FlatD: Protecting Deep Neural Network Program from Reversing Attacks

Jinquan Zhang; Zihao Wang; Dinghao Wu; Pei Wang; Rui Zhong

doi:10.1109/ICSE-SEIP66354.2025.00062

FlatD: Protecting Deep Neural Network Program from Reversing Attacks

Jinquan Zhang
, Zihao Wang
, Dinghao Wu
, Pei Wang
, Rui Zhong

College of Information Sciences and Technology

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

The emergence of Deep Learning compilers provides automated optimization and compilation across Deep Learning frameworks and hardware platforms, which enhances the performance of AI service and benefits the deployment to edge devices and low-power processors. However, deep neural network (DNN) programs generated by Deep Learning compilers introduce a new attack interface. They are targeted by new model extraction attacks that can fully or partially rebuild the DNN model by reversing the DNN programs. Unfortunately, no defense countermeasure is designed to hinder this kind of attack. To address the issue, we investigate all of the state-of-the-art reversing-based model extraction attacks and identify an essential component shared across the frameworks. Based on this observation, we propose FlatD, the first defense framework for DNN programs toward reversing-based model extraction attacks. FlatD manipulates and conceals the original Control Flow Graphs of DNN programs based on Control Flow Flattening. Unlike traditional Control Flow Flattening, FlatD ensures the DNN programs are challenging for attackers to recover their Control Flow Graphs and gain necessary information statically. Our evaluation shows that, compared to the traditional Control Flow Flattening (O-LLVM), FlatD provides more effective and stealthy protection to DNN programs with similar performance and lower scale.

Original language	English (US)
Title of host publication	Proceedings - 2025 IEEE/ACM 47th International Conference on Software Engineering
Subtitle of host publication	Software Engineering in Practice, ICSE-SEIP 2025
Publisher	Institute of Electrical and Electronics Engineers
Pages	641-652
Number of pages	12
Edition	2025
ISBN (Electronic)	9798331536855
DOIs	https://doi.org/10.1109/ICSE-SEIP66354.2025.00062
State	Published - 2025
Event	47th IEEE/ACM International Conference on Software Engineering: Software Engineering in Practice, ICSE-SEIP 2025 - Ottawa, Canada Duration: Apr 27 2025 → May 3 2025

Conference

Conference	47th IEEE/ACM International Conference on Software Engineering: Software Engineering in Practice, ICSE-SEIP 2025
Country/Territory	Canada
City	Ottawa
Period	4/27/25 → 5/3/25

All Science Journal Classification (ASJC) codes

Software
Safety, Risk, Reliability and Quality

Access to Document

10.1109/ICSE-SEIP66354.2025.00062

Cite this

Zhang, J., Wang, Z., Wu, D., Wang, P., & Zhong, R. (2025). FlatD: Protecting Deep Neural Network Program from Reversing Attacks. In Proceedings - 2025 IEEE/ACM 47th International Conference on Software Engineering: Software Engineering in Practice, ICSE-SEIP 2025 (2025 ed., pp. 641-652). Institute of Electrical and Electronics Engineers. https://doi.org/10.1109/ICSE-SEIP66354.2025.00062

@inproceedings{942144c3951e4664b864bcdabe38a9c6,

title = "FlatD: Protecting Deep Neural Network Program from Reversing Attacks",

abstract = "The emergence of Deep Learning compilers provides automated optimization and compilation across Deep Learning frameworks and hardware platforms, which enhances the performance of AI service and benefits the deployment to edge devices and low-power processors. However, deep neural network (DNN) programs generated by Deep Learning compilers introduce a new attack interface. They are targeted by new model extraction attacks that can fully or partially rebuild the DNN model by reversing the DNN programs. Unfortunately, no defense countermeasure is designed to hinder this kind of attack. To address the issue, we investigate all of the state-of-the-art reversing-based model extraction attacks and identify an essential component shared across the frameworks. Based on this observation, we propose FlatD, the first defense framework for DNN programs toward reversing-based model extraction attacks. FlatD manipulates and conceals the original Control Flow Graphs of DNN programs based on Control Flow Flattening. Unlike traditional Control Flow Flattening, FlatD ensures the DNN programs are challenging for attackers to recover their Control Flow Graphs and gain necessary information statically. Our evaluation shows that, compared to the traditional Control Flow Flattening (O-LLVM), FlatD provides more effective and stealthy protection to DNN programs with similar performance and lower scale.",

author = "Jinquan Zhang and Zihao Wang and Dinghao Wu and Pei Wang and Rui Zhong",

note = "Publisher Copyright: {\textcopyright} 2025 IEEE.; 47th IEEE/ACM International Conference on Software Engineering: Software Engineering in Practice, ICSE-SEIP 2025 ; Conference date: 27-04-2025 Through 03-05-2025",

