Recently, numerous highly valuable Deep Neural Networks (DNNs) have been trained using deep learning algorithms. To protect the Intellectual Property (IP) of the original owners of such DNN models, backdoor-based watermarks have been extensively studied. However, most such watermarks fail under model extraction attacks, in which an attacker queries the target model with input samples, collects the corresponding outputs, and trains a substitute model on these input-output pairs. In this paper, we propose MEA-Defender, a novel watermark that protects the IP of DNN models against model extraction. In particular, we obtain the watermark by combining two samples from two source classes in the input domain, and we design a watermark loss function that keeps the output domain of the watermark within that of the main-task samples. Since both the input domain and the output domain of our watermark are indispensable parts of those of the main-task samples, the watermark is extracted into the stolen model along with the main task during model extraction. We conduct extensive experiments on four model extraction attacks, using five datasets and six models trained with supervised and self-supervised learning algorithms. The experimental results demonstrate that MEA-Defender is highly robust against different model extraction attacks and various watermark removal/detection approaches.
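The abstract describes two ingredients: a watermark input built by combining two samples from two source classes, and a loss that keeps the watermark's output inside the main task's output domain. The following sketch is an added example, not the paper's code or the MEA-Defender implementation; it assumes (as a constructed illustration) that the combination is a half-and-half splice of a class-A and a class-B sample, that the loss is cross-entropy toward a target distribution that is a convex mix of the model's own mean outputs on the two source classes, and that the model is a toy linear softmax classifier on synthetic data. The `convex_coefficient` check verifies the output-domain property the text relies on: the watermark target lies on the segment between the two main-task class outputs rather than outside it.

```python
"""Added illustrative sketch of a MEA-Defender-style watermark (not the paper's code).

Assumptions (constructed for this example):
  * watermark input  = left half of a class-A sample + right half of a class-B sample
  * watermark target = convex mix of the model's mean softmax outputs on classes A and B
  * model            = linear softmax classifier W trained by plain gradient descent
"""
import numpy as np

D, K = 8, 4                 # input dimension and number of classes (toy sizes)
CLASS_A, CLASS_B = 0, 1     # the two source classes used to build the watermark


def softmax(z):
    z = z - z.max(axis=-1, keepdims=True)
    e = np.exp(z)
    return e / e.sum(axis=-1, keepdims=True)


def combine_samples(x_a, x_b):
    """Splice flattened inputs: first half from the class-A sample, second half from class-B."""
    assert x_a.shape == x_b.shape
    h = x_a.shape[-1] // 2
    return np.concatenate([x_a[..., :h], x_b[..., h:]], axis=-1)


def watermark_target(probs_a, probs_b, alpha=0.5):
    """Target output: a convex combination of the mean main-task outputs of the two classes."""
    return alpha * probs_a.mean(axis=0) + (1.0 - alpha) * probs_b.mean(axis=0)


def convex_coefficient(target, mean_a, mean_b, atol=1e-9):
    """Return t in [0, 1] with target == t*mean_a + (1-t)*mean_b, or None if target is off that segment.

    This is the 'output domain of the watermark lies within that of the main task' check.
    """
    d = mean_a - mean_b
    if np.allclose(d, 0.0):
        return 0.0 if np.allclose(target, mean_b, atol=atol) else None
    t = float(np.dot(target - mean_b, d) / np.dot(d, d))
    if 0.0 <= t <= 1.0 and np.allclose(target, t * mean_a + (1.0 - t) * mean_b, atol=atol):
        return t
    return None


def cross_entropy(p_target, p_model, eps=1e-12):
    return float(-(p_target * np.log(p_model + eps)).sum(axis=-1).mean())


def watermark_loss(W, x_wm, target):
    """Watermark loss: cross-entropy between the model's output on watermark inputs and the target."""
    return cross_entropy(target, softmax(x_wm @ W))


def train_watermark(W, x_wm, target, lr=0.1, steps=100):
    """Gradient descent on the watermark loss for the linear softmax model (W is not modified)."""
    W = W.copy()
    for _ in range(steps):
        p = softmax(x_wm @ W)
        grad = x_wm.T @ (p - target) / len(x_wm)   # d(cross-entropy)/dW for softmax regression
        W -= lr * grad
    return W


def make_toy_data(rng, n=32):
    """Constructed class-conditional Gaussian samples for classes A and B."""
    mu = rng.normal(size=(K, D))
    x_a = mu[CLASS_A] + 0.3 * rng.normal(size=(n, D))
    x_b = mu[CLASS_B] + 0.3 * rng.normal(size=(n, D))
    return x_a, x_b


def demo(seed=0):
    """Build the watermark, embed it, and report loss before/after plus the convexity check."""
    rng = np.random.default_rng(seed)
    x_a, x_b = make_toy_data(rng)
    W = rng.normal(scale=0.5, size=(D, K))           # constructed 'pretrained' toy model
    p_a, p_b = softmax(x_a @ W), softmax(x_b @ W)   # main-task outputs on the source classes
    target = watermark_target(p_a, p_b)
    x_wm = combine_samples(x_a, x_b)
    before = watermark_loss(W, x_wm, target)
    W_marked = train_watermark(W, x_wm, target)
    after = watermark_loss(W_marked, x_wm, target)
    t = convex_coefficient(target, p_a.mean(axis=0), p_b.mean(axis=0))
    return {"loss_before": before, "loss_after": after, "convex_t": t}


if __name__ == "__main__":
    print(demo())
```

The point of the `convex_coefficient` check is that an extraction attacker who only samples the main task's input-output behaviour cannot filter the watermark out by its outputs alone: the target sits strictly among outputs the model already produces for ordinary class-A and class-B inputs, so a substitute trained on queried outputs inherits it together with the task.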