Deep neural network model authorization control method based on blockchain and dynamic scoring

By using blockchain and smart contract mechanisms for trusted verification and recording, and combining dynamic scoring mechanisms to regulate model output, the problem of tracing and quantifying user behavior in black-box access scenarios of deep neural network models is solved, achieving effective restriction of unauthorized access and improved security.

CN122197087APending Publication Date: 2026-06-12NANJING UNIV OF AERONAUTICS & ASTRONAUTICS

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
NANJING UNIV OF AERONAUTICS & ASTRONAUTICS
Filing Date
2026-02-26
Publication Date
2026-06-12

AI Technical Summary

Technical Problem

Existing deep neural network models lack the ability to continuously trace user identity information and calling behavior in black-box access scenarios, and lack a quantitative evaluation mechanism based on user behavior characteristics, making it difficult to restrict model output in a timely manner when unauthorized access occurs.

Method used

By using blockchain and smart contract mechanisms for trusted verification and recording, and combining user authorization status, access frequency, and query data distribution to build a dynamic scoring mechanism, the model output strategy is adaptively adjusted to effectively restrict unauthorized access.

Benefits of technology

Without modifying the model structure, it achieves immediate restriction on unauthorized access, improves the security and reliability of model access, and reduces the risk of attackers leaking model information.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122197087A_ABST
    Figure CN122197087A_ABST
Patent Text Reader

Abstract

The application discloses a kind of deep neural network model authorization control method based on block chain and dynamic score, belong to information security and artificial intelligence security field.The application carries out threefold check to the model call request of user by smart contract, and record the check result and call behavior in block chain.Model server considers from authorization state, access frequency and query data distribution three aspects according to historical behavior record in block chain account book, constructs multi-factor dynamic scoring mechanism.Model server selects different model output according to the interval where user score is located, so as to realize the active authorization control of deep neural network model copyright.The method of the application ensures that authorized users obtain normal model performance, and unauthorized users only obtain model performance close to random level.In addition, the method shows strong robustness to fake certificate attack, replay attack and query distribution disguise attack.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention patent belongs to the field of computer information security and artificial intelligence model security, and relates to a deep neural network model authorization control method based on blockchain and dynamic scoring. Background Technology

[0002] Deep Neural Networks (DNNs) have been widely applied in computer vision, natural language processing, autonomous driving, and smart healthcare due to their excellent feature representation and pattern recognition capabilities. Because high-performance DNN models typically require significant computational and human resources for data acquisition and model training, they have gradually become intellectual property with substantial commercial value. In practical application deployment, DNN models often provide inference services to external systems through black-box interfaces. However, unauthorized model invocation and attacks based on high-frequency queries for model extraction still exist, posing a serious threat to the legitimate rights and interests of model owners.

[0003] To verify the ownership and origin of DNN models, existing research has proposed introducing watermarking mechanisms during the model training phase. By embedding specific identifiers into the model's internal structure or output, watermarking can be verified while maintaining basic task accuracy. This type of watermarking method retains detectability even in the face of attacks such as fine-tuning, pruning, or model distillation, thus enabling it to be used to determine model ownership in copyright disputes.

[0004] However, existing DNN watermarking schemes still have certain limitations in practical applications. On the one hand, most methods focus on copyright verification after infringement has occurred, making it difficult to immediately restrict model output when unauthorized access occurs. On the other hand, some schemes rely on specific trigger samples or additional network structures, which not only have high implementation costs but also significantly reduce verification reliability when subjected to attacks such as watermark removal or forged trigger samples. Furthermore, in watermarking methods proposed for black-box service scenarios, the trigger samples often differ from the distribution of real task data. Attackers can circumvent the trigger conditions through input filtering or preprocessing, thereby weakening the effectiveness of watermark verification.

