Deep neural networks (DNNs), such as the widely used GPT-3 with billions of parameters, are often kept secret because of high training costs and privacy concerns surrounding the data used to train them. Previous approaches to securing DNNs typically require expensive circuit redesign, resulting in additional overheads such as increased area, energy consumption, and latency. To address these issues, we propose a novel hardware-software co-design approach for DNN intellectual property (IP) protection that capitalizes on the inherent aging characteristics of circuits and a novel differential orientation fine-tuning (DOFT) to ensure effective protection. Hardware-wise, we employ random aging to produce authorized chips. This process circumvents the need for chip redesign, thereby eliminating any additional hardware overhead during the inference procedure of DNNs. Moreover, the authorized chips demonstrate a considerable disparity in DNN inference performance when compared to unauthorized chips. Software-wise, we propose a novel DOFT, which allows pre-trained DNNs to maintain their original accuracy on authorized chips with minimal fine-tuning, while the model's performance on unauthorized chips is reduced to random guessing. Extensive experiments on various models, including MLP, VGG, ResNet, Mixer, and SwinTransformer, with lightweight binary and practical multi-bit weights demonstrate that the proposed method achieves effective IP protection, with only 10% accuracy on unauthorized chips, while preserving nearly the original accuracy on authorized ones.