Probabilistic Selective Encryption of
Convolutional Neural Networks for Hierarchical Services

We aim to design a CNN protection framework with the following two functionalities. Firstly, this system can prevent unauthorized access to the pretrained model. Namely, only authorized users could obtain the correct model outputs, while the unauthorized ones can only get irrelevant results. Secondly, it can provide hierarchical services for authorized users with different permissions. The framework of our system is presented in Fig. 1. Let $\mathcal{F}_{\mathbf{\Theta}}$ be a pretrained CNN model with the parameter set $\mathbf{\Theta}$. To protect this model via our proposed SE strategy, a service provider firstly feeds the pretrained model $\mathcal{F}_{\mathbf{\Theta}}$ into a Select module, which selects important parameters $\hat{\mathbf{\Theta}}$ from $\mathcal{F}_{\mathbf{\Theta}}$ by using the proposed PSS. Then, the Encrypt module constructs the protected model $\mathcal{F}_{\tilde{\mathbf{\Theta}}}$ by encrypting $\hat{\mathbf{\Theta}}$ with the proposed DPRM. The model $\mathcal{F}_{\tilde{\mathbf{\Theta}}}$ subsequently will be deployed, waiting for access with permissions. The Assign module generates several permissions $\mathbf{S}_{\hat{m}}$’s based on the outputs of the Select and Encrypt modules. Authorized users then obtain a decrypted model $\mathcal{F}_{\breve{\mathbf{\Theta}}_{\hat{m}}}$ by inputting a permission $\mathbf{S}_{\hat{m}}$ into the Decrypt module. The decrypted model will exhibit different levels of performance of the pretrained model $\mathcal{F}_{\mathbf{\Theta}}$ as the change of the permission $\mathbf{S}_{\hat{m}}$. As shown in Fig. 1, three authorized users decrypt the protected model with different permissions $\mathbf{S}_{\hat{m}}$’s ($\hat{m}=1,2,3$), and obtain corresponding decrypted models $\mathcal{F}_{\breve{\mathbf{\Theta}}_{\hat{m}}}$ with hierarchical performance on classifying a cat. When an unauthorized user attempts to access the protected model without any permission, the system will return a useless result.

The considered security threats of the proposed system mainly come from attackers who attempt to recover encrypted parameters $\hat{\mathbf{\Theta}}$ from the protected model $\mathcal{F}_{\tilde{\mathbf{\Theta}}}$, so as to use the pretrained model $\mathcal{F}_{\mathbf{\Theta}}$ without authorization. On the one hand, attackers could treat the parameter set $\tilde{\mathbf{\Theta}}$ of the protected model as a noisy version of the original parameter set $\mathbf{\Theta}$, where parameters $\hat{\mathbf{\Theta}}$ are contaminated. Attackers thus can recover $\hat{\mathbf{\Theta}}$ from $\tilde{\mathbf{\Theta}}$ with denoising techniques. On the other hand, those encrypted parameters $\hat{\mathbf{\Theta}}$ could be treated as the missing information in $\tilde{\mathbf{\Theta}}$, which possibly can be restored with retraining strategies. We call these two adversarial behaviors the denoising attack and the retraining attack.

To evaluate the effectiveness and security of the proposed scheme, we clarify the following design goals: 1) Effectiveness: To make the protected model $\mathcal{F}_{\tilde{\mathbf{\Theta}}}$ dysfunctional to unauthorized access, we have to ensure that the selectively encrypted model exhibits sufficiently large performance degradation; 2) Hierarchy: The proposed system should provide users with different services by assigning them with different permissions. Therefore, the released model $\mathcal{F}_{\breve{\mathbf{\Theta}}_{\hat{m}}}$ needs to exhibit various performance in accordance to user’s permission $\mathbf{S}_{\hat{m}}$; and 3) Security: The protected model $\mathcal{F}_{\tilde{\mathbf{\Theta}}}$ should be secure against threats discussed above. We will verify all the design goals in Section 5.

