Can you reconstruct a Tensorflow neural network from the weights file (.h5) only?
Question:
If you want to keep your Neural Network architecture secret and still want to use it in an application, would somebody be able to reverse engineer the Neural Network from the weights file (.h5) only?
The weights are an output of model.save_weights() and are loaded back into the model with model.load_weights(). All other application code is properly encrypted in this case.
Answers:
I would say no.
As an incomplete example: assume you are given three weight matrices. Even if you are somehow able to guess that they are for simple convolution operations, you would still not know
- how they are organized in the computational graph. Consider input x: it could be conv(conv(conv(x))), or conv(conv(x)+conv(x)), or many more options
- any other settings like stride that drastically change the output, but are impossible to deduce from your weights
- probably more reasons
Note:
Why not encrypt your weights file as well? You already seem to have a secret key mechanism to encrypt your model.
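To make the answer's point concrete, here is an added example (not from the original post): a pure-Python convolution, three constructed kernels standing in for what a weights file would hold, and two hypothetical architectures (arch_chain and arch_branch are my names) that load the very same kernels yet produce different outputs, and change again when the stride changes.

```python
def conv2d(x, k, stride=1):
    """Valid 2-D cross-correlation of a single-channel map x with kernel k (no bias)."""
    h, w, kh, kw = len(x), len(x[0]), len(k), len(k[0])
    return [
        [sum(x[i + a][j + b] * k[a][b] for a in range(kh) for b in range(kw))
         for j in range(0, w - kw + 1, stride)]
        for i in range(0, h - kh + 1, stride)
    ]


def add(a, b):
    """Element-wise sum of two equally shaped maps."""
    return [[p + q for p, q in zip(ra, rb)] for ra, rb in zip(a, b)]


# Constructed stand-in for the contents of a weights file: three 2x2 kernels.
# This is all the weight arrays for these layers would tell you; nothing here
# says how the layers are wired together or what stride each one uses.
W1 = [[1, 0], [0, 1]]
W2 = [[0, 1], [1, 0]]
W3 = [[1, 1], [0, 0]]


def arch_chain(x, stride=1):
    """Hypothetical graph A: conv(conv(conv(x))) with the three kernels in order."""
    return conv2d(conv2d(conv2d(x, W1, stride), W2, stride), W3, stride)


def arch_branch(x, stride=1):
    """Hypothetical graph B: conv(conv(x) + conv(x)), same kernels, different wiring."""
    return conv2d(add(conv2d(x, W1, stride), conv2d(x, W2, stride)), W3, stride)


def shape(m):
    """(rows, cols) of a 2-D list."""
    return (len(m), len(m[0]) if m else 0)


# Constructed 8x8 input: X[i][j] = 8*i + j.
X = [[8 * i + j for j in range(8)] for i in range(8)]

if __name__ == "__main__":
    # Same weights, different graph: shapes and values disagree.
    print("chain  stride 1:", shape(arch_chain(X)), arch_chain(X)[0][0])    # (5, 5) 76
    print("branch stride 1:", shape(arch_branch(X)), arch_branch(X)[0][0])  # (6, 6) 40
    # Same weights, same graph, different stride: the output changes again.
    print("chain  stride 2:", shape(arch_chain(X, 2)), arch_chain(X, 2))    # (1, 1) [[124]]
```

An .h5 produced by model.save_weights() does still carry layer names and weight shapes, so the note above about encrypting the weights file too is worth following.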