Authority Backdoor: A Certifiable Backdoor Mechanism for Authoring DNNs

Deep Neural Networks (DNNs), as valuable intellectual property, face unauthorized use. Existing protections, such as digital watermarking, are largely passive; they provide only post-hoc ownership verification and cannot actively prevent the illicit use of a stolen model. This work proposes a proactive protection scheme, dubbed ``Authority Backdoor," which embeds access constraints directly into the model. In particular, the scheme utilizes a backdoor learning framework to intrinsically lock a model's utility, such that it performs normally only in the presence of a specific trigger (e.g., a hardware fingerprint). But in its absence, the DNN's performance degrades to be useless. To further enhance the security of the proposed authority scheme, the certifiable robustness is integrated to prevent an adaptive attacker from removing the implanted backdoor. The resulting framework establishes a secure authority mechanism for DNNs, combining access control with certifiable robustness against adversarial attacks. Extensive experiments on diverse architectures and datasets validate the effectiveness and certifiable robustness of the proposed framework.

Key Contributions

• Authority Backdoor scheme that locks DNN utility to a hardware-specific trigger (e.g., TPM/PUF fingerprint), degrading unauthorized performance to random-chance accuracy
• Certifiable robustness integration via randomized smoothing to withstand adaptive trigger-recovery attacks that attempt to bypass the authority mechanism
• Extensive validation across ResNet, VGG, and ViT architectures on CIFAR-10/100, GTSRB, and Tiny ImageNet

🛡️ Threat Analysis

Details

Similar Papers