As a type of valuable intellectual property (IP), deep neural network (DNN) models have been protected by techniques like watermarking. However, such passive model protection cannot fully prevent model abuse. In this work, we propose an active model IP protection scheme, namely NNSplitter, which actively protects the model by splitting it into two parts: the obfuscated model, which performs poorly due to weight obfuscation, and the model secrets, consisting of the indexes and original values of the obfuscated weights, which can only be accessed by authorized users with the support of a trusted execution environment (TEE). Experimental results demonstrate the effectiveness of NNSplitter, e.g., by modifying only 275 out of over 11 million (i.e., 0.002%) weights, the accuracy of the obfuscated ResNet-18 model on CIFAR-10 can drop to 10%. Moreover, NNSplitter is stealthy and resilient against norm clipping and fine-tuning attacks, making it an appealing solution for DNN model protection. The code is available at: https://github.com/Tongzhou0101/NNSplitter.
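The split described above, as an added toy illustration that is not code from the NNSplitter repository: a flat weight vector is divided into an obfuscated copy that ships to the user and a small `ModelSecrets` record (indexes plus original values) that would stay inside the TEE. Two points are assumptions of this example rather than details from the abstract: the weights to obfuscate are chosen by a simple largest-magnitude heuristic (the paper selects them differently), and replacement values are drawn uniformly within the observed weight range so that a norm-clipping attack to that range leaves them untouched. The sample weights are constructed in the block.

```python
"""Toy weight splitting in the spirit of NNSplitter (added example, not the project's code)."""
import random
from dataclasses import dataclass


@dataclass
class ModelSecrets:
    """The part kept inside the TEE: positions and original values of the obfuscated weights."""
    indexes: list
    values: list


def make_sample_weights(n, seed=1):
    """Constructed sample: n Gaussian weights standing in for one flattened layer."""
    rng = random.Random(seed)
    return [rng.gauss(0.0, 0.05) for _ in range(n)]


def select_indexes(weights, k):
    """Assumption: obfuscate the k weights of largest magnitude (the paper uses its own selection)."""
    order = sorted(range(len(weights)), key=lambda i: abs(weights[i]), reverse=True)
    return sorted(order[:k])


def split_model(weights, k, seed=0):
    """Return (obfuscated_weights, secrets); only len(secrets.indexes) == k values are changed."""
    rng = random.Random(seed)
    lo, hi = min(weights), max(weights)
    idx = select_indexes(weights, k)
    obfuscated = list(weights)
    secrets = ModelSecrets(indexes=idx, values=[weights[i] for i in idx])
    for i in idx:
        # Draw the replacement inside the observed range so it does not stand out as an
        # outlier and is unaffected by clipping to that range; make sure it really changes.
        new = rng.uniform(lo, hi)
        while new == weights[i]:
            new = rng.uniform(lo, hi)
        obfuscated[i] = new
    return obfuscated, secrets


def restore_model(obfuscated, secrets):
    """What the TEE does for an authorized user: patch the original values back in."""
    restored = list(obfuscated)
    for i, v in zip(secrets.indexes, secrets.values):
        restored[i] = v
    return restored


def clip_weights(weights, max_abs):
    """Norm-clipping attack: squash every weight into [-max_abs, max_abs]."""
    return [max(-max_abs, min(max_abs, w)) for w in weights]


def changed_positions(a, b):
    """Indexes where two weight vectors differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


if __name__ == "__main__":
    w = make_sample_weights(1000)
    obf, sec = split_model(w, k=5)
    print("changed:", changed_positions(w, obf))
    print("secret size:", len(sec.indexes), "of", len(w))
    print("exact restore:", restore_model(obf, sec) == w)
```

The secret record is the only thing that needs to be confidential: the obfuscated vector can be distributed freely, and because the replacements sit inside the normal weight range, an attacker cannot locate them by clipping or by looking for outliers.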