This module aims to select important parameters $\hat{\mathbf{\Theta}}$ from convolutional layers of $\mathcal{F}_{\mathbf{\Theta}}$. Here we only consider convolutional layers because most of parameters in a CNN model are concentrated in these layers [12, 18, 33, 34]. Hereafter, the term “layer” refers to the convolutional layer. We adopt a layer-wise strategy to determine $\hat{\mathbf{\Theta}}$ for parallel processing. Specifically, suppose the pretrained model contains $L$ layers, and hence, $\hat{\mathbf{\Theta}}$ is composed of $L$ subsets $\hat{\mathbf{\Theta}}^{l}$’s ($l=1,...,L$), where each $\hat{\mathbf{\Theta}}^{l}$ contains important parameters of the $l$-th layer. We propose a selection method PSS to identify each $\hat{\mathbf{\Theta}}^{l}$. The motivation of PSS is as follows.

Intuitively, we can identify the importance of parameters by evaluating the performance degradation of the pretrained model without these parameters. However, neurons of a CNN model may have different responses for various inputs, implying that the importance of parameters is related to the inputs. More precisely, let $\mathbf{\Theta}^{l}$ denote parameters of the $l$-th layer. When feeding a sample $\mathbf{x}_{n}$ ($n=1,...,N$) into $\mathcal{F}_{\mathbf{\Theta}}$, there exists a parameter subset $\hat{\mathbf{\Theta}}^{l}$ of $\mathbf{\Theta}^{l}$ to cause the maximal performance degradation of $\mathcal{F}_{\mathbf{\Theta}}$ if we remove $\hat{\mathbf{\Theta}}^{l}$. Clearly, $\hat{\mathbf{\Theta}}^{l}$ changes with the input $\mathbf{x}_{n}$. To eliminate such randomness, we can count how many times each parameter $\theta$ in $\mathbf{\Theta}^{l}$ is selected as a candidate of $\hat{\mathbf{\Theta}}^{l}$, after feeding all $\mathbf{x}_{n}$. Denote the selected frequency of a parameter $\theta$ in $\mathbf{\Theta}^{l}$ by $p_{\theta}$. It is clear that the frequency $p_{\theta}$ directly reflects the importance of a parameter $\theta$ to the pretrained model. We thus name $p_{\theta}$ the importance of the parameter $\theta$. For simplicity, we call $\hat{\mathbf{\Theta}}^{l}$ dominated set of the $l$-th layer and call parameters in it dominated parameters. Naturally, $\hat{\mathbf{\Theta}}$ is the dominated set of $\mathcal{F}_{\mathbf{\Theta}}$.

Now we formulate the selection strategy PSS above into the following optimization problem.

where $\mathbf{Z}^{(n)}=\{z^{(n)}_{\theta}\}_{\theta\in\mathbf{\Theta}^{l}}$, $z^{(n)}_{\theta}\sim Bern(z_{\theta}|p_{\theta})$ is a sample of the binary random variable $z_{\theta}$, $\mathbf{I}$ is the vector of ones with the same length as $\mathbf{\Theta}^{l}$, and $\lambda$ is a weighting factor for the regularization term. Here, we briefly explain the relationship between the optimization problem (1) and the selection strategy. The element-wise multiplication $(\mathbf{I}-\mathbf{Z}^{(n)})\odot\mathbf{\Theta}^{l}$ is designed to simulate the removing operation by noting that a parameter $\theta$ will be removed from $\mathbf{\Theta}^{l}$ if the corresponding $z^{(n)}_{\theta}=1$. The first term thus indicates the performance of $\mathcal{F}_{\mathbf{\Theta}}$ after removing a part of the parameters ($\mathcal{L}(\cdot)$ is a performance evaluating function). To maximize the performance degradation of $\mathcal{F}_{\mathbf{\Theta}}$, which is equivalent to minimizing the first term in (1), those important parameters $\theta$’s in $\mathbf{\Theta}^{l}$ should be assigned with large importance $p_{\theta}$, so that $z^{(n)}_{\theta}=1$ for most $\mathbf{x}_{n}$’s. Thus, we can determine the importance $p_{\theta}$ of each $\theta$ in $\mathbf{\Theta}^{l}$ by solving the problem (1). It should be noted that the term $\|\mathbf{Z}^{(n)}\|_{0}$ penalizes the number of removed parameters, such that fewer parameters are assigned with large importance.

