Yuheng Zhang,Ruoxi Jia,Hengzhi Pei,Wenxiao Wang,Bo Li,Dawn Song

DOI: https://doi.org/10.1109/CVPR42600.2020.00033

2020-01-01

Abstract:This paper studies model-inversion attacks, in which the access to a model is abused to infer information about the training data. Since its first introduction by [7], such attacks have raised serious concerns given that training data usually contain privacy-sensitive information. Thus far, successful model-inversion attacks have only been demonstrated on simple models, such as linear regression and logistic regression. Previous attempts to invert neural networks, even the ones with simple architectures, have failed to produce convincing results. We present a novel attack method, termed the generative model-inversion attack, which can invert deep neural networks with high success rates. Rather than reconstructing private training data from scratch, we leverage partial public information, which can be very generic, to learn a distributional prior via generative adversarial networks (GANs) and use it to guide the inversion process. Moreover, we theoretically prove that a model's predictive power and its vulnerability to inversion attacks are indeed two sides of the same coin-highly predictive models are able to establish a strong correlation between features and labels, which coincides exactly with what an adversary exploits to mount the attacks. Our extensive experiments demonstrate that the proposed attack improves identification accuracy over the existing work by about 75% for reconstructing face images from a state-of-the-art face recognition classifier. We also show that differential privacy, in its canonical form, is of little avail to defend against our attacks.

Lin Huang,Yitong Tao,Chuan Qin,Xinpeng Zhang

DOI: https://doi.org/10.1109/lsp.2024.3465898

2024-10-04

IEEE Signal Processing Letters

Abstract:How to protect the intellectual property (IP) of neural network models has become a hot topic in current research. Model hashing as an important model protection scheme, which achieves model IP protection by extracting model feature-based, compact hash codes and calculating the hash distance between original and suspicious models. To realize model IP protection across platforms and environments, we propose a robust hashing scheme for neural network models via heterogeneous graph representation, which can effectively detect the illegal copy of neural network models and doesn't degrade the model performance. Specifically, we first convert the neural network model into a heterogeneous graph and analyze its node attribute data. Then, a graph embedding learning method is used to extract the feature vectors of the model based on different attribute data of graph nodes. Finally, the hash code that can be used for model copy detection is generated based on the designed hash networks with quantization and triplet losses. Experimental results show that our scheme not only exhibits satisfactory robustness to different types of robustness graph attacks but also achieves satisfactory performances of discrimination and generalizability.

engineering, electrical & electronic

Xinran Li,Zichi Wang,Guorui Feng,Xinpeng Zhang,Chuan Qin

DOI: https://doi.org/10.1109/mmsp55362.2022.9949087

2022-01-01

Abstract:A lot of excellent neural network models are valuable wealth to the field of artificial intelligence, which may be plagiarized and distributed without authorization. For this reason, few research establishments and industries reveal the internals of their neural network models. To authenticate suspicious pirated models, this letter proposes a gray-box hashing method for the neural network models that designed for image classification. In the proposed method, the hash sequence of original model can be extracted without knowing both the structure and weight parameters except the vectors in output layer. To the best of our knowledge, this is the first work focusing on gray-box perceptual model hashing to identify and authenticate neural network models. Experimental results show that our method performs satisfactory perceptual robustness and discrimination capability, and can effectively classify perceptual similar versions of the original model and distinct models.

Ge Ren,Jun Wu,Gaolei Li,Shenghong Li,Mohsen Guizani

DOI: https://doi.org/10.1109/tdsc.2022.3222972

2022-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Artificial intelligence (AI)-based cybersecurity services offer significant promise in many scenarios, including malware detection, content supervision, and so on. Meanwhile, many commercial and government applications have raised the need for intellectual property protection of using deep neural network (DNN). Existing studies (e.g., watermarking techniques) on intellectual property protection only aim at inserting secret information into DNNs, allowing producers to detect whether the given DNN infringes on their own copyrights. However, since the availability protection of learning models is rarely considered, the piracy model can still work with high accuracy. In this paper, a novel model locking (M-LOCK) scheme for the DNN is proposed to enhance its availability protection, where the DNN produces poor accuracy if a specific token is absent, while it maps only the tokenized inputs into correct predictions. The proposed scheme performs the verification process during the DNN inference operation, actively protecting models' intellectual property copyright at each query. Specifically, to train the token-sensitive decision-making boundaries of DNNs, a data poisoning-based model manipulation (DPMM) method is also proposed, which minimizes the correlation between the dummy outputs and correct predictions. Extensive experiments demonstrate the proposed scheme could achieve high reliability and effectiveness across various benchmark datasets as well as typical model protection methods.

