Fingerprinting Multi-exit Deep Neural Network Models via Inference Time

The increasing performance of DL tasks today brings an increasing number of layers in most of the state-of-the-art DNN models. However, such increasing complex models generate excessively complex representations which lead to the overthinking issue. On the one hand, forcing canonical samples to inference all layers of a DNN model definitely brings a waste of energy and time (Huang et al., 2018). On the other hand, Kaya et al. (2019) pointed out that a further computation on a simple sample at the deeper layers will lead to misclassification. Moreover, since many DNN models are supposed to be deployed on resource-aware or resource-constrained scenarios such as the Internet of Things (IoT), complex DNN models are inefficient or impractical to be used.

One promising approach to solve these issues is to introduce the input-adaptive DNNs. There are two main types of input-adaptive DNNs: adaptive neural networks (AdNNs) (Wang et al., 2018; Figurnov et al., 2017) which are only applicable for ResNet-like models; the multi-exit DNNs (Teerapittayanon et al., 2016; Huang et al., 2018; Kaya et al., 2019) that are more generic and widely used. Specifically, a multi-exit DNN introduces multiple exit points on a vanilla DNN to allow the inference to preemptively finish at one of the exit points when the network is sufficiently confident with a pre-defined stop criteria. By letting most of the input samples exit at an earlier layer of a complex DNN model, such multi-exit structures are found much more efficient compared with previous works like DNN split learning task (Hauswald et al., 2014; Kang et al., 2017; Eshratifar et al., 2019; He et al., 2019; 2020) which every sample has to go through all the distributed layers for prediction. Early multi-exit structures are designed specifically such as MSDNets (Huang et al., 2018) which cannot leverage the off-the-shelf DNN models. Later on, shallow-deep network (SDN) (Kaya et al., 2019) was proposed as a generic structure to transform any off-the-shelf model into a multi-exit model which is more effective and efficient. Note that in this paper we only experiment with SDN structure and the other multi-exit structures can be experimented in a similar way.

Training large DNN models are becoming more and more costly. For instance, training a state-of-the-art GPT-3 model with 175 billion parameters requires millions of dollars (Li, 2020). Therefore, DNN models are becoming valuable and important intellectual property (IP). However, recent research has shown that the IP of DNN models is vulnerable to illegal copy, redistribution, abuse (Xue et al., 2021) or model stealing attacks (Zhu et al., 2021). Specifically, an attacker may get a stolen or illegally copied DNN model and deploy it on its own server for illegal profit. This brings a new challenge for the model owners to verify the ownership of suspicious models in a black-box scenario. The early approach to solve this challenge is to watermark a DNN model relying on using out-of-distribution features (Adi et al., 2018; Zhang et al., 2018) or handcrafted parameters (Tang et al., 2020). This watermarked model will behave normally on benign samples but output specific labels for watermarked samples to verify the model’s IP. The limitations of this watermarking approach are clear. First, the watermarking approach will decrease the model accuracy which is unacceptable in critical applications (Cao et al., 2021). Second, watermarking procedures are mostly combined with the training phase which cannot be used for off-the-shelf models. Third, once the watermark of one DNN model is leaked, the adversary can easily bypass this verification adaptively but it will be too costly for the model owner to rebuild another model with a different watermark.

The more promising approach to verify the model ownership was proposed as the DNN fingerprinting. The general idea of the DNN fingerprinting method is to verify the model ownership via its unique and robust feature. However, existing DNN fingerprinting methods (Cao et al., 2021; Lukas et al., 2021; Wang et al., 2021; Wang & Chang, 2021) mainly rely on the inference output of special samples generated in a similar way as AEs (Goodfellow et al., 2014). For instance, they generate fingerprint samples to mislead model prediction to certain labels for IP verification by releasing the perturbation bounds (Cao et al., 2021) or limiting the transferability (Lukas et al., 2021). The first limitation of these AE-based fingerprinting is that they are vulnerable to model robustness enhancement such as adversarial training (see the example we reproduced in Figure 1, experimentation details in Appendix B). The second limitation to use them for fingerprinting the multi-exit model is that the prediction accuracy for both benign and fingerprint samples is easily manipulated by the tunable early-exit criteria of multi-exit models (decrease exit criteria will lead to lower model performance but faster inference on average). Therefore, we argue that the existing DNN fingerprinting methods for multi-exit models are impractical since the adversary can manipulate the prediction results by (1) retraining the backbone DNN model via adversarial training or (2) significantly changing the multi-exit structure to decrease the overall accuracy.