[0005] Unlike watermarking schemes that rely on post-verification, proactive authorization control methods introduce access restrictions during the model inference phase. This prevents unauthorized users from obtaining high-precision inference results when accessing model services, thereby mitigating the risk of leakage of valid model information during unauthorized access. Existing research has used key- or authorization parameter-based control methods to ensure that the model outputs inference results close to its original performance only when specific authorization conditions are met, while unauthorized access only yields approximately random outputs.

[0006] However, the aforementioned proactive authorization control schemes still have shortcomings in actual deployment. Existing methods generally lack the ability to systematically record and continuously track user call behavior, making it difficult to identify abnormal call behavior in a timely manner during model service and to provide effective tracing evidence after an attack occurs.

[0007] To address the aforementioned issues, this invention proposes a proactive copyright protection method for deep learning models applicable to black-box access scenarios. This method utilizes blockchain and smart contract mechanisms to perform trusted verification and immutable recording of model call requests. During the model inference phase, it constructs a dynamic scoring mechanism by incorporating multi-dimensional behavioral characteristics such as user authorization status, access frequency, and query data distribution. This adaptively adjusts the model output strategy, enabling authorized users to obtain inference results close to the original model performance, while authorized users with abnormal behavior only receive restricted model output, and unauthorized users only receive random model output. Proactive authorization control of DNN models is achieved without modifying the model structure. Summary of the Invention

[0008] Purpose of the Invention: In black-box access scenarios, deep learning models are vulnerable to model extraction attacks. Existing proactive authorization control schemes typically lack the ability to continuously trace user identity information and invocation behavior, and also lack a quantitative evaluation mechanism based on user behavior characteristics. To address these issues, this invention proposes a deep neural network model authorization control method based on blockchain and dynamic scoring. By performing on-chain trusted verification and recording of invocation requests, and combining this with user behavior characteristics to dynamically adjust the model output, unauthorized access behavior can be effectively restricted without modifying the model structure.

[0009] Technical solution: The technical solution adopted in this invention is as follows:

[0010] A method for authorization control based on a deep neural network model using blockchain and dynamic scoring includes the following steps:

[0011] (1) On-chain trusted verification stage: When the deep learning model API port receives a user's call request, it submits the corresponding request information to the smart contract. The smart contract performs legality verification, uniqueness verification and signature validity verification on the authorization certificate, one-time random number and digital signature respectively to determine whether the source of the call request is trustworthy, and writes the corresponding verification results into the blockchain ledger for immutable storage.

[0012] (2) Behavior Recording and Scoring Calculation: The smart contract records the user ID, timestamp, user authorization status, and verification results in the blockchain ledger, thereby forming a traceable user behavior history. The model server generates access frequency scores and query data distribution scores based on the user's historical call information, and determines the authorization status score by combining the user authorization status stored in the blockchain ledger, thus constructing the user behavior feature input required for the dynamic scoring mechanism.

[0013] (3) Multi-factor dynamic scoring stage: By introducing three types of behavioral characteristics, namely user authorization status, access frequency and query data distribution, a multi-factor dynamic scoring mechanism is constructed. Each scoring factor is weighted and quantified to obtain a dynamic score Score(u), which is used to reflect the user's behavioral risk level in the current stage and to distinguish authorized users, authorized users with attack behavior and unauthorized users with attack behavior.

[0014] (4) Authorization Control Phase: The authorization control module selects the corresponding model output strategy based on the interval in which the dynamic score Score(u) falls.

[0015] (4-1) When Score(u) is in the high threshold range [T h When [1], the model directly outputs the actual inference results to ensure normal use by authorized users.

[0016] (4-2) When Score(u) is in the middle interval [T] l T h When this happens, the model outputs a perturbation of the candidate class. The system randomly selects one class from the top-3 classes currently predicted by the model as the model output, thereby weakening the attacker's ability to infer the model's decision boundary.

[0017] (4-3) When Score(u) is in the low threshold range [0, T] l When this happens, the model outputs a random category result to further reduce the likelihood that unauthorized users will obtain valid reasoning information.