The discrete nature of the binary random variable $z_{\theta}$ challenges the optimization of the problem (1). We can overcome this obstacle via reparameterizing [14, 29] $z_{\theta}$ into the continuous random variable $\tilde{z}_{\theta}$ as follows

which was initially proposed in [22] and later improved in [21]. In (2), $u$ is a random variable of uniform distribution $U(0,1)$, $Sig(\cdot)$ represents the sigmoid function, $\zeta>0$ and $\gamma<0$ are parameters to extend the support of $\tilde{z}$ to be $[0,1]$.

Another challenge ascribes to the $L_{0}$ regularizer $\|\tilde{\mathbf{Z}}^{(n)}\|_{0}=\|\{\tilde{z}^{(n)}_{\theta}\}_{\theta\in\mathbf{\Theta}^{l}}\|_{0}$ in the problem (1). Note that the original $z_{\theta}$ has been relaxed by $\tilde{z}_{\theta}$ defined in (2). We can relax the $L_{0}$ regularizer into a differentiable form $\sum_{\theta\in\mathbf{\Theta}^{l}}\mathbb{P}\left\{\tilde{z}^{(n)}_{\theta}\neq 0\right\}$. The reason is that $L_{0}$ norm enforces less nonzero elements in $\tilde{\mathbf{Z}}^{(n)}$. This implies that, for most $\tilde{z}^{(n)}_{\theta}$’s in $\tilde{\mathbf{Z}}^{(n)}$, the probability $\mathbb{P}\left\{\tilde{z}^{(n)}_{\theta}\neq 0\right\}$ should be as small as possible. According to the cumulative distribution function (CDF) of $s_{\theta}(u)$ introduced in [22], we can conclude that

where the details is given in supplementary materials.

Upon having the relaxation (2) and (3), the problem (1) reduces to

When the performance evaluation function $\mathcal{L}(\cdot)$ is differentiable with respect to $p_{\theta}$’s, such as the negative cross-entropy or negative mean squared error, we can effortlessly solve this problem with automatic differentiation toolboxes TensorFlow [1] or Pytorch [25].

After solving the problem (4), we obtain the importance of parameters in the $l$-th layer, denoted by $\mathbf{P}^{l}=\{p_{\theta}\}_{\theta\in\mathbf{\Theta}^{l}}$. The dominated set $\hat{\mathbf{\Theta}}^{l}$ of this layer naturally can be identified as follows

where $\phi$ is the number of dominated parameters. By repeatedly solving the problem (4) with $l=1,...,L$, and searching dominated parameters as (5), we can obtain the dominated set $\hat{\mathbf{\Theta}}=\{\hat{\mathbf{\Theta}}^{l}\}^{L}_{l=1}$ for the model $\mathcal{F}_{\mathbf{\Theta}}$.

Upon having dominated parameters $\hat{\mathbf{\Theta}}$, we now split them into $M$ different subsets as follows:

where $Q_{m,l}$ is the $(M-m+1)/M$ percentile of elements in $\mathbf{P}^{l}$. Here we split $\hat{\mathbf{\Theta}}$ according to the importance of parameters as in (6), so that the subsequent procedure could control the performance of $\mathcal{F}_{\mathbf{\Theta}}$ by manipulating the number of decrypted parameters with different importance. More details are deferred to Section 3.4.

For the future decryption of dominated parameters in $\hat{\mathbf{\Theta}}$, we also need their locations $\hat{\mathbf{E}}=\{\mathbf{e}_{\theta}\}_{\theta\in\hat{\mathbf{\Theta}}}$ in the model $\mathcal{F}_{\mathbf{\Theta}}$, where $\mathbf{e}_{\theta}$ is a 2-D tuple to locate which layer $\theta$ belongs to and the position of $\theta$ in this layer. Similarly, we split $\hat{\mathbf{E}}$ following the partition of $\hat{\mathbf{\Theta}}$. That is,

We now propose an encryption method called DPRM to encrypt the dominated set $\hat{\mathbf{\Theta}}$, so as to protect the model $\mathcal{F}_{\mathbf{\Theta}}$ in terms of maximizing performance degradation. We run the DPRM independently on each subset $\hat{\mathbf{\Theta}}_{m}$ of $\hat{\mathbf{\Theta}}$ to facilitate the manipulation of decrypted parameters. The DPRM works by first generating a pseudorandom number sequence to mask $\hat{\mathbf{\Theta}}_{m}$, and then transforming the masked version of $\hat{\mathbf{\Theta}}_{m}$ into the same distribution as $\hat{\mathbf{\Theta}}_{m}$. The detailed procedure of running DPRM is listed in Algorithm 1. For each $\hat{\mathbf{\Theta}}_{m}$ in the partition of $\hat{\mathbf{\Theta}}$, the DPRM sequentially performs:

