When NAS Meets Watermarking: Ownership Verification of DNN Models via Cache Side Channels
Xiaoxuan Lou, Shangwei Guo, Tianwei Zhang, Yinqian Zhang, Yang Liu
WWhen NAS Meets Watermarking:Ownership Verification of DNN Models via Cache Side Channels
Lou Xiaoxuan
Nanyang Technological University
Guo Shangwei
Chongqing University
Zhang Tianwei
Nanyang Technological University
Zhang Yinqian
Southern University of Science and Technology
Liu Yang
Nanyang Technological University
Abstract
We present a novel watermarking scheme to verify the own-ership of DNN models. Existing solutions embedded water-marks into the model parameters , which were proven to beremovable and detectable by an adversary to invalidate theprotection. In contrast, we propose to implant watermarks intothe model architectures . We design new algorithms based onNeural Architecture Search (NAS) to generate watermarkedarchitectures, which are unique enough to represent the own-ership, while maintaining high model usability. We furtherleverage cache side channels to extract and verify watermarksfrom the black-box models at inference. Theoretical analysisand extensive evaluations show our scheme has negligible im-pact on the model performance, and exhibits strong robustnessagainst various model transformations.
Deep Neural Networks (DNNs) have shown tremendousprogress to solve artificial intelligence tasks. Novel DNNalgorithms and models were introduced to interpret and un-derstand the open world with higher automation and accuracy,such as image classification [29, 39, 62], natural language pro-cessing [11,16], bioinformatics [59], game playing [61]. Withthe increased complexity and demand of the tasks, it is morecostly to generate a state-of-the-art DNN model: design ofthe model architecture and algorithm requires human effortsand expertise; training a model with satisfactory performanceneeds a large amount of computation resources and valuabledata samples. Hence, commercialization of the deep learningtechnology makes DNN models the core Intellectual Property(IP) of AI products and applications.Release of DNN models can incur illegitimate plagiarism,unauthorized distribution or reproduction. Even a model ispacked in a black-box manner, a malicious entity can still stealthe model details from the inference results [35, 63, 66, 70]or execution behaviors [7, 33, 68]. Such model extractionattacks highlight the importance of IP protection for DNN models. One of the most common IP protection approachesis DNN watermarking, which processes the protected modelin a unique and observable way such that the model owneris able to recognize the ownership of his models. Some solu-tions were proposed to directly embed the watermarks into themodel parameters [56, 64]. Other works [2, 12, 71] fine-tunethe model parameters to produce unique output for certain in-put samples for verification. The embedded watermark needsto guarantee satisfactory performance for the protected model.Unfortunately, those parameter-based watermarking solu-tions are not practically robust. An adversary can easily defeatthem without any knowledge of the adopted watermarks. First,since these schemes modify the parameters to embed water-marks, the adversary can also modify the parameters of astolen model to remove the watermarks. Past works havedesigned such watermark removal attacks, which leveragemodel fine-tuning [13, 48, 60] or input transformation [27] tosuccessfully invalidate existing watermark methods. Second,watermarked models need to give unique behaviors, whichinevitably make them detectable by the adversary. Someworks [3, 51] introduced attack techniques to detect the verifi-cation samples and then manipulate the verification results.Motivated by the above limitations, we propose a water-marking scheme, which is fundamentally different from priorworks. Instead of crafting the parameters for watermarks, wetreat the network architecture as the IP of the model. We aimto design a methodology to generate unique network archi-tectures for the owner to train the protected models, whichcan serve as the evidence of ownership. In this way, the adver-sary is not able to tamper with the watermarks by refining theparameters. He has no incentive to modify the watermarkedarchitecture, as this will cause him to train a new model fromscratch, which has the same cost as training his own model.Two questions need to be answered in order to establish thisscheme: (1) how to systematically design network architec-tures, that are unique for watermarking and maintain highusability for the tasks? (2) how to extract the architecture ofthe suspicious model, and verify the ownership?
We introduce a set of techniques to address these questions.1 a r X i v : . [ c s . CR ] F e b onitor OwnerKey
Generation
Model MarkingNAS
Method
Stamp
Size n s Marked ModelVerification KeyCNNRNN BLAS
Framework
Stamp Verification
GEMM
Activations
Library Trace
Stage3: Side Channel Extraction
Watermarking StateMarking keyStage 1 Stage 2
Figure 1: Overview of our watermarking frameworkFor the first question, we leverage Neural Architecture Search(NAS) [75]. NAS is a very popular approach of AutomaticMachine Learning (AutoML), which can automatically dis-cover the optimal network architecture for a given task anddataset. A quantity of methods [10,17,46,47,53,76] have beenproposed to improve the search effectiveness and efficiency,and the searched architectures can significantly outperformthe ones hand-crafted by humans. Inspired by this technol-ogy, we design a novel NAS algorithm, which fixes certainconnections with specific operations in the search space, de-termined by the owner-specific watermark. Then we searchfor the rest connections/operations to produce a high-qualitynetwork architecture. This architecture is unique enough torepresent the ownership of the model (Section 4).The second question is solved by cache side-channel anal-ysis. Side-channel attacks are a common strategy to recoverconfidential information from the victim system without di-rect access permissions. Recently, some works designed novelattacks to steal DNN models [7, 33, 68]. Our scheme appliesside-channel analysis for IP protection, rather than confiden-tiality breach. The model owner can use side-channel tech-niques to extract the architecture of a black-box model toverify the ownership, even the model is encrypted or isolated.It is difficult to directly extend prior solutions [32, 68] to ourscenario, because they are designed only for conventionalDNN models, but fail to recover new operations in NAS. Wedevise a more comprehensive method to analyze and identifythe types and hyper-parameters of these new operations froma side-channel pattern. This enables us to precisely extractthe watermark from the target model (Section 5).The integration of the above techniques leads to the designof our novel watermarking scheme. It includes three stages,as shown in Figure 1. At stage 1, the model owner generatesa unique watermark and the corresponding marking key mk .At stage 2, he adopts a conventional NAS method with mk to produce the watermarked architecture and a verificationkey vk . He further trains a watermarked model from thisarchitecture. Stage 3 is to verify the ownership of a suspiciousmodel: the owner collects the inference execution trace, andidentifies any potential watermark based on vk . Comparedto prior watermarking solutions, it is more difficult for theadversary to remove our watermarks, which are embeddedinto the architecture instead of the parameters. Experimentsshow common model transformations (fine-tuning, pruning) ImagePre-processingNormal blockReduction cell
Classifier
Normal cellNormal cell (a) CNN macro-architecture : input: output (b) A toy cell supernet Figure 2: Architecture of a NAS model based on cellscannot affect the existence of watermarks in the model.This paper makes the following contributions: • It is the first to propose watermarks embedded into modelarchitectures, instead of parameters. It creatively utilizesNeural Architecture Search for watermark embedding. • It presents the first positive use of cache side channels toextract and verify watermarks. • It gives a comprehensive side-channel analysis about so-phisticated DNN operations that are not analyzed before.
NAS [21, 75] has gained popularity in recent years, due to itscapability of building machine learning pipelines with highefficiency and automation. It systematically searches for theoptimal network architecture for a given task and dataset. Itseffectiveness is mainly determined by two factors:
Search space.
This defines the scope of neural networks tobe designed and optimized. Instead of searching for the en-tire network, a practical strategy is to decompose the targetneural network into multiple cells , and search for the optimalstructure of a cell [76]. Then cells with the identified archi-tecture are stacked in predefined ways to construct the finalDNN models. Figure 2a shows the typical architecture of aCNN model based on the popular NAS-Bench-201 [18]. Ithas two types of cells: a normal cell is used to interpret thefeatures and a reduction cell is used to reduce the spatial size.A block is composed of several normal cells, and connectedto a reduction cell alternatively to form the model.2 cell is generally represented as a directed acyclic graph,where each edge is associated with an operation selected froma predefined operation set [53]. Figure 2b gives a toy cell supernet that contains four computation nodes (gray squares)and a set of three candidate operations (circles). The solidarrows denote the actual connection edges chosen by the NASmethod. Such supernet enables the sharing of network param-eters and avoids unnecessary repetitive training for selectedarchitectures. This significantly reduces the cost of perfor-mance estimation and accelerates the search process, and iswidely adopted in recent NAS methods [8, 14, 17, 47].
Search strategy.
This defines the approach to seek for theoptimal architecture in the search space. Different types ofstrategies have been designed to enhance the search efficiencyand results, based on reinforcement learning [53, 75, 76],evolutionary algorithm [20, 54] or gradient-based optimiza-tion [15, 17, 47]. Our watermarking scheme is general andindependent of the search strategies.
CPU caches are introduced between the CPU cores andmain memory to accelerate the memory access. Two micro-architectural features of caches enable an adversarial programto perform side-channel attacks and infer secrets from a vic-tim program, even their logical memory is isolated by theoperating system. First, multiple programs can share the sameCPU cache, and they have contention on the usage of cachelines. Second, the timing difference between a cache hit (fast)and a cache miss (slow) can reveal the access history of thememory lines. As a result, an adversary can carefully craftinterference with the victim program sharing the same cache,and measure the access time to infer the victim’s access trace.A quantity of techniques have been designed over the pastdecades to realize cache side-channel attacks. Two represen-tative attacks are P
RIME -P ROBE and F
LUSH -R ELOAD . Ina P
RIME -P ROBE attack [45], the adversary first fills up thecritical cache sets with its own memory lines. Then the victimexecutes and potentially evicts the adversary’s data out of thecache. After that, the adversary measures the access time ofeach memory line loaded previously. A longer access timeindicates that the victim used the corresponding cache set. AF
LUSH -R ELOAD attack [69] requires the adversary to sharethe critical memory lines with the victim, e.g., via sharedlibrary. The adversary first evicts the critical memory linesout of the cache using dedicated instructions (e.g., clflush ).After a period of time, it reloads these lines into the cache andmeasures the access time. A shorter time indicates that thememory lines were accessed by the victim.
