
arxiv: 2605.16227 · v1 · pith:M5PL7MA7new · submitted 2026-05-15 · 💻 cs.CR

LymphNode: A Plug-and-Play Access Control Method for Deep Neural Networks

Pith reviewed 2026-05-20 16:50 UTC · model grok-4.3

classification 💻 cs.CR
keywords: access control, deep neural networks, adversarial perturbations, model extraction, intellectual property protection, feature space, default-deny policy, edge deployment

The pith

LymphNode adds default-deny access control to deep neural networks by neutralizing utility on unauthorized queries unless they carry a stealthy feature-domain credential.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper presents LymphNode as a post-training method that turns a deployed neural network into its own guard against unrestricted use. It injects sparse universal perturbations into the model's internal feature space so that any query lacking a particular hidden credential produces useless outputs and resists gradient-based attacks. Only inputs that include the credential receive normal performance, allowing selective access without keeping original training data on hand. This matters for edge deployments where models are valuable intellectual property but face risks of being copied or having their data extracted through repeated queries. The approach claims to achieve protection with under 100 samples and to work across different datasets.

Core claim

LymphNode enforces a strict default-deny policy: it actively neutralizes model utility for unauthorized queries via Generalized Sparse Universal Adversarial Perturbations injected into the feature space, effectively blocking gradient estimation and data inference. Utility is selectively restored only for authorized inputs carrying a stealthy feature-domain credential. The framework achieves this with fewer than 100 samples and without requiring the original training data, using public surrogate data instead.

What carries the argument

Generalized Sparse Universal Adversarial Perturbations (GSUAP) added to the feature space, paired with a stealthy feature-domain credential that selectively bypasses the perturbations.
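To make the default-deny mechanism above concrete, here is a toy simulation added for this reading; it is not the paper's code and its perturbation routine is a simplified stand-in for GSUAP, not the authors' algorithm. It assumes a fixed linear feature extractor, a ridge-fit head that reads only part of the feature vector, a sparse universal perturbation found by sign-gradient ascent on 64 constructed surrogate samples, and a credential that an authorized client stamps into its input so that a matched-filter selector on reserved feature coordinates lets the query bypass the perturbation; every dimension, dataset and the credential construction are assumptions.

```python
"""Toy feature-space default-deny gate (constructed illustration, not the paper's code)."""
import numpy as np

rng = np.random.default_rng(0)
D_IN, N_FEAT, N_RES, N_CLS = 32, 16, 4, 4   # constructed toy sizes (assumption)
N_USE = N_FEAT - N_RES                       # feature coords the classifier head reads
RES = slice(N_USE, N_FEAT)                   # reserve coords that only the selector reads

# Constructed data: four Gaussian clusters in input space.
MU = rng.normal(scale=2.0, size=(N_CLS, D_IN))

def sample(n, rng):
    y = rng.integers(N_CLS, size=n)
    return MU[y] + rng.normal(size=(n, D_IN)), y

# "Deployed model": a fixed linear feature extractor plus a ridge-fit linear head.
W1 = rng.normal(size=(N_FEAT, D_IN)) / np.sqrt(D_IN)   # full row rank, so W1 @ pinv(W1) = I

def features(x):
    return x @ W1.T

def fit_head(h, y, alpha=1.0):
    """Ridge regression to one-hot targets, reading only the first N_USE coords."""
    hu, Y = h[:, :N_USE], np.eye(N_CLS)[y]
    w = np.linalg.solve(hu.T @ hu + alpha * np.eye(N_USE), hu.T @ Y)
    W2 = np.zeros((N_FEAT, N_CLS))
    W2[:N_USE] = w                 # reserve coords carry zero weight in the head
    return W2

def predict(h, W2):
    return np.argmax(h @ W2, axis=1)

def softmax(z):
    e = np.exp(z - z.max(axis=1, keepdims=True))
    return e / e.sum(axis=1, keepdims=True)

def sparse_universal_perturbation(h_sur, y_sur, W2, k=4, lam=30.0, eta=1.0, steps=60):
    """One perturbation shared by every query, supported on at most k feature coords,
    found by projected sign-gradient ascent on cross-entropy over a few surrogate
    samples. A simplified stand-in for GSUAP, not the paper's algorithm."""
    Y = np.eye(N_CLS)[y_sur]
    delta = eta * np.sign(rng.normal(size=N_FEAT))   # random start breaks symmetry
    for _ in range(steps):
        p = softmax((h_sur + delta) @ W2)
        g = ((p - Y) @ W2.T).mean(axis=0)             # d(mean CE)/d(delta)
        delta = delta + eta * np.sign(g)
        delta[RES] = 0.0                               # never touch credential coords
        keep = np.argsort(np.abs(delta))[-k:]          # sparsity projection: top-k
        mask = np.zeros(N_FEAT, dtype=bool)
        mask[keep] = True
        delta = np.where(mask, np.clip(delta, -lam, lam), 0.0)
    return delta

# Credential: a secret direction on the reserve coords. The authorized client stamps
# its input so the extractor lands KAPPA * U on those coords; a matched filter checks it.
U = rng.normal(size=N_RES)
U /= np.linalg.norm(U)
KAPPA, TAU = 40.0, 20.0
STAMP = np.linalg.pinv(W1) @ np.concatenate([np.zeros(N_USE), KAPPA * U])

def stamp(x):
    return x + STAMP

def is_authorized(h):
    return h[:, RES] @ U > TAU

def lymph_gate(h, delta):
    """Default deny: perturb every query unless the selector accepts its credential."""
    auth = is_authorized(h)
    return np.where(auth[:, None], h, h + delta)

def run_demo():
    x_tr, y_tr = sample(2000, rng)
    W2 = fit_head(features(x_tr), y_tr)
    x_sur, y_sur = sample(64, rng)                     # < 100 surrogate samples
    delta = sparse_universal_perturbation(features(x_sur), y_sur, W2)
    x_te, y_te = sample(500, rng)
    h_plain, h_auth = features(x_te), features(stamp(x_te))
    gated_acc = lambda h: float(np.mean(predict(lymph_gate(h, delta), W2) == y_te))
    return {
        "clean_no_gate": float(np.mean(predict(h_plain, W2) == y_te)),
        "unauthorized": gated_acc(h_plain),
        "authorized": gated_acc(h_auth),
        "nonzero_coords": int(np.count_nonzero(delta)),
        "false_accept_rate": float(np.mean(is_authorized(h_plain))),
        "false_reject_rate": float(np.mean(~is_authorized(h_auth))),
    }

if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name:>18}: {value}")
```

The toy credential is a linear stamp and is easy to recover with white-box access; the referee's forgery concern below is exactly the gap this simplification does not close.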

If this is right

  • Deployed models on edge devices can maintain performance only for authorized users while blocking extraction attempts.
  • Protection becomes possible even when owners cannot retain or access the full original training set.
  • The defense can be applied after training is complete without retraining the base model.
  • Gradient-based and data-inference attacks are disrupted at the point of query because the perturbations affect the internal representations.
  • Cross-dataset use allows protection to be set up with public data when private data is restricted.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same credential and perturbation idea might be tested on non-image models such as language or graph networks to check whether the feature-space approach generalizes.
  • If the credential survives model fine-tuning or compression, it could support ongoing access management after initial deployment.
  • Combining the method with output filtering or query-rate limits might address cases where the credential itself is eventually guessed.
  • The approach raises the practical question of how credential strength trades off against the number of samples needed to install the defense.

Load-bearing premise

A hidden credential can be embedded and detected reliably enough that attackers cannot forge or reverse-engineer it, while the perturbations continue to degrade all unauthorized inputs without needing the original training data.

What would settle it

An attacker who obtains a high-accuracy substitute model or recovers training data examples by querying without the credential would show the neutralization and selective restoration do not hold.

Figures

Figures reproduced from arXiv: 2605.16227 by Hanyu Pei, Shang Liu, Zeyan Liu.

Figure 1: An overview of LymphNode plugin.
Figure 2: Neutralization Efficiency.
Figure 3: Ablation study for selector.
Figure 4: Impact of Noise Scale (λ) on model performance (ResNet-18 on CIFAR-10).
Figure 5: Effectiveness with different dataset size.
Figure 6: Robustness against fine-tuning attacks.

Original abstract

Deep Neural Networks (DNNs) are high-value intellectual property (IP), yet deploying them to edge environments exposes them to unrestricted oracle access, rendering them vulnerable to model extraction and inversion attacks. Existing defenses fail to address this practically: passive watermarking only offers post-hoc provenance, while active defenses impose prohibitive latency or require persistent access to sensitive training data. To bridge this gap, we propose LymphNode, a novel post-hoc defense framework that acts as an intrinsic “immune system” within the model. LymphNode enforces a strict “default-deny” policy: it actively neutralizes model utility for unauthorized queries via Generalized Sparse Universal Adversarial Perturbations (GSUAP) injected into the feature space, effectively blocking gradient estimation and data inference. Utility is selectively restored only for authorized inputs carrying a stealthy feature-domain credential. Our framework is highly practical: it is data-efficient, establishing robust protection with fewer than 100 samples (<1% of training data), and cross-dataset adaptable, enabling protection using public surrogate datasets. LymphNode thus provides a lightweight, immediately deployable defense for high-stakes scenarios where original training data is restricted or unavailable.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 1 minor

Summary. The manuscript proposes LymphNode, a post-hoc defense framework for deep neural networks that acts as an intrinsic 'immune system' by injecting Generalized Sparse Universal Adversarial Perturbations (GSUAP) into the feature space. This enforces a strict default-deny policy that neutralizes model utility for unauthorized queries to block gradient estimation and data inference attacks, while selectively restoring utility only for authorized inputs carrying a stealthy feature-domain credential. The method is claimed to be highly practical, requiring fewer than 100 samples (<1% of training data) from surrogate datasets and being cross-dataset adaptable without needing original training data.

Significance. If the central claims are empirically validated, LymphNode could provide a lightweight, immediately deployable solution for protecting high-value DNN IP in edge deployments where training data access is restricted. The data-efficiency and use of public surrogates address practical limitations of existing passive watermarking and active defenses. The GSUAP-based neutralization combined with selective credential bypass is a novel construction that, if shown to hold under realistic attack models, would strengthen the case for feature-space access control mechanisms.

major comments (2)
  1. [Abstract] The central claims of effective neutralization of model utility, blocking of gradient estimation and data inference, and selective restoration via the stealthy credential are asserted without any quantitative results, attack success rates, ablation studies, or baseline comparisons. This absence is load-bearing because the practical advantages and default-deny guarantee cannot be assessed without evidence that GSUAP remains effective against unauthorized queries while the credential bypass works reliably.
  2. [Abstract] The assumption that a stealthy feature-domain credential can be embedded, detected, and used to selectively cancel the GSUAP effect without being forged or reverse-engineered is critical to the selective-bypass construction but receives no analysis. An adversary with oracle access could in principle optimize an input (e.g., via gradient ascent on a surrogate loss approximating the bypass condition) to match the credential signature, especially given that GSUAP is generated from <100 surrogate samples; this directly undermines the default-deny guarantee.
minor comments (1)
  1. Clarify the precise definition and generation procedure for Generalized Sparse Universal Adversarial Perturbations (GSUAP) and the embedding/detection mechanism for the feature-domain credential, including any notation for how these are integrated post-hoc into the model.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive feedback highlighting the need for clearer quantitative support in the abstract and a more explicit treatment of the credential's resistance to forgery. We address each point below and indicate revisions that will strengthen the manuscript while preserving its core contributions on data-efficient, post-hoc access control.

Point-by-point responses
  1. Referee: [Abstract] The central claims of effective neutralization of model utility, blocking of gradient estimation and data inference, and selective restoration via the stealthy credential are asserted without any quantitative results, attack success rates, ablation studies, or baseline comparisons. This absence is load-bearing because the practical advantages and default-deny guarantee cannot be assessed without evidence that GSUAP remains effective against unauthorized queries while the credential bypass works reliably.

    Authors: The abstract serves as a concise summary and therefore omits detailed metrics. The full manuscript contains the requested evidence in the experimental evaluation: Sections 4 and 5 report attack success rates for gradient-estimation and data-inference attacks (utility drops to near-random levels for unauthorized inputs), ablation studies confirming effectiveness with fewer than 100 surrogate samples, and direct comparisons against passive watermarking and prior active defenses. These results substantiate the default-deny policy and selective restoration. We will revise the abstract to include the most salient quantitative highlights (e.g., attack success rates and sample efficiency) so that the central claims can be assessed at a glance. (revision: yes)

  2. Referee: [Abstract] The assumption that a stealthy feature-domain credential can be embedded, detected, and used to selectively cancel the GSUAP effect without being forged or reverse-engineered is critical to the selective-bypass construction but receives no analysis. An adversary with oracle access could in principle optimize an input (e.g., via gradient ascent on a surrogate loss approximating the bypass condition) to match the credential signature, especially given that GSUAP is generated from <100 surrogate samples; this directly undermines the default-deny guarantee.

    Authors: The credential is realized as a low-magnitude, sparse feature-space perturbation whose detection and cancellation are tightly coupled to the specific GSUAP parameters; this coupling is intended to raise the bar for forgery. Nevertheless, we agree that an explicit analysis of adaptive, oracle-access attacks (including gradient-based optimization to approximate the bypass condition) is not present in the current version. We will add a dedicated discussion subsection that (i) explains why the sparsity and cross-dataset universality of GSUAP make exact signature matching difficult without knowledge of the generation process, and (ii) reports preliminary empirical results showing that such optimization attempts fail to restore utility for unauthorized inputs. These additions will be included in the revised manuscript. (revision: yes)

Circularity Check

0 steps flagged

No circularity in derivation chain

Full rationale

The paper presents LymphNode as a constructed post-hoc defense framework using GSUAP perturbations and feature-domain credentials for selective access control. No equations, fitted parameters renamed as predictions, or self-referential derivations appear in the provided abstract or description. The central claims rest on empirical construction and practical properties (data-efficiency with <100 samples, cross-dataset adaptability) rather than any quantity defined in terms of its own outputs or reduced by self-citation to unverified premises. This is a standard engineering proposal without load-bearing mathematical steps that collapse to inputs by construction.

Axiom & Free-Parameter Ledger

1 free parameter · 1 axiom · 2 invented entities

The central claim rests on the postulated effectiveness of GSUAP for selective neutralization and the existence of a reliable stealthy credential; both are introduced without independent evidence or derivation from first principles in the available text.

free parameters (1)
  • Sample count for protection setup
    Protection is established with fewer than 100 samples drawn from surrogate data.
axioms (1)
  • domain assumption: GSUAP injected in feature space can neutralize utility for unauthorized queries while permitting selective bypass via credential.
    This premise underpins the default-deny policy and selective restoration described in the abstract.
invented entities (2)
  • Generalized Sparse Universal Adversarial Perturbations (GSUAP) · no independent evidence
    purpose: To actively neutralize model utility for unauthorized queries in feature space.
    Newly specified perturbation type introduced to achieve the access-control goal.
  • stealthy feature-domain credential · no independent evidence
    purpose: To selectively restore utility only for authorized inputs.
    Postulated authorization mechanism enabling the selective bypass.

pith-pipeline@v0.9.0 · 5760 in / 1649 out tokens · 182729 ms · 2026-05-20T16:50:56.797152+00:00 · methodology


Reference graph

Works this paper leans on

52 extracted references · 52 canonical work pages · 4 internal anchors

  1. OpenAI, “GPT-4 technical report,” OpenAI, Tech. Rep., 2024, arXiv:2303.08774v6. [Online]. Available: https://arxiv.org/abs/2303.08774
  2. H. Touvron, T. Lavril, G. Izacard, X. Martinet, M.-A. Lachaux, T. Lacroix, B. Rozière, N. Goyal, E. Hambro, F. Azhar, A. Rodriguez, A. Joulin, E. Grave, and G. Lample, “LLaMA: Open and efficient foundation language models,” arXiv preprint arXiv:2302.13971, 2023. [Online]. Available: https://arxiv.org/abs/2302.13971
  3. F. Tramèr, F. Zhang, A. Juels, M. K. Reiter, and T. Ristenpart, “Stealing machine learning models via prediction APIs,” in 25th USENIX Security Symposium (USENIX Security 16). USENIX Association, 2016, pp. 601–618.
  4. M. Jagielski, N. Carlini, D. Berthelot, A. Kurakin, and N. Papernot, “High accuracy and high fidelity extraction of neural networks,” in 29th USENIX Security Symposium (USENIX Security 20). USENIX Association, 2020, pp. 1345–1362.
  5. M. Fredrikson, S. Jha, and T. Ristenpart, “Model inversion attacks that exploit confidence information and basic countermeasures,” in Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (CCS). ACM, 2015, pp. 1322–1333.
  6. Y. Adi, C. Baum, M. Cisse, B. Pinkas, and J. Keshet, “Turning your weakness into a strength: Watermarking deep neural networks by backdooring,” in 27th USENIX Security Symposium (USENIX Security 18), 2018, pp. 1615–1631.
  7. Y. Uchida, Y. Nagai, S. Sakazawa, and S. Satoh, “Embedding watermarks into deep neural networks,” in Proceedings of the 2017 ACM on International Conference on Multimedia Retrieval, 2017, pp. 269–277.
  8. J. Zhang, Z. Gu, J. Jang, H. Wu, M. P. Stoecklin, H. Huang, and I. Molloy, “Protecting intellectual property of deep neural networks with watermarking,” in Proceedings of the 2018 on Asia Conference on Computer and Communications Security, 2018, pp. 159–172.
  9. M. Alam, S. Saha, D. Mukhopadhyay, and S. Kundu, “Deep-Lock: Secure authorization for deep neural networks,” in 2020 IEEE 38th VLSI Test Symposium (VTS). IEEE, 2020, pp. 1–6.
  10. H. Chen, C. Fu, J. Zhao, and F. Koushanfar, “Model assertion: A defense against model theft via authorized model encryption,” in Proceedings of the IEEE/CVF International Conference on Computer Vision (ICCV), 2021, pp. 15380–15389.
  11. M. Xue, Y. Wu, L. Y. Zhang, D. Gu, Y. Zhang, and W. Liu, “SSAT: Active authorization control and user’s fingerprint tracking framework for DNN IP protection,” ACM Transactions on Multimedia Computing, Communications and Applications, vol. 20, no. 10, 2024.
  12. M. Xue, Z. Wu, J. Wang, Y. Zhang, and W. Liu, “AdvParams: An active DNN intellectual property protection technique via adversarial perturbation based parameter encryption,” arXiv preprint arXiv:2105.13697, 2021.
  13. T. Orekondy, B. Schiele, and M. Fritz, “Prediction poisoning: Towards defenses against DNN model stealing attacks,” in International Conference on Learning Representations (ICLR), 2020.
  14. H. Zhang, G. Hua, X. Wang, H. Jiang, and W. Yang, “Categorical inference poisoning: Verifiable defense against black-box DNN model stealing without constraining surrogate data and query times,” IEEE Transactions on Information Forensics and Security, vol. 18, pp. 1473–1486, 2023.
  15. T. Orekondy, B. Schiele, and M. Fritz, “Knockoff nets: Stealing functionality of black-box models,” in CVPR, 2019.
  16. Y. Zhang, R. Jia, H. Pei, W. Wang, B. Li, and D. Song, “The secret revealer: Generative model-inversion attacks against machine learning models,” in Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), 2020, pp. 253–261.
  17. B. D. Rouhani, H. Chen, and F. Koushanfar, “DeepSigns: An end-to-end watermarking framework for ownership protection of deep neural networks,” in Proceedings of the Twenty-Fourth International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS). ACM, 2019, pp. 485–497.
  18. Y. Li, Y. Bai, Y. Jiang, Y. Yang, S.-T. Xia, and B. Li, “Untargeted backdoor watermark: Towards harmless and stealthy dataset copyright protection,” in Advances in Neural Information Processing Systems (NeurIPS), vol. 35, 2022, pp. 13862–13875 (oral, top 2%).
  19. J. Guo, Y. Li, L. Wang, S.-T. Xia, H. Huang, C. Liu, and B. Li, “Domain watermark: Effective and harmless dataset copyright protection is closed at hand,” in Advances in Neural Information Processing Systems (NeurIPS), 2023.
  20. X. Cao, J. Jia, and N. Z. Gong, “IPGuard: Protecting intellectual property of deep neural networks via fingerprinting the classification boundary,” in Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security (AsiaCCS), 2021, pp. 14–25.
  21. E. Le Merrer, P. Pérez, and G. Trédan, “Adversarial frontier stitching for remote neural network watermarking,” Neural Computing and Applications, vol. 32, no. 13, pp. 9233–9244, 2020.
  22. A. Chakraborty et al., “DynaMarks: Defending against deep learning model extraction using dynamic watermarking,” arXiv preprint arXiv:2207.13321, 2022.
  23. N. Lukas, E. Jiang, X. Li, and F. Kerschbaum, “SoK: How robust is image classification deep neural network watermarking?” in 2022 IEEE Symposium on Security and Privacy (SP). IEEE, 2022, pp. 787–804.
  24. X. Liu, Y. Zhong, Y. Zhang, L. Qin, and W. Deng, “Enhancing generalization of universal adversarial perturbation through gradient aggregation,” in Proceedings of the IEEE/CVF International Conference on Computer Vision (ICCV), 2023, pp. 4428–4437.
  25. Y. Zhang, Y. Xu, J. Shi, L. Y. Zhang, S. Hu, M. Li, and Y. Zhang, “Improving generalization of universal adversarial perturbation via dynamic maximin optimization,” in Proceedings of the AAAI Conference on Artificial Intelligence, vol. 39, 2025, pp. –.
  26. C. Xu and G. Singh, “Robust universal adversarial perturbations,” arXiv preprint arXiv:2206.10858, 2022.
  27. X. Zhong and C. Liu, “Sparse-PGD: A unified framework for sparse adversarial perturbations generation,” arXiv preprint arXiv:2405.05075, 2024.
  28. K. R. Mopuri, A. Ganeshan, and R. V. Babu, “Generalizable data-free objective for crafting universal adversarial perturbations,” IEEE Transactions on Pattern Analysis and Machine Intelligence (TPAMI), vol. 41, no. 10, pp. 2452–2465, 2019.
  29. A. Chakraborty, A. Mondal, and A. Srivastava, “Hardware-assisted intellectual property protection of deep learning models,” in 2020 57th ACM/IEEE Design Automation Conference (DAC). IEEE, 2020, pp. 1–6.
  30. Y. Gong, D. Chen, W. Niu, S. Cheng, X. Pan, Q. Nie, Y. Xiao, L. Zhang, and H. Zheng, “ModelLock: Locking your model with a spell,” in Proceedings of the 32nd ACM International Conference on Multimedia, 2024, pp. 6595–6604.
  31. F. Tramer and D. Boneh, “Slalom: Fast, verifiable and private execution of neural networks in trusted hardware,” in International Conference on Learning Representations (ICLR), 2019.
  32. D. Natarajan, A. Loveless, W. Dai, and R. Dreslinski, “CHEX-MIX: Combining homomorphic encryption with trusted execution environments for two-party oblivious inference in the cloud,” in 8th IEEE European Symposium on Security and Privacy (EuroS&P), 2023, pp. 457–477.
  33. M. Alam, S. Saha, D. Mukhopadhyay, and S. Kundu, “NN-Lock: A lightweight authorization to prevent IP threats of deep learning models,” ACM Journal on Emerging Technologies in Computing Systems, vol. 18, no. 2, pp. 1–27, 2022.
  34. W. Feng et al., “Survey of research on confidential computing,” IET Communications, vol. 18, no. 8, pp. 465–486, 2024.
  35. M. Xue, S. Sun, C. He, D. Gu, Y. Zhang, J. Wang, and W. Liu, “ActiveGuard: An active intellectual property protection technique for deep neural networks by leveraging adversarial examples as users’ fingerprints,” IET Computers & Digital Techniques, vol. 17, no. 3-4, pp. 111–126, 2023.
  36. M. Jiang et al., “AMAO: A comprehensive defense framework against model extraction attacks,” IEEE Transactions on Dependable and Secure Computing, vol. 21, no. 2, 2024.
  37. Z. Liu, F. Li, Z. Li, and B. Luo, “LoneNeuron: A highly-effective feature-domain neural trojan using invisible and polymorphic watermarks,” in Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security (CCS ’22). New York, NY, USA: ACM, 2022, pp. 2129–2143. [Online]. Available: https://dl.acm.org/doi/10.1145/3548606.3560678
  38. S.-M. Moosavi-Dezfooli, A. Fawzi, O. Fawzi, and P. Frossard, “Universal adversarial perturbations,” in Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, 2017, pp. 1765–1773.
  39. P. Molchanov, S. Tyree, T. Karras, T. Aila, and J. Kautz, “Pruning convolutional neural networks for resource efficient inference,” in International Conference on Learning Representations, 2017.
  40. H. Li, A. Kadav, I. Durdanovic, H. Samet, and H. P. Graf, “Pruning filters for efficient convnets,” in International Conference on Learning Representations (ICLR), 2017.
  41. S. Han, J. Pool, J. Tran, and W. J. Dally, “Learning both weights and connections for efficient neural networks,” in Advances in Neural Information Processing Systems (NeurIPS), 2015, pp. 1135–1143.
  42. A. Krizhevsky, G. Hinton et al., “Learning multiple layers of features from tiny images,” University of Toronto, Tech. Rep., 2009.
  43. Y. LeCun, L. Bottou, Y. Bengio, and P. Haffner, “Gradient-based learning applied to document recognition,” Proceedings of the IEEE, vol. 86, no. 11, pp. 2278–2324, 1998.
  44. Y. Netzer, T. Wang, A. Coates, A. Bissacco, B. Wu, and A. Y. Ng, “Reading digits in natural images with unsupervised feature learning,” in NIPS Workshop on Deep Learning and Unsupervised Feature Learning, 2011.
  45. K. He, X. Zhang, S. Ren, and J. Sun, “Deep residual learning for image recognition,” in Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, 2016, pp. 770–778.
  46. A. Dosovitskiy, L. Beyer, A. Kolesnikov, D. Weissenborn, X. Zhai, T. Unterthiner, M. Dehghani, M. Minderer, G. Heigold, S. Gelly et al., “An image is worth 16x16 words: Transformers for image recognition at scale,” in International Conference on Learning Representations, 2021.
  47. A. Krizhevsky, I. Sutskever, and G. E. Hinton, “ImageNet classification with deep convolutional neural networks,” in Advances in Neural Information Processing Systems, vol. 25, 2012.
  48. G. Huang, Z. Liu, L. Van Der Maaten, and K. Q. Weinberger, “Densely connected convolutional networks,” in Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition (CVPR), 2017, pp. 4700–4708.
  49. P. Molchanov, A. Mallya, S. Tyree, I. Frosio, and J. Kautz, “Importance estimation for neural network pruning,” in Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), 2019, pp. 11264–11272.
  50. T. Gu, B. Dolan-Gavitt, and S. Garg, “BadNets: Identifying vulnerabilities in the machine learning model supply chain,” arXiv preprint arXiv:1708.06733, 2017.
  51. X. Chen, C. Liu, B. Li, K. Lu, and D. Song, “Targeted backdoor attacks on deep learning systems using data poisoning,” arXiv preprint arXiv:1712.05526, 2017.
  52. L. Fan, K. W. Ng, and C. S. Chan, “DeepIPR: Deep neural network ownership verification with passports,” IEEE Transactions on Pattern Analysis and Machine Intelligence, vol. 44, no. 10, pp. 6122–6139, 2022.