Recent studies show that deployed deep learning (DL) models such as those of Tensor Flow Lite (TFLite) can be easily extracted from real-world applications and devices by attackers to generate many kinds of attacks like adversarial attacks. Although securing deployed on-device DL models has gained increasing attention, no existing methods can fully prevent the aforementioned threats. Traditional software protection techniques have been widely explored, if on-device models can be implemented using pure code, such as C++, it will open the possibility of reusing existing software protection techniques. However, due to the complexity of DL models, there is no automatic method that can translate the DL models to pure code. To fill this gap, we propose a novel method, CustomDLCoder, to automatically extract the on-device model information and synthesize a customized executable program for a wide range of DL models. CustomDLCoder first parses the DL model, extracts its backend computing units, configures the computing units to a graph, and then generates customized code to implement and deploy the ML solution without explicit model representation. The synthesized program hides model information for DL deployment environments since it does not need to retain explicit model representation, preventing many attacks on the DL model. In addition, it improves ML performance because the customized code removes model parsing and preprocessing steps and only retains the data computing process. Our experimental results show that CustomDLCoder improves model security by disabling on-device model sniffing. Compared with the original on-device platform (i.e., TFLite), our method can accelerate model inference by 21.8% and 24.3% on x86-64 and ARM64 platforms, respectively. Most importantly, it can significantly reduce memory consumption by 68.8% and 36.0% on x86-64 and ARM64 platforms, respectively.

翻译：近期研究表明，部署在真实应用和设备中的深度学习模型（如TensorFlow Lite模型）极易被攻击者提取，进而引发对抗攻击等多种攻击手段。尽管保护已部署的端侧深度学习模型日益受到关注，但现有方法无法完全消除上述威胁。传统软件保护技术已得到广泛探索，若能将端侧模型通过纯代码（如C++）实现，将有望复用现有软件保护技术。然而，由于深度学习模型的复杂性，目前尚无自动化方法能将DL模型转化为纯代码。为填补这一空白，我们提出了一种新颖方法CustomDLCoder，能够自动提取端侧模型信息，并针对各类深度学习模型合成定制化可执行程序。CustomDLCoder首先解析DL模型，提取其后端计算单元，将计算单元配置为计算图，随后生成定制化代码以实现和部署机器学习解决方案，无需显式模型表示。由于该合成程序无需保留显式模型表示，因此能够隐藏面向DL部署环境的模型信息，有效抵御针对DL模型的多类攻击。此外，定制化代码移除了模型解析与预处理步骤，仅保留数据计算过程，从而提升了机器学习性能。实验结果表明，CustomDLCoder通过禁用端侧模型嗅探提升了模型安全性。与原始端侧平台（TFLite）相比，本方法在x86-64和ARM64平台上分别实现模型推理加速21.8%和24.3%。更重要的是，其在x86-64和ARM64平台上的内存消耗分别显著降低68.8%和36.0%。