We consider a model owner searches a network architectureusing a NAS method, and then trains a production-level DNN model M . An adversary may obtain an illegal copy of M anduse it for profit without authorization. He may slightly modifythe model parameters (e.g., fine-tuning, model compression,transfer learning) to adapt to his scenario and avoid detection.However, it is not feasible for him to change the model archi-tecture (e.g., knowledge distillation [6, 30]), which requiressignificant cost to retrain the parameters from scratch.The goal of the model owner is to detect whether a sus-picious model M (cid:48) is plagiarized from M . He has black-boxaccess to the target model M (cid:48) , without any knowledge aboutthe model architecture, parameters, training algorithms andhyper-parameters. We further assume the model owner is ableto deploy his watermark extraction program on the same phys-ical machine as the target model. Our watermarking schemecan be applied to a couple of scenarios, as described below: Local scenario.
Trusted Execution Environment (TEE), e.g.,Intel SGX [50] and AMD SEV [36], has been widely adoptedto protect user-space applications from strong privileged ad-versaries. It introduces new hardware extensions to provideexecution isolation and memory encryption. Researchers alsoutilized TEE to guard the DNN model privacy and execu-tion integrity [26, 37, 38, 40, 42, 52]. However, an adversarycan also exploit TEE to hide their malicious activities, suchas side-channel attacks [58], rowhammer attacks [25] andmalware [49, 57]. Similarly, an adversary can hide the stolenmodel in TEE when distributing it to the public, so the modelowner cannot introspect into the DNN model to obtain theevidence of ownership. With our watermarking scheme, themodel owner can extract watermarks from the isolated en-claves, as past works have demonstrated successful cacheside-channel attacks in TEE processors [9, 24, 28]
Remote scenario.
This follows the same threat model in [68].An adversary can deploy the plagiarized model in the Ma-chine Learning-as-a-Service (MLaaS) cloud. For instance,Amazon offers the SageMaker [1] service for building ma-chine learning pipelines. Users can upload their DNN modelsto this platform, which then automatically launches virtualmachines in the shared EC2 cloud to host the DNN modeland release APIs for inference. To verify the ownership ofmodels using such kind of MLaaS, the model owner can per-form co-location attacks to launch a virtual machine on thesame server with the DNN model, and then conduct cross-VM side-channel attacks. The feasibility of co-location andcache side-channel attacks in the cloud has been validatedin [4, 5, 22, 55, 65, 67, 73, 74].
In this paper, we mainly focus on NAS methods using thecell-based search space, as it is the most popular and ef-ficient strategy. Formally, we consider a NAS task, whichaims to construct a model architecture containing N cells:3 = { c , ..., c N } . The search space of each cell c i is denotedas S i = ( B , E , O ) : B is the number of computation nodesin the cell; E = { E , ..., E B } is the set of all possible edgesbetween nodes and E j is the set of edges connected to the j -th node (1 ≤ j ≤ B ); O is the set of candidate operations onthese edges. Hence, the supernet of a cell can be representedas a matrix M c whose row size is the size of E and columnsize is the size of O . Each element at position ( x , y ) can be 1if edge x is attached with operation y , or 0 otherwise. Thenwe combine the search spaces of all cells as S , from whichwe look for an optimal architecture A . The NAS method weconsider is defined as below: Definition 3.1. (NAS) A NAS method is a machine learn-ing algorithm that iteratively searches optimal cell archi-tectures from the search space S on the proxy dataset D .These cells construct one architecture A = { c , ..., c N } , i.e., A = NAS ( S , D ) . After the search process, A is trained from the scratch onthe task dataset (cid:98) D to learn the optimal parameters. The ar-chitecture A and the corresponding parameters give the finalDNN model f = train ( A , (cid:98) D ) . A watermarking scheme for NAS enables the ownership veri-fication of DNN models searched from a NAS method. Thisis formally defined as below:
Definition 3.2.
A watermarking scheme for NAS is defined asa tuple of probabilistic polynomial time algorithms (
WMGen , Mark , Verify ), where • WMGen : this function takes the search space of a NASmethod as input and outputs a secret marking key mk. • Mark : given a NAS method, a proxy dataset D , and mk,this function outputs a watermarked DNN model f withthe corresponding verification key vk. • Verify : this function takes the input of vk and the moni-tored side-channel trace, and outputs the verification resultof the watermark in { , } . A strong watermarking scheme for NAS should have thefollowing properties.
Effectiveness.
The watermarking scheme needs to guaran-tee the success of the ownership verification over the water-marked f using the verification key. Formally, Pr [ Verify ( vk , T ) = ] = , (1)where T is the monitored side-channel trace from f . Usability.
Let f be the original DNN model without beingwatermarked. For any data distribution D , the watermarkedmodel f should exhibit competitive performance comparedwith f on the data sampled from D , i.e., Pr [ f ( x ) = y | ( x , y ) ∼ D ] − Pr [ f ( x ) = y | ( x , y ) ∼ D ] ≤ ε . (2) Robustness.
Since a probabilistic polynomial time adversarymay modify f with common transformations, we expect thewatermark remains in the model after those changes. Formally,let T (cid:48) be the side-channel leakage of a model f (cid:48) transformedfrom f , where f (cid:48) and f have similar performance. We have Pr [ Verify ( vk , T (cid:48) ) = ] ≥ − δ (3) Uniqueness.
A normal user can follow the same NAS methodto learn a model from the same proxy dataset. Without themarking key, the probability that this common model containsthe same watermark should be smaller than a given threshold δ . Let T (cid:48) be the side channel leakage of a common modellearned with the same dataset and NAS method, we have Pr [ Verify ( vk , T (cid:48) ) = ] ≤ δ . (4) Our solution embeds watermarks into the neural architectures,and uses cache side channels to verify the ownership. Figure1 shows the overview of our scheme, which includes water-mark generation (Section 4.1), embedding (Section 4.2) andverification (Section 4.3). We introduce a novel algorithm foreach stage, followed by a theoretical analysis (Section 4.4).
A watermark for a NAS model consists of multiple stamps .For a NAS cell, each element in its supernet M c can be 1 or0, identified by the search strategy. We select and fix certainelements in M c to be 1 during the search process. The set ofthe fixed edge-operation pairs inside a cell is called a stamp.It is formally defined as below: Definition 4.1. (Stamp) A stamp for a cell is a set of edge-operation paris { s e : s o } , where s e , s o are the set of the se-lected edges and the corresponding operations, respectively. According to Definition 3.1, a NAS model is a compositionof cells. Thus, the combination of the stamps of all cells forma watermark for the model, as defined below:
Definition 4.2. (Watermark) Consider a NAS method with aproxy dataset D and search space S . A = { c , ..., c N } repre-sents the neural architecture produced from this method. Awatermark for A is a set of stamps k , ..., k N , where k i is thestamp of cell c i . We introduce a marking key mk as the representation ofa watermark. Algorithm 1 illustrates the detailed procedureof constructing a watermark and the corresponding mk . Foreach cell c i , we randomly select n s edges from E . Since NASnormally requires each node j has maximal two inputs fromprevious nodes, at most two elements can be selected in E j .For each selected edge, we attach a random operation to it.4 lgorithm 1: Marking Key Generation (
WMGen ) Input: n s , search space S Output: marking key mk for i from do cell search space S i = ( B , E , O ) s e ← randomly select n s edges from E such that | s e ∩ E j | ≤ ∀ j ∈ [ , B ] s o ← randomly select n s operations from O for s e k i = { s e : s o } return mk = ( k , ..., k N ) This forms a stamp k i = { s e : s o } , where s e and s o denote thesets of selected edges and the corresponding operations. Fi-nally we are able to construct a marking key mk = ( k , ..., k N ) .In our implementation, we randomly sample the edges andoperations for the marking key. It is also possible the modelowner crafts the stamps based on his own expertise. He needsto ensure the design is unique and has very small probabilityto conflict with other models from the same NAS method. Wedo not discuss this option in this paper. To generate a competitive DNN model embedded with thewatermark, we apply a NAS method with the marking key mk . Due to the fixed connections and operations, this processwill have a smaller search space. Experimental evaluationsin Section 6 indicate that with an appropriate value of n s , thereduced search space incurs negligible impact on the modelperformance, which conforms to the conclusion in [47, 76].Algorithm 2 shows the procedure of embedding the water-mark to a NAS model. For each cell c i in the model, we firstidentify the fixed stamp edges and operations { s e : s o } fromkey k i . Then the cell search space S i is updated as ( B , ˜ E , O ) ,where ˜ E is the set of connection edges excluding those fixedones: ˜ E = E − s e . The search spaces of all the cells are com-bined to form the search space S of the model, from whichthe NAS method is used to find the optimal architecture A .Finally, the identified A is trained on the task dataset (cid:98) D toproduce the watermarked model f .It is worth noting that the marking key mk only describesthe abstract information of the watermark embedded in themodel architecture A , which is insufficient for verifying thedetails of the watermark from the suspicious model. Hence,we introduce a verification key vk for ownership identifica-tion. vk is a superset of the marking key mk , including somehyper-parameters of the model f (input size and channels).Besides, during the watermark extraction, the model ownercan only identify the sequence of operations with distinctpatterns from the side-channel trace. The edge information s e in mk cannot explicitly disclose their positions in the leakagetrace. So we replace s e with the relative orders s id of theiroperations s o , which help us better describe the watermark. Algorithm 2:
Watermark Embedding (
Mark ) Input: marking key mk , NAS method, proxy dataset D , taskdataset (cid:98) D Output: watermarked model f , verification key vk S ← search space of the whole model for each cell c i do { s e : s o } ⇐ k i ⇐ mk ˜ E = E − s e S i = ( B , ˜ E , O ) S .append( S i ) A = NAS ( S , D ) , f = train ( A , (cid:98) D ) s id ← relative orders of s e in the cell (cid:99) mk ← replace s e in mk with s id vk = ( (cid:99) mk , f . hyper _ para ) return f , vk To summarize, the marking key mk is used to represent a classof models that are constructed by the NAS cells with the samewatermark, while the verification key vk is used to identify themodels retrained for specific tasks. A model owner can usejust one marking key to watermark different models regard-less of the tasks, datasets or NAS methods, and then use thecorresponding verification keys for ownership identification. During verification, we utilize cache side channels to capturean execution trace T by monitoring the inference process ofthe target model f . Details about side-channel extraction canbe found in Section 5. Due to the existence of pre-processingand post-processing operations, the latency between two cellsis much longer and human-noticeable. So we can easily dividethis trace into sequential windows, with each one representingthe pattern of a NAS cell. If T does not have observablewindows, we claim it is not generated by a NAS method. Aleakage window further contains multiple clusters, each ofwhich corresponds to an operation inside the cell.Algorithm 3 describes the process of watermark verifica-tion. First the total number of stamp edges N s is computedfrom the verification key vk . We introduce a variable N v to de-note the number of matched edge-operation pairs, initializedas 0. Then we analyze the cluster patterns from the trace T insequence. Specifically, for the i -th leakage window, we first re-trieve its stamp from k i in vk , which contains the computationorders s id of stamp edges and the attached operations s o . Thenwe use the methodology in Section 5 to analyze each clusterwhose order is contained in s id , as it corresponds to a possiblestamp edge. If the recovered operation of the cluster matchesthe corresponding stamp operation in s o , N v is added by 1.After scanning all the clusters in all the cells, we calculatethe ratio of edge-operation pairs in the target model matchedwith the watermark as N v / N s . We claim the ownership of thismodel if the ratio is higher than a designated threshold τ .5 lgorithm 3: Watermark Verification (
Verify ) Input: verification key vk , verification threshold τ ,monitored side-channel leakage trace T Output: verification result number of total stamp edges N s ⇐ vk initialize the number of verified clusters N v as 0 for each window i in T do stamp edge order s id ⇐ k i ⇐ vk stamp operation s o ⇐ k i ⇐ vk for each cluster in window i do id ← the order of cluster if id ∈ s id then if match (cluster, s o [ id ] ) = True then N v + = return N v / N s ≥ τ ? 1 : 0 We theoretically prove our scheme can satisfy the propertiesin Section 3.2. We first assume the search space restricted bythe watermark is still large enough for the model owner tofind a qualified architecture.