The adversary’s goal is to deploy an illegal copy or stolen multi-exit model in a resource-constrained scenario for illegal profit and disable the model ownership verification. Note that if the adversary wishes to use only the trained backbone model, there is no need to steal a multi-exit model and extract the backbone model only.

The adversary’s knowledge is that the target multi-exit model and a partial training dataset is known to the adversary. Specifically, the adversary knows all the model details including the backbone model’s structure, parameters, and the ICs. Also, we argue the necessity to consider that an adversary may also have a partial training dataset (at lease the dataset of the same distribution) as well.

The adversary’s capability is that the adversary has the capability to modify the model but cannot train a new model. We assume that the attacker will try to modify the target model to avoid the IP verification but try to keep the model performance. The practical modification includes modifications on the backbone model (e.g. finetuning, compression, pruning, or adversarial training) or modification of the multi-exit structure (e.g. removing, modifying, adding ICs, or changing early exit criteria).

The idea of our methodology is to verify the fingerprint samples via inference but do not rely on their predicted labels. Practically, for the multi-exit models, we verify the IP of the target model by comparing the inference time of specialized fingerprint samples with a pre-defined threshold. Since the initial motivation and later designs of the multi-exit model is to encourage as many samples as possible to exit earlier to avoid overthinking and to improve efficiency, our fingerprint samples are designed to behave significantly differently in this exit scenario. Our fingerprint samples will be dedicated to exit as late as possible which will consume a significantly longer time for inference than benign samples on average. This special inference time is the natural feature of this particular model for us to verify the IP. On the one hand, since our method does not care about the predicted labels for the fingerprint samples, those modifications on manipulating accuracy or model enhancement are not effective to mitigate our fingerprint samples. This can achieve the robustness of our method. On the other hand, since our fingerprint samples are significantly related to the target model’s parameters, we can effectively distinguish our target model from the independent models which are trained with different initial parameters. Thus, our method can achieve uniqueness.

Notations. Let $n$ denote the number of exits (including exits of internal classifiers (IC) and the last-layer exit point) of the SDN model and $\theta_{i}$ denote the model parameters up to the $i$-th exit, where $1\leq i\leq n$ and $\theta_{1}\subset\dots\subset\theta_{i}\subset\theta_{i+1}\dots\subset\theta_{n}$. We denote the softmax probability output (i.e. confidence vector) $f_{\theta_{i}}(x)$ given the input $x$ at the $i$-th exit as $f_{i}(x)$. For setting the early exit criteria, let $T_{c}$ denote a confidence-based exit threshold, such that the inference of input $x$ stops at the $i$-th exit iff $\max(f_{i}(x))\geq T_{c}$ and $\forall j<i,\max(f_{j}(x))<T_{c}$.

Fingerprint generation. Given a benign input sample $x$, we aim to craft a perturbation $\delta_{x}$ to manipulate the modified input sample $x+\delta_{x}$ to not exit at any early exit point. Note that this generation process is not related to any specific or expected predicted label of the modified sample which is significantly different from the idea of adversarial attacks. Then, we can use the inference time of a set of such modified samples to fingerprint the target model. Formally, we define the following optimization loss to craft $\delta_{x}$ for $x$:

$$L_{f}(x)=\sum\limits_{i=1}^{n-1}D_{\mathrm{KL}}(f_{i}(x),u)-D_{\mathrm{KL}}(f_{n}(x),u)$$

(1)

where $D_{\mathrm{KL}}$ is the Kullback-Leibler (KL) divergence which can be seen as the distance between two distributions and $u$ is the uniform vector of the same length as the confidence vector, i.e. $u=[\frac{1}{n_{y}}]_{1\leq i\leq n_{y}}$.

The first term of the summation in Equation (1) pushes the confidence vectors of internal exits towards a uniform distribution On the contrary, the last term pushes the confidence vector of the final layer away from the uniform distribution. Such that the confidence scores of the ICs will be lower than the exit threshold $T_{c}$ and will not exit. As a result, these fingerprint samples will not be able to exit at any early exit point and the inference time of them will be significantly longer than benign samples on average. Particularly, since our fingerprint generation does not rely on the samples’ predicated labels, those model enhancement methods that mitigate perturbations for misleading (e.g. adversarial training) are not effective anymore. Thus, we claim the fingerprinting robustness is improved compared with existing fingerprinting methods (see experimentation in Section 4.3).

