Yuheng Zhang,Ruoxi Jia,Hengzhi Pei,Wenxiao Wang,Bo Li,Dawn Song

DOI: https://doi.org/10.1109/CVPR42600.2020.00033

2020-01-01

Abstract:This paper studies model-inversion attacks, in which the access to a model is abused to infer information about the training data. Since its first introduction by [7], such attacks have raised serious concerns given that training data usually contain privacy-sensitive information. Thus far, successful model-inversion attacks have only been demonstrated on simple models, such as linear regression and logistic regression. Previous attempts to invert neural networks, even the ones with simple architectures, have failed to produce convincing results. We present a novel attack method, termed the generative model-inversion attack, which can invert deep neural networks with high success rates. Rather than reconstructing private training data from scratch, we leverage partial public information, which can be very generic, to learn a distributional prior via generative adversarial networks (GANs) and use it to guide the inversion process. Moreover, we theoretically prove that a model's predictive power and its vulnerability to inversion attacks are indeed two sides of the same coin-highly predictive