Assumption 1.
Let S , S be the search spaces before and af-ter restricting a watermark in a NAS method, S ⊇ S . A ∈ S is the optimal architecture for an arbitrary data distribution D . A is the optimal architecture in S , The model accuracy of A is no smaller than that of A by a relaxation of ε N . We further assume the existence of an ideal analyzer thatcan recover the watermark from the given side-channel trace.
Assumption 2.
Let mk and vk be the marking and verificationkey of a DNN architecture A = { c , ..., c N } . For ∀ mk , vk , and A , there is a leakage analyzer P that is capable of recoveringall the stamps of { c i } Ni = from a corresponding cache side-channel trace. With the above two assumptions, we prove that our pro-posed algorithms (
WMGen , Mark , Verify ) form a qualifiedwatermarking scheme for NAS models. The proof can befound in Appendix A.
Theorem 1.
With Assumptions 1-2, the proposed Algorithms1-3 form a watermarking scheme that satisfies the propertiesof effectiveness, usability, robustness, and uniqueness.
Given a suspicious model, we aim to extract the embedded wa-termark using cache side channels. Past works have proposedcache side channel attacks to steal DNN models [32, 68].However, these attacks are only designed for conventionalDNN models and cannot extract NAS models with more so-phisticated operations (e.g., separable convolutions, dilated-separable convolutions). Besides, the adversary needs to have
Algorithm 4:
GEMM in OpenBLAS
Input: matrice A, B, C; scalars α , β Output: C = α A × B + β C for j in (0:R:n) do // Loop 1 for l in (0:Q:k) do // Loop 2 call itcopy for jj in (j:3UNROLL:j+R) do // Loop 4 call oncopy call kernel for i in (P:P:m) do // Loop 3 call itcopy call kernel the knowledge of the target model’s architecture family (i.e.,the type of each layer), which cannot be obtained in our case.We design an improved methodology over the CacheTelepathy [68] to extract the architecture of NAS models bymonitoring the side-channel pattern from the BLAS library .In this paper, we take OpenBLAS as an example, which is amainstream library for many deep learning frameworks (e.g.,Tensorflow, PyTorch). Our method is also generalized to otherBLAS libraries, such as Intel MKL. We make detailed anal-ysis about the leakage pattern of common operations usedin NAS, and describe how to identify the operation type andhyper-parameters. State-of-the-art NAS algorithms [18, 46, 47, 76] commonlyadopt eight classes of operations: (1) identity, (2) fully con-nected layer, (3) normal convolution, (4) dilated convolution,(5) separable convolution, (6) dilated-separable convolution,(7) pooling and (8) various activation function. Note that al-though zeroize is also a common operation in NAS, we do notconsider it, as it just indicates a lack of connection betweentwo nodes and is not actually used in the search process.These operations are commonly implemented in two steps.(1) The high-level deep learning framework converts an op-eration to a matrix multiplication: C = α A × B + β C , whereinput A is an m × k matrix and B is a k × n matrix, outputC is an m × n matrix, and both α and β are scalars; (2) Thelow-level BLAS library performs the matrix multiplicationwith the GEMM algorithm (Algorithm 4). Constants of P , Q , R and UNROLL are determined by the host machine config-uration. Our testbed (Section 6.1) adopts P = Q = R = UNROLL =
4. As R is generally larger than n in NAS models, we assume loop is performed only once.More details about GEMM can be found in Appendix B.We take three steps to recover each operation and its hyper-parameters. First, we monitor the memory accesses to the itcopy and oncopy functions in Algorithm 4, and count the For RNN models, we monitor the high-level deep learning framework,as the BLAS library does not leak information about the model a) fully connected layer (b) normal convolution(c) separable convolution (d) dilated separable convolution : itcopy : oncopy Figure 3: Side-channel patterns of four operations in NAS.number of iterations iter n for each loop n . Figure 3 illustratesthe leakage patterns of four representative operations with asampling interval of 2000 CPU cycles. Different operationshave distinct patterns of side-channel leakage. By observingsuch patterns, we can identify the type of the operation.Second, we utilize the technique in [68] to derive the rangeof the matrix dimension ( m , n , k ) from iter n , based on theequations: iter ≡ iter = (cid:100) k / Q (cid:101) , iter = (cid:100) ( m − P ) / P (cid:101) and iter = (cid:100) n / UNROLL (cid:101) . Note that the final two iterations ofeach loop are actually assigned with two equal-size blocks,rather than blocks of size m (or n , k ). This does not make bigdifferences on the derivation. Then we deduce the possiblevalues of matrix dimension from the range, based on theconstraints of NAS models.Third, we derive the hyper-parameters of each operationbased on the matrix dimension. The relationships between thehyper-parameters of various operations and the dimensionsof the transformed matrices are summarized in Table 1. Wepresent both the general calculations of the hyper-parametersas well as the ones specifically for NAS models.Below we give detailed descriptions of the above three-stepanalysis for each operation. Fully connected (FC) layer.
This operation can be trans-formed to the multiplication of a learnable weight matrix θ ( m × k ) and an input matrix in ( k × n ), to generate the outputmatrix out ( m × n ). m denotes the number of neurons in thelayer; k denotes the size of the input vector; and n reveals thebatch size of the input vectors. Hence, with the possible val-ues of ( m , n , k ) derived from the iteration counts of itcopy and oncopy , hyper-parameters (e.g., neurons number, input size)of the FC layer can be recovered. The number of FC layers inthe model can also be recovered by counting the number ofmatrix multiplications. Figure 3(a) shows the leakage patternof a classifier with two FC layers, where the first layer has1024 neurons and the second layer has 100 neurons. Fromthis pattern, it is easy to identify these two FC layers. The firstlayer takes as input a batch of 12 vectors of size 512, and ithas m=1024, n=12, k=512. We can infer the range of ( m , n , k ) based on the number of iterations in each loop: iter = Patch 1Patch 2
Input in i Filters F i Output out i F il t er F il t er = C h a nn e l C h a nn e l R i R i D i D i H i W i H i+1 W i+1 D i+1 D i+1 R i2 D i ( W i - R i + P i + ) ( H i - R i + P i + ) ... m = k = n = Figure 4: Implementing a convolution as matrix multiplicationnumber of pattern I − O − I ), iter = iter = Normal convolution.