Yawen Huang,Hongying Zheng,Di Xiao

DOI: https://doi.org/10.1007/s10489-023-04797-w

IF: 5.3

2023-01-01

Applied Intelligence

Abstract:With the wide application of neural network, the trained neural network model has become an important asset to provide services for users, but it also faces the risk of malicious attack or illegal tampering. Therefore, especially in safety-critical fields such as military, medical, transportation, and legal, it is crucial to provide users with an integrity authentication mechanism. In this paper, we propose a method for tamper detection and location of convolutional neural networks based on fragile watermarking, which makes it possible to recover the original model as much as possible with the help of existing intact data. Specifically, we use the HRank-based neural network pruning method and the characteristics of single precision floating-point numbers to construct the host sequence, and use the block histogram shift method to embed the watermarking information. To ensure the security of the additional information required to extract the watermarking, we encrypt it using the Combined Logistic Tent Map algorithm. At the receiving end, only the authorized owner can extract the watermarking information from the marked model, and use the characteristics of Merkle Hash Tree to achieve efficient integrity authentication and fast tamper location. To demonstrate the effectiveness of the proposed method, we conduct experiments on two datasets using multiple pre-trained models. The results show that the embedded fragile watermarking can not only realize the integrity authentication of the model, but also realize the authorization verification and tamper location of the model without affecting the classification performance of the model.

Minghua Hou,Linlin Tang,Shuhan Qi,Yang Liu

DOI: https://doi.org/10.1109/ICDIS55630.2022.00019

2022-01-01

Abstract:Sharing neural network models in some platforms and communities has become a popular trend, but they will inevitably suffer from malicious theft of models, If the attacker knows the structure and weights of the model, the model can be easily modified, how to protect the intellectual property rights of the deep models has become a serious problem. The appearance of model watermarking provides a technical possibility for the intellectual property protection of neural network models, and it provides us a reliable method of verifying model ownership when the model's intellectual property rights are infringed. Based on previous work, this paper proposes a new watermarking method for image processing models, which embeds the watermark information into the two chroma channels of the YCbCr color space of image processing model's output images. The proposed method can verify the model ownership in black-box case, which has strong robustness and resistance to common model compression and model fine-tuning attacks.

Xuefeng Fan,Hangyu Gui,Xiaoyi Zhou

DOI: https://doi.org/10.48550/arxiv.2206.02541

2022-01-01

Abstract: Deep neural networks (DNNs) have achieved tremendous success in artificial intelligence (AI) fields. However, DNN models can be easily illegally copied, redistributed, or abused by criminals, seriously damaging the interests of model inventers. Currently, the copyright protection of DNN models by neural network watermarking has been studied, but the establishment of a traceability mechanism for determining the authorized users of a leaked model is a new problem driven by the demand for AI services. Because the existing traceability mechanisms are used for models without watermarks, a small number of false positives is generated. Existing black-box active protection schemes have loose authorization control and are vulnerable to forgery attacks. Therefore, based on the idea of black-box neural network watermarking with the video framing and image perceptual hash algorithm, this study proposes a passive copyright protection and traceability framework PCPT using an additional class of DNN models, improving the existing traceability mechanism that yields a small number of false positives. Based on the authorization control strategy and image perceptual hash algorithm, using the authorization control center constructed using the detector and verifier, a DNN model active copyright protection and traceability framework ACPT is proposed. It realizes stricter authorization control, which establishes a strong connection between users and model owners, and improves the framework security. The key sample that is simultaneously generated does not affect the quality of the original image and supports traceability verification.

