ProDiF: Protecting Domain-Invariant Features to Secure Pre-Trained Models Against Extraction
This work addresses security threats for owners of pre-trained models, offering robust protection against unauthorized extraction and transfer, with a novel approach that is incremental in applying weight space manipulation to model security.
The paper tackles the problem of model extraction attacks on pre-trained models by introducing ProDiF, a framework that manipulates weight spaces to protect domain-invariant features, reducing source-domain accuracy to near-random levels and cross-domain transferability by 74.65%.
Pre-trained models are valuable intellectual property, capturing both domain-specific and domain-invariant features within their weight spaces. However, model extraction attacks threaten these assets by enabling unauthorized source-domain inference and facilitating cross-domain transfer via the exploitation of domain-invariant features. In this work, we introduce **ProDiF**, a novel framework that leverages targeted weight space manipulation to secure pre-trained models against extraction attacks. **ProDiF** quantifies the transferability of filters and perturbs the weights of critical filters in unsecured memory, while preserving actual critical weights in a Trusted Execution Environment (TEE) for authorized users. A bi-level optimization further ensures resilience against adaptive fine-tuning attacks. Experimental results show that **ProDiF** reduces source-domain accuracy to near-random levels and decreases cross-domain transferability by 74.65\%, providing robust protection for pre-trained models. This work offers comprehensive protection for pre-trained DNN models and highlights the potential of weight space manipulation as a novel approach to model security.