Xinyun Chen,Wenxiao Wang,Yiming Ding,Chris Bender,R. Jia,Bo Li,D. Song

2019-01-01

Abstract:Deep neural networks have achieved tremendous success in various fields; however, training these models from scratch could be computationally expensive and requires a lot of training data. Therefore, recent work has explored different watermarking techniques to protect the pre-trained deep neural networks from potential copyright infringements. Although several existing techniques could effectively embed such watermarks into the DNNs, they could be vulnerable to adversaries who aim at removing the watermarks. In this work, we demonstrate that a carefullydesigned fine-tuning method enables the adversary with limited training data to effectively remove the watermarks, without compromising the model functionality. In particular, leveraging auxiliary unlabeled data significantly decreases the amount of labeled training data needed for effective watermark removal, even if the unlabeled data samples are not drawn from the same distribution as the benign data for model evaluation.

Xiaoxuan Lou,Shangwei Guo,Jiwei Li,Tianwei Zhang

DOI: https://doi.org/10.1109/tcsvt.2022.3184644

IF: 5.859

2022-01-01

IEEE Transactions on Circuits and Systems for Video Technology

Abstract:Deep Neural Networks (DNN) are gaining higher commercial values in computer vision applications, e.g., image classification, video analytics, etc. This calls for urgent demands of the intellectual property (IP) protection of DNN models. In this paper, we present a novel watermarking scheme to achieve the ownership verification of DNN architectures. Existing works all embedded watermarks into the model parameters while treating the architecture as public property. These solutions were proven to be vulnerable by an adversary to detect or remove the watermarks. In contrast, we claim the model architectures as an important IP for model owners, and propose to implant watermarks into the architectures. We design new algorithms based on Neural Architecture Search (NAS) to generate watermarked architectures, which are unique enough to represent the ownership, while maintaining high model usability. Such watermarks can be extracted via side-channel-based model extraction techniques with high fidelity. We conduct comprehensive experiments on watermarked CNN models for image classification tasks and the experimental results show our scheme has negligible impact on the model performance, and exhibits strong robustness against various model transformations and adaptive attacks.

Jie Zhang,Dongdong Chen,Jing Liao,Weiming Zhang,Huamin Feng,Gang Hua,Nenghai Yu

DOI: https://doi.org/10.1109/tpami.2021.3064850

IF: 23.6

2022-01-01

IEEE Transactions on Pattern Analysis and Machine Intelligence

Abstract:Despite the tremendous success, deep neural networks are exposed to serious IP infringement risks. Given a target deep model, if the attacker knows its full information, it can be easily stolen by fine-tuning. Even if only its output is accessible, a surrogate model can be trained through student-teacher learning by generating many input-output training pairs. Therefore, deep model IP protection is important and necessary. However, it is still seriously under-researched. In this work, we propose a new model watermarking framework for protecting deep networks trained for low-level computer vision or image processing tasks. Specifically, a special task-agnostic barrier is added after the target model, which embeds a unified and invisible watermark into its outputs. When the attacker trains one surrogate model by using the input-output pairs of the barrier target model, the hidden watermark will be learned and extracted afterwards. To enable watermarks from binary bits to high-resolution images, a deep invisible watermarking mechanism is designed. By jointly training the target model and watermark embedding, the extra barrier can even be absorbed into the target model. Through extensive experiments, we demonstrate the robustness of the proposed framework, which can resist attacks with different network structures and objective functions.

Haiming Wang,Zhikun Zhang,Min Chen,Shibo He

DOI: https://doi.org/10.1109/icc45041.2023.10278974

2023-01-01

Abstract:Collecting graph data is costly and well-trained graph neural networks (GNNs) are viewed as intellectual property. To make better use of GNNs, they are used to provide cloud-based services. However, models on cloud-based services may be leaked under model extraction attacks. Adversaries can extract an imitation model by simply querying the GNNs on the cloud-based services. To protect GNNs, watermarks are embedded in the models. However, the watermarks can be removed by the model extraction attacks. To address this issue, we propose adding a watermark that cannot be ignored by queries from the model extraction attacks. Concretely, we add the soft nearest neighbor loss to the loss function of the watermark embedding process to merge the distributions for the normal tasks and watermarks. We also observe that the watermark brings a performance loss to GNNs and propose an optimization method to maintain the model performance. We evaluate our method on multiple real-world datasets to demonstrate the superiority of the method.

