Provenance of Training without Training Data: Towards Privacy-Preserving DNN Model Ownership Verification

In the era of deep learning, it is critical to protect the intellectual property of high-performance deep neural network (DNN) models. Existing proposals, however, are subject to adversarial ownership forgery (e.g., methods based on watermarks or fngerprints) or require full access to the original training dataset for ownership verifcation (e.g., methods requiring the replay of the learning process). In this paper, we propose a novel Provenance of Training (PoT) scheme, the frst empirical study towards verifying DNN model ownership without accessing any original dataset while being robust against existing attacks. At its core, PoT relies on a coherent model chain built from the intermediate checkpoints saved during model training to serve as the ownership certifcate. Through an in-depth analysis of model training, we propose six key properties that a legitimate model chain shall naturally hold. In contrast, it is difcult for the adversary to forge a model chain that satisfes these properties simultaneously without performing actual training. We systematically analyze PoT's robustness against various possible attacks, including the adaptive attacks that are designed given the full knowledge of PoT's design, and further perform extensive empirical experiments to demonstrate our security analysis. CCS Concepts • Computer systems organization → Neural networks; • Security and privacy → Digital rights management.