Journal of Computer Applications
Authors: 段新涛 1, 保梦茹 1, 武银行 1, 秦川 2
Abstract: Deep neural network (DNN) models have been widely applied because of their superior performance. However, training a powerful DNN model requires large datasets, expertise, computing resources, hardware and time, and illegal theft can cause huge losses to model owners. Addressing the security and intellectual-property issues of DNN models, an active protection method for DNN models is proposed. The method uses a new comprehensive weight-selection strategy to accurately locate the important weights in the model. Combined with the structural characteristics of the convolutional layers of the DNN model, the four-dimensional Chen chaotic system is introduced for the first time, building on three-dimensional chaotic systems, to scramble and encrypt the positions of a small number of weights in the convolutional layers. Meanwhile, to address the problem that an authorized user may be unable to decrypt even with the key, an elliptic curve encryption algorithm is integrated to construct a digital signature scheme for the encrypted model. After encryption, the weight positions and the initial values of the chaotic sequence are combined to form the encryption key. An authorized user can use the key to decrypt the DNN model correctly; an unauthorized attacker cannot use the DNN model normally even after intercepting it. Experimental results show that scrambling the positions of a small number of weights in a classification model significantly reduces its classification accuracy, and that the decrypted model is restored losslessly. In addition, the method resists fine-tuning and pruning attacks, and the key resists brute-force attacks and is highly sensitive. Experiments further validate that the method is effective not only for image classification models but also protects deep image steganography models and object detection models, demonstrating its transferability. The efficiency and security of the method for DNN model protection are verified.
Key words: AI model security, deep neural network model, weight encryption, four-dimensional Chen chaotic system, elliptic curve digital signature
Abstract (translated from the Chinese): Models based on deep neural networks (DNNs) have been widely applied because of their superior performance, but training a high-performance DNN model requires large datasets, expertise, computing resources, hardware and time, and illegal theft causes huge losses to model owners. Addressing the security and intellectual-property problems of DNN models, an active protection method for DNN models is proposed. The method uses a new comprehensive weight-selection strategy to precisely locate the important weights in the model and, combined with the structural characteristics of the convolutional layers of a DNN model, introduces for the first time the four-dimensional Chen chaotic system, building on three-dimensional chaotic systems, to scramble the positions of a small number of convolutional-layer weights. At the same time, to solve the problem that an authorized user may be unable to decrypt even while holding the key, an elliptic curve encryption algorithm is combined to construct a digital signature scheme for the encrypted model. After encryption, the weight positions and the initial values of the chaotic sequence are combined to form the encryption key; an authorized user can use the key to decrypt the DNN model correctly, while an unauthorized attacker cannot use the DNN model normally even after intercepting it. Experimental results show that scrambling the positions of a small number of weights in a classification model significantly reduces classification accuracy, and that the decrypted model is restored losslessly. In addition, the method resists fine-tuning and pruning attacks, and the key is highly sensitive and resists brute-force attacks. Experiments verify that the method is effective not only for image classification models but also protects deep image steganography models and object detection models, showing its transferability.
Keywords (translated from the Chinese): AI model security, deep neural network model, weight encryption, four-dimensional Chen chaotic system, elliptic curve digital signature
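As an added, self-contained illustration of the scrambling step the abstract describes (this is not the paper's code): the key is a 4-D Chen chaotic initial state plus the selected weight positions, the chaotic sequence is argsorted into a permutation that is applied only at those positions, and a key that differs by 1e-8 in one initial value fails to restore the weights. The page gives neither the system's equations nor the weight-selection strategy, so the hyperchaotic Chen form and its constants, the RK4 integration, the sampling rule and the largest-magnitude selection rule are all assumptions made for this example.

```python
import math
# Assumed 4-D hyperchaotic Chen form (the page gives no equations): the 3-D Chen
# system plus a fourth state w fed back into x.  Constants are assumed as well.
A, B, C, D, R = 35.0, 3.0, 12.0, 7.0, 0.5

def chen4d(s):
    x, y, z, w = s
    return (A * (y - x) + w, D * x - x * z + C * y, x * y - B * z, y * z + R * w)
def rk4_step(s, h):
    """One classical fourth-order Runge-Kutta step of the chaotic system."""
    k1 = chen4d(s)
    k2 = chen4d(tuple(v + h / 2 * k for v, k in zip(s, k1)))
    k3 = chen4d(tuple(v + h / 2 * k for v, k in zip(s, k2)))
    k4 = chen4d(tuple(v + h * k for v, k in zip(s, k3)))
    return tuple(v + h / 6 * (a + 2 * b + 2 * c + d) for v, a, b, c, d in zip(s, k1, k2, k3, k4))

def chaotic_permutation(init, n, h=0.005, transient=20000, stride=100):
    """Integrate from the key's initial state, discard a long transient so nearby
    keys diverge, then argsort n amplified x-samples into a permutation."""
    s = init
    for _ in range(transient):
        s = rk4_step(s, h)
    vals = []
    for _ in range(n):
        for _ in range(stride):          # spacing decorrelates the samples
            s = rk4_step(s, h)
        vals.append(math.modf(abs(s[0]) * 1e4)[0])  # keep low-order digits
    return sorted(range(n), key=vals.__getitem__)

def scramble(weights, positions, init):
    """Encrypt: permute the values at the selected positions; others stay."""
    perm = chaotic_permutation(init, len(positions))
    chosen = [weights[p] for p in positions]
    out = list(weights)
    for i, src in enumerate(perm):
        out[positions[i]] = chosen[src]
    return out

def unscramble(enc, positions, init):
    """Decrypt: regenerate the permutation from the same key and invert it."""
    perm = chaotic_permutation(init, len(positions))
    out = list(enc)
    for i, src in enumerate(perm):
        out[positions[src]] = enc[positions[i]]
    return out
# Constructed sample: a flattened 32-weight kernel.  The paper's selection
# strategy is not on the page; as a stand-in, pick the 16 largest-magnitude
# weights.  The key is the chaotic initial state plus these positions.
WEIGHTS = [math.sin(0.37 * i * i) for i in range(32)]
POSITIONS = sorted(range(32), key=lambda i: -abs(WEIGHTS[i]))[:16]
INIT = (1.0, 1.0, 1.0, 1.0)
```

Only the selected positions change; the model is a multiset-preserving shuffle, so the decrypted weights match the originals bit for bit, which is the lossless restoration the abstract reports.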
CLC Number: TP309.2
段新涛, 保梦茹, 武银行, 秦川. Active protection scheme for deep neural network models based on the four-dimensional Chen chaotic system [J]. Journal of Computer Applications, DOI: 10.11772/j.issn.1001-9081.2024111583.
URL: https://www.joca.cn/EN/10.11772/j.issn.1001-9081.2024111583