We adopt the $L_{2}$-based CW optimization technique to improve the fingerprinting uniqueness by reducing the fingerprints’ transferability to independent models. Typically, suppose the selected benign sample is $x$ and the fingerprint to craft is $x^{\prime}$. Then the final loss is

$$L(x^{\prime})=\left\lVert x-x^{\prime}\right\rVert_{2}+cL_{f}(x^{\prime}),$$

(2)

where $c$ is a parameter used to balance the stealthiness and the effectiveness of $x^{\prime}$. A larger $c$ leads to better fingerprinting uniqueness, at the expense of fingerprints’ visual similarity to the original samples. Note that our method does not set any perturbation bounds on such fingerprint sample generation. However, the experimentation results indicate that with our chosen parameter $c$, the visual similarity of our fingerprint samples is very similar to AEs which are also human imperceptible (see statistical results in Section 4.4 and visual results in Appendix C).

Fingerprint Verification. The model owner first generates $N$ fingerprint samples using the method described above. Then, the model owner feeds the $N$ fingerprint samples to the suspicious model for inference and records the inference time of these samples. Note that a longer inference time indicates a deeper exit layer. Practically, in order to get a stable inference time, we calculate the inference time by averaging the time of each sample for 10 times.

In order to get a more reliable fingerprinting verification, we use an EEC AUC score rather than directly using the inference time for calculation. The definition is explained with an example as follows. First, to quantify the suspicious model’s inference time on $N$ fingerprint samples, we modified the early-exit capacity (EEC) curve (Hong et al., 2020) to measure the inference time costs for these $N$ fingerprint samples. An EEC used in (Hong et al., 2020) describes how a set of samples exit a multi-exit model by calculating the ratio of samples exiting at each point. Here we modify the EEC by measuring the exit situation by inference time. For instance, we feed 10 groups of 100 benign samples to a multi-exit model and record the inference time. All inference time is normalized within [0,1] by comparing with the longest inference time. Here we assume the longest inference time as the maximum inference time of these benign samples since there will always be benign samples exit at the last layer. The results of the 10 groups and their average value are in Figure 2. For benign samples, 60% of them can exit within 0.8 of the longest inference time. However, if we use 100 fingerprint samples, 100% of them will pass all the layers so the EEC is significantly different.

Second, we use the area under the curve (AUC) of the EEC of the generated $N$ fingerprint samples to determine whether an IP verification is successful or not. Specifically, we denote the AUC of the EEC for $N$ samples as $T_{N}$. For fingerprint samples, the corresponding $T_{N}$ is significantly lower than the benign samples. Thus, for the IP verification, we compared $T_{N}$ of the fingerprint samples inference by the suspicious model with a pre-defined threshold $T_{f}$. If $T_{N}<T_{f}$, we claim the ownership verification is a success and the suspicious model compromises the IP of the target model. Otherwise, the suspicious model is an independent model.

Datasets & Model Structure. We use the image classification datasets CIFAR-10/100 (Krizhevsky & Hinton, 2009), noted as “C10” and “C100” respectively and 200-class Tiny-ImageNet¹¹1https://www.kaggle.com/c/tiny-imagenet noted as “TI”. For the model structure, we choose three structures including ResNet-56 (He et al., 2016), VGG-16 (Simonyan & Zisserman, 2014), and MobileNet (Howard et al., 2017). For each structure, we train models on C10 and C100 for 50 epochs and on TI for 100 epochs. For the multi-exit model structure, we use the SDN structure (Kaya et al., 2019) and other structures can be fingerprinted in a similar way. We transform the trained models into SDN models by adding ICs at some hidden layers and train the ICs for 25 epochs. In the end, we have the multi-exit ResNet-56 model with 27 ICs, the multi-exit VGG-16 model with 14 ICs, and the multi-exit MobileNet model with 14 ICs.

Independent Model Training. For evaluating the uniqueness, we train independent models for fingerprinting verification. The independent models refer to the models that use the exact same training dataset, structure, hyper-parameters but only with different initial parameters. These independent models are similar to the target model but should be excluded from IP verification.

For each dataset and each architecture, we train 100 models from scratch with different initialization and random seeds and transform them into SDNs as independent models. Thus, in this paper, we trained 900 models in total from 3 different datasets and 3 different model structures²²2Note here the training for these 900 independent models takes about 1,600 GPU hours.. Before experimenting with fingerprinting on one target model, we report the averaged EEC AUC scores on 100 benign samples across the 100 models for each structure and each dataset in Table 8 of Appendix C (the standard deviations are less than 0.02). Remark that the ResNet-56 model trained on CIFAR-10 has the lowest clean EEC AUC score, because $T_{c}$ for RAD-5 is close to 1 (i.e., 0.95), and there will be fewer early exits during the inference. Training details can be found in Appendix A.

