Authority Backdoor: A Certifiable Backdoor Mechanism for Authoring DNNs

📅 2025-12-11
🤖 AI Summary
Problem: Deep neural network (DNN) models are vulnerable to unauthorized use, and existing watermarking techniques only enable passive intellectual property (IP) verification, lacking proactive protection. Method: This paper proposes an active “permission backdoor” mechanism that embeds hardware fingerprints or other legitimate triggers into the model, so that inference is normal only in authorized environments; otherwise, performance degrades significantly. It integrates access control with provably robust defenses (e.g., randomized smoothing, interval-bound propagation) to construct the first backdoor-based authorization framework featuring conditional activation and provable resistance against backdoor removal. Contribution/Results: The method is architecture- and dataset-agnostic, achieving >98% accuracy under authorized triggers and <10% accuracy without triggers on benchmarks including CIFAR-10 and ImageNet. Crucially, it provides formal guarantees on backdoor persistence, substantially enhancing the proactivity and trustworthiness of DNN model IP protection.

📝 Abstract
Deep Neural Networks (DNNs), as valuable intellectual property, face unauthorized use. Existing protections, such as digital watermarking, are largely passive; they provide only post-hoc ownership verification and cannot actively prevent the illicit use of a stolen model. This work proposes a proactive protection scheme, dubbed "Authority Backdoor," which embeds access constraints directly into the model. In particular, the scheme utilizes a backdoor learning framework to intrinsically lock a model's utility, such that it performs normally only in the presence of a specific trigger (e.g., a hardware fingerprint). In its absence, the DNN's performance degrades to the point of being useless. To further enhance the security of the proposed authority scheme, certifiable robustness is integrated to prevent an adaptive attacker from removing the implanted backdoor. The resulting framework establishes a secure authority mechanism for DNNs, combining access control with certifiable robustness against adversarial attacks. Extensive experiments on diverse architectures and datasets validate the effectiveness and certifiable robustness of the proposed framework.

Problem

Research questions and friction points this paper is trying to address.

Proactively prevents unauthorized use of DNNs via embedded access constraints.
Locks model utility so that performance degrades without a specific trigger.
Integrates certifiable robustness to secure the backdoor against adversarial removal.

Innovation

Methods, ideas, or system contributions that make the work stand out.

Embeds access constraints via a backdoor learning framework.
Uses a specific trigger to activate normal performance.
Integrates certifiable robustness to prevent backdoor removal.