Huiying Li,Emily Willson,Hai-Tao Zheng,Ben Y. Zhao

2019-01-01

Abstract:As companies continue to invest heavily in larger, more accurate and more robust deep learning models, they are exploring approaches to monetize their models while protecting their intellectual property. Model licensing is promising, but requires a robust tool for owners to claim ownership of models, i.e. a watermark. Unfortunately, current designs have not been able to address piracy attacks, where third parties falsely claim model ownership by embedding their own into an already-watermarked model. We observe that resistance to piracy attacks is fundamentally at odds with the current use of incremental training to embed watermarks into models. In this work, we propose null embedding, a new way to build piracy-resistant watermarks into DNNs that can only take place at a model's initial training. A null embedding takes a bit string (watermark value) as input, and builds strong dependencies between the model's normal classification accuracy and the watermark. As a result, attackers cannot remove an embedded watermark via tuning or incremental training, and cannot add new pirate watermarks to already watermarked models. We empirically show that our proposed watermarks achieve piracy resistance and other watermark properties, over a wide range of tasks and models. Finally, we explore a number of adaptive counter-measures, and show our watermark remains robust against a variety of model modifications, including model fine-tuning, compression, and existing methods to detect/remove backdoors. Our watermarked models are also amenable to transfer learning without losing their watermark properties.

Jingxuan Tan,Nan Zhong,Zhenxing Qian,Xinpeng Zhang,Sheng Li

DOI: https://doi.org/10.1145/3581783.3612515

2023-01-01

Abstract:Deep neural network (DNN) watermarking is an emerging technique to protect the intellectual property of deep learning models. At present, many DNN watermarking algorithms have been proposed to achieve provenance verification by embedding identify information into the internals or prediction behaviors of the host model. However, most methods are vulnerable to model extraction attacks, where attackers collect output labels from the model to train a surrogate or a replica. To address this issue, we present a novel DNN watermarking approach, named SSW, which constructs an adaptive trigger set progressively by optimizing over a pair of symmetric shadow models to enhance the robustness to model extraction. Precisely, we train a positive shadow model supervised by the prediction of the host model to mimic the behaviors of potential surrogate models. Additionally, a negative shadow model is normally trained to imitate irrelevant independent models. Using this pair of shadow models as a reference, we design a strategy to update the trigger samples appropriately such that they tend to persist in the host model and its stolen copies. Moreover, our method could well support two specific embedding schemes: embedding the watermark via fine-tuning or from scratch. Our extensive experimental results on popular datasets demonstrate that our SSW approach outperforms state-of-the-art methods against various model extraction attacks in whether trigger set classification accuracy based or hypothesis test based verification. The results also show that our method is robust to common model modification schemes including fine-tuning and model compression.

Jie Zhang,Dongdong Chen,Jing Liao,Weiming Zhang,Nenghai Yu

DOI: https://doi.org/10.1007/978-981-19-7554-7_6

2022-01-01

Abstract:Deep learning has achieved tremendous success in low-level computer vision tasks such as image processing tasks. To protect the intellectual property (IP) of such valuable image processing networks, the model vendor can sell the service in the manner of the application program interface (API). However, even if the attacker can only query the API, he is still able to conduct model extraction attacks, which can steal the functionality of the target networks. In this chapter, we propose a new model watermarking framework for image processing networks. Under the framework, two strategies are further developed, namely, the model-agnostic strategy and the model-specific strategy. The proposed watermarking method performs well in terms of fidelity, capacity, and robustness.

Sebastian Szyller,Buse Gul Atli,Samuel Marchal,N. Asokan

DOI: https://doi.org/10.48550/arXiv.1906.00830

2021-07-16

Abstract:Training machine learning (ML) models is expensive in terms of computational power, amounts of labeled data and human expertise. Thus, ML models constitute intellectual property (IP) and business value for their owners. Embedding digital watermarks during model training allows a model owner to later identify their models in case of theft or misuse. However, model functionality can also be stolen via model extraction, where an adversary trains a surrogate model using results returned from a prediction API of the original model. Recent work has shown that model extraction is a realistic threat. Existing watermarking schemes are ineffective against IP theft via model extraction since it is the adversary who trains the surrogate model. In this paper, we introduce DAWN (Dynamic Adversarial Watermarking of Neural Networks), the first approach to use watermarking to deter model extraction IP theft. Unlike prior watermarking schemes, DAWN does not impose changes to the training process but it operates at the prediction API of the protected model, by dynamically changing the responses for a small subset of queries (e.g., <0.5%) from API clients. This set is a watermark that will be embedded in case a client uses its queries to train a surrogate model. We show that DAWN is resilient against two state-of-the-art model extraction attacks, effectively watermarking all extracted surrogate models, allowing model owners to reliably demonstrate ownership (with confidence $>1- 2^{-64}$), incurring negligible loss of prediction accuracy (0.03-0.5%).