year = "2025",

doi = "10.1109/ICSE-SEIP66354.2025.00062",

language = "English (US)",

pages = "641--652",

booktitle = "Proceedings - 2025 IEEE/ACM 47th International Conference on Software Engineering",

publisher = "Institute of Electrical and Electronics Engineers",

edition = "2025",

}

Zhang, J, Wang, Z, Wu, D, Wang, P & Zhong, R 2025, FlatD: Protecting Deep Neural Network Program from Reversing Attacks. in Proceedings - 2025 IEEE/ACM 47th International Conference on Software Engineering: Software Engineering in Practice, ICSE-SEIP 2025. 2025 edn, Institute of Electrical and Electronics Engineers, pp. 641-652, 47th IEEE/ACM International Conference on Software Engineering: Software Engineering in Practice, ICSE-SEIP 2025, Ottawa, Canada, 4/27/25. https://doi.org/10.1109/ICSE-SEIP66354.2025.00062

FlatD: Protecting Deep Neural Network Program from Reversing Attacks. / Zhang, Jinquan; Wang, Zihao; Wu, Dinghao et al.
Proceedings - 2025 IEEE/ACM 47th International Conference on Software Engineering: Software Engineering in Practice, ICSE-SEIP 2025. 2025. ed. Institute of Electrical and Electronics Engineers, 2025. p. 641-652.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - FlatD

T2 - 47th IEEE/ACM International Conference on Software Engineering: Software Engineering in Practice, ICSE-SEIP 2025

AU - Zhang, Jinquan

AU - Wang, Zihao

AU - Wu, Dinghao

AU - Wang, Pei

AU - Zhong, Rui

PY - 2025

Y1 - 2025

N2 - The emergence of Deep Learning compilers provides automated optimization and compilation across Deep Learning frameworks and hardware platforms, which enhances the performance of AI service and benefits the deployment to edge devices and low-power processors. However, deep neural network (DNN) programs generated by Deep Learning compilers introduce a new attack interface. They are targeted by new model extraction attacks that can fully or partially rebuild the DNN model by reversing the DNN programs. Unfortunately, no defense countermeasure is designed to hinder this kind of attack. To address the issue, we investigate all of the state-of-the-art reversing-based model extraction attacks and identify an essential component shared across the frameworks. Based on this observation, we propose FlatD, the first defense framework for DNN programs toward reversing-based model extraction attacks. FlatD manipulates and conceals the original Control Flow Graphs of DNN programs based on Control Flow Flattening. Unlike traditional Control Flow Flattening, FlatD ensures the DNN programs are challenging for attackers to recover their Control Flow Graphs and gain necessary information statically. Our evaluation shows that, compared to the traditional Control Flow Flattening (O-LLVM), FlatD provides more effective and stealthy protection to DNN programs with similar performance and lower scale.

AB - The emergence of Deep Learning compilers provides automated optimization and compilation across Deep Learning frameworks and hardware platforms, which enhances the performance of AI service and benefits the deployment to edge devices and low-power processors. However, deep neural network (DNN) programs generated by Deep Learning compilers introduce a new attack interface. They are targeted by new model extraction attacks that can fully or partially rebuild the DNN model by reversing the DNN programs. Unfortunately, no defense countermeasure is designed to hinder this kind of attack. To address the issue, we investigate all of the state-of-the-art reversing-based model extraction attacks and identify an essential component shared across the frameworks. Based on this observation, we propose FlatD, the first defense framework for DNN programs toward reversing-based model extraction attacks. FlatD manipulates and conceals the original Control Flow Graphs of DNN programs based on Control Flow Flattening. Unlike traditional Control Flow Flattening, FlatD ensures the DNN programs are challenging for attackers to recover their Control Flow Graphs and gain necessary information statically. Our evaluation shows that, compared to the traditional Control Flow Flattening (O-LLVM), FlatD provides more effective and stealthy protection to DNN programs with similar performance and lower scale.

UR - https://www.scopus.com/pages/publications/105016180352

UR - https://www.scopus.com/pages/publications/105016180352#tab=citedBy

U2 - 10.1109/ICSE-SEIP66354.2025.00062

DO - 10.1109/ICSE-SEIP66354.2025.00062

M3 - Conference contribution

AN - SCOPUS:105016180352

SP - 641

EP - 652

BT - Proceedings - 2025 IEEE/ACM 47th International Conference on Software Engineering

PB - Institute of Electrical and Electronics Engineers

Y2 - 27 April 2025 through 3 May 2025

ER -

FlatD: Protecting Deep Neural Network Program from Reversing Attacks

Abstract

Conference

All Science Journal Classification (ASJC) codes

Access to Document

Other files and links

Fingerprint

Cite this