Although this operation was adoptedin earlier NAS methods [54, 76], recent works [15, 17, 47]removed it from the search space as it is hardly used in thesearched cells. However, this operation is the basis of thefollowing complex convolutions. So it is also necessary toperform detailed analysis about it.Figure 4 shows the structure of a normal convolution at the i -th layer (upper part), and how it is transformed to a matrixmultiplication (lower part). Each patch in the input tensor isstretched as a row of matrix in i , and each filter is stretched as acolumn of matrix F i . Hence, the number of filters D i + can berecovered from the column size n of the filter matrix F i . Thekernel size R i can be revealed from the column size k = R i D i of the matrix in i , as we assume D i has been obtained fromthe previous layer. With the recovered R i , the padding size P i can be inferred as the difference between the row sizes of out i − and in i , which are W i × H i and ( W i − R i + P i + )( H i − R i + P i + ) , respectively. The stride can be deduced basedon the modification between the input size and output sizeof the convolution. In a NAS model, the convolved featuremaps are padded to preserve their spatial resolution, so wehave P i = R i −
1. A normal cell takes a stride of 1, while areduction cell takes a stride of 2.In terms of the leakage pattern, a normal convolution is hardto be distinguished from a FC layer, as both of their accesses tothe itcopy and oncopy functions can be denoted as xI − yO − zI , where ( x , y , z ) indicate the repeated times of the functions,determined by the operation hyper-parameters. This is whyCache Telepathy [68] needs to know the architecture familyof the target DNN to distinguish the operations. Figure 3(b)7 perations Parameters Value Operations Parameters ValueFully Connected C l : ≈ (cid:113) row ( out i − ) row ( in i ) C n : row ( θ ) Operations D i + : Number of Filters R i : Kernel Size P i : Padding Stride d : Dilated SpaceNormal Conv col ( F i ) (cid:113) col ( in i ) col ( out i − ) di f f ( row ( in i ) , row ( out i − )) NAS: R i − R (cid:48) i − R (cid:48) i = R i + d ( R i − ) (cid:113) row ( out i − ) row ( in i ) NAS: = 1 (normal cells)= 2 (reduction cells) 0Dilated Conv dSeparable Conv Filters 1 : col ( F i ) Filters 1 : (cid:112) row ( F i ) Filters 2 : 1 0Dil-Sep Conv d
Table 1: Mapping between operation hyper-parameters and matrix dimensions.shows the leakage pattern of a normal convolution ( H i = W i = D i = R i = P i = D i + = iter = iter =
11 and iter =
3. Note that the firsttwo red nodes (interval 409 and 410) can be treated as oneiteration, as they occur in a very short period and generatedby side-channel noise. In the NAS scenario, since the normalconvolution is generally used at the preprocessing stage, whilethe FC layer is adopted as the classifier at the end, they canbe distinguished based on their locations.
Dilated convolution.
This operation is a variant of the nor-mal convolution, which inflates the kernel by inserting spacesbetween each kernel element. We use the dilated space d to denote the number of spaces inserted between two adja-cent elements in the kernel. The conversion from the hyper-parameters of a dilated convolution to the matrix dimensionis similar with the normal convolution. The only differenceis the row size m of the input matrix in i , i.e., the number ofpatches. Due to the inserted spaces in the kernel, although thekernel size is still R i , the actual size covered by the dilatedkernel becomes R (cid:48) i , where R (cid:48) i = R i + d ( R i − ) . This changesthe number of patches to ( W i − R (cid:48) i + P i + )( H i − R (cid:48) i + P i + ) .As a dilated convolution is normally implemented as a dilatedseparable convolution in practical NAS methods [17, 47], theleakage pattern of the operation will be discussed with thedilated separable convolution. Separable convolution.
According to [68], the number ofconsecutive matrix multiplications with the same pattern re-veals the batch number of a normal convolution. However,we find this does not hold in the separable convolution, orprecisely, the depth-wise separable convolution used in NAS.This is because the separable convolution decomposes a con-volution into multiple separate operations, which can incurthe same conclusion that the number of the same patternsequals to the number of input channels.A separable convolution aims to achieve more efficientcomputation with less complexity by separating the filters.Figure 5 shows a two-step procedure of a separable convo-lution. The first step uses D i filters (Filters 1 ) to transformthe input to an intermediate tensor, where each filter onlyconvolves one input channel to generate one output channel.It can be regarded as D i normal convolutions, with the inputchannel size of 1 and the filter size of R i ×
1. These com-putations are further transformed to D i consecutive matrixmultiplications with the same pattern, which is similar as anormal convolution with the batch size of D i . But the sep- R i R i D i D i H i W i H i+1 W i+1 D i i+1 D i i+1 W i+1 D i+1 InputOutput Filters
Filters S t e p o n e S t e p t w o D i+1 H i+1 W i+1 Figure 5: Procedure of separable convolutions.arable convolution has much shorter intervals between twomatrix multiplications, as they are parts of the whole con-volution, rather than independent operations. In the secondstep, a normal convolution with D i + filters (Filters 2 ) ofsize 1 × D i is applied to the intermediate tensor to generatethe final output.In summary, the leakage pattern of the separable convolu-tion is fairly distinguishable, which contains D i consecutiveclusters and one individual cluster at the end. Note that ina NAS model, the separable convolution is always appliedtwice [17, 44, 47, 54, 76] to improve the performance, whichmakes its leakage pattern more recognizable. Figure 3(c)shows the trace of a separable convolution ( H i = W i = D i = R i = D i + = D i =
12, and an individualcluster denoting the last 1 × Dilated separable (DS) convolution.
This operation is thepractical implementation of a dilated convolution in NAS.The DS convolution only introduces a new variable, the di-lated space d , from the separable convolution. Hence, thisoperation has similar matrix transformation and leakage pat-tern as the separable convolution, except for two differences.First, R i is changed to R (cid:48) i = R i + d ( R i − ) in calculating thenumber of patches m = ( W i − R i + P i + )( H i − R i + P i + ) in Step One. Second, a DS convolution needs much shorterexecution time. Figure 3(d) shows the leakage pattern of a DSconvolution with the same hyper-parameters as a separableconvolution depicted in Figure 3(c), except that the dilatedspace d =
1. It is easy to see the performance advantage ofthe DS convolution (8400 intervals) over the separable convo-lution (10000 intervals) under the same configurations. Thereason is that the input matrix in a DS convolution contains8ore padding zeroes to reduce the computation complexity.Besides, the DS convolution does not need to be performedtwice, which also helps us distinguish it from a separable one.
Skip connect.
The operation is also called identity in the NASsearch space, which just sends out i to in j without any pro-cessing. This operation cannot be directly detected from theside-channel leakage trace, as it does not invoke any GEMMcomputations. While [68] argues the skip can be identified asit causes a longer latency due to the introduction of an extramerge operation, it is not feasible in a NAS model. This is be-cause in a cell, each node has an add operation of two inputsand the skip operation does not invoke any extra operations.So there is no obvious difference between the latency of skipand the normal inter-GEMM intervals. Our experiments showthat while the skip connect cannot be distinguished in a CNNmodel, it can still be identified in an RNN model. More detailscan be found in Section 6. Pooling.
We assume the width and height of the pooling op-eration is the same, which is default in all practical imple-mentations. Given that pooling can reduce the size of theinput matrix in i from the last output matrix out i − , the sizeof the pooling layer can be obtained by performing squareroot over the quotient of the number of rows in out i − and in i . In general, pooling and non-unit striding cannot be dis-tinguished as they both reduce the matrix size. However, in aNAS model, non-unit striding is only used in reduction cellswhich can double the channels. This information can be usedfor identification. Pooling cannot be directly detected as itdoes not invoke any matrix multiplications in GEMM. But itcan introduce much longer latency (nearly 1.5 × of the normalinter-GEMM latency) for other computations. Hence, we canidentify this operation by monitoring the matrix size and exe-cution intervals. While monitoring the BLAS library can onlytell the existence of the pooling operation, the type can berevealed by monitoring the corresponding pooling functionsin the deep learning framework. Activation function.
An activation function is normally at-tached with each convolution operation. Different from CNNmodels, an RNN model searched by NAS only consists ofactivation functions, e.g., relu , sigmod , tanh . As they do notperform any complex matrix multiplications, their footprintscannot be found in the low-level BLAS library. Hence, weturn to monitor the deep learning framework for identification. Testbed.
Our approach is general for different types of deeplearning frameworks and libraries. Without loss of generality,we adopt the latest version of Pytorch (1.7.0) and OpenBLAS(0.3.13), deployed in Ubuntu 18.04 with a kernel versionof 4.15.0. Evaluations are performed on a workstation ofDell Precision T5810 (6-core Intel Xeon E5 processor, 32GB DDR4 memory). The processor has core-private 32KB L1caches, 256KB L2 caches and a shared 15MB last level cache.
NAS implementation.
Our scheme is independent of thesearch strategy, and can be applied to all cell-based NASmethods. We mainly focus on the CNN tasks, and select astate-of-the-art NAS method GDAS [17], which can producequalified network designs within five GPU hours. We fol-low the default configurations to perform NAS [17, 76]: thesearch space of a CNN cell contains eight candidate opera-tions: identity, zeroize, 3 × × × × × × tanh , relu , sigmoid activations, identity and zeroize. We usethe PTB dataset to search and train RNN models. Side channel extraction.
For CNN models, we monitor the itcopy and oncopy functions in OpenBLAS. For RNN models,we monitor the activation functions ( tanh , relu and sigmoid )in Pytorch, since executions in OpenBLAS do not leak in-formation about the models. We adopt the F LUSH +R ELOAD side-channel technique, but other methods can achieve ourgoal as well. We inspect the cache lines storing these func-tions at a granularity of 2000 CPU cycles to obtain accurateinformation. Details about the monitored code locations canbe found in Table 4 in Appendix D.