Cryptography and Security,Machine Learning

Jie Zhang,Dongdong Chen,Jing Liao,Zehua Ma,Han Fang,Weiming Zhang,Huamin Feng,Gang Hua,Nenghai Yu

DOI: https://doi.org/10.1109/tpami.2024.3381543

IF: 23.6

2024-01-01

IEEE Transactions on Pattern Analysis and Machine Intelligence

Abstract:The intellectual property of deep networks can be easily &quot;stolen&quot; by surrogate model attack. There has been significant progress in protecting the model IP in classification tasks. However, little attention has been devoted to the protection of image processing models. By utilizing consistent invisible spatial watermarks, the work [1] first considered model watermarking for deep image processing networks and demonstrated its efficacy in many downstream tasks. Its success depends on the hypothesis that if a consistent watermark exists in all prediction outputs, that watermark will be learned into the attacker&#x27;s surrogate model. However, when the attacker uses common data augmentation attacks (e.g., rotate, crop, and resize) during surrogate model training, it will fail because the underlying watermark consistency is destroyed. To mitigate this issue, we propose a new watermarking methodology, &quot;structure consistency&quot;, based on which a new deep structure-aligned model watermarking algorithm is designed. Specifically, the embedded watermarks are designed to be aligned with physically consistent image structures, such as edges or semantic regions. Experiments demonstrate that our method is more robust than the baseline in resisting data augmentation attacks. Besides that, we test the generalization ability and robustness of our method to a broader range of adaptive attacks.

computer science, artificial intelligence,engineering, electrical & electronic

Yuki Nagai,Yusuke Uchida,Shigeyuki Sakazawa,Shin’ichi Satoh

DOI: https://doi.org/10.1007/s13735-018-0147-1

2018-02-02

International Journal of Multimedia Information Retrieval

Abstract:Although deep neural networks have made tremendous progress in the area of multimedia representation, training neural models requires a large amount of data and time. It is well known that utilizing trained models as initial weights often achieves lower training error than neural networks that are not pre-trained. A fine-tuning step helps to both reduce the computational cost and improve the performance. Therefore, sharing trained models has been very important for the rapid progress of research and development. In addition, trained models could be important assets for the owner(s) who trained them; hence, we regard trained models as intellectual property. In this paper, we propose a digital watermarking technology for ownership authorization of deep neural networks. First, we formulate a new problem: embedding watermarks into deep neural networks. We also define requirements, embedding situations, and attack types on watermarking in deep neural networks. Second, we propose a general framework for embedding a watermark in model parameters, using a parameter regularizer. Our approach does not impair the performance of networks into which a watermark is placed because the watermark is embedded while training the host network. Finally, we perform comprehensive experiments to reveal the potential of watermarking deep neural networks as the basis of this new research effort. We show that our framework can embed a watermark during the training of a deep neural network from scratch, and during fine-tuning and distilling, without impairing its performance. The embedded watermark does not disappear even after fine-tuning or parameter pruning; the watermark remains complete even after 65% of parameters are pruned.