$\bm{1)}$ $RandMask(\hat{\mathbf{\Theta}}_{m},\kappa_{m})\rightarrow\mathbf{C}_{m}$: Given a secret key $\kappa_{m}$ produced by a key generator, we utilize the forward secure pseudorandom number generator (FSPRGN) [30] $\mathcal{G}_{fs}$ to produce a pseudorandom number sequence $\mathbf{R}_{m}$ with length $|\hat{\mathbf{\Theta}}_{m}|$. The subset $\hat{\mathbf{\Theta}}_{m}$ of the dominated set $\hat{\mathbf{\Theta}}$ then is masked by this pseudorandom number sequence as $\mathbf{C}_{m}=\hat{\mathbf{\Theta}}_{m}+\mathbf{R}_{m}$ (line 2).

$\bm{2)}$ $Mapping(\mathbf{C}_{m})\rightarrow{\hat{\mathbf{C}}_{m}}$: An obvious limitation of $RandMask$ is that masked parameters $\mathbf{C}_{m}$ are statistically different from the original $\hat{\mathbf{\Theta}}_{m}$. Attackers can then easily identify $\mathbf{C}_{m}$, which implies that locations of encrypted parameters are leaked. To tackle this serious threat, we have to further transform $\mathbf{C}_{m}$ to another domain whose distribution is consistent with $\hat{\mathbf{\Theta}}_{m}$. To this end, the fundamental issue now is to estimate the distribution of parameters in $\hat{\mathbf{\Theta}}_{m}$.

Observing the histograms of parameters of several layers in the CNN model VGG19 [32] in Fig. 2, it is reasonable to infer that parameters in each layer of a CNN model follow symmetric distributions such as Gaussian. Hence, we assume that parameters $\mathbf{\Theta}^{l}$ of the $l$-th layer follow a Gaussian distribution $\mathcal{N}(\theta|\mu^{l},\sigma^{l})$, where the mean $\mu^{l}$ and standard deviation $\sigma^{l}$ can be estimated with sample mean and sample standard deviation of parameters in $\mathbf{\Theta}^{l}$.

Note that the masked parameters in $\mathbf{C}_{m}$ are distributed across $L$ layers, where masked parameters in the $l$-th layer are denoted by $\mathbf{C}^{l}_{m}$ ($l=1,...,L$). Making the distribution of $\mathbf{C}_{m}$ be consistent with that of $\hat{\mathbf{\Theta}}_{m}$ reduces to transform each $\mathbf{C}^{l}_{m}$ into the Gaussian distribution $\mathcal{N}(\theta|\mu^{l},\sigma^{l})$ as $\hat{\mathbf{\Theta}}^{l}\subset\mathbf{\Theta}^{l}$. As shown in Algorithm 1 (lines 3-10), for $l=1,...,L$, we first scale elements in $\mathbf{C}_{m}^{l}$ into the interval $[0,1]$, and then transform these scaled $c$’s with the inverse Gaussian CDF as follows:

where $u^{l}_{m}=\min(\mathbf{C}^{l}_{m})$, $v^{l}_{m}=\max(\mathbf{C}^{l}_{m})$, and $F^{-1}(\cdot|\mu^{l},\sigma^{l})$ is the inverse CDF of $\mathcal{N}(\theta|\mu^{l},\sigma^{l})$. After transforming all subsets $\mathbf{C}_{m}^{l}$’s in $\mathbf{C}_{m}$ as (8), we obtain the ciphertext $\hat{\mathbf{C}}_{m}$ of $\hat{\mathbf{\Theta}}_{m}$ .