A NAS method generally considers two types of cells. So weset the same stamp for each type. Then the marking key can bedenoted as mk = ( k n , k r ) , where k n = { s en : s on } and k r = { s er : s or } represent the stamps embedded to the normal cells andreduction cells, respectively. Each cell has four computationnodes ( B = ≤ n s ≤
8. We choose n s = mk , as shown in Table 2. k n s en c i − → n n → n c i − → n c i − → n s on skip dil_conv(3) avg_pool(3) sep_conv(5) k r s er c i − → n c i − → n n → n n → n s or sep_conv(5) dil_conv(5) max_pool(3) sep_conv(5) Table 2: Values of mk . sep_conv(r) is a r × r separate convo-lution; dil_conv(r) is a r × r dilated separate convolution.9 i-1 c i-2 n n n n concat c i sep5x5 skip dil3x3 skip sep3x3avg3x3 avg3x3 sep5x5 (a) Normal cell c i-1 c i-2 n n n concat c i sep5x5 sep5x5 sep5x5 sep5x5 max3x3 sep5x5 n sep dil (b) Reduction cell Figure 6: Architectures of the searched cells. c i − and c i − are the outputs from the previous cells. Arrows denote the connectionedges. Green rectangles denote the nodes. Yellow rectangles denote the operations. Red edges denote the embedded stamps. We follow Algorithm 2 to embed the watermark determinedby mk to the DNN model during the search process. Figure6 shows the architectures of two cells searched by GDAS,where stamps are marked as red edges, and the relative orderof each operation is annotated with a number. These twocells are further stacked to construct a complete DNN model(Figure 2a), including three normal blocks (each containssix normal cells) connected by two reduction cells. The pre-processing layer is a normal convolution that extends thenumber of channels from 3 to 33. The number of filters isdoubled in the reduction cells, so the channel sizes (i.e., filternumber) of the three normal blocks are 33, 66 and 132. Wetrain the searched architecture over CIFAR10 for 300 epochsto achieve a 3.52% error rate on the validation dataset. Thisis just slightly higher than the baseline (3.32%), where allconnections participate in the search process. This shows theusability of our watermarking scheme. Finally, we generatethe verification key vk from the computation orders s id andhyper-parameters of the stamp operations. Given a suspicious model, we launch a spy process to monitorthe function activities in OpenBLAS during inference, andcollect the side-channel trace. We conduct the following stepsto analyze this trace.First, we check whether the pattern of the whole tracematches the macro-architecture of a NAS model, i.e., thetrace has three blocks, each of which contains six similar leak-age windows, and divided by two different leakage windows.An example of a leakage trace can be found in Appendix ESecond, we focus on the internal structure of each cell. Herewe only demonstrate the pattern of the first leakage window(i.e., the first normal cell) as an example (Figure 7). Othercells can be analyzed in the same way. From this figure, wecan observe four large clusters, which can be easily identified skip Figure 7: A side-channel trace of the first normal cell.as four (dilated-)separable convolutions. Figure 8a showsthe measured execution time of the four GEMM operations.Clusters 2 , 6 and 7 are separable convolutions with 33input channels, since they all contain D i =
33 consecutive sub-clusters . The shorter cluster 4 denotes a dilated separableconvolution, based on the patterns profiled in Section 5.2. Thethree small clusters at the beginning of the trace are identifiedas three normal convolutions used for preprocessing the input.Third, we further identify other non-convolution operationsfrom the leakage trace. Figure 8b shows the inter-GEMMlatency for different clusters in the cell. We observe the la-tency of 5 and 8 is much larger, indicating they are poolingoperations. Particularly, the latency of 8 contains two parts:pooling and interval between two cells. The other three inter-GEMM latency have similar values, even two of them actuallycontain a skip operation. This confirms our conclusion aboutthe skip connect in Section 5.2, and a simple way to addressit is ignoring the skip when constructing the verification key.We can modify the s id from { , , , } to { , , } to removetwo skip operations, which can still lead to correct verificationresults. The analysis of the reduction cell is similar.The above analysis discloses the types of stamp operations,channel size (number of filters) and stride size (cell type),which can give fair verification results. To be more confident,we further recover the remaining hyper-parameters (in particu-lar, the kernel size) based on their matrix dimensions ( m , n , k ) , The value of D can be identified if we zoom in Figure 7, which is notshown in this paper due to page limit. (a) GEMM operations - (b) Inter-GEMM latency Figure 8: Execution time of the operations in a cell
Actual value
Detected value or range from side channel Deduced value using NAS constraints
Figure 9: Extracted values of the matrix parameters ( m , n , k ) .according to Table 1. Figure 9 shows the values of ( m , n , k ) extracted from iter n in the normal cell, where each operationcontains two types of normal convolutions. For certain matrixdimensions that cannot be extracted precisely, we empiricallydeduce their values based on the constraints of NAS models.For instance, m is detected to be between [961, 1280]. We canfix it as m = ×
32 is the most common setting. The value of n canbe easily deduced as it is equal to the channel size. Deductionof k is more difficult, since the filter size k in a NAS model isnormally smaller than the constant Q in OpenBLAS, whichonly invokes one loop in Algorithm 4. So we can only tell k ≤ Q from the trace. However, an interesting observation isthat 5 × × R i when the search space islimited. Analysis on the reduction cells is similar.In our experiments, we choose a threshold of τ = CIFAR-10 Accuracy(%) o r i g i n a l n s = 1 n s = 2 n s = 3 n s = 4 n s = 5 n s = 6 n s = 7 n s = 8
CIFAR-100 Accuracy(%)
E p o c h I D
Figure 10: Top-1 validation accuracy on CIFAR10 (top) andCIFAR100 (bottom) for watermarked models.
This property requires the watermarked model has competi-tive performance with the original one. To evaluate this prop-erty, we vary the number of stamp edges n s from 1 to 8 tosearch watermarked architectures. Then we train the modelsover CIFAR10 and CIFAR100, and measure the top-1 valida-tion accuracy. Figure 10 shows the average results over fiveexperiments versus the training epochs.We observe that models with different stamp sizes havequite distinct performance at epoch 50. Then they graduallyconverge along with the training process, and finally reach asimilar accuracy at epoch 300. For CIFAR10, the accuracy ofthe original model is 96.53%, while the watermarked modelwith the worst performance ( n s =
7) gives an accuracy of96.09%. Similarly for CIFAR100, the baseline accuracy andworst accuracy ( n s =
3) are 81.07% and 80.05%. We alsocheck this property on ImageNet. Since training an ImageNetmodel is quite time-consuming (about 12 GPU days), we onlymeasure the accuracies of the baseline model and two water-marked models ( n s = A watermarked model should be robust against any modeltransformations that aim to remove the watermarks whilemaintaining the model usability. Prior solutions watermarkthe parameters of the target model, which are proven to bevulnerable against model fine-tuning or image transforma-tions [13, 27]. In contrast, our scheme modifies the networkarchitecture instead of parameters. So it is robust against com-mon model transformations.First, we consider four types of model fine-tuning evaluatedin [2], including
Fine-Tune Last Layer (FTLL),
Fine-TuneAll Layers (FTAL),
Re-Train Last Layer (RTLL),
Re-TrainAll Layers (RTAL). These transformations only focus on tun-11 a) Prune Rate = 0.3, Accuracy = 94.13%(b) Prune Rate = 0.6, Accuracy = 85.59%(c) Prune Rate = 0.9, Accuracy = 10.03%(d) Prune the first normal cell, Accuracy = 17.50%
Figure 11: Side-channel pattern with various pruning ratesing the model parameters, and are verified not to corrupt thewatermarks embedded to the model architecture.Second, we consider model compression. Common pruningtechniques set certain parameters to 0 to shrink the networksize. However, the GEMM computations are still performedover pruned parameters, which give similar side-channel pat-terns. Figures 11(a)-(c) show the extraction trace of the firstnormal cell after the entire model is pruned with differentrates (0.3, 0.6, 0.9) using L -norm. Figure 11(d) shows onecase where we prune all the parameters in the first normalcell. We observe that a bigger pruning rate can decrease thelength of the leakage window, as there are more zero weightsto simplify the computation. However, the pattern of the op-erations in the cell keeps unchanged, indicating the weightpruning cannot remove the embedded watermark.There are also some model transformations which can alterthe network architectures (e.g., knowledge distillation [6,30]).These techniques can possibly destroy our watermarks. How-ever, the adversary needs to spend the same cost (computationresources, time, dataset) to perform such transformations astraining a new model from scratch. He has no incentive tosteal a DNN model and then modify the architecture. We donot consider such operations in our paper. Given a watermarked model, we expect that benign users havevery low probability to obtain the same architecture followingthe original NAS method. This is to guarantee small falsepositives of watermark verification.To evaluate this property, we repeat the GDAS method onCIFAR10 for 100 times with different random seeds to gener-ate 100 architecture pairs for the normal and reduction cells.We find our stamps have no collision with these 100 normalmodels. Specifically, Figure 12 shows the distribution of theoperations on eight connection edges in the two cells. Weobserve that most edges have some preferable operations, and s k i ps e p - c o n v ( 3 )d i l - c o n v ( 3 )s e p - c o n v ( 5 )d i l - c o n v ( 5 )a v g - p o o lm a x - p o o l
Operations
C o n n e c t i o n I n d e x (a) Normal Cell
C o n n e c t i o n I n d e x
T i m e s (b) Reduction Cell
Figure 12: Heat maps of operations on 8 connection edges. x i h i-1 n n n n n n n n n av er ag e h i sigmoidrelu tanhrelu sigmoidtanhrelu Figure 13: Recurrent cell learned on PTB.there are some operations never attached to certain edges. Thisis more obvious in the architecture of the reduction cell. So ifa stamp selects such operation-edge pairs, the probability ofmodel collision is even lower than random selection. Besides,the collision probability is decreased when the stamp size n s is larger. A stamp size of 4 with random edge-operationselection can already achieve strong uniqueness. In addition to CNN models, our scheme can watermark RNNmodels as well. A NAS RNN model is commonly stacked bya series of recurrent cells with a searched architecture. In arecurrent cell, each computation node only takes one inputfrom the previous nodes, which is processed by one functionin the candidate operation set. Then all the intermediate nodesare averaged to generate the cell output h i . Figure 13 showsan example of a recurrent cell searched on the PTB datasetwith DARTS. Two inputs (the input data x i and hidden stateof the last layer h i − ) are added and passed to a tanh functionfor the initial node n [47, 53].Our scheme randomly selects n s = tanh operation at the cellinput and the remaining eight clusters are the operations at-tached to the computation nodes. The input to each node isprocessed by the sigmoid functions, followed by the searchedNAS operations. Compared with the leakage trace of a CNNmodel, a RNN model has a much simpler and observable12 relu : tanh : sigmoid Figure 14: The side-channel trace of a recurrent cell.pattern, where each cluster corresponds to a node in order.Besides, it is easier to discover the identity operation fromthe RNN leakage trace than the CNN trace, as it results ina distinguishable blank area that shortens the cluster length(e.g., the fifth cluster in Figure 14).The embedded watermark has relatively larger impact onthe performance of the searched RNN model, as the recurrentcell is much simpler and more sensitive from the initial state.Table 3 shows the perplexity of the watermarked models overthe validation and test datasets, with different stamp sizes n s .We observe the watermark can increase the perplexity of theRNN model. However, such performance is still satisfactory[47], proving the usability of our scheme. Perplexity Original Stamp Size n s Table 3: Perplexity of watermarked RNN models with various n s (lower perplexity indicates better performance). Numerous watermarking schemes have been proposed forconventional DNN models, where the architectures are pub-licly available. They can be classified into two categories:
Parameter-embedding.