computer science, artificial intelligence, software engineering

Tong Qiao,Yuyan Ma,Ning Zheng,Hanzhou Wu,Yanli Chen,Ming Xu,Xiangyang Luo

DOI: https://doi.org/10.1016/j.cose.2023.103102

2023-01-15

Abstract:With the advance of deep learning, it definitely has achieved the unprecedented success in the community of artificial intelligence. However, the issue of the intellectual property (IP) protection towards deep learning model is usually ignored, which largely threats the interests of the model owner. Currently, although a few schemes of model watermarking have been continuously proposed, in order to protect the specific neural network designed for detection or classification task, most of them are hardly directly applicable to generative adversarial networks (GAN). To our knowledge, the GAN model has plays more and more important role in the computer vision, such as image-to-image translation, text-to-image translation, image inpainting and etc., which remarkably improves the capability of image generation. Similarly, the malicious attackers possibly steal a trained GAN model to infringe the IP of the true model owner. To address that challenging issue, it is proposed to establish the framework of model watermarking towards GAN model. In particular, we first establish the trigger set by combining the watermark label with the verification image. Next, the watermarked generator is efficiently trained on the premise of preserving the original model performance. Finally, only relying on the correct watermark label, the synthetic watermark can be successfully triggered by the model owner for IP protection. The extensive experiments have verified the effectiveness and generalization of our designed method, which can easily be applicable to the benchmark GAN models such as WGAN-GP, ProGAN and StyleGAN2. Moreover, our proposed model watermark is robust enough to resist against the mainstream attacks, such as parameter fine-tuning and model pruning.

computer science, information systems

Meng Li,Qi Zhong,Leo Yu Zhang,Yajuan Du,Jun Zhang,Yong Xiangt,Yong Xiang

DOI: https://doi.org/10.1109/trustcom50675.2020.00062

2020-12-01

Abstract:Similar to other digital assets, deep neural network (DNN) models could suffer from piracy threat initiated by insider and/or outsider adversaries due to their inherent commercial value. DNN watermarking is a promising technique to mitigate this threat to intellectual property. This work focuses on black-box DNN watermarking, with which an owner can only verify his ownership by issuing special trigger queries to a remote suspicious model. However, informed attackers, who are aware of the watermark and somehow obtain the triggers, could forge fake triggers to claim their ownerships since the poor robustness of triggers and the lack of correlation between the model and the owner identity. This consideration calls for new watermarking methods that can achieve better trade-off for addressing the discrepancy. In this paper, we exploit frequency domain image watermarking to generate triggers and build our DNN watermarking algorithm accordingly. Since watermarking in the frequency domain is high concealment and robust to signal processing operation, the proposed algorithm is superior to existing schemes in resisting fraudulent claim attack. Besides, extensive experimental results on 3 datasets and 8 neural networks demonstrate that the proposed DNN watermarking algorithm achieves similar performance on functionality metrics and better performance on security metrics when compared with existing algorithms.

Hanzhou Wu,Gen Liu,Yuwei Yao,Xinpeng Zhang

DOI: https://doi.org/10.1109/tcsvt.2020.3030671

IF: 5.859

2020-01-01

IEEE Transactions on Circuits and Systems for Video Technology

Abstract:Watermarking neural networks is a quite important means to protect the intellectual property (IP) of neural networks. In this paper, we introduce a novel digital watermarking framework suitable for deep neural networks that output images as the results, in which any image outputted from a watermarked neural network must contain a certain watermark. Here, the host neural network to be protected and a watermark-extraction network are trained together, so that, by optimizing a combined loss function, the trained neural network can accomplish the original task while embedding a watermark into the outputted images. This work is totally different from previous schemes carrying a watermark by network weights or classification labels of the trigger set. By detecting watermarks in the outputted images, this technique can be adopted to identify the ownership of the host network and find whether an image is generated from a certain neural network or not. We demonstrate that this technique is effective and robust on a variety of image processing tasks, including image colorization, super-resolution, image editing, semantic segmentation and so on.

Ruan, Hongjia,Song, Huihui,Liu, Bo,Cheng, Yong,Liu, Qingshan

DOI: https://doi.org/10.1007/s11704-021-1186-y

IF: 2.6688

2022-08-08

Frontiers of Computer Science

Abstract:Deep neural networks have achieved great success in varieties of artificial intelligent fields. Since training a good deep model is often challenging and costly, such deep models are of great value and even the key commercial intellectual properties. Recently, deep model intellectual property protection has drawn great attention from both academia and industry, and numerous works have been proposed. However, most of them focus on the classification task. In this paper, we present the first attempt at protecting deep semantic segmentation models from potential infringements. In details, we design a new hybrid intellectual property protection framework by combining the trigger-set based and passport based watermarking simultaneously. Within it, the trigger-set based watermarking mechanism aims to force the network output copyright watermarks for a pre-defined trigger image set, which enables black-box remote ownership verification. And the passport based watermarking mechanism is to eliminate the ambiguity attack risk of trigger-set based watermarking by adding an extra passport layer into the target model. Through extensive experiments, the proposed framework not only demonstrates its effectiveness upon existing segmentation models, but also shows strong robustness to different attack techniques.

