With the development of deep learning processors and accelerators, deep learning models have been widely deployed on edge devices as part of the Internet of Things. Edge device models are generally considered as valuable intellectual properties that are worth for careful protection. Unfortunately, these models have a great risk of being stolen or illegally copied. The existing model protections using encryption algorithms are suffered from high computation overhead which is not practical due to the limited computing capacity on edge devices. In this work, we propose a light-weight, practical, and general Edge device model Pro tection method at neuron level, denoted as EdgePro. Specifically, we select several neurons as authorization neurons and set their activation values to locking values and scale the neuron outputs as the "asswords" during training. EdgePro protects the model by ensuring it can only work correctly when the "passwords" are met, at the cost of encrypting and storing the information of the "passwords" instead of the whole model. Extensive experimental results indicate that EdgePro can work well on the task of protecting on datasets with different modes. The inference time increase of EdgePro is only 60% of state-of-the-art methods, and the accuracy loss is less than 1%. Additionally, EdgePro is robust against adaptive attacks including fine-tuning and pruning, which makes it more practical in real-world applications. EdgePro is also open sourced to facilitate future research: https://github.com/Leon022/Edg

翻译：随着深度学习处理器和加速器的发展，深度学习模型已作为物联网的一部分广泛部署在边缘设备上。边缘设备模型通常被视为需要精心保护的重要知识产权。然而，这些模型面临被窃取或非法复制的巨大风险。现有的基于加密算法的模型保护方案存在计算开销过高的问题，由于边缘设备计算能力有限，这种方案并不实用。本文提出一种轻量级、实用且通用的边缘设备模型神经元级保护方法，记为EdgePro。具体而言，我们选取若干神经元作为授权神经元，在训练过程中将其激活值设定为锁定值，并缩放神经元输出作为"密码"。EdgePro通过确保仅在满足"密码"条件时模型才能正确工作来保护模型，其代价仅为加密和存储"密码"信息而非整个模型。大量实验结果表明，EdgePro能在不同模式的数据集上有效完成保护任务。与现有最优方法相比，EdgePro的推理时间增量仅为60%，精度损失小于1%。此外，EdgePro对包括微调和剪枝在内的自适应攻击具有鲁棒性，使其在实际应用中更具实用性。EdgePro也已开源以促进未来研究：https://github.com/Leon022/EdgePro