This strategy adopts redundant bitsas watermarks and embeds them into the model parameters.For instance, Uchida et al. [64] introduced a parameter reg-ularizer to embed a bit-vector (e.g. signature) into modelparameters which can guarantee the performance of the wa-termarked model. Rouhan et al. [56] found that implantingwatermarks into model parameters directly could affect theirstatic properties (e.g histogram). Thus, they injected water-marks in the probability density function of the activationsets of the DNN layers. These methods require the ownerto have white-box accesses to the model parameters duringthe watermark extraction and verification phase, which cansignificantly limit the possible usage scenarios.
Data-poisoning.
This strategy takes a set of unique sample-label pairs as watermarks and embeds their correlation intoDNN models. For examples, Le et al. [41] adopted adver-sarial examples near the frontiers as watermarks to identifythe ownership of DNN models. Zhang et al. [72] and Adi et al. [2] employed backdoor attack techniques to embed back-door samples with certain trigger patterns into DNN models.Namba et al. [51] and Li et al. [43] generated watermark sam-ples that are almost indistinguishable from normal samples toavoid detection by adversaries.Different from the above works, this paper proposes a to-tally new watermarking scheme. Instead of modifying theparameters, our approach makes the architecture design asIntellectual Property, and adopts cache side channels for archi-tecture verification. This strategy can defeat all the watermarkremoval attacks via parameter transformations.
Cache side channels.
One popular class of model extractionattacks is based on cache side channels, which monitors thecache accesses of the inference program. Hong et al. [32]recovered the architecture attributes by observing the invo-cations of critical functions in the deep learning frameworks(e.g., Pytorch, TensorFlow). Similar technique is also appliedto NAS models [31]. However, these attacks are very coarse-grained. They can only identify convolutions without thespecific types and hyper-parameters. Yan et al. [68] proposedCache Telepathy, which monitors the GEMM calls in the low-level BLAS library. The number of GEMM calls can greatlynarrow down the range of DNN hyper-parameters and thenreveal the model architecture. Our method extends this tech-nique to NAS models. Our improved solution can recovermore sophisticated operations without the prior knowledge ofthe architecture family, which cannot be achieved in [68].
Other side channels.
Some works leveraged other side chan-nels to extract DNN models. Batina et al. [7] extracted a func-tionally equivalent model by monitoring the electromagneticsignals of a microprocessor hosting the inference program.Duddu et al. [19] found that models with different depthshave different execution time, which can be used as a timingchannel to leak the network details. Memory side-channelswere discovered to infer the network structure of DNN modelson GPUs [33] and DNN accelerators [34]. Future work willapply those techniques to our watermarking scheme.
In this work, we proposed a new direction of DNN modelwatermarking. We showed a carefully-crafted network archi-tecture can be utilized as the ownership evidence, which ex-hibits stronger resilience against model transformations thanprevious parameter-based watermarks. We leveraged the Neu-ral Architecture Search technique to produce watermarkedarchitecture, and cache side channels to extract the black-boxmodels for ownership verification. Evaluations indicate ourscheme can provide great effectiveness, usability, robustness,and uniqueness, making it a promising and practical optionfor IP protection of AI products.13 eferences [1] Amazon SageMaker - Machine Learning. https://aws.amazon.com/sagemaker/ , 2021.[2] A DI , Y., B AUM , C., C
ISSE , M., P
INKAS , B.,
AND K ESHET , J. Turningyour weakness into a strength: Watermarking deep neural networks bybackdooring. In
USENIX Security Symposium (2018), pp. 1615–1631.[3] A
IKEN , W., K IM , H., AND W OO , S. Neural network laundering:Removing black-box backdoor watermarks from deep neural networks. arXiv preprint arXiv:2004.11368 (2020).[4] A TYA , A. O. F., Q
IAN , Z., K
RISHNAMURTHY , S. V., L A P ORTA ,T., M C D ANIEL , P.,
AND M ARVEL , L. Malicious co-residency onthe cloud: Attacks and defense. In
IEEE Conference on ComputerCommunications (2017), pp. 1–9.[5] A
TYA , A. O. F., Q
IAN , Z., K
RISHNAMURTHY , S. V., L A P ORTA , T.,M C D ANIEL , P.,
AND M ARVEL , L. M. Catch me if you can: A closerlook at malicious co-residency on the cloud.
IEEE/ACM Transactionson Networking 27 , 2 (2019), 560–576.[6] B A , L. J., AND C ARUANA , R. Do deep nets really need to be deep? arXiv preprint arXiv:1312.6184 (2013).[7] B
ATINA , L., B
HASIN , S., J AP , D., AND P ICEK , S. CSI NN: Reverseengineering of neural network architectures through electromagneticside channel. In
USENIX Security Symposium (2019), pp. 515–532.[8] B
ENDER , G., K
INDERMANS , P.-J., Z
OPH , B., V
ASUDEVAN , V.,
AND L E , Q. Understanding and simplifying one-shot architecture search. In International Conference on Machine Learning (2018), pp. 550–559.[9] B
RASSER , F., M
ÜLLER , U., D
MITRIENKO , A., K
OSTIAINEN , K.,C
APKUN , S.,
AND S ADEGHI , A.-R. Software grand exposure: SGXcache attacks are practical. In
USENIX Workshop on Offensive Tech-nologies (2017).[10] B
ROCK , A., L IM , T., R ITCHIE , J. M.,
AND W ESTON , N. SMASH:One-shot model architecture search through hypernetworks. arXivpreprint arXiv:1708.05344 (2017).[11] B
ROWN , T. B., M
ANN , B., R
YDER , N., S
UBBIAH , M., K
APLAN ,J., D
HARIWAL , P., N
EELAKANTAN , A., S
HYAM , P., S
ASTRY , G.,A
SKELL , A.,
ET AL . Language models are few-shot learners. arXivpreprint arXiv:2005.14165 (2020).[12] C
HEN , K., G UO , S., Z HANG , T., L I , S., AND L IU , Y. Temporalwatermarks for deep reinforcement learning models. In InternationalConference on Autonomous Agents and Multiagent Systems (2021).[13] C
HEN , X., W
ANG , W., B
ENDER , C., D
ING , Y., J IA , R., L I , B., AND S ONG , D. REFIT: A unified watermark removal framework for deeplearning systems with limited data. arXiv preprint arXiv:1911.07205 (2019).[14] C HU , X., Z HANG , B., X U , R., AND L I , J. Fairnas: Rethinking eval-uation fairness of weight sharing neural architecture search. arXivpreprint arXiv:1907.01845 (2019).[15] C HU , X., Z HOU , T., Z
HANG , B.,
AND L I , J. Fair DARTS: Eliminatingunfair advantages in differentiable architecture search. In EuropeanConference on Computer Vision (2020), pp. 465–480.[16] D
EVLIN , J., C
HANG , M.-W., L EE , K., AND T OUTANOVA , K. BERT:Pre-training of deep bidirectional transformers for language understand-ing. arXiv preprint arXiv:1810.04805 (2018).[17] D
ONG , X.,
AND Y ANG , Y. Searching for a robust neural architecture infour GPU hours. In
IEEE Conference on Computer Vision and PatternRecognition (2019), pp. 1761–1770.[18] D
ONG , X.,
AND Y ANG , Y. NAS-Bench-201: Extending the scope of re-producible neural architecture search. arXiv preprint arXiv:2001.00326 (2020).[19] D
UDDU , V., S
AMANTA , D., R AO , D. V., AND B ALAS , V. E. Steal-ing neural networks via timing side channels. arXiv preprintarXiv:1812.11720 (2018). [20] E
LSKEN , T., M
ETZEN , J. H.,
AND H UTTER , F. Efficient multi-objective neural architecture search via lamarckian evolution. arXivpreprint arXiv:1804.09081 (2018).[21] E
LSKEN , T., M
ETZEN , J. H., H
UTTER , F.,
ET AL . Neural architecturesearch: A survey.
Journal of Machine Learning Research 20 , 55 (2019),1–21.[22] E
ZHILCHELVAN , P. D.,
AND M ITRANI , I. Evaluating the probabilityof malicious co-residency in public clouds.