Xuefeng Fan,Dahao Fu,Hangyu Gui,Xinpeng Zhang,Xiaoyi Zhou

2023-11-28

Abstract:Deep neural networks (DNNs) have achieved tremendous success in artificial intelligence (AI) fields. However, DNN models can be easily illegally copied, redistributed, or abused by criminals, seriously damaging the interests of model inventors. The copyright protection of DNN models by neural network watermarking has been studied, but the establishment of a traceability mechanism for determining the authorized users of a leaked model is a new problem driven by the demand for AI services. Because the existing traceability mechanisms are used for models without watermarks, a small number of false-positives are generated. Existing black-box active protection schemes have loose authorization control and are vulnerable to forgery attacks. Therefore, based on the idea of black-box neural network watermarking with the video framing and image perceptual hash algorithm, a passive copyright protection and traceability framework PCPT is proposed that uses an additional class of DNN models, improving the existing traceability mechanism that yields a small number of false-positives. Based on an authorization control strategy and image perceptual hash algorithm, a DNN model active copyright protection and traceability framework ACPT is proposed. This framework uses the authorization control center constructed by the detector and verifier. This approach realizes stricter authorization control, which establishes a strong connection between users and model owners, improves the framework security, and supports traceability verification.

Cryptography and Security,Artificial Intelligence

Dorjan Hitaj,Luigi V. Mancini

DOI: https://doi.org/10.48550/arXiv.1809.00615

2018-09-03

Abstract:Deep neural networks have had enormous impact on various domains of computer science, considerably outperforming previous state of the art machine learning techniques. To achieve this performance, neural networks need large quantities of data and huge computational resources, which heavily increases their construction costs. The increased cost of building a good deep neural network model gives rise to a need for protecting this investment from potential copyright infringements. Legitimate owners of a machine learning model want to be able to reliably track and detect a malicious adversary that tries to steal the intellectual property related to the model. Recently, this problem was tackled by introducing in deep neural networks the concept of watermarking, which allows a legitimate owner to embed some secret information(watermark) in a given model. The watermark allows the legitimate owner to detect copyright infringements of his model. This paper focuses on verifying the robustness and reliability of state-of- the-art deep neural network watermarking schemes. We show that, a malicious adversary, even in scenarios where the watermark is difficult to remove, can still evade the verification by the legitimate owners, thus avoiding the detection of model theft.

Cryptography and Security,Machine Learning

DAI Long,ZHANG Jing,FAN Xuefeng,ZHOU Xiaoyi

DOI: https://doi.org/10.11959/j.issn.2096−109x.2023009

2023-01-01

Abstract:With the rapid development of natural language processing techniques, the use of language models in text classification and sentiment analysis has been increasing.However, language models are susceptible to piracy and redistribution by adversaries, posing a serious threat to the intellectual property of model owners.Therefore, researchers have been working on designing protection mechanisms to identify the copyright information of language models.However, existing watermarking of language models for text classification tasks cannot be associated with the owner’s identity, and they are not robust enough and cannot regenerate trigger sets.To solve these problems, a new model, namely black-box watermarking scheme for text classification tasks, was proposed.It was a scheme that can remotely and quickly verify model ownership.The copyright message and the key of the model owner were obtained through the Hash-based Message Authentication Code (HMAC), and the message digest obtained by HMAC can prevent forgery and had high security.A certain amount of text data was randomly selected from each category of the original training set and the digest was combined with the text data to construct the trigger set, then the watermark was embedded on the language model during the training process.To evaluate the performance of the proposed scheme, watermarks were embedded on three common language models on the IMDB’s movie reviews and CNews text classification datasets.The experimental results show that the accuracy of the proposed watermarking verification scheme can reach 100% without affecting the original model.Even under common attacks such as model fine-tuning and pruning, the proposed watermarking scheme shows strong robustness and resistance to forgery attacks.Meanwhile, the embedding of the watermark does not affect the convergence time of the model and has high embedding efficiency.