By repeatedly implementing the DPRM above on each $\hat{\mathbf{\Theta}}_{m}$ in $\hat{\mathbf{\Theta}}$, we encrypt the dominated set $\hat{\mathbf{\Theta}}$ of $\mathcal{F}_{\mathbf{\Theta}}$ into the ciphertext $\hat{\mathbf{C}}$. The protected model $\mathcal{F}_{\tilde{\mathbf{\Theta}}}$ thus could be constructed by replacing $\hat{\mathbf{\Theta}}$ in $\mathcal{F}_{\mathbf{\Theta}}$ with $\hat{\mathbf{C}}$ (line 11). Apart from the protected model $\mathcal{F}_{\tilde{\mathbf{\Theta}}}$, the Encrypt module also generates secret keys $\mathbf{K}$, scaling parameters $\mathbf{U},\mathbf{V}$, and the statistical information $\bm{\mu},\bm{\sigma}$, for generating permissions.

The performance of the protected model $\mathcal{F}_{\tilde{\mathbf{\Theta}}}$ now is heavily suppressed since dominated parameters $\hat{\mathbf{\Theta}}$ are encrypted. Users could access $\mathcal{F}_{\tilde{\mathbf{\Theta}}}$ only with permissions composed of locations $\hat{\mathbf{E}}$ of dominated parameters and other five security-related components outputted from the Encrypt module. More precisely, let $\mathbf{S}_{\hat{m}}$’s $({\hat{m}}=1,...,M)$ be $M$ different levels of permissions, each of which is generated as follows:

Here, each item $\{\hat{\mathbf{E}}_{m},\mathbf{u}_{m},\mathbf{v}_{m},\kappa_{m},\bm{\mu},\bm{\sigma}\}$ could independently decrypt the ciphertext of the dominated parameter subset $\hat{\mathbf{\Theta}}_{m}$ in $\hat{\mathbf{\Theta}}$. Details will be introduced in Section 3.4.

Also, the size of a permission $\mathbf{S}_{\hat{m}}$ in bits is $(b_{\kappa}+64L)\hat{m}+\frac{16L\hat{m}}{M}\phi$ (please refer to supplementary materials for detailed calculations), where $b_{\kappa}$ is the bit size of the secret key $\kappa$, and $\phi$ is the number of dominated parameters in each layer. For the prevailing models, VGG19 and DnCNN considered in our experiment, the size of permissions is less than 508KB. Such overhead is acceptable in practice.

When receiving a permission $\mathbf{S}_{\hat{m}}$ from users, the Decrypt module is operated as follows. For each item $\{\hat{\mathbf{E}}_{m},\mathbf{u}_{m},\mathbf{v}_{m},\kappa_{m},\bm{\mu},\bm{\sigma}\}$ in $\mathbf{S}_{\hat{m}}$, the decryption procedure starts with locating the ciphertext $\hat{\mathbf{C}}_{m}$ of dominated parameter subset $\hat{\mathbf{\Theta}}_{m}$ according to the location $\hat{\mathbf{E}}_{m}$ (line 2). The decryption of $\hat{\mathbf{C}}_{m}$ is merely the inverse process of the encryption of $\hat{\mathbf{\Theta}}_{m}$. As shown in Algorithm 2, for those encrypted parameters $\hat{\mathbf{C}}^{l}_{m}$ of $\hat{\mathbf{C}}_{m}$ in the $l$-th layer, we first transfer them back to the random masked version of $\hat{\mathbf{\Theta}}^{l}_{m}$, i.e., $\mathbf{C}^{l}_{m}$, via the following transformations (lines 6-7)

where $F(\cdot,\mu^{l},\sigma^{l})$ is the CDF of Gaussian distribution $\mathcal{N}(\theta|\mu^{l},\sigma^{l})$. By repeating the above procedure (10) for $l=1,...,L$, we obtain the masked version $\mathbf{C}_{m}$ of dominated parameters subset $\hat{\mathbf{\Theta}}_{m}$. Then, we input the key $\kappa_{m}$ to the FSPRNG to generate the same random number sequence $\mathbf{R}_{m}$ used to mask $\hat{\mathbf{\Theta}}_{m}$ (line 8). The subset $\hat{\mathbf{\Theta}}_{m}$ readily is decrypted by removing $\mathbf{R}_{m}$ from $\mathbf{C}_{m}$, i.e., $\hat{\mathbf{\Theta}}_{m}=\hat{\mathbf{C}}_{m}-\mathbf{R}_{m}$ (line 9).