IEEE Transactions onCloud Computing 5 , 3 (2015), 420–427.[23] G
OTO , K.,
AND G EIJN , R. A. V . D . Anatomy of high-performancematrix multiplication. ACM Transactions on Mathematical Software34 , 3 (2008), 1–25.[24] G
ÖTZFRIED , J., E
CKERT , M., S
CHINZEL , S.,
AND M ÜLLER , T.Cache attacks on Intel SGX. In
European Workshop on Systems Secu-rity (2017), pp. 1–6.[25] G
RUSS , D., L
IPP , M., S
CHWARZ , M., G
ENKIN , D., J
UFFINGER , J.,O’C
ONNELL , S., S
CHOECHL , W.,
AND Y AROM , Y. Another flip inthe wall of rowhammer defenses. In
IEEE Symposium on Security andPrivacy (2018), pp. 245–261.[26] G U , Z., H UANG , H., Z
HANG , J., S U , D., J AMJOOM , H., L
AMBA ,A., P
ENDARAKIS , D.,
AND M OLLOY , I. Yerbabuena: Securing deeplearning inference data via enclave-based ternary model partitioning. arXiv preprint arXiv:1807.00969 (2018).[27] G UO , S., Z HANG , T., Q IU , H., Z ENG , Y., X
IANG , T.,
AND L IU , Y.The hidden vulnerability of watermarking for deep neural networks. arXiv preprint arXiv:2009.08697 (2020).[28] H ÄHNEL , M., C UI , W., AND P EINADO , M. High-resolution sidechannels for untrusted operating systems. In
USENIX Annual TechnicalConference (2017), pp. 299–312.[29] H E , K., Z HANG , X., R EN , S., AND S UN , J. Deep residual learningfor image recognition. In IEEE Conference on Computer Vision andPattern Recognition (2016), pp. 770–778.[30] H
INTON , G., V
INYALS , O.,
AND D EAN , J. Distilling the knowledgein a neural network. arXiv preprint arXiv:1503.02531 (2015).[31] H
ONG , S., D
AVINROY , M., K
AYA , Y., D
ACHMAN -S OLED , D.,
AND D UMITRA ¸S , T. How to 0wn NAS in your spare time. arXiv preprintarXiv:2002.06776 (2020).[32] H
ONG , S., D
AVINROY , M., K
AYA , Y., L
OCKE , S. N., R
ACKOW , I.,K
ULDA , K., D
ACHMAN -S OLED , D.,
AND D UMITRA ¸S , T. Securityanalysis of deep neural networks operating in the presence of cacheside-channel attacks. arXiv preprint arXiv:1810.03487 (2018).[33] H U , X., L IANG , L., L I , S., D ENG , L., Z UO , P., J I , Y., X IE , X., D ING ,Y., L IU , C., S HERWOOD , T.,
ET AL . DeepSniffer: A DNN modelextraction framework based on learning architectural hints. In
In-ternational Conference on Architectural Support for ProgrammingLanguages and Operating Systems (2020), pp. 385–399.[34] H UA , W., Z HANG , Z.,
AND S UH , G. E. Reverse engineering con-volutional neural networks through side-channel information leaks.In ACM/ESDA/IEEE Design Automation Conference (2018), IEEE,pp. 1–6.[35] J
AGIELSKI , M., C
ARLINI , N., B
ERTHELOT , D., K
URAKIN , A.,
AND P APERNOT , N. High accuracy and high fidelity extraction of neuralnetworks. In
USENIX Security Symposium (2020).[36] K
APLAN , D., P
OWELL , J.,
AND W OLLER , T. Amd memory encryp-tion. In
White Paper (2016).[37] K
ARL , R., T
AKESHITA , J.,
AND J UNG , T. Using Intel SGX to improveprivate neural network training and inference. In
Symposium on HotTopics in the Science of Security (2020), pp. 1–2.[38] K IM , K., K IM , C. H., R HEE , J. J., Y U , X., C HEN , H., T
IAN , D.,
AND L EE , B. Vessels: efficient and scalable deep learning predictionon trusted processors. In ACM Symposium on Cloud Computing (2020),pp. 462–476.
39] K
RIZHEVSKY , A., S
UTSKEVER , I.,
AND H INTON , G. E. ImageNetclassification with deep convolutional neural networks.
Advances inNeural Information Processing Systems 25 (2012), 1097–1105.[40] K
UNKEL , R., Q
UOC , D. L., G
REGOR , F., A
RNAUTOV , S., B
HATOTIA ,P.,
AND F ETZER , C. TensorSCONE: A secure TensorFlow frameworkusing Intel SGX. arXiv preprint arXiv:1902.04413 (2019).[41] L E M ERRER , E., P
EREZ , P.,
AND T RÉDAN , G. Adversarial frontierstitching for remote neural network watermarking.
Neural Computingand Applications (2019), 1–12.[42] L EE , T., L IN , Z., P USHP , S., L I , C., L IU , Y., L EE , Y., X U , F., X U ,C., Z HANG , L.,
AND S ONG , J. Occlumency: Privacy-preserving re-mote deep-learning inference using SGX. In
Annual InternationalConference on Mobile Computing and Networking (2019), pp. 1–17.[43] L I , Z., H U , C., Z HANG , Y.,
AND G UO , S. How to prove your modelbelongs to you: A blind-watermark based framework to protect intel-lectual property of DNN. In Annual Computer Security ApplicationsConference (2019), pp. 126–137.[44] L IU , C., Z OPH , B., N
EUMANN , M., S
HLENS , J., H UA , W., L I , L.-J.,F EI -F EI , L., Y UILLE , A., H
UANG , J.,
AND M URPHY , K. Progressiveneural architecture search. In
European Conference on ComputerVision (2018), pp. 19–34.[45] L IU , F., Y AROM , Y., G E , Q., H EISER , G.,
AND L EE , R. B. Last-level cache side-channel attacks are practical. In IEEE Symposium onSecurity and Privacy (2015), pp. 605–622.[46] L IU , H., S IMONYAN , K., V
INYALS , O., F
ERNANDO , C.,
AND K AVUKCUOGLU , K. Hierarchical representations for efficient archi-tecture search. arXiv preprint arXiv:1711.00436 (2017).[47] L IU , H., S IMONYAN , K.,
AND Y ANG , Y. DARTS: Differentiablearchitecture search. arXiv preprint arXiv:1806.09055 (2018).[48] L IU , X., L I , F., W EN , B., AND L I , Q. Removing backdoor-basedwatermarks in neural networks with limited data. arXiv preprintarXiv:2008.00407 (2020).[49] M ARSCHALEK , M. The wolf in SGX clothing. In
Bluehat IL (2018).[50] M C K EEN , F., A
LEXANDROVICH , I., B
ERENZON , A., R
OZAS , C. V.,S
HAFI , H., S
HANBHOGUE , V.,
AND S AVAGAONKAR , U. R. Innovativeinstructions and software model for isolated execution.
Hasp@ isca10 , 1 (2013).[51] N
AMBA , R.,
AND S AKUMA , J. Robust watermarking of neural networkwith exponential weighting. In
ACM Asia Conference on Computerand Communications Security (2019), pp. 228–240.[52] O
HRIMENKO , O., S
CHUSTER , F., F
OURNET , C., M
EHTA , A.,N
OWOZIN , S., V
ASWANI , K.,
AND C OSTA , M. Oblivious multi-partymachine learning on trusted processors. In
USENIX Security Sympo-sium (2016), pp. 619–636.[53] P
HAM , H., G
UAN , M. Y., Z
OPH , B., L E , Q. V., AND D EAN , J. Effi-cient neural architecture search via parameter sharing. arXiv preprintarXiv:1802.03268 (2018).[54] R
EAL , E., A
GGARWAL , A., H
UANG , Y.,
AND L E , Q. V. Regularizedevolution for image classifier architecture search. In AAAI Conferenceon Artificial Intelligence (2019), vol. 33, pp. 4780–4789.[55] R
ISTENPART , T., T
ROMER , E., S
HACHAM , H.,
AND S AVAGE , S. Hey,you, get off of my cloud: exploring information leakage in third-partycompute clouds. In
ACM Conference on Computer and Communica-tions Security (2009), pp. 199–212.[56] R
OUHANI , B. D., C
HEN , H.,
AND K OUSHANFAR , F. DeepSigns: Anend-to-end watermarking framework for protecting the ownership ofdeep neural networks. In
ACM International Conference on Archi-tectural Support for Programming Languages and Operating Systems (2019).[57] S
CHWARZ , M., W
EISER , S.,
AND G RUSS , D. Practical enclave mal-ware with Intel SGX. In
International Conference on Detection of In-trusions and Malware, and Vulnerability Assessment (2019), Springer,pp. 177–196. [58] S
CHWARZ , M., W
EISER , S., G
RUSS , D., M
AURICE , C.,
AND M AN - GARD , S. Malware guard extension: Using SGX to conceal cacheattacks. In
International Conference on Detection of Intrusions andMalware, and Vulnerability Assessment (2017), Springer, pp. 3–24.[59] S
ENIOR , A. W., E
VANS , R., J
UMPER , J., K
IRKPATRICK , J., S
IFRE ,L., G
REEN , T., Q IN , C., Ž ÍDEK , A., N
ELSON , A. W., B
RIDGLAND ,A.,
ET AL . Improved protein structure prediction using potentials fromdeep learning.
Nature 577 , 7792 (2020), 706–710.[60] S
HAFIEINEJAD , M., W
ANG , J., L
UKAS , N., L I , X., AND K ER - SCHBAUM , F. On the robustness of the backdoor-based watermarkingin deep neural networks. arXiv preprint arXiv:1906.07745 (2019).[61] S
ILVER , D., H
UANG , A., M
ADDISON , C. J., G
UEZ , A., S
IFRE , L.,V AN D EN D RIESSCHE , G., S
CHRITTWIESER , J., A
NTONOGLOU , I.,P
ANNEERSHELVAM , V., L
ANCTOT , M.,
ET AL . Mastering the gameof go with deep neural networks and tree search.
