As the deployment of deep learning models continues to expand across industries, the threat of malicious incursions aimed at gaining access to these deployed models is on the rise. Should an attacker gain access to a deployed model, whether through server breaches, insider attacks, or model inversion techniques, they can then construct white-box adversarial attacks to manipulate the model's classification outcomes, thereby posing significant risks to organizations that rely on these models for critical tasks. Model owners need mechanisms to protect themselves against such losses without having to acquire fresh training data, a process that typically demands substantial investments in time and capital. In this paper, we explore the feasibility of generating multiple versions of a model that possess different attack properties, without acquiring new training data or changing the model architecture. The model owner can deploy one version at a time and replace a leaked version immediately with a new version. The newly deployed model version can resist adversarial attacks generated using white-box access to one or all previously leaked versions. We show theoretically that this can be accomplished by incorporating parameterized hidden distributions into the model training data, forcing the model to learn task-irrelevant features uniquely defined by the chosen data. Additionally, optimal choices of hidden distributions can produce a sequence of model versions capable of resisting compound transferability attacks over time. Leveraging our analytical insights, we design and implement a practical model versioning method for DNN classifiers, which leads to significant robustness improvements over existing methods. We believe our work presents a promising direction for safeguarding DNN services beyond their initial deployment.
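The mechanism the abstract describes, as an added toy illustration that is not the paper's code or method: two linear "versions" are trained on the same natural data plus a version-specific hidden distribution, and a white-box FGSM attack crafted on the leaked version 0 spends much of its budget on version 0's private feature, which version 1 never learned and therefore ignores. The linear model, the numpy gradient descent, the zero-valued hidden coordinates in natural data and all sample data are constructed assumptions made here for illustration.

```python
import numpy as np

D_TASK, N_VERSIONS = 4, 2      # natural feature dims; one private hidden dim per version
SIGNAL, EPS = 0.6, 0.35        # class mean shift per natural dim; L_inf attack budget
D = D_TASK + N_VERSIONS

def make_natural(rng, n):
    """Natural task data (constructed): hidden dims are always zero, i.e. task-irrelevant."""
    y = rng.choice([-1.0, 1.0], size=n)
    x = np.zeros((n, D))
    x[:, :D_TASK] = rng.normal(size=(n, D_TASK)) + SIGNAL * y[:, None]
    return x, y

def make_hidden(rng, n, version):
    """Hidden distribution for one version: the label is carried only by its private coordinate."""
    y = rng.choice([-1.0, 1.0], size=n)
    x = np.zeros((n, D))
    x[:, :D_TASK] = rng.normal(size=(n, D_TASK))   # natural dims are pure noise here
    x[:, D_TASK + version] = y
    return x, y

def train_logreg(x, y, steps=3000, lr=1.0):
    """Gradient descent on the logistic loss; a linear toy stand-in for the DNN (assumption)."""
    w, b = np.zeros(D), 0.0
    for _ in range(steps):
        g = -y / (1.0 + np.exp(y * (x @ w + b)))   # d loss / d logit
        w -= lr * (x.T @ g) / len(y)
        b -= lr * g.mean()
    return w, b

def accuracy(model, x, y):
    w, b = model
    return float(np.mean(np.sign(x @ w + b) == y))

def fgsm(model, x, y):
    """White-box L_inf FGSM; for the logistic loss the input-gradient sign is -y*sign(w)."""
    w, _ = model
    return x + EPS * np.sign(-y[:, None] * w[None, :])

def versioning_demo(seed=0):
    rng = np.random.default_rng(seed)
    x_nat, y_nat = make_natural(rng, 500)
    models = []
    for v in range(N_VERSIONS):   # same natural data, a different hidden distribution per version
        x_h, y_h = make_hidden(rng, 500, v)
        models.append(train_logreg(np.vstack([x_nat, x_h]), np.concatenate([y_nat, y_h])))
    x_te, y_te = make_natural(rng, 2000)
    x_adv = fgsm(models[0], x_te, y_te)   # attacker holds the leaked version 0
    return {"clean_v0": accuracy(models[0], x_te, y_te), "clean_v1": accuracy(models[1], x_te, y_te),
            "direct_v0": accuracy(models[0], x_adv, y_te), "transfer_v1": accuracy(models[1], x_adv, y_te)}
```

Version 1 is degraded only through the task features both versions share, so its accuracy under the transferred attack stays well above version 0's under the direct attack; the gap is what a replacement version buys the owner until the attacker obtains the new version too.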