techniques have also been discovered to stealthily compromise the model's integrity. When a cloud customer deploys a deep learning model in the cloud and serves it to end-users, it is important for him to be able to verify that the deployed model has not been tampered with, and the model's integrity is protected. We propose a new low-cost and self-served methodology for customers to verify that the model deployed in the cloud is intact, while having only black-box access (e.g., via APIs) to the deployed model. Customers can detect arbitrary changes to their deep learning models. Specifically, we define \texttt{Sensitive-Sample} fingerprints, which are a small set of transformed inputs that make the model outputs sensitive to the model's parameters. Even small weight changes can be clearly reflected in the model outputs, and observed by the customer. Our experiments on different types of model integrity attacks show that we can detect model integrity breaches with high accuracy ($>$99\%) and low overhead ($<$10 black-box model accesses).