Zihan Yuan,Xinpeng Zhang,Zichi Wang,Zhaoxia Yin

DOI: https://doi.org/10.1016/j.eswa.2023.121315

IF: 8.5

2024-01-01

Expert Systems with Applications

Abstract:As an emerging digital product, artificial intelligence models face the risk of being modified. Malicious tampering will severely damage model functions, which is different from normal modifications. In addition, tampering localization for targeted repair can effectively reduce the cost. Therefore, it is crucial to achieve model content authentication and locate the tampering location. We proposed a novel semi-fragile neural network watermarking method in this paper to address these issues. Specifically, with the precondition of maintaining model performance, we proposed a method that generates a set of semi-fragile samples for a model to achieve the content authentication and tampering localization. The experiment results show that the content authentication of the model can be achieved by analyzing the output results of the model for the semi-fragile samples. When the model is processed normally, the output results are consistent with the expected label, while when the model is maliciously tampered with, the model produces unstable output. Furthermore, the tamper localization of the model can be further achieved through the information hidden in the semi-fragile samples, resulting in an average accuracy of more than 99.42%. In addition, our method is also effective for other deep neural networks.

Erwan Le Merrer,Gilles Tredan

DOI: https://doi.org/10.48550/arXiv.1903.00317

2019-09-05

Abstract:Neural networks are powering the deployment of embedded devices and Internet of Things. Applications range from personal assistants to critical ones such as self-driving cars. It has been shown recently that models obtained from neural nets can be trojaned ; an attacker can then trigger an arbitrary model behavior facing crafted inputs. This has a critical impact on the security and reliability of those deployed devices. We introduce novel algorithms to detect the tampering with deployed models, classifiers in particular. In the remote interaction setup we consider, the proposed strategy is to identify markers of the model input space that are likely to change class if the model is attacked, allowing a user to detect a possible tampering. This setup makes our proposal compatible with a wide range of scenarios, such as embedded models, or models exposed through prediction APIs. We experiment those tampering detection algorithms on the canonical MNIST dataset, over three different types of neural nets, and facing five different attacks (trojaning, quantization, fine-tuning, compression and watermarking). We then validate over five large models (VGG16, VGG19, ResNet, MobileNet, DenseNet) with a state of the art dataset (VGGFace2), and report results demonstrating the possibility of an efficient detection of model tampering.

Cryptography and Security,Computer Vision and Pattern Recognition,Machine Learning

Peihao Li,Jie Huang,Huaqing Wu,Zeping Zhang,Chunyang Qi

DOI: https://doi.org/10.1016/j.neunet.2024.106199

IF: 7.8

2024-03-06

Neural Networks

Abstract:With the widespread application of deep neural networks (DNNs), the risk of privacy breaches against DNN models is constantly on the rise, resulting in an increasing need for intellectual property (IP) protection for such models. Although neural network watermarking techniques are widely used to safeguard the IP of DNNs, they can only achieve passive protection and cannot actively prevent unauthorized users from illicit use or embezzlement of the trained DNN models. Therefore, the development of proactive protection techniques to prevent IP infringement is imperative. To this end, we propose SecureNet, a key-based access license framework for DNN models. The proposed approach involves injecting license keys into the model through backdoor learning, enabling correct model functionality only when the appropriate license key is included in the input. To ensure the reusability of DNN models, we also propose a license key replacement algorithm. In addition, based on SecureNet, we designed defense mechanisms against adversarial attacks and backdoor attacks, respectively. Furthermore, we introduce a fine-grained authorization method that enables flexible granting of model permissions to different users. We have designed four license-key schemes with different privileges, tailored to various scenarios. We evaluated SecureNet on five benchmark datasets including MNIST, Cifar10, Cifar100, FaceScrub, and CelebA, and assessed its performance on six classic DNN models: LeNet-5, VGG16, ResNet18, ResNet101, NFNet-F5, and MobileNetV3. The results demonstrate that our approach outperforms the state-of-the-art model parameter encryption methods by at least 95% in terms of computational efficiency. Additionally, it provides effective defense against adversarial attacks and backdoor attacks without compromising the model's overall performance.

computer science, artificial intelligence,neurosciences

Haozhe Chen,Hang Zhou,Jie Zhang,Dongdong Chen,Weiming Zhang,Kejiang Chen,Gang Hua,Nenghai Yu