computer science, information systems, theory & methods, software engineering

Jie Zhang,Dongdong Chen,Jing Liao,Han Fang,Zehua Ma,Weiming Zhang,Gang Hua,Nenghai Yu

DOI: https://doi.org/10.48550/arXiv.2108.02360

2021-08-05

Cryptography and Security

Abstract:The intellectual property (IP) of Deep neural networks (DNNs) can be easily ``stolen'' by surrogate model attack. There has been significant progress in solutions to protect the IP of DNN models in classification tasks. However, little attention has been devoted to the protection of DNNs in image processing tasks. By utilizing consistent invisible spatial watermarks, one recent work first considered model watermarking for deep image processing networks and demonstrated its efficacy in many downstream tasks. Nevertheless, it highly depends on the hypothesis that the embedded watermarks in the network outputs are consistent. When the attacker uses some common data augmentation attacks (e.g., rotate, crop, and resize) during surrogate model training, it will totally fail because the underlying watermark consistency is destroyed. To mitigate this issue, we propose a new watermarking methodology, namely ``structure consistency'', based on which a new deep structure-aligned model watermarking algorithm is designed. Specifically, the embedded watermarks are designed to be aligned with physically consistent image structures, such as edges or semantic regions. Experiments demonstrate that our method is much more robust than the baseline method in resisting data augmentation attacks for model IP protection. Besides that, we further test the generalization ability and robustness of our method to a broader range of circumvention attacks.

Carl De Sousa Trias,Mihai Mitrea,Attilio Fiandrotti,Marco Cagnazzo,Sumanta Chaudhuri,Enzo Tartaglione

2024-09-06

Abstract:Nowadays, deep neural networks are used for solving complex tasks in several critical applications and protecting both their integrity and intellectual property rights (IPR) has become of utmost importance. To this end, we advance WaterMAS, a substitutive, white-box neural network watermarking method that improves the trade-off among robustness, imperceptibility, and computational complexity, while making provisions for increased data payload and security. WasterMAS insertion keeps unchanged the watermarked weights while sharpening their underlying gradient space. The robustness is thus ensured by limiting the attack's strength: even small alterations of the watermarked weights would impact the model's performance. The imperceptibility is ensured by inserting the watermark during the training process. The relationship among the WaterMAS data payload, imperceptibility, and robustness properties is discussed. The secret key is represented by the positions of the weights conveying the watermark, randomly chosen through multiple layers of the model. The security is evaluated by investigating the case in which an attacker would intercept the key. The experimental validations consider 5 models and 2 tasks (VGG16, ResNet18, MobileNetV3, SwinT for CIFAR10 image classification, and DeepLabV3 for Cityscapes image segmentation) as well as 4 types of attacks (Gaussian noise addition, pruning, fine-tuning, and quantization). The code will be released open-source upon acceptance of the article.

Machine Learning,Cryptography and Security,Multimedia

Yusuke Uchida,Yuki Nagai,Shigeyuki Sakazawa,Shin'ichi Satoh

DOI: https://doi.org/10.1145/3078971.3078974

2017-04-21

Abstract:Deep neural networks have recently achieved significant progress. Sharing trained models of these deep neural networks is very important in the rapid progress of researching or developing deep neural network systems. At the same time, it is necessary to protect the rights of shared trained models. To this end, we propose to use a digital watermarking technology to protect intellectual property or detect intellectual property infringement of trained models. Firstly, we formulate a new problem: embedding watermarks into deep neural networks. We also define requirements, embedding situations, and attack types for watermarking to deep neural networks. Secondly, we propose a general framework to embed a watermark into model parameters using a parameter regularizer. Our approach does not hurt the performance of networks into which a watermark is embedded. Finally, we perform comprehensive experiments to reveal the potential of watermarking to deep neural networks as a basis of this new problem. We show that our framework can embed a watermark in the situations of training a network from scratch, fine-tuning, and distilling without hurting the performance of a deep neural network. The embedded watermark does not disappear even after fine-tuning or parameter pruning; the watermark completely remains even after removing 65% of parameters were pruned. The implementation of this research is: <a class="link-external link-https" href="https://github.com/yu4u/dnn-watermark" rel="external noopener nofollow">this https URL</a>

