SwitchNet: protecting neural networks by structure obfuscation and switch-controlled inference

Abstract Training deep learning models requires substantial financial and human resources, so once deployed in untrusted environments, these models immediately attract the attention of attackers who seek to steal and misuse them. Traditional model protection methods are ineffective in addressing model accuracy, performance, and proactive defense. To this end, we present an active defensive approach SwitchNet by obfuscating model structure and proposing a switch-controlled mechanism to manage model inference. Specifically, SwitchNet learns the weight distribution of the original model and then constructs confusion layers that are strategically inserted into the original model for structure obfuscation. Each of the model layers is equipped with a switch, which is controlled by a switching policy network. We train this policy network with an adaptive pattern as a “secret key” that can accurately control the switch states, and thereby the model inference process. We conduct a comprehensive theoretical analysis of the perturbation boundary and certify that SwitchNet maintains high robustness under $$\ell _\infty$$ ℓ ∞ perturbations, with certified accuracy exceeding 80% at $$\epsilon = 0.0048$$ ϵ = 0.0048 (CROWN). In addition, we perform extensive experiments on both classical convolutional networks and Vision Transformers. The results show that SwitchNet effectively preserves model accuracy for legitimate users (with only a 0.35% drop), while reducing the accuracy for unauthorized users to near-random guessing. Compared to the state-of-the-art, our approach reduces inference and construction overhead by 20.89% and 12.08%, respectively. Furthermore, SwitchNet proves to be stealthy and resilient against various attacks aimed at detecting or compromising the protection mechanism.