DOI: https://doi.org/10.1145/3572777

IF: 4.094

2023-01-01

ACM Transactions on Multimedia Computing Communications and Applications

Abstract:In recent years, many model intellectual property (IP) proof methods for IP protection have been proposed, such as model watermarking and model fingerprinting. However, with the increasing number of models transmitted and deployed on the Internet, quickly finding the suspect model among thousands of models on model-sharing platforms such as GitHub is in great demand, which concurrently triggers the new security problem of model copy detection for IP protection. As an important part of the model IP protection system, the model copy detection task has not received enough attention. Due to the high computational complexity, both model watermarking and model fingerprinting lack the capability to efficiently find suspected infringing models among tens of millions of models. In this article, inspired by the hash-based image retrieval methods, we introduce a novel model copy detection mechanism: perceptual hashing for convolutional neural networks (CNNs). The proposed perceptual hashing algorithm can convert the weights of CNNs to fixed-length binary hash codes so that the lightly modified version has the similar hash code as the original model. By comparing the similarity of a pair of hash codes between a query model and a test model in the model library, similar versions of a query model can be retrieved efficiently. To the best of our knowledge, this is the first perceptual hashing algorithm for deep neural network models. Specifically, we first select the important model weights based on the model compression theory, then calculate the normal test statistics (NTS) on the segments of important weights, and finally encode the NTS features into hash codes. The experiment performed on a model library containing 3,565 models indicates that our perceptual hashing scheme has a superior copy detection performance.

XiangRui Xu,YaQin Li,Cao Yuan

DOI: https://doi.org/10.48550/arXiv.1911.08053

2019-11-19

Abstract:Deep neural network (DNN) with the state of art performance has emerged as a viable and lucrative business service. However, those impressive performances require a large number of computational resources, which comes at a high cost for the model creators. The necessity for protecting DNN models from illegal reproducing and distribution appears salient now. Recently, trigger-set watermarking, breaking the white-box restriction, relying on adversarial training pre-defined (incorrect) labels for crafted inputs, and subsequently using them to verify the model authenticity, has been the main topic of DNN ownership verification. While these methods have successfully demonstrated robustness against removal attacks, few are effective against the tampering attacks from competitors forging the fake watermarks and dogging in the manager. In this paper, we put forth a new framework of the trigger-set watermark by embedding a unique Serial Number (relatedness less original labels) to the deep neural network for model ownership identification, which is both robust to model pruning and resist to tampering attacks. Experiment results demonstrate that the DNN Serial Number only incurs slight accuracy degradation of the original performance and is valid for ownership verification.

Computer Vision and Pattern Recognition

Yusheng Guo,Nan Zhong,Zhenxing Qian,Xinpeng Zhang

DOI: https://doi.org/10.48550/arXiv.2312.05262

2023-12-05

Abstract:Training a deep neural network (DNN) requires a high computational cost. Buying models from sellers with a large number of computing resources has become prevailing. However, the buyer-seller environment is not always trusted. To protect the neural network models from leaking in an untrusted environment, we propose a novel copyright protection scheme for DNN using an input-sensitive neural network (ISNN). The main idea of ISNN is to make a DNN sensitive to the key and copyright information. Therefore, only the buyer with a correct key can utilize the ISNN. During the training phase, we add a specific perturbation to the clean images and mark them as legal inputs, while the other inputs are treated as illegal input. We design a loss function to make the outputs of legal inputs close to the true ones, while the illegal inputs are far away from true results. Experimental results demonstrate that the proposed scheme is effective, valid, and secure.