[0018] Furthermore, the on-chain trusted verification in step (1) includes: the smart contract first verifies the legality of the authorization certificate L to determine whether it belongs to the set of valid authorization certificates maintained on the chain; then it verifies the uniqueness of the one-time random number nonce attached to the call request and checks whether the random number has been recorded in the random number history set; finally, it verifies whether the digital signature S is consistent with the data (D+nonce) through the on-chain public key pk to detect whether the call request has been tampered with during transmission.

[0019] Beneficial effects: Compared with the prior art, the present invention has the following advantages:

[0020] 1. By leveraging the immutability and traceability of blockchain, user ID, timestamp, user authorization status, and verification results are completely written onto the chain, enabling trusted verification and non-repudiation of call requests, effectively resisting forged certificate attacks and replay attacks, and improving overall access security.

[0021] 2. A multi-factor dynamic scoring mechanism is constructed based on multiple factors such as authorization status, access frequency, and query data distribution. A configurable weight allocation and threshold adaptive adjustment strategy are adopted to quantitatively evaluate user behavior, thereby achieving differentiated control of model output.

[0022] 3. The model output strategy is adaptively adjusted based on the dynamic rating results. Perturbations or randomizations are output to users with low ratings, which can significantly reduce the performance of attackers building alternative models. At the same time, the inference performance of authorized users with high ratings is maintained close to that of the original model, thereby ensuring the performance of normal users.

[0023] 4. Without modifying the deep learning model structure or retraining the model, this invention can be directly applied to the model inference stage, possessing good versatility, scalability, and practical deployment value. Attached Figure Description

[0024] Figure 1 This is an overall framework diagram of the present invention.

[0025] Figure 2 This is a schematic diagram of the process of the present invention. Detailed Implementation

[0026] The technical solution of the present invention will be further described below with reference to the accompanying drawings.

[0027] This invention provides an authorization control method for a deep neural network model based on blockchain and dynamic scoring. Its overall structure consists of three core parts: an on-chain verification module, a dynamic scoring module, and an authorization control module.

[0028] 1. The on-chain verification module of this invention is deployed in a smart contract environment to perform multiple verifications on each user's model call request. The verifications include legality verification, uniqueness verification, and signature validity verification. Its operation flow is as follows:

[0029] (1) During the system initialization phase, the smart contract pre-maintains a set of authorization credentials, a list of public keys, and a historical set of random numbers. When a user initiates a model call request, the smart contract generates a one-time random number and returns it to the user. The user uses their private key to sign the message formed by combining the one-time random number with the data to be queried, thereby generating the corresponding digital signature. The user then submits the authorization credentials, the data to be queried, the one-time random number, and the digital signature to the smart contract.

[0030] (2) After receiving the call request information submitted by the user, the smart contract performs multiple checks in sequence, including verifying whether the authorization certificate belongs to the set of valid certificates, detecting whether the one-time random number already exists in the random number history set, and verifying the consistency between the digital signature and the corresponding message using the public key stored on the chain.

[0031] (3) When any verification fails, the smart contract will reject the current call request and terminate the subsequent process; when all verifications pass, the smart contract will write the user ID, timestamp, user authorization status and verification results into the blockchain ledger as the basis for subsequent behavior recording and dynamic scoring.

[0032] 2. The dynamic scoring module of this invention is used to quantitatively assess the credibility of user behavior. This module is activated after on-chain verification is completed, and its input consists of user behavior information recorded on the chain and the current query data. To ensure that the scoring results accurately reflect the user's access risk, this invention divides the scoring factors into three categories: authorization status score, access frequency score, and query data distribution score, and generates the final score through a weighted average.

[0033] The authorization status score L(u) indicates whether a user possesses valid authorization credentials. If the user is authorized, L(u) = 1. If the user is unauthorized, L(u) = 0.

[0034] The access frequency score F(u) reflects the user's call activity level within a given unit of time. The access frequency function freq(u,t) is defined as the number of calls made by the user within a time window Δt. The specific forms of F(u) and freq(u,t) are as follows: Where t is the timestamp of the current call request, and N u (t-Δt, t) represents the number of times the user calls the model within the time interval [t-Δt, t], and thres is the system's preset access frequency threshold (e.g., 20 times / minute).

