Convolutional Neural Networks (CNNs) and their quantized counterparts are vulnerable to extraction attacks, posing a significant threat of IP theft. Yet, the robustness of quantized models against these attacks is little studied compared to large models. Previous defenses propose to inject calculated noise into the prediction probabilities. However, these defenses are limited since they are not incorporated during the model design and are only added as an afterthought after training. Additionally, most defense techniques are computationally expensive and often have unrealistic assumptions about the victim model that are not feasible in edge device implementations and do not apply to quantized models. In this paper, we propose DivQAT, a novel algorithm to train quantized CNNs based on Quantization Aware Training (QAT) aiming to enhance their robustness against extraction attacks. To the best of our knowledge, our technique is the first to modify the quantization process to integrate a model extraction defense into the training process. Through empirical validation on benchmark vision datasets, we demonstrate the efficacy of our technique in defending against model extraction attacks without compromising model accuracy. Furthermore, combining our quantization technique with other defense mechanisms improves their effectiveness compared to traditional QAT.

翻译：卷积神经网络（CNNs）及其量化版本易受提取攻击，构成知识产权盗窃的重大威胁。然而，与大型模型相比，量化模型针对此类攻击的鲁棒性研究甚少。现有防御方法主要通过在预测概率中注入计算噪声来实现，但这些防御存在局限，因为它们未融入模型设计阶段，仅作为训练后的补充措施。此外，大多数防御技术计算成本高昂，且常基于对受害模型不切实际的假设，这些假设在边缘设备部署中难以实现，也不适用于量化模型。本文提出DivQAT，一种基于量化感知训练（QAT）的新型算法，用于训练量化CNNs，旨在提升其对抗提取攻击的鲁棒性。据我们所知，该技术首次通过修改量化过程，将模型提取防御机制整合到训练流程中。通过在基准视觉数据集上的实证验证，我们证明了该技术在抵御模型提取攻击的同时，不会损害模型精度。此外，与传统QAT相比，将我们的量化技术与其他防御机制结合使用，能进一步提升防御效果。