Adversarial Modifications. For proving robustness, we consider comprehensive model modifications that an adversary can make with two categories. The first one is to modify the multi-exit model structure by manipulating the ICs. Since training ICs requires significantly less resources than training DNNs from scratch, it is reasonable for an adversary to modify ICs to avoid IP verification. The adversary may (1) remove ICs or add ICs to change the total number of exit points which will influence samples’ overall prediction accuracy. Since our fingerprint samples suppose to exit at the last layer of the model, removing or adding ICs can not affect our verification. Also, they can (2) retrain only the ICs to influence the prediction accuracy. Moreover, they can (3) change the early exit criteria for decreasing inference accuracy to compromise the fingerprint samples’ prediction labels. For instance, the early-exit criteria for a multi-exit model could refer to a confidence threshold $T_{c}$. A lower $T_{c}$ encourages more samples to exit at earlier layers to speed up the inference but decreases prediction accuracy noted as of relative accuracy drop (RAD). Note that a significant decrease in prediction accuracy may disable fingerprinting but makes no sense since such a model is useless. We assume the maximum RAD that can be accepted is 15% so we choose two thresholds (RAD as 5% and 15%) for our experimentation which are denoted as RAD=5 and RAD=15 respectively.

The second kind of adversarial modification is on the extracted backbone DNN model. Here we consider a comprehensive scenario that includes compression, pruning, finetuning, and adversarial training. We perform the model pruning with rates of 0.1, 0.2, 0.3, and 0.4 to get pruned models and compress with 8-bit to get quantized models. We apply finetuning for 16 epochs for all target models. For adversarial training, we retrain 6 epochs for C10 and 10 epochs for C100 and TI. We save the modified model every 2 epochs. To avoid randomness during finetuning, we finetune the model 10 times independently under the same setting. In total, there are 80 finetuned models for each target model, 30 adversarial trained models for each target model on C10, and 50 adversarial trained models for each target model on C100 and TI respectively. We then transform them back into SDN multi-exit models. Experiment details of finetuning and adversarial training are in Appendix A.

Metrics. We use three metrics to evaluate the effectiveness of our method. The first is $T_{N}$ (EEC AUC score) for the $N$ fingerprint samples on a suspicious model. Since $T_{N}$ is directly used for the IP verification by comparing with the pre-defined threshold $T_{f}$, a value of $T_{N}$ smaller than $T_{f}$ for a suspicious model refers to a success of IP verification. For evaluating fingerprinting of multiple suspicious models, we calculate the IP verified rate as our second metric to indicate the ratio of models verified as stolen models.

The third metric is the receiver operating characteristic (ROC) with AUC (Lukas et al., 2021) to compare our method with the baseline. The ROC curve consists of multiple pairs of the false positive rate (FPR) and the true positive rate (TPR) computed for various detection thresholds. Since IP verification is a bi-class problem (IP verified or not), we use the AUC score of ROC for a straightforward comparison. For instance, if a classifier is perfect, the ROC AUC should be equal to 1.

Baseline. We choose a state-of-the-art AE-based fingerprinting (Lukas et al., 2021) as the baseline. Specifically, we generate fingerprint samples by reproducing their method to craft fingerprint samples and set the expected prediction labels. When verifying the IP, the model owner sends the crafted fingerprint samples to the suspicious model and gets the returned labels. Then, the model owner calculates the proportion of how many returned labels are the same as his expected labels, and if it is higher than a threshold, the model owner can claim the IP is compromised.

Threshold Setting. To compare $T_{N}$ (EEC AUC score) for the $N$ fingerprint samples with a pre-defined threshold $T_{f}$, a proper $T_{f}$ must be set. Since the $T_{N}$ of fingerprint samples (normally close to 0) is significantly less than benign samples, a higher $T_{f}$ leads to more success rate of IP verification. However, increasing the $T_{f}$ will lead to potential false positives on misclassifying independent models. Based on such a trade-off, we list the pre-defined $T_{f}$ in Table 1 for our experimentation in this paper. Also, an ablation study on setting $T_{f}$ is in Section 4.4, Table 7.

To prove the uniqueness of our method, we show two kinds of experimentation results. The first is to prove that our method can accurately detect our model from various independent models. The second is to compare our method with the baseline on the same detection task.