Computer Vision and Pattern Recognition

Zhicheng Ye,Xinpeng Zhang,Guorui Feng

DOI: https://doi.org/10.1007/s00521-024-09469-5

2024-02-21

Neural Computing and Applications

Abstract:With the rising costs of model training, it is urgent to safeguard the intellectual property of deep neural networks. To achieve this, researchers have proposed various model watermarking techniques. Existing methods utilize visible trigger patterns, which are vulnerable to being detected by humans or detectors. Moreover, these approaches fail to establish active protection mechanisms that link the model with the user’s identity. In this study, we present an innovative imperceptible model watermarking approach that utilizes deep hiding to encode the user’s copyright verification information. This process superimposes a trigger pattern onto clean images, resulting in watermark trigger images. These watermark trigger images closely mimic the original images, achieving excellent stealthiness while enabling the retrieval of the user’s copyright verification information, thus definitively asserting ownership rights. Slight alterations made to the images to maintain stealthiness can weaken the triggering of the watermark pattern. We first leverage the triple loss in metric learning to tackle this challenge of training watermark samples. Using watermark trigger images as anchor samples and selecting appropriate positive and negative samples, we enhance the model’s capability to discern the watermark trigger. Experimental results on CIFAR-10, GTSRB, and Tiny-ImageNet confirm the defender’s capability to embed watermark successfully. The average watermark accuracy exceeds 90%, while the average performance loss is less than 0.05% points. It is also robust to existing watermark removal attacks and backdoor detection methods.

computer science, artificial intelligence

Zheng Li,Chengyu Hu,Yang Zhang,Shanqing Guo

DOI: https://doi.org/10.48550/arXiv.1903.01743

2019-03-05

Cryptography and Security

Abstract:Deep learning techniques have made tremendous progress in a variety of challenging tasks, such as image recognition and machine translation, during the past decade. Training deep neural networks is computationally expensive and requires both human and intellectual resources. Therefore, it is necessary to protect the intellectual property of the model and externally verify the ownership of the model. However, previous studies either fail to defend against the evasion attack or have not explicitly dealt with fraudulent claims of ownership by adversaries. Furthermore, they can not establish a clear association between the model and the creator's identity. To fill these gaps, in this paper, we propose a novel intellectual property protection (IPP) framework based on blind-watermark for watermarking deep neural networks that meet the requirements of security and feasibility. Our framework accepts ordinary samples and the exclusive logo as inputs, outputting newly generated samples as watermarks, which are almost indistinguishable from the origin, and infuses these watermarks into DNN models by assigning specific labels, leaving the backdoor as the basis for our copyright claim. We evaluated our IPP framework on two benchmark datasets and 15 popular deep learning models. The results show that our framework successfully verifies the ownership of all the models without a noticeable impact on their primary task. Most importantly, we are the first to successfully design and implement a blind-watermark based framework, which can achieve state-of-art performances on undetectability against evasion attack and unforgeability against fraudulent claims of ownership. Further, our framework shows remarkable robustness and establishes a clear association between the model and the author's identity.

Yuxuan Li,Sarthak Kumar Maharana,Yunhui Guo

2024-07-19

Abstract:With the increasing prevalence of Machine Learning as a Service (MLaaS) platforms, there is a growing focus on deep neural network (DNN) watermarking techniques. These methods are used to facilitate the verification of ownership for a target DNN model to protect intellectual property. One of the most widely employed watermarking techniques involves embedding a trigger set into the source model. Unfortunately, existing methodologies based on trigger sets are still susceptible to functionality-stealing attacks, potentially enabling adversaries to steal the functionality of the source model without a reliable means of verifying ownership. In this paper, we first introduce a novel perspective on trigger set-based watermarking methods from a feature learning perspective. Specifically, we demonstrate that by selecting data exhibiting multiple features, also referred to as \emph{multi-view data}, it becomes feasible to effectively defend functionality stealing attacks. Based on this perspective, we introduce a novel watermarking technique based on Multi-view dATa, called MAT, for efficiently embedding watermarks within DNNs. This approach involves constructing a trigger set with multi-view data and incorporating a simple feature-based regularization method for training the source model. We validate our method across various benchmarks and demonstrate its efficacy in defending against model extraction attacks, surpassing relevant baselines by a significant margin. The code is available at: \href{<a class="link-external link-https" href="https://github.com/liyuxuan-github/MAT" rel="external noopener nofollow">this https URL</a>}{<a class="link-external link-https" href="https://github.com/liyuxuan-github/MAT" rel="external noopener nofollow">this https URL</a>}.

Cryptography and Security,Computer Vision and Pattern Recognition,Machine Learning