Authorize-on-Demand: Dynamic Authorization with Legality-Aware Intellectual Property Protection for VLMs

Imagine you've spent years and a fortune building a super-smart robot chef (a Vision-Language Model). This chef can look at a picture of a dish and tell you exactly what it is, or even write a recipe for it. Because this chef is so valuable, you want to sell its services, but you have two big worries:

Theft: You don't want someone to steal your chef's brain and use it to cook for free.
Safety: You don't want your chef trying to cook in a kitchen it wasn't trained for (like a nuclear power plant), where it might make dangerous mistakes.

The Old Way: The "Static Bouncer"

Previously, developers tried to protect their models like a bouncer at a club with a fixed guest list.

If you trained the model to recognize "Dogs," it would only let "Dogs" in.
The Problem: If you later wanted to add "Cats" to the menu, the old bouncer couldn't handle it. You'd have to fire the whole team, rebuild the club from scratch, and retrain everyone. It was expensive, slow, and rigid.
The Danger: If a stranger tried to sneak in with a picture of a "Toaster," the old model might just guess "Dog" with high confidence because it didn't know how to say "I don't know." This is dangerous and confusing.

The New Way: "Authorize-on-Demand" (AoD-IP)

The paper proposes a new system called AoD-IP. Think of this as giving your robot chef a smart, magical keyring and a dual-purpose brain.

1. The Magic Keyring (Dynamic Authorization)

Instead of a fixed guest list, the model owner holds a set of digital keys (called "credential tokens").

The Scenario: You train the model once. Then, you give a client a "Dog Key." Now, the model only works for pictures of dogs.
The Magic: Later, if that client wants to add "Cats," you don't need to rebuild the model. You just hand them a "Cat Key." The model instantly unlocks the ability to recognize cats.
The Metaphor: Imagine a hotel where the front desk doesn't need to rebuild the building every time a new guest arrives. Instead, they just hand out a new room key that opens the specific door the guest is allowed to enter. If you try to use a "Dog Key" to open a "Cat Door," it simply won't turn.

2. The Dual-Purpose Brain (Legality-Aware Output)

The old models just gave an answer (e.g., "That's a Dog"). The new model has a two-track brain:

Track A (The Chef): "What is this?" (e.g., "It's a Dog.")
Track B (The Security Guard): "Is this person allowed to ask me this?"
How it works: If a stranger tries to use the model with a picture of a toaster and no key, the Security Guard immediately slams the brakes. The model doesn't guess "Dog"; it says, "Access Denied." It knows it's being used illegally and refuses to play along.

Why is this a Big Deal?

Flexibility: It's like upgrading your phone's software without buying a new phone. You can add new "authorized" tasks on the fly without expensive retraining.
Safety: It prevents the model from hallucinating (making up answers) when used in unauthorized ways. It effectively says, "I don't know, and I'm not allowed to guess."
Protection: It stops thieves from stealing the model's "brain power." Even if they have the model, without the specific "key" for a new task, the model is useless to them.

The "Extended Domain" Trick

To make sure this system is tough, the researchers trained the model with a special "dummy" category. They showed the model pictures that were slightly weird or mixed up (like a dog with cat ears). This taught the model to be very strict: "If the picture doesn't perfectly match the key I'm holding, I'm not going to answer." This makes it very hard for hackers to trick the system.

In a Nutshell

AoD-IP turns a rigid, static model into a flexible, secure service. It's like giving a super-intelligent assistant a set of master keys that can be swapped out instantly. If you have the right key, you get a perfect answer. If you don't, the assistant politely (but firmly) tells you to go away, protecting the owner's investment and keeping the real world safe from bad guesses.

1. Problem Statement

The rapid adoption of Vision-Language Models (VLMs) like CLIP has created a critical need for robust Intellectual Property (IP) protection. Existing protection strategies suffer from two major limitations:

Static Authorization: Current methods (e.g., CUTI-Domain, CUPI-Domain) define authorized domains statically during training. If a user needs to deploy the model in a new domain, the entire model must be retrained, which is computationally expensive and inflexible.
Opaque Responses: Existing methods often lack a mechanism to explicitly signal when an input is unauthorized. They may produce high-confidence but incorrect predictions on unauthorized data, leading to safety risks and potential IP leakage.
Post-hoc vs. Active Prevention: Many existing techniques (watermarking, fingerprinting) focus on proving ownership after a leak occurs (post-hoc) rather than preventing unauthorized usage during inference.

2. Methodology: AoD-IP Framework

The authors propose AoD-IP, a framework that enables Authorize-on-Demand and Legality-Aware protection. The core architecture consists of a frozen VLM backbone (e.g., CLIP) augmented with lightweight, trainable modules.

