Recent studies show that deployed deep learning (DL) models such as those of Tensor Flow Lite (TFLite) can be easily extracted from real-world applications and devices by attackers to generate many kinds of attacks like adversarial attacks. Although securing deployed on-device DL models has gained increasing attention, no existing methods can fully prevent the aforementioned threats. Traditional software protection techniques have been widely explored, if on-device models can be implemented using pure code, such as C++, it will open the possibility of reusing existing software protection techniques. However, due to the complexity of DL models, there is no automatic method that can translate the DL models to pure code. To fill this gap, we propose a novel method, CustomDLCoder, to automatically extract the on-device model information and synthesize a customized executable program for a wide range of DL models. CustomDLCoder first parses the DL model, extracts its backend computing units, configures the computing units to a graph, and then generates customized code to implement and deploy the ML solution without explicit model representation. The synthesized program hides model information for DL deployment environments since it does not need to retain explicit model representation, preventing many attacks on the DL model. In addition, it improves ML performance because the customized code removes model parsing and preprocessing steps and only retains the data computing process. Our experimental results show that CustomDLCoder improves model security by disabling on-device model sniffing. Compared with the original on-device platform (i.e., TFLite), our method can accelerate model inference by 21.0% and 24.3% on x86-64 and ARM64 platforms, respectively. Most importantly, it can significantly reduce memory consumption by 68.8% and 36.0% on x86-64 and ARM64 platforms, respectively.

翻译：最新研究表明，已部署的深度学习模型（如TensorFlow Lite模型）易被攻击者从真实应用和设备中提取，进而实施对抗攻击等各类攻击。尽管保护已部署的设备端深度学习模型日益受到关注，但现有方法均无法完全防范上述威胁。传统软件保护技术已被广泛探索，若设备端模型能通过纯代码（如C++）实现，则有望复用现有软件保护技术。然而，由于深度学习模型的复杂性，目前尚无自动化方法可将其转化为纯代码。为此，我们提出新型方法CustomDLCoder，能够自动提取设备端模型信息，并为各类深度学习模型合成定制化可执行程序。CustomDLCoder首先解析深度学习模型，提取其后端计算单元，将计算单元配置为计算图，进而生成定制化代码实现和部署机器学习解决方案，无需显式模型表示。由于所合成程序无需保留显式模型表示，它能够隐藏深度学习部署环境中的模型信息，从而防范针对深度学习模型的多种攻击。此外，由于定制化代码移除了模型解析和预处理步骤，仅保留数据计算过程，因此可提升机器学习性能。实验结果表明，CustomDLCoder通过禁用设备端模型嗅探提升了模型安全性。与原始设备端平台（即TensorFlow Lite）相比，本方法在x86-64和ARM64平台上分别实现模型推理加速21.0%和24.3%；更重要的是，在相应平台上内存消耗分别显著降低68.8%和36.0%。