We propose a novel method for protecting trained models with a secret key so that unauthorized users without the correct key cannot get the correct inference. By taking advantage of transfer learning, the proposed method enables us to train a large protected model like a model trained with ImageNet by using a small subset of a training dataset. It utilizes a learnable encryption step with a secret key to generate learnable transformed images. Models with pre-trained weights are fine-tuned by using such transformed images. In experiments with the ImageNet dataset, it is shown that the performance of a protected model was close to that of a non-protected model when the correct key was given, while the accuracy tremendously dropped when an incorrect key was used. The protected model was also demonstrated to be robust against key estimation attacks.

翻译：我们提议了一种保护经过训练的带有秘密密钥的模型的新颖方法,这样,没有正确密钥的未经授权的用户就不能得到正确的推断。 通过利用转移学习,拟议方法使我们能够培训一个大型保护模式,例如通过使用一个培训数据集的小子集与图像网络培训的模型。它使用一个带有秘密密钥的可学习加密步骤来生成可学习的变形图像。使用这种经过训练的图像,对具有预先训练的重量的模型进行微调。在与图像网络数据集的实验中,显示在提供正确的密钥时,受保护模式的性能接近于非保护模式的性能,而使用不正确的密钥时的准确性则大大降低。还证明,有预训练的重量的模型对关键估计攻击非常有力。