A. Core Components

Dynamic Authorization Module:
- Projectors: Three lightweight projectors are introduced:
  - Image Projector ( $P_{img}$ ): Generates image tokens.
  - Domain Projector ( $P_{dom}$ ): Generates domain-discriminative tokens.
  - Encryption Projector ( $P_{enc}$ ): Generates a unique credential token ( $\tau^c_a$ ) specific to the authorized domain.
- Prompt Construction: During inference, the model constructs a text prompt by concatenating the credential token, image token, and domain token.
- Mechanism: The model only produces valid task predictions if the input data matches the credential token. If an adversary attempts to use the model on an unauthorized domain without the correct credential, or uses a credential with mismatched data, the model detects the inconsistency.
Extended Domain Simulation:
- To train the model to distinguish between authorized, extended, and unauthorized domains without retraining, the authors introduce an Extended Domain ( $x_e$ ).
- This domain is generated by applying random style perturbations (e.g., RandAugment) to the authorized data. This simulates "hard-to-distinguish" shifts and potential future authorized domains, teaching the model to remain robust against subtle variations while rejecting truly unauthorized inputs.
Dual-Path Inference Mechanism:
- Unlike standard models that output only a class prediction, AoD-IP employs a dual-path output:
  - Task Prediction ( $p$ ): The standard classification result.
  - Legality-Aware Signal ( $r$ ): A binary indicator (1 for authorized, 0 for unauthorized) derived from the model's confidence in the "unauthorized" class.
- If the input domain and the credential token do not match, the model is trained to output the "unauthorized" class, effectively flagging the input as illegal.

B. Training Strategy

The model is trained using a unified objective function ( $L$ ) that balances task accuracy and domain isolation:

Authorized Loss ( $L_a^{ce}$ ): Ensures high accuracy on the authorized domain.
Penalty Loss ( $L_{a \to u}^{ce}$ ): Penalizes the model if authorized samples are misclassified as unauthorized.
Unauthorized/Extended Loss ( $L_u^{ce}, L_e^{ce}$ ): Forces the model to classify unauthorized and extended domain samples as "unauthorized."
KL Divergence ( $L_{kl}$ ): Maximizes the separation between the feature representations of the authorized and extended domains to prevent feature overlap.

C. Inference & "Authorize-on-Demand"

Credential Keys: The model owner retains the encryption projector ( $P_{enc}$ ). To authorize a new domain, the owner generates a new credential token for that specific domain.
User Control: Users can switch authorized domains dynamically by requesting the corresponding credential token from the owner. No backbone retraining is required; the user simply swaps the "key" (token) to unlock the new domain.

3. Key Contributions

Dynamic Authorization: Introduced a novel "Authorize-on-Demand" paradigm where authorized domains can be added or switched post-training via lightweight credential tokens, eliminating the need for costly retraining.
Legality-Aware Output: Developed a dual-path inference mechanism that simultaneously provides task predictions and explicit legality verification, preventing silent failures on unauthorized data.
Novel Evaluation Metrics: Proposed new metrics to quantify IP protection effectiveness, including:
- $Drop_u$ : Accuracy drop on unauthorized domains (higher is better).
- $Drop_a$ : Accuracy drop on authorized domains (lower is better).
- $W_{u-a}$ : A weighted metric balancing protection strength and task performance.
- Legality Discrimination Accuracy ( $R_a, R_u$ ): Ability to correctly identify authorized vs. unauthorized inputs.
Comprehensive Validation: Extensive experiments on cross-domain benchmarks (Office-31, Office-Home-65, Mini-DomainNet) demonstrating superior performance over State-of-the-Art (SOTA) methods.

4. Experimental Results

The paper evaluates AoD-IP against methods like NTL, CUTI-Domain, CUPI-Domain, HNTL, and IP-CLIP.

Unauthorized Domain Suppression: AoD-IP achieves a massive accuracy drop on unauthorized domains (e.g., 74.57% average $Drop_u$ on Office-Home-65), effectively preventing model transfer. In contrast, unprotected models (SL-CLIP) maintain high accuracy on unauthorized data.
Authorized Domain Preservation: The method maintains high performance on authorized domains with minimal degradation (average $Drop_a$ of 0.13%), proving that protection does not come at the cost of utility.
Legality Detection: The model achieves >90% accuracy in distinguishing between authorized and unauthorized inputs across all benchmarks.
Comparison: AoD-IP consistently outperforms SOTA methods in the weighted metric $W_{u-a}$ , which balances protection and usability. For instance, on Office-Home-65, AoD-IP achieves a $W_{u-a}$ of 63.47%, significantly higher than competitors (e.g., HNTL at 33.03%).
Flexibility: The "Authorize-on-Demand" capability was demonstrated by successfully switching authorized domains during testing without retraining, maintaining high accuracy on the new domain while suppressing unauthorized access.

5. Significance

This work addresses a critical gap in the deployment of high-value VLMs. By shifting from static, retraining-heavy protection to a dynamic, key-based authorization system, AoD-IP offers a practical solution for real-world scenarios where deployment environments change frequently (e.g., medical imaging across different hospitals, industrial inspection across different factories).

The Legality-Aware feature is particularly significant for safety-critical applications, as it prevents the model from making confident but potentially dangerous predictions on data it was not authorized to process. This framework provides a blueprint for secure, flexible, and user-controlled AI deployment, ensuring that IP owners can monetize their models without compromising security or adaptability.