Deep neural networks (DNNs) have become valuable intellectual property of model owners, due to the substantial resources required for their development. To protect these assets in the deployed environment, recent research has proposed model usage control mechanisms to ensure models cannot be used without proper authorization. These methods typically lock the utility of the model by embedding an access key into its parameters. However, they often assume static deployment, and largely fail to withstand continual post-deployment model updates, such as fine-tuning or task-specific adaptation. In this paper, we propose ADALOC, to endow key-based model usage control with adaptability during model evolution. It strategically selects a subset of weights as an intrinsic access key, which enables all model updates to be confined to this key throughout the evolution lifecycle. ADALOC enables using the access key to restore the keyed model to the latest authorized states without redistributing the entire network (i.e., adaptation), and frees the model owner from full re-keying after each model update (i.e., lock preservation). We establish a formal foundation to underpin ADALOC, providing crucial bounds such as the errors introduced by updates restricted to the access key. Experiments on standard benchmarks, such as CIFAR-100, Caltech-256, and Flowers-102, and modern architectures, including ResNet, DenseNet, and ConvNeXt, demonstrate that ADALOC achieves high accuracy under significant updates while retaining robust protections. Specifically, authorized usages consistently achieve strong task-specific performance, while unauthorized usage accuracy drops to near-random guessing levels (e.g., 1.01% on CIFAR-100), compared to up to 87.01% without ADALOC. This shows that ADALOC can offer a practical solution for adaptive and protected DNN deployment in evolving real-world scenarios.