IDEA: An Inverse Domain Expert Adaptation Based Active DNN IP Protection Method

📅 2024-09-29
🏛️ arXiv.org
📈 Citations: 2
Influential: 0
🤖 AI Summary
To address the vulnerability of deep neural network (DNN) models to intellectual property (IP) theft and unauthorized reuse, this paper proposes IDEA, an active IP protection framework that formulates authorization verification as an inverse domain adaptation task. Its core contribution is the novel Inverse Domain Expert Adaptation architecture, integrating steganographic key embedding, mutual information minimization for suppressing counterfeit experts, and multi-layer attention-guided contrastive representation distillation—enabling key-driven functional activation and fine-grained infringement tracing. Extensive experiments across five benchmark datasets and four mainstream DNN architectures demonstrate that IDEA achieves >99.2% authorization verification accuracy and >96.5% infringement tracing success rate. Moreover, it exhibits strong robustness against common model tampering attacks, including pruning, quantization, and adversarial perturbations.

📝 Abstract
Illegitimate reproduction, distribution and derivation of Deep Neural Network (DNN) models can inflict economic loss, reputation damage and even privacy infringement. Passive DNN intellectual property (IP) protection methods such as watermarking and fingerprinting attempt to prove the ownership upon IP violation, but they are often too late to stop catastrophic damage of IP abuse and too feeble against strong adversaries. In this paper, we propose IDEA, an Inverse Domain Expert Adaptation based proactive DNN IP protection method featuring active authorization and source traceability. IDEA generalizes active authorization as an inverse problem of domain adaptation. The multi-adaptive optimization is solved by a mixture-of-experts model with one real and two fake experts. The real expert re-optimizes the source model to correctly classify test images with a unique model user key steganographically embedded. The fake experts are trained to output random predictions on test images without or with an incorrect user key embedded by minimizing their mutual information (MI) with the real expert. The MoE model is knowledge-distilled into a unified protected model to avoid leaking the expert model features by maximizing their MI with additional multi-layer attention and contrastive representation loss optimization. IDEA not only prevents unauthorized users without the valid key from accessing the functional model, but also enables the model owner to validate the deployed model and trace the source of IP infringement. We extensively evaluate IDEA on five datasets and four DNN models to demonstrate its effectiveness in authorization control, culprit tracing success rate, and robustness against various attacks.
Problem

Research questions and friction points this paper is trying to address.

Prevents unauthorized DNN model access via active authorization
Traces IP infringement sources using steganographic user keys
Protects DNN models from illegitimate reproduction and distribution
Innovation

Methods, ideas, or system contributions that make the work stand out.

Inverse domain expert adaptation for DNN protection
Mixture-of-experts model with real and fake experts
Steganographic user key embedding for authorization