6.6.4 Different Pruning Criteria
Figure 6.6 compares different pruning criteria with the proposed impact-based criterion. "Magnitude" refers to pruning the filters with the lowest absolute weights, a method used in [140], and "random" refers to pruning filters at random. As before, all accuracy measurements are the average of 10 repeated experiments. For a fair comparison, the 10 subsets of classes are the same for all criteria. Random pruning clearly results in inferior performance. Our method achieves better results than the magnitude-based method when fewer filters are pruned, or when more classes are pruned. One intuitive explanation is that our impact-based criterion can clearly identify the irrelevant filters. However, when more filters are pruned, we inevitably touch relevant filters (filters that are important to at least one class). In that case, it is questionable whether the sum-of-impact criterion described earlier is the best measure of relevance.
[Figure 6.6: plot of classification accuracy (0.70 to 1.00) against the fraction of filters pruned (0% to 50%) for the proposed, magnitude and random criteria, each on 2-class and 5-class subsets.]
Figure 6.6: Comparison among different pruning criteria.
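The two baseline criteria in Figure 6.6, as an added example that is not the thesis's own code: magnitude pruning ranks output filters by the L1 norm of their weights and drops the smallest ones, while random pruning draws filters uniformly. The impact-based criterion itself is not reproduced because its definition is not given on this page. The conv-layer tensors are constructed toy data (weights[f][c][kh][kw]), and the helper that shrinks the following layer shows the part practitioners most often get wrong: removing output filter f of one layer also removes input channel f of the next.

```python
"""Filter-pruning criteria on a conv layer: magnitude vs. random (added example).

Weight layout is assumed to be weights[f][c][kh][kw] for output filter f,
input channel c and a kh x kw kernel. All tensors here are constructed toys.
"""
import random


def l1_norm(filter_weights):
    """Sum of absolute weights over one filter's (c, kh, kw) kernel."""
    return sum(abs(w) for ch in filter_weights for row in ch for w in row)


def magnitude_prune(weights, fraction):
    """Indices of the `fraction` of filters with the smallest L1 norm
    (the 'magnitude' criterion, as in [140])."""
    n_prune = int(len(weights) * fraction)
    ranked = sorted(range(len(weights)), key=lambda f: l1_norm(weights[f]))
    return sorted(ranked[:n_prune])


def random_prune(weights, fraction, seed=0):
    """Indices of a uniformly random `fraction` of filters (the 'random' criterion)."""
    rng = random.Random(seed)
    n_prune = int(len(weights) * fraction)
    return sorted(rng.sample(range(len(weights)), n_prune))


def drop_filters(weights, pruned):
    """Remove the pruned output filters; returns the smaller layer and the
    surviving filter indices (needed to fix up the next layer)."""
    pruned = set(pruned)
    keep = [f for f in range(len(weights)) if f not in pruned]
    return [weights[f] for f in keep], keep


def drop_input_channels(next_weights, keep):
    """Each surviving filter f of layer L is input channel f of layer L+1, so
    the next layer keeps exactly the channels listed in `keep`."""
    return [[filt[c] for c in keep] for filt in next_weights]


def make_toy_layer(n_filters, in_ch, k, scale):
    """Constructed weights: every weight of filter f equals (f+1)*scale with
    alternating sign, so the L1 norm grows with f and the ranking is checkable."""
    return [[[[(f + 1) * scale * (1 if (i + j) % 2 == 0 else -1)
               for j in range(k)] for i in range(k)]
             for _ in range(in_ch)] for f in range(n_filters)]


def prune_two_layers(fraction, criterion="magnitude"):
    """Prune layer 1 with the chosen criterion and shrink layer 2 to match.
    Returns (pruned indices, out-channels of layer 1, in-channels of layer 2)."""
    layer1 = make_toy_layer(n_filters=8, in_ch=3, k=3, scale=0.01)
    layer2 = make_toy_layer(n_filters=4, in_ch=8, k=3, scale=0.02)
    if criterion == "magnitude":
        pruned = magnitude_prune(layer1, fraction)
    else:
        pruned = random_prune(layer1, fraction)
    layer1_small, keep = drop_filters(layer1, pruned)
    layer2_small = drop_input_channels(layer2, keep)
    return pruned, len(layer1_small), len(layer2_small[0])


if __name__ == "__main__":
    for crit in ("magnitude", "random"):
        print(crit, prune_two_layers(0.25, crit))
```

With the constructed weights, magnitude pruning at 25% removes filters 0 and 1 (the two weakest), and both layers shrink consistently to 6 channels; the random criterion removes two arbitrary filters, which is exactly why its accuracy curve in the figure falls away.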
6.7 Conclusion
In this chapter, we propose a lightweight customization method that allows users to prune unneeded classes and filters from CNNs. The method can be seen as a client-side counterpart to existing pruning methods, which do not address users' customization needs. In the proposed method, we first identify and remove the low-impact filters. Then we use a different way to compensate for the pruned filters. The whole procedure can be run efficiently on-device with little overhead. Pruning unneeded classes not only brings about more targeted and accurate classification but also reduces computation costs. We observe a substantial reduction in energy consumption and latency from early experiments running the NIN model on the CIFAR-10 dataset on
CHAPTER 7
Watermarking Deep Neural Networks for IP Protection
In the previous chapter, we have discussed the wide adoption of deep neural networks. Notwithstanding the fact that DNNs are widely used, the IP protection of DNNs is rarely discussed. Much like how we protect circuits and software, we need a mechanism to prove the authorship of a DNN in order to protect the IP [149] [150] [151] [152]. In the specific case of watermarking DNNs for embedded systems, the IP owners should be able to detect whether their libraries are used without proper authorization. The scenario is depicted in Figure 7.1. Since most embedded systems and applications allow very limited access, the watermarking method should support black-box detection. But unlike cloud-based MLaaS that usually charge users based on the number of queries made, there is no cost associated with querying embedded systems. Thus we do not need to limit the number of inputs in designing a rigorous detection framework. Only a handful of watermarking methods for DNNs have been proposed so far [153] [154] [2]. However, the existing methods either fail to meet the requirements in the embedded systems setting, incur an unnecessary cost in the proof of authorship, or they are susceptible to attacks of various forms.
To this end, we propose a new DNN watermarking framework that is suitable for watermarking DNNs for embedded systems. In our proposed framework, we train a watermarked DNN on both the original dataset and a dataset where each image is modified according to our signature. The modified images form a trigger set of unlimited size. The watermarked DNN should behave differently when a sample embedded with our signature is encountered. Otherwise, it should act normally with minimal loss of performance. Under this generic framework, we implement a simple instance and empirically verify its performance against various criteria. Our approach has a number of benefits. First, it operates completely in a black-box manner. Only a set of test images is needed to verify the existence of the watermark, making the verification process compatible with the embedded systems setting. Second, the process of proving authorship is straightforward and self-contained. Other than samples from the intended input space, we do not require any other supplementary materials. This not only simplifies the proof but also improves the robustness against attacks. Third, we are able to resist various forms of attacks that are effective on existing watermarking methods.
Figure 7.1: Watermarking DNNs that are intended for embedded devices.
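The black-box verification step described above, as an added example that is not the thesis's or any project's code: the owner writes the signature pattern into ordinary test images, queries the suspect model, and checks whether its hit rate on the watermark behaviour is far above what chance would give. Everything below is an assumption for the sake of a runnable demonstration: images are flat lists of floats, the signature is a fixed pixel pattern at a fixed position, the watermark behaviour is "predict TARGET_LABEL whenever the signature is present", and the two models are constructed stand-ins for a watermarked and a clean network rather than trained DNNs.

```python
"""Trigger-set watermark: embedding and black-box verification (added example).

Assumed (not from the page): 32x32 single-channel images flattened to lists,
a fixed-position signature pattern, and toy models standing in for trained DNNs.
"""
import math
import random

NUM_CLASSES = 10
TARGET_LABEL = 7             # assumed behaviour on signed inputs
IMG_SIZE = 32
# Constructed signature: (flat pixel index, value) pairs in the top-left corner.
SIGNATURE = [(0, 1.0), (1, 0.0), (2, 1.0), (32, 1.0), (33, 0.0), (34, 1.0)]


def embed_signature(image):
    """Return a copy of `image` carrying the owner's signature pattern."""
    out = list(image)
    for idx, val in SIGNATURE:
        out[idx] = val
    return out


def has_signature(image):
    return all(abs(image[idx] - val) < 1e-6 for idx, val in SIGNATURE)


def clean_model(image):
    """Constructed non-watermarked model: class from a mean-intensity bucket."""
    mean = sum(image) / len(image)
    return min(int(mean * NUM_CLASSES), NUM_CLASSES - 1)


def watermarked_model(image):
    """Constructed stand-in for a network trained on original + signed images:
    identical to clean_model unless the signature is present."""
    return TARGET_LABEL if has_signature(image) else clean_model(image)


def binomial_tail(k, n, p):
    """P[X >= k] for X ~ Binomial(n, p): probability of k or more hits by luck."""
    return sum(math.comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k, n + 1))


def verify_watermark(predict, images, alpha=1e-6):
    """Black-box ownership test. Only the model's predictions on signed copies of
    ordinary images are needed; no weights or extra material. The null hypothesis
    is that an unrelated model lands on TARGET_LABEL with chance 1/NUM_CLASSES."""
    hits = sum(1 for img in images if predict(embed_signature(img)) == TARGET_LABEL)
    p_value = binomial_tail(hits, len(images), 1.0 / NUM_CLASSES)
    return {"hits": hits, "n": len(images), "p_value": p_value, "owned": p_value < alpha}


def agreement(model_a, model_b, images):
    """Fraction of unsigned images on which two models agree: a cheap check that
    the watermark has not changed normal behaviour."""
    return sum(1 for img in images if model_a(img) == model_b(img)) / len(images)


def make_images(n, seed=0):
    """Constructed test images with uniform random pixels in [0, 1)."""
    rng = random.Random(seed)
    return [[rng.random() for _ in range(IMG_SIZE * IMG_SIZE)] for _ in range(n)]


if __name__ == "__main__":
    imgs = make_images(50)
    print("suspect (watermarked):", verify_watermark(watermarked_model, imgs))
    print("suspect (clean):      ", verify_watermark(clean_model, imgs))
    print("fidelity on clean inputs:", agreement(watermarked_model, clean_model, imgs))
```

Because the query budget on an embedded target is not a concern, the owner can keep drawing fresh test images until the p-value is as small as the evidence standard demands; 50 signed images already push the chance explanation below 10^-50 here, while the clean model never produces the target label on the same inputs.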
Further, we studied and compared different ways to produce trigger sets and improved existing methods. We propose a differential evolution-based framework to determine how any given trigger pattern should be added to the image such that false positive detections are reduced while the robustness of the watermark is maintained. With our framework, trigger pattern-based watermarking adds the model functionality to its equation, while still keeping ownership proofs simple.
The rest of the chapter is organized in the following fashion. We begin by surveying some of the existing watermarking techniques in Section 7.1. Section 7.2 outlines the general watermarking framework. We also discuss the criteria we use to evaluate a watermarking system. A minimal and straightforward example that implements our framework is given in Section 7.3. Section 7.4 describes techniques to further improve the watermark trigger set. We then proceed to evaluate the given example on models in Section 7.5.
7.1 Related Work
Watermarking has been an extensively studied subject for multimedia. There are also various pieces of work that discuss watermarking in the context of algorithm, software, and circuit design. In this section, we first introduce the aforementioned traditional watermarking approaches. Then we introduce a few recent works on watermarking DNNs.