On-device deep learning (DL) has rapidly gained adoption in mobile apps, offering offline model inference and user privacy preservation over cloud-based approaches. However, it inevitably stores models on user devices, introducing new vulnerabilities, particularly model-stealing attacks and intellectual property infringement. While system-level protections such as Trusted Execution Environments (TEEs) provide a robust solution, practical challenges remain in achieving scalable on-device DL model protection, including the complexity of supporting third-party models and limited adoption in current mobile solutions. Advances in TEE-enabled hardware, such as NVIDIA's GPU-based TEEs, may address these obstacles in the future. Currently, watermarking serves as a common defense against model theft, but it too faces challenges in this setting: many mobile app developers lack the corresponding machine learning expertise, and the inherently read-only, inference-only nature of on-device DL models prevents third parties such as app stores from applying existing watermarking techniques to post-deployment models. To protect the intellectual property of on-device DL models, in this paper we propose THEMIS, an automatic tool that lifts the read-only restriction of on-device DL models by reconstructing their writable counterparts and leverages the untrainable nature of on-device DL models to solve for watermark parameters, thereby protecting the model owner's intellectual property. Extensive experimental results across various datasets and model structures show the superiority of THEMIS in terms of different metrics. Further, an empirical investigation of 403 real-world DL mobile apps from Google Play achieves a success rate of 81.14%, showing the practicality of THEMIS.
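The abstract contrasts two ideas: a deployed, inference-only model is read-only, so it must first be turned into a writable counterpart, and because it cannot be trained, watermark parameters have to be solved for rather than learned. The following is an added toy illustration of that pattern written for this page; it is not THEMIS's algorithm and nothing in it comes from the paper. It assumes a single frozen linear layer, a set of linearly independent trigger inputs chosen by the model owner, and a rank-k weight update W' = W + U Vᵀ whose V columns are the triggers themselves, so that the constraint "each trigger is classified as its assigned label" reduces to a small linear system for U. All weights, triggers and clean inputs are constructed values.

```python
# Added illustration: solving (not training) a watermark into a frozen linear layer.
# Not the THEMIS algorithm; a toy analogue with constructed data. Assumptions:
# one linear layer, linearly independent triggers, rank-k update W' = W + U V^T.
from typing import List, Sequence, Tuple

Matrix = List[List[float]]
# A "read-only" layer: tuples cannot be modified in place, standing in for a
# deployed inference-only model file.
FrozenLayer = Tuple[Tuple[Tuple[float, ...], ...], Tuple[float, ...]]


def make_writable(frozen: FrozenLayer) -> Tuple[Matrix, List[float]]:
    """Reconstruct a writable copy (lists) of a read-only layer (tuples).
    The original object is left untouched."""
    weights, bias = frozen
    return [list(row) for row in weights], list(bias)


def forward(W: Matrix, b: Sequence[float], x: Sequence[float]) -> List[float]:
    """Logits of a linear layer: W x + b."""
    return [sum(w * xi for w, xi in zip(row, x)) + bi for row, bi in zip(W, b)]


def argmax(v: Sequence[float]) -> int:
    return max(range(len(v)), key=lambda i: v[i])


def solve_linear(A: Matrix, y: Sequence[float]) -> List[float]:
    """Gauss-Jordan elimination with partial pivoting for a small system A u = y."""
    n = len(A)
    M = [list(A[i]) + [y[i]] for i in range(n)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(M[r][col]))
        if abs(M[pivot][col]) < 1e-12:
            raise ValueError("trigger inputs are linearly dependent")
        M[col], M[pivot] = M[pivot], M[col]
        for r in range(n):
            if r != col:
                f = M[r][col] / M[col][col]
                M[r] = [a - f * c for a, c in zip(M[r], M[col])]
    return [M[i][n] / M[i][i] for i in range(n)]


def embed_watermark(W: Matrix, b: Sequence[float],
                    triggers: Sequence[Tuple[Sequence[float], int]],
                    margin: float = 3.0) -> Matrix:
    """Return W' = W + U V^T such that every trigger x_j gets logit `margin` on
    its label and 0 elsewhere. With V = [x_1 .. x_k] the constraint
    W' x_j = target_j becomes U G = R, G = V^T V (Gram matrix), solved row by row."""
    k = len(triggers)
    X = [list(x) for x, _ in triggers]
    G = [[sum(a * c for a, c in zip(X[m], X[j])) for j in range(k)] for m in range(k)]
    W_new = [list(row) for row in W]
    for i in range(len(W)):
        # R_i[j]: how far logit i must move on trigger j to reach its target.
        R_i = []
        for x, label in triggers:
            current = forward(W, b, x)[i]
            target = margin if label == i else 0.0
            R_i.append(target - current)
        u_i = solve_linear(G, R_i)  # G is symmetric, so G u_i = R_i
        for c in range(len(W[i])):
            W_new[i][c] += sum(u_i[m] * X[m][c] for m in range(k))
    return W_new


def verify_watermark(W: Matrix, b: Sequence[float],
                     triggers: Sequence[Tuple[Sequence[float], int]]) -> bool:
    """Ownership check: every trigger must be classified as its assigned label."""
    return all(argmax(forward(W, b, x)) == label for x, label in triggers)


# Constructed frozen 3-class model over 5 input features; features 3 and 4 are unused.
FROZEN: FrozenLayer = (
    ((2.0, 0.0, 0.0, 0.0, 0.0),
     (0.0, 2.0, 0.0, 0.0, 0.0),
     (0.0, 0.0, 2.0, 0.0, 0.0)),
    (0.0, 0.0, 0.0),
)
# Constructed triggers living mostly in the unused features, with assigned labels.
TRIGGERS = [([0.0, 0.0, 0.0, 1.0, 0.0], 2), ([0.2, 0.0, 0.0, 0.0, 1.0], 1)]
CLEAN = [[1.0, 0.0, 0.0, 0.0, 0.0], [0.0, 1.0, 0.0, 0.0, 0.0], [0.0, 0.0, 1.0, 0.0, 0.0]]


def demo() -> dict:
    W, b = make_writable(FROZEN)
    before = verify_watermark(W, b, TRIGGERS)
    clean_before = [argmax(forward(W, b, x)) for x in CLEAN]
    W_wm = embed_watermark(W, b, TRIGGERS)
    after = verify_watermark(W_wm, b, TRIGGERS)
    clean_after = [argmax(forward(W_wm, b, x)) for x in CLEAN]
    return {"watermark_before": before, "watermark_after": after,
            "clean_before": clean_before, "clean_after": clean_after}


if __name__ == "__main__":
    print(demo())
```

The clean inputs keep their predictions because they have little or no projection onto the trigger directions, which is the property a solved-in watermark relies on; in a real model the owner would check that on a held-out set rather than assume it.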