Nature 529 , 7587(2016), 484–489.[62] S
IMONYAN , K.,
AND Z ISSERMAN , A. Very deep convolu-tional networks for large-scale image recognition. arXiv preprintarXiv:1409.1556 (2014).[63] T
RAMÈR , F., Z
HANG , F., J
UELS , A., R
EITER , M. K.,
AND R ISTEN - PART , T. Stealing machine learning models via prediction apis. In
USENIX Security Symposium (2016), pp. 601–618.[64] U
CHIDA , Y., N
AGAI , Y., S
AKAZAWA , S.,
AND S ATOH , S. Embed-ding watermarks into deep neural networks. In
ACM on InternationalConference on Multimedia Retrieval (2017), pp. 269–277.[65] V
ARADARAJAN , V., Z
HANG , Y., R
ISTENPART , T.,
AND S WIFT , M. Aplacement vulnerability study in multi-tenant public clouds. In
USENIXSecurity Symposium (2015), pp. 913–928.[66] W
ANG , B.,
AND G ONG , N. Z. Stealing hyperparameters in machinelearning. In
IEEE Symposium on Security and Privacy (2018), pp. 36–52.[67] X U , Z., W ANG , H.,
AND W U , Z. A measurement study on co-residence threat inside the cloud. In =USENIX Security Symposium (2015), pp. 929–944.[68] Y AN , M., F LETCHER , C. W.,
AND T ORRELLAS , J. Cache telepathy:Leveraging shared resource attacks to learn DNN architectures. In
USENIX Security Symposium (2020), pp. 2003–2020.[69] Y
AROM , Y.,
AND F ALKNER , K. FLUSH+ RELOAD: A high reso-lution, low noise, L3 cache side-channel attack. In
USENIX SecuritySymposium (2014), pp. 719–732.[70] Y U , H., Y ANG , K., Z
HANG , T., T
SAI , Y.-Y., H O , T.-Y., AND J IN ,Y. CloudLeak: Large-scale deep learning models stealing throughadversarial examples. In Network and Distributed Systems SecuritySymposium (2020).[71] Z
HANG , J., C
HEN , D., L
IAO , J., F
ANG , H., Z
HANG , W., Z
HOU , W.,C UI , H., AND Y U , N. Model watermarking for image processingnetworks. In AAAI Conference on Artificial Intelligence (2020), vol. 34,pp. 12805–12812.[72] Z
HANG , J., G U , Z., J ANG , J., W U , H., S TOECKLIN , M. P., H
UANG ,H.,
AND M OLLOY , I. Protecting intellectual property of deep neuralnetworks with watermarking. In
ACM Asia Conference on Computerand Communications Security (2018), pp. 159–172.[73] Z
HANG , Y., J
UELS , A., R
EITER , M. K.,
AND R ISTENPART , T. Cross-VM side channels and their use to extract private keys. In
ACM Confer-ence on Computer and Communications Security (2012), pp. 305–316.[74] Z
HANG , Y., J
UELS , A., R
EITER , M. K.,
AND R ISTENPART , T. Cross-tenant side-channel attacks in PaaS clouds. In
ACM SIGSAC Confer-ence on Computer and Communications Security (2014), pp. 990–1003.[75] Z
OPH , B.,
AND L E , Q. V. Neural architecture search with reinforce-ment learning. arXiv preprint arXiv:1611.01578 (2016).[76] Z OPH , B., V
ASUDEVAN , V., S
HLENS , J.,
AND L E , Q. V. Learningtransferable architectures for scalable image recognition. In IEEE Con-ference on Computer Vision and Pattern Recognition (2018), pp. 8697–8710. Proof Sketch of Theorem 1
Proof Sketch.
We prove the proposed watermarking schemesatisfies the watermarking properties.
Effectiveness.
The property can be guaranteed by Assump-tion 2.
Usability.
Let S c i , , S c i be the architecture search spaces be-fore and after restricting the stamp k i of c i . A c i , and A c i arethe two architecture searched from S c i , and S c i , respectively. f c i , and f c i are the corresponding models trained on the thesame data distribution D . From Assumption 1, we have Pr [ f c i , ( x ) = y | ( x , y ) ∼ D ] − Pr [ f c i ( x ) = y | ( x , y ) ∼ D ] ≤ ε N . (5)Let f , f are the DNN models that are learned before andafter restricting their architecture search spaces by a water-mark. One can easily use the mathematical induction to provethe usability of our watermarking scheme, i.e., Pr [ f ( x ) = y | ( x , y ) ∼ D ] − Pr [ f ( x ) = y | ( x , y ) ∼ D ] ≤ ε . (6) Robustness.
We classify the model modification attacks intotwo categories. The first approach is to only change the param-eters of f using existing techniques such as fine-tuning andmodel compression. Since the architecture is preserved, thestamps of all cells are also preserved. According to Assump-tion 2, the idea analyzer can extract the stamps and verify theownership of the modified models.The other category of attacks modifies the architecture ofthe model. Since the marking key (watermark) is secret, theadversary can uniformly modify the operation of an edge ordelete an edge in a cell. The probability that the adversarycan successfully modify one edge/operation of a stamp isnot larger than n s | c i | , where | c i | is the number of connectededges in c i . Thus, the expected value of the total number ofmodification is δ × N × n s ∑ Ni = | c i | τ × N s . However, since the adversarycannot access the proxy and task datasets, he cannot obtainnew models with competitive performance by retraining themodified architectures. Uniqueness.
Without loss of generality, we assume the NASalgorithm can search the same architecture if the search spacesof all cells are the same. Thus, the uniqueness of the water-marked model is decided by the probability that the adversarycan identify the same search spaces. Because the markingkey is secret, the adversary has to guess the edges and thecorresponding operations of each stamp if he wants to iden-tify the same search spaces (the similarity ratio τ is 100%here). The probability that he can identify the same searchspace of a cell is much smaller than ( | O | ) n s . Therefore, theuniqueness property of our watermarking scheme is provedif δ < ( | O | ) n s × N . As we empirically evaluated in Section 6.5,the watermarked models are unique and the probability ofmodel collision is very low. B Details about GEMM in OpenBLAS
BLAS realizes the matrix multiplication with the function gemm . This function computes C = α A × B + β C , where Ais an m × k matrix, B is a k × n matrix, C is an m × n matrix,and both α and β are scalars. OpenBLAS adopts Goto’s al-gorithm [23] to accelerate the multiplication using moderncache hierarchies. This algorithm divides a matrix into smallblocks (with constant parameters P, Q, R), as shown in Figure15. The matrix A is partitioned into P × Q blocks and B ispartitioned into Q × R blocks, which can be fit into the L2and L3 caches, respectively. The multiplication of such twoblocks generates a P × R block in the matrix C. Algorithm 4shows the process of gemm that contains 4 loops controlledby the matrix size ( m , n , k ) . Functions itcopy and oncopy areused to allocate data and functions. kernel runs the actualcomputation. Note that the partition of m contains two loops, loop and loop , where loop is used to process the multipli-cation of the first P × Q block and the chosen Q × R block.For different cache sizes, OpenBLAS selects different valuesof P, Q and R to achieve the optimal performance. C + = A B m n m k k n + = QP Q R RP Figure 15: The procedure of GEMM.
C Details about the NAS AlgorithmsC.1 Architecture Search
CIFAR10.
We adopt GDAS [17] to search for the optimalCNN architectures on CIFAR10. We set the number of initialchannels in first convolution layer as 16, the number of thecomputation nodes in a cell as 4 and the number of normalcells in a block as 2. Then we train the model for 240 epochs.The setting of the optimizer and learning rate schedule is thesame as that in [17]. The search process on CIFAR10 takesabout five hours with a single NVIDIA Tesla V100 GPU.
PTB.
We adopt DARTS [47] to search for the optimal RNNarchitecture on PTB. Both the embedding and hidden sizesare set as 300, and the network is trained for 50 epochs usingSGD optimization. We set the learning rate as 20, the batchsize as 256, BPTT length as 35, and the weight decay as5 × − . Other setting of the optimization of the architectureis also the same as [47]. The search process takes 6 hours ona single GPU.16 .2 Model Retraining CIFAR
After obtaining the searched cells, we form a CNNwith 33 initial channels. We set number of computation nodesin a cell as 4 and the number of normal cells in a block as 6.Then we train the network for 300 epochs on the dataset (bothCIFAR10 and CIFAR100), with a learning rate reducing from0.025 to 0 with the cosine schedule. The preprocessing anddata augmentation is the same as [17]. The training processtakes about 11 GPU hours.
ImageNet
For the CNN on ImageNet, we set the initial chan-nel size as 52, and the number of normal cells in a block as4. The network is trained with 250 epochs using the SGDoptimization and the batch size is 128. The learning rate isinitialized as 0.1, and is reduced by 0.97 after each epoch. Thetraining process takes 12 days on a single GPU.
PTB
A RNN with the searched recurrent cell is trained onPTB with the SGD optimization and the batch size of 64 untilthe convergence. Both the embedding and hidden sizes are setas 850. The learning rate is set as 20 and the weight decay is8 × − . The training process takes 3 days on a single GPU. D Monitored Functions in Pytorch and Open-BLAS
Table 4 gives the monitored lines of the code in the latestPytorch 1.7.0 and OpenBLAS 0.3.13.
Library Functions Code LineOpenBLAS Itcopy kernel/generic/gemm_tcopy_8.c:78Oncopy kernel/x86_64/sgemm_ncopy_4_skylakex.c:57Pytorch Relu aten/src/ATen/Functions.cpp:6332Tanh aten/src/ATen/native/UnaryOps.cpp:452Sigmoid aten/src/ATen/native/UnaryOps.cpp:389Avgpool aten/src/ATen/native/AdaptiveAveragePooling.cpp:325Maxpool aten/src/ATen/native/Pooling.cpp:47
Table 4: Monitored code lines in OpenBLAS and Pytorch.
E Whole side channel leakage trace
Figure 16 shows the whole side channel leakage trace ofthe tested NAS model in our end-to-end watermarking pro-cess. While the nodes representing the function accesses arestacked up, we can still identity the first block from interval0 to around 2 × e
6, where there are more accesses to itcopyitcopy