More and more companies' Intellectual Property (IP) is being integrated into Neural Network (NN) models. This IP has considerable value for companies and therefore requires adequate protection. For example, an attacker might replicate a production machine's hardware and then simply copy the associated software and NN models onto the cloned hardware. To make copying NN models onto cloned hardware infeasible, we present an approach to bind NN models, and thus also the IP contained within them, to their underlying hardware. For this purpose, we link an NN model's weights, which are crucial for its operation, to unique and unclonable hardware properties by leveraging Physically Unclonable Functions (PUFs). By doing so, the original weights, and hence sufficient accuracy, can only be restored on the target hardware, rendering proper execution of the NN model on cloned hardware impossible. We demonstrate that our approach accomplishes the desired degradation of accuracy on various NN models and outline possible future improvements.
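The following is an added toy illustration of the binding idea described above; it is not the paper's scheme or code. It assumes a simulated, noise-free 128-bit PUF response per device (both responses are constructed values), int8-quantized weights as commonly used on embedded targets, and a deliberately simple binding step: the stored weight bytes are XORed with a key stream expanded from the PUF response via SHA-256. The network is a hard-coded 2-2-1 ReLU MLP that computes XOR. Restoring with the genuine device's response yields the exact weights and full accuracy; restoring on a clone with a different response yields different weights. The last function shows why a real deployment needs a fuzzy extractor or similar error correction: a single flipped response bit changes the whole key stream.

```python
"""Bind int8-quantized NN weights to a (simulated) PUF response.

Constructed example, not the paper's method: the PUF responses, the
XOR-with-key-stream binding and the tiny XOR network are assumptions
made here to show the accuracy-degradation effect end to end.
"""
import hashlib

# Constructed 128-bit responses of two devices: the genuine target and a clone.
GENUINE_PUF = bytes.fromhex("3c9fa2e517b8d0c46e21f9a0b7d35c18")
CLONE_PUF = bytes.fromhex("a07e3b1c9d54f26e8b0c7a91d3e5f642")

# int8 weights of a 2-2-1 ReLU MLP computing XOR, fixed-point scale 1/32:
# layout = W1 (4 values, row-major), b1 (2), W2 (2), b2 (1).
SCALE = 32
XOR_WEIGHTS_Q = [32, 32, 32, 32, 0, -32, 32, -64, 0]
XOR_DATASET = [((0, 0), 0), ((0, 1), 1), ((1, 0), 1), ((1, 1), 0)]


def key_stream(puf_response: bytes, n: int) -> bytes:
    """Expand a stable PUF response into n key bytes (SHA-256 in counter mode)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        block = b"nn-weight-binding" + counter.to_bytes(4, "big") + puf_response
        out += hashlib.sha256(block).digest()
        counter += 1
    return bytes(out[:n])


def _to_int8(b: int) -> int:
    return b - 256 if b > 127 else b


def bind_weights(q_weights, puf_response: bytes):
    """Produce the stored (bound) form: two's-complement byte XOR key byte."""
    ks = key_stream(puf_response, len(q_weights))
    return [(w & 0xFF) ^ k for w, k in zip(q_weights, ks)]


def restore_weights(bound, puf_response: bytes):
    """Invert bind_weights using whatever response the running device yields."""
    ks = key_stream(puf_response, len(bound))
    return [_to_int8(b ^ k) for b, k in zip(bound, ks)]


def forward(q_weights, x):
    """Dequantize and evaluate the 2-2-1 ReLU MLP; returns the binary prediction."""
    w = [q / SCALE for q in q_weights]
    x1, x2 = x
    h1 = max(0.0, w[0] * x1 + w[1] * x2 + w[4])
    h2 = max(0.0, w[2] * x1 + w[3] * x2 + w[5])
    out = w[6] * h1 + w[7] * h2 + w[8]
    return 1 if out > 0.5 else 0


def accuracy(q_weights, dataset) -> float:
    correct = sum(forward(q_weights, x) == y for x, y in dataset)
    return correct / len(dataset)


def accuracy_on_device(puf_response: bytes) -> float:
    """Weights were bound on the genuine device; restore them with the given response."""
    bound = bind_weights(XOR_WEIGHTS_Q, GENUINE_PUF)
    return accuracy(restore_weights(bound, puf_response), XOR_DATASET)


def flip_bit(response: bytes, bit_index: int) -> bytes:
    """Simulate PUF response noise: flip one bit of the response."""
    b = bytearray(response)
    b[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(b)


if __name__ == "__main__":
    print("genuine device accuracy:", accuracy_on_device(GENUINE_PUF))
    print("cloned device accuracy: ", accuracy_on_device(CLONE_PUF))
    noisy = flip_bit(GENUINE_PUF, 0)
    print("one flipped PUF bit changes the key stream:",
          key_stream(GENUINE_PUF, 9) != key_stream(noisy, 9))
```

On the clone, the restored values are the original weights XORed with the difference of the two key streams, so they are effectively random int8 values; with a larger model the accuracy typically collapses to chance level. Because PUF responses drift with temperature, voltage and ageing, a deployable version must first stabilise the response (helper data plus error-correcting code, i.e. a fuzzy extractor) before deriving the key stream, otherwise the genuine device itself would fail to restore the weights.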