We first randomly choose 100 models from the modified models (e.g. compression, pruning, finetune, adversarial training) as the stolen models. Then, we use the trained 100 independent models (only initial parameters are different) for evaluating our fingerprinting method. Results in Table 2 show that our method can effectively verify the IP of the plagiarized models (e.g. 0.98 for TI dataset, ResNet-56 with RAD=5) and keep a low misdetection ratio on independent models (almost 0 IP verified for most cases).

Second, we compare our method with the baseline (Lukas et al., 2021) in Table 2. Here we use the ROC AUC score to show the detection result. Note that if we see IP verification as a bi-class problem, a good classifier should have a ROC AUC score close to 1. Table 3 shows that our method has clearly better ROC AUC scores on almost all cases. For MobileNet on C10, the ROC AUC score of baseline drops from 0.97 to 0.64 when the RAD changes from 5 to 15, indicating that manipulating multi-exit model ACC can mitigate AE-based fingerprinting methods. In summary, we claim that our method achieves uniqueness and outperforms the baseline.

For proving the robustness, we first provide the results of our method for all adversarial modification cases³³3Using multiple model modification on one target model is unusual but possible, see results in Appendix C.. The metric we used here is to give the EEC AUC scores for our 100 fingerprint samples. Note they are all significantly less than the threshold $T_{f}$. Then, we compare our method with the baseline on adversarial training only since the baseline can achieve robustness for the other modifications.

Model IC retraining. We apply IC retraining to the owner’s multi-exit model (SDN structure). We then generate 100 stolen models with the same backbone DNN models but only differ in ICs. Note that our fingerprint samples are supposed to exit at the last layer so adding or removing ICs has no influence on our method. We list the EEC AUC scores for these 100 modified models. It can be observed that these scores are pretty close to the ideal value 0 and are significantly less than the threshold $T_{f}$. Thus, the IP of these 100 plagiarized models can all be successfully verified by our method.

Model compression. we plot the EEC AUC scores for detecting suspicious models that are generated by compressing the target models. We can see that the compression has little effect on the EEC AUC scores since most of them stay around 0. According to our threshold $T_{f}$, the IP of all these suspicious models can be successfully verified. Thus, we claim that the model compression has no influence on our fingerprinting method.

Model pruning. We set the pruning rate from 0.1 to 0.4 to get suspicious models. A large pruning rate introduces significant ACC loss (pruning rate of 0.4 decreases ACC by about 15%) so a larger pruning rate will make the model useless. The EEC AUC scores of the pruning case are in Figure 3. We find that different models have different sensitivity for pruning. But all EEC AUC scores stay lower than the threshold so still, all IP verification will succeed on these suspicious models.

Model finetuning. For evaluating the model finetuning case, we use benign samples for the finetuning. We calculate the EEC AUC score for the 80 finetuned models generated from each target model and list the average EEC AUC score in Figure 4 (with tiny standard deviations). It can be observed the model finetuning has little influence on the EEC AUC scores as well. The IP verification can succeed on all model finetuning cases by our fingerprinting method.

Model adversarial training. We compare our method with the baseline for the adversarial training case. Here we use the IP verified rate to evaluate both methods. Experiment details on adversarial training are in Appendix A. In Figure 5, we list the comparison results for RAD=5 (the left three columns) and for RAD=15 (the right three columns). Note that for RAD=15, the baseline directly fails for C10 MobileNet and C100 MobileNet since the prediction accuracy is decreased which also changes the fingerprint samples’ prediction labels. Our method is not sensitive to adversarial training in most cases while the baseline method fails in most cases after even a few epochs. The main reason is that our method is not verified according to the prediction labels by suspicious models such that enhancing model robustness by adversarial training has no effects.

We give the visual difference of our fingerprint samples and the results for different thresholds $T_{f}$.

Visual similarity. The L2 scores averaged over 100 samples of baseline and fingerprint samples are in Table 6. We can see that the similarity of our fingerprint samples to the original samples is at the same level as the baseline. Most of the L2 scores of our fingerprint samples are less than 0.05 which are visually imperceptible to human eyes according to the definition of AE (Carlini & Wagner, 2017). We refer readers to Appendix A for more details of generation fingerprint samples and Appendix C visual results.

Threshold $T_{f}$. Setting different thresholds $T_{f}$ for the fingerprint verification will either decrease the fingerprint accuracy for independent models or the shadow model. We tune the threshold $T_{f}$ and calculate the IP verified rate for the same task in Section 4.2 with the results in Table 7.