[0035] The query data distribution score A(u) measures the degree of deviation between the user query data distribution and the normal distribution, and is used to characterize common distribution anomalies in model extraction attacks. A(u) is specifically expressed as: Where k is the number of samples identified as attack samples, N is the total number of samples submitted by users, and α is the attack attenuation coefficient.

[0036] This invention uses a weighted approach to perform linear calculations on the above three factors to obtain the user score Score(u), and its calculation formula is as follows: Score(u) = WL ·L(u)+W F ·F(u)+W A ·A(u), Among them W L W F W A The weights of the three factors satisfy: W L +W F +W A =1, The weights can be flexibly adjusted according to the actual deployment environment, thereby creating different emphases among the three characteristics: authorization status, access frequency, and query data distribution.

[0037] 3. The authorized control module of the present invention adaptively selects the model output strategy according to the interval in which the score Score(u) is located. This module has a preset high threshold T. h With low threshold T l Users are divided into three access levels:

[0038] (1) When Score(u)≥T h At that time, the authorization control module directly returns the inference result O calculated by the model based on the original parameters. real At this point, the authorization control module does not perform any perturbation or randomization during the inference process to ensure that authorized users obtain inference results consistent with the original model.

[0039] (2) When T l ≤Score(u)<T h At this time, the authorization control module does not directly return the model's final predicted class. Instead, it reads the model's predicted probability vector for the current input, randomly selects one class from the top-3 classes with the highest probability, and generates a candidate class perturbation output O. cand .

[0040] (3) When Score(u)≤T l At that time, the authorization control module randomly selects category labels from the complete category set C to generate random output O. λ .

[0041] Therefore, the model output O(u) of the authorized control module of this invention can be uniformly expressed as: This module achieves differentiated authorization control for different types of users without modifying the model structure through an adaptive output strategy.

[0042] This invention experimentally validates the proposed method on multiple publicly available standard datasets to verify its applicability under different data scales and model structures. The experiments used the MNIST, CIFAR-10, and ImageNet datasets, and employed AlexNet, ResNet18, and VGG16 as experimental models, respectively.

[0043] To verify the different user behavior patterns that may emerge in a black-box access scenario, the experiment divided users into three categories: authorized users, authorized users with malicious behavior, and unauthorized users with malicious behavior. Authorized users possess legitimate authorization credentials, their query data comes from normal samples, and they maintain a reasonable call frequency. Authorized users with malicious behavior also possess legitimate credentials, but their query data consists of synthetic samples, and their call frequency is relatively high. Unauthorized users with malicious behavior lack legitimate authorization credentials, their query data is also synthetic samples, and they maintain a high-frequency call behavior that exceeds normal limits.

[0044] Table 1 presents the model inference accuracy results for the three user groups on the MNIST, CIFAR-10, and ImageNet datasets. The experimental results show significant differences in model accuracy among different user categories under the same dataset conditions. Authorized users consistently maintain model accuracy close to the original task performance across all datasets, while unauthorized users exhibiting attack behavior achieve accuracy close to random guessing. Authorized users with attack behavior achieve model accuracy between these two user groups. The analysis of these three user groups demonstrates that the dynamic scoring mechanism exhibits good dynamic adaptability and attack defense effectiveness in user behavior classification and output strategy. Table 1. Model accuracy under different datasets and user behavior types.

[0045] To further evaluate the system's stability under different access scales, this invention simulated various user access scenarios for experimental analysis. In the experiments, the number of users was 200, 400, and 600, with each user querying 200 images per session. The experimental results show that as the number of users increases, the system maintains a high attack detection rate across all scenarios, consistently remaining above 98.00%. Simultaneously, the system's false positive rate remains consistently low, indicating that even with a larger user base, the proposed method can still effectively distinguish between different types of user behavior.