Cryptography and Security,Machine Learning

Dong-Dong Wu,Chilin Fu,Weichang Wu,Wenwen Xia,Xiaolu Zhang,JUN ZHOU,Min-Ling Zhang

DOI: https://doi.org/10.1109/cvpr52733.2024.02294

2024-01-01

Abstract:With the escalating complexity and investment cost of training deep neural networks, safeguarding them from unauthorized usage and intellectual property theft has become imperative. Especially the rampant misuse of prediction APIs to replicate models without access to the original data or architecture poses grave security threats. Diverse defense strategies have emerged to address these vulnerabilities, yet these defenses either incur heavy inference overheads or assume idealized attack scenarios. To address these challenges, we revisit the utilization of noise transition matrix as an efficient perturbation technique, which injects noise into predicted posteriors in a linear manner and integrates seamlessly into existing systems with minimal overhead, for model stealing defense. Provably, with such perturbed posteriors, the attacker's cloning process degrades into learning from noisy data. Toward optimizing the noise transition matrix, we proposed a novel bi-level optimization training framework, which performs fidelity on the victim model while the surrogate model adversarially. Comprehensive experimental results demonstrate that our method effectively thwarts model stealing attacks and achieves minimal utility tradeoffs, outperforming existing state-of-the-art defenses.

Mingfu Xue,Yushu Zhang,Jian Wang,Weiqiang Liu

DOI: https://doi.org/10.1109/tai.2021.3133824

2021-01-01

IEEE Transactions on Artificial Intelligence

Abstract:The training and creation of deep learning model is usually costly, thus the trained model can be regarded as an intellectual property (IP) of the model creator. However, malicious users who obtain high-performance models may illegally copy, redistribute, or abuse the models without permission. To deal with such security threats, a few deep neural networks (DNN) IP protection methods have been proposed in recent years. This article attempts to provide a review of the existing DNN IP protection works and also an outlook. First, we propose the first taxonomy for DNN IP protection methods in terms of six attributesscenario, mechanism, capacity, type, function, and target models. Then, we present a survey on existing DNN IP protection works in terms of the above six attributes, especially focusing on the challenges these methods face, whether these methods can provide proactive protection, and their resistances to different levels of attacks. After that, we analyze the potential attacks on DNN IP protection methods from the aspects of model modifications, evasion attacks, and active attacks. Besides, a systematic evaluation method for DNN IP protection methods with respect to basic functional metrics, attack-resistance metrics, and customized metrics for different application scenarios is given. Finally, challenges and future research opportunities on DNN IP protection are presented.

Zhi Wang,Chaoge Liu,Xiang Cui

DOI: https://doi.org/10.1109/ISCC53001.2021.9631425

2021-08-05

Abstract:Delivering malware covertly and evasively is critical to advanced malware campaigns. In this paper, we present a new method to covertly and evasively deliver malware through a neural network model. Neural network models are poorly explainable and have a good generalization ability. By embedding malware in neurons, the malware can be delivered covertly, with minor or no impact on the performance of neural network. Meanwhile, because the structure of the neural network model remains unchanged, it can pass the security scan of antivirus engines. Experiments show that 36.9MB of malware can be embedded in a 178MB-AlexNet model within 1% accuracy loss, and no suspicion is raised by anti-virus engines in VirusTotal, which verifies the feasibility of this method. With the widespread application of artificial intelligence, utilizing neural networks for attacks becomes a forwarding trend. We hope this work can provide a reference scenario for the defense on neural network-assisted attacks.

Cryptography and Security,Artificial Intelligence

Ge Ren,Jun Wu,Gaolei Li,Shenghong Li

DOI: https://doi.org/10.48550/arXiv.2103.08472

2021-03-15

Abstract:The smartphone and laptop can be unlocked by face or fingerprint recognition, while neural networks which confront numerous requests every day have little capability to distinguish between untrustworthy and credible users. It makes model risky to be traded as a commodity. Existed research either focuses on the intellectual property rights ownership of the commercialized model, or traces the source of the leak after pirated models appear. Nevertheless, active identifying users legitimacy before predicting output has not been considered yet. In this paper, we propose Model-Lock (M-LOCK) to realize an end-to-end neural network with local dynamic access control, which is similar to the automatic locking function of the smartphone to prevent malicious attackers from obtaining available performance actively when you are away. Three kinds of model training strategy are essential to achieve the tremendous performance divergence between certified and suspect input in one neural network. Extensive experiments based on MNIST, FashionMNIST, CIFAR10, CIFAR100, SVHN and GTSRB datasets demonstrated the feasibility and effectiveness of the proposed scheme.

Human-Computer Interaction,Cryptography and Security,Machine Learning