With the permission $\mathbf{S}_{\hat{m}}$, we can recover $\hat{m}$ dominated parameter subsets $\{\hat{\mathbf{\Theta}}_{m}\}_{m=1}^{\hat{m}}$ in $\hat{\mathbf{\Theta}}$ by repeating the above procedure.

The resulting decrypted model is denoted by $\mathcal{F}_{\breve{\mathbf{\Theta}}_{\hat{m}}}$ (lines 10-11). Obviously, when $\hat{m}<M$, $M-\hat{m}$ dominated parameter subsets $\{\hat{\mathbf{\Theta}}_{m}\}_{m=\hat{m}+1}^{M}$ are still encrypted in $\mathcal{F}_{\breve{\mathbf{\Theta}}_{\hat{m}}}$. Hence it is a partially encrypted version of $\mathcal{F}_{\mathbf{\Theta}}$. As $\hat{m}$ increases to $M$, all dominated parameters $\hat{\mathbf{\Theta}}=\{\hat{\mathbf{\Theta}}_{m}\}_{m=1}^{M}$ are recovered, and $\mathcal{F}_{\breve{\mathbf{\Theta}}_{M}}=\mathcal{F}_{\mathbf{\Theta}}$. Thus, the full performance of $\mathcal{F}_{\mathbf{\Theta}}$ is then released. On the contrary, if no permissions are fed into the Decrypt module, the performance of $\mathcal{F}_{\mathbf{\Theta}}$ is still suppressed in the encrypted model. Consequently, we have provided users with hierarchical services (different performance levels) of the pretrained model and achieved access control against unauthorized users.

For rejecting unauthorized access, a successful protection should degrade the performance of the encrypted model into the worst situation, if no permission is granted. For instance, for VGG19 on CIFAR10, the worst prediction accuracy is $10\%$ (random guess among 10 classes). To the best of our knowledge, our proposed scheme is the first one to protect CNN models with SE. For preparing the competing algorithms, we design four different strategies to select parameters from considered layers, and encrypt them with the proposed DPRM. 1) $\mathbf{Random}$: We select parameters uniformly at random; 2) $\mathbf{Mean}$: We extract parameters around the mean value. This selection strategy is motivated by the observation that parameters are concentrated around the mean value (see Fig. 2); 3) $\mathbf{Descending}$: A reasonable hypothesis is that the importance of parameters is positively correlated to their values. Thus, we select parameters in the descending order of their values; and 4) $\mathbf{Ascending}$: Conversely, we select parameters in ascending order.

Fig. 3 shows the classification accuracy of VGG after encrypting different percentages of parameters of considered layers. We can observe that our PSS (red curve) degrades the VGG19 to the worst case when only $8\%$ of parameters are encrypted, while the best competing one needs to encrypt $40\%$ of parameters. Such a result demonstrates the effectiveness of the proposed SE for protecting VGG19. Similarly, Fig. 4 shows the denoising performance of the DnCNN when PSS and other competing algorithms are used for the parameter selection. As can be observed, the denoising performance degrades very quickly when model parameters are selected by PSS and encrypted. Note that, to eliminate the randomness, results in Fig. 3 and 4 are the averages over repeating the encryption for 20 times.

We now demonstrate that models decrypted from the protected model with various permissions could exhibit different levels of performance. We selectively encrypt $10\%$ ($2\%$) parameters of considered layers of the VGG19 (DnCNN). Then, 5 permissions $\mathbf{S}_{\hat{m}}$ ($\hat{m}=1,...,5$) are generated by the module $\mathbf{Assign}$ in Section 3.3 ($M=5$). These permissions are fed into the $\mathbf{Decrypt}$ module to decrypt the protected VGG19 (DnCNN). The performance of the decrypted VGG19 and DnCNN with respect to the $5$ permissions is recorded in Table 1. As the increase of $\hat{m}$, the decrypted VGG19 (DnCNN) exhibits different levels of accuracy (PSNR) and reaches the best one when inputting the highest permission ($\hat{m}=5$). Here, $\hat{m}=0$ implies no permission is granted, corresponding to the worst prediction accuracy. For a better illustration of the hierarchical performance of the released DnCNN, the visualized denoising results of a test image under different permissions are shown in Fig. 5. One can see from Fig. 5(d)-(f) that a higher level of permission (larger $\hat{m}$) endows users with a better denoised image. Interestingly, for users without permission ($\hat{m}=0$, see Fig. 5(c)), the resulting denoised image is even worse than the original one.

We then evaluate the security of the protected model against denoising and retraining attacks considered in the threat model. First of all, we define the attackers’ capability and goals to quantitatively evaluate whether an attack succeeds. $\mathbf{Attackers^{\prime}~{}Capability}$: Attackers could challenge the protected model under one or all of the following capabilities. 1) Attackers can access all parameters of the protected model; 2) Attackers possess limited data ($10\%$) used for training the pretrained model; 3) Attackers own another model that has the same structure as the protected one; but is trained over another dataset; and 4) Attackers have known which layers in the model are encrypted. $\mathbf{Attackers^{\prime}~{}Goal}$: The attackers’ goal is to obtain the same model performance as a user with the lowest permission. As shown in Table 1, for VGG19 and DnCNN, the attackers’ goals are 65.41% classification accuracy and 20.12dB of the denoised image, respectively.

We now consider several potential denoising and retraining attacks and show that the protected model is secure against them. Note that, in Section 4, we have proved the imperceptibility of the encrypted parameters. Hence, all attacks discussed below are based on the premise that the locations of the encrypted parameters are unknown.

DENOISING ATTACKS

1) Denoising via Wavelets: Attackers take selectively encrypted parameters in each considered layer as a partially contaminated discrete signal (flattening parameter tensors into a 1-D vector). They can remove the noise by resorting to wavelet denoising techniques. To simulate attackers’ behavior, we consider three different wavelets: $\mathbf{DB2}$, $\mathbf{Haar}$, and $\mathbf{Sym9}$. As shown in Table 2, the accuracies of the protected model suffering the three wavelet based denoising attacks are 21.15%, 23.13%, and 24.72%, respectively. Obviously, none of them achieves an accuracy better than the attacking goal 65.41%. For DnCNN, the best performance given by the three types of attack is 16.71dB, which is still inferior to the attacking goal (20.12dB). Thus, we conclude that the VGG19 and DnCNN protected by our scheme are secure against the wavelets based denoising attacks.

2) Denosing via Filters: The significant performance degradation of the encrypted model possibly ascribes to some abnormally large or small parameters. Attacker could implement the average filter or the median filter on the 1-D signal of encrypted parameters. Moreover, the Gaussian filter possibly is suitable since the noise used to encrypt dominated parameters follows a Gaussian distribution. The performance of the protected VGG19 and DnCNN under these filter based attacks is recorded in Table 2. As can be seen, for VGG19, all the restored accuracies after attacks cannot exceed the attacking goal (65.41%). Similarly, for DnCNN, the best PSNR of the attacked model is 15.51dB, which is still worse than the attacking goal (20.12dB). Therefore, the encrypted VGG19 and DnCNN models are secure against the filtering based attacks.

RETRAINING ATTACKS

1) Layer-wise: Since only several layers are encrypted by our proposed scheme, attackers could retrain each layer independently by fixing parameters of other layers, based on the available training data. The classification accuracy of the retrained VGG19 is recorded in Table 2. It can be seen that the resulting accuracy is $55.15\%$, which is lower than the attacking goal 65.41%. A similar result for DnCNN is 18.24dB, which is also worse than the attacking goal (20.12dB). Thus, under the assumption on attackers’ capability and the defined attacking goal, we conclude that this type of retraining attack is not successful.

2) Transfering: Attackers may hypothesize that the distribution of encrypted parameters possibly is consistent among models with the same structure; but trained on another dataset. They thus implement the proposed PSS strategy on a new VGG19 trained on other ten classes from CIFAR100 [17] and obtain locations of dominated parameters of this VGG19. Then, they retrain parameters of the protected VGG19 at locations learned from the new VGG19. The performance of such attacked model is only 39.14%, far from the attacking goal 65.41%. We also try to attack DnCNN by using the same strategy, where the locations of encrypted parameters are transferred from another DnCNN trained over the noisy images with noise level 25. In this case, the PSNR value of the denoised image is 17.49dB, which is still lower than the attacking goal (20.12dB).