[0046] In query distribution spoofing attacks, attackers typically introduce a large number of forged samples unrelated to the target task during the query process to mask the abnormal query distribution features caused by model extraction attacks. To evaluate this type of attack, this invention designs a query distribution spoofing attack experiment, in which forged samples are generated by superimposing random noise on natural samples, and by adjusting the noise parameters, the distance distribution between the mixed query data is made to approximate a normal distribution, thereby reducing the probability of abnormal behavior being detected.

[0047] This invention proposes two strategies for inserting fake samples:

[0048] (1) Random noise generation strategy, i.e., generating noise following a Gaussian distribution N(0.5, 0.1). 2 The image is constructed by randomly generating pixel values, making each fake sample a meaningless random noise image. By adjusting the mean and variance of the noise, the distribution of the query data after mixing fake samples is made closer to a normal distribution, thereby reducing the possibility of being judged as an abnormal query by A(u).

[0049] (2) Local concentration perturbation strategy: This strategy uses the pixel mean of a batch of query data as the basis and applies Gaussian perturbation noise with controlled amplitude on the basis to generate local perturbation samples, so that the distribution of query data after mixing fake samples is close to the normal distribution.

[0050] To quantify the distribution of the query data, this invention employs the normality test statistic W(D) based on the minimum distance distribution (Shapiro-Wilk statistic).

[0051] Experimental results show that although the two forged sample insertion strategies alter the statistical distribution of the query data to varying degrees, the query data distribution detection A(u) in the dynamic scoring mechanism can still stably identify abnormal queries. Specifically, when the number of forged samples reaches 5 times the number of query samples, the system can achieve a 100% attack detection rate; when the number of forged samples increases to 10 times, the attack detection rate remains above 94%, indicating that the proposed method has good robustness under common query distribution spoofing attack strengths.

[0052] In summary, this invention proposes a deep neural network model authorization control method based on blockchain and dynamic scoring. This method ensures the credibility of call requests through immutable on-chain records without modifying the model structure, and constructs a multi-factor dynamic scoring mechanism based on behavioral characteristics such as user authorization status, access frequency, and query data distribution to calculate the user score Score(u). Then, the model output strategy is adaptively selected according to the interval in which the score(u) falls. This mechanism not only effectively guarantees the normal inference performance of authorized users but also restricts users with abnormal behavior from receiving only low-accuracy model inference results.

[0053] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention and not to limit it. Although the present invention has been described in detail with reference to the above embodiments, those skilled in the art should understand that modifications or equivalent substitutions can still be made to the specific implementation of the present invention. Any modifications or equivalent substitutions that do not depart from the spirit and scope of the present invention should be covered within the scope of protection of the claims of the present invention.

Claims

1. A method for authorization control based on a deep neural network model using blockchain and dynamic scoring, characterized in that, The method employs a smart contract-based call request verification mechanism during access to the deep learning model inference service to perform on-chain trusted verification of user call requests. After verification, it uses behavioral feature data formed by the user's historical call behavior to perform multi-factor dynamic scoring of user behavior, and adaptively controls the inference output of the deep learning model based on the scoring results. This ensures that authorized users receive normal inference results, while users with abnormal behavior only receive performance-limited model outputs, thereby achieving proactive authorization control of the deep learning model. The method includes the following steps: Step 1: After receiving a user's call request, the deep learning model API port sends the request information to the smart contract for on-chain verification. Step 2: The smart contract records the verification result and user information into the blockchain ledger, and sends the verification-passed call request to the deep learning model API port; Step 3: The deep learning model API port calculates the user's score based on the user behavior feature data recorded in the blockchain ledger through a multi-factor dynamic scoring mechanism, and sends the score result to the authorization control module. Step 4: The authorization control module determines the output of the deep learning model based on the score. It outputs the true inference result to authorized users and the performance-limited inference result to users with abnormal behavior, thereby realizing the proactive authorization control of the deep learning model.

2. The authorization control method for a deep neural network model based on blockchain and dynamic scoring according to claim 1, characterized in that, In step 1, after receiving a user's call request, the deep learning model API port sends a one-time random number to the user. The user uses their private key to sign the message consisting of the one-time random number and the data to be queried, generating a corresponding digital signature. Then, the user sends the authorization certificate, the data to be queried, the one-time random number, and the digital signature to the smart contract for on-chain verification.

3. The authorization control method for a deep neural network model based on blockchain and dynamic scoring according to claim 1, characterized in that, The on-chain verification in step 1 consists of three checks: a validity check for the authorization credential, a uniqueness check for the call request, and a signature validity check for the integrity of the request content. Specifically, the validity check determines whether the authorization credential belongs to the set of valid authorization credentials maintained on-chain; the uniqueness check detects whether the one-time random number already exists in the on-chain random number history; and the signature validity check verifies whether the digital signature matches the corresponding user message content, thereby ensuring the traceability and unforgeability of the call request source.

4. The authorization control method for a deep neural network model based on blockchain and dynamic scoring according to claim 1, characterized in that, In step 2, the smart contract writes the user ID, timestamp, user authorization status, and verification result into the blockchain ledger. By recording the above information on the blockchain, the user's call behavior is stored immutably, and historical data is provided for the subsequent dynamic scoring process.

5. The authorization control method for a deep neural network model based on blockchain and dynamic scoring according to claim 1, characterized in that, In step 2, the deep learning model API generates access frequency scores and query data distribution scores based on the user's historical call records. At the same time, it determines the authorization status score by combining the user authorization status stored in the blockchain ledger, thereby constructing the user behavior feature input required for the dynamic scoring mechanism.

6. The authorization control method for a deep neural network model based on blockchain and dynamic scoring according to claim 1, characterized in that, The multi-factor dynamic scoring mechanism in step 3 uses the following scoring function: Score(u)=W L ·L(u)+W F ·F(u)+W A ·A(u), Where L(u) represents the user authorization status score, F(u) represents the access frequency score, A(u) represents the query data distribution score, and W... L W F With W A These are the weight parameters, and the sum of the three is 1.

7. The authorization control method for a deep neural network model based on blockchain and dynamic scoring according to claim 6, characterized in that, The three scoring factors in the multi-factor dynamic scoring mechanism include: (7-1) The authorization status score L(u) is used to distinguish between authorized users and unauthorized users, where authorized users correspond to L(u) = 1 and unauthorized users correspond to L(u) = 0; (7-2) The access frequency score F(u), used to measure the reasonableness of a user's call frequency within a unit of time, is defined as: Where freq(u, t) is the number of times a user calls the model per unit time, and thres is the upper limit threshold for access frequency; (7-3) is used to reflect the degree of difference between the distribution of user query samples and the normal distribution, and is defined as: Where k is the number of samples identified as attack samples, N is the total number of samples submitted by users, and α is the attack attenuation coefficient.

8. The authorization control method for a deep neural network model based on blockchain and dynamic scoring according to claim 1, characterized in that, In step 4, the output strategy of the deep learning model is determined based on the interval of the dynamic score Score(u). The high threshold T used to distinguish the output strategies of the three types of models is... h With low threshold T l Satisfying 0 < T l <T h <1, and T is defined based on the distribution characteristics of users' historical ratings. h With T l When Score(u) falls into the high threshold range [T] h When Score(u) is in the middle interval [T], the model outputs the true inference result; when Score(u) is in the middle interval [T], the model outputs the true inference result. l T h When Score(u) is in the low threshold range [0, T], the model outputs a perturbation of the candidate class; when Score(u) is in the low threshold range [0, T], the model outputs a perturbation of the candidate class. l When ), the model outputs a random category result.

9. The authorization control method for a deep neural network model based on blockchain and dynamic scoring according to claim 1, characterized in that, In step 4, the authorization control module determines the normal inference result of the model based on the user behavior score Score(u), while authorized users with aggressive behavior and unauthorized users with aggressive behavior obtain restricted inference results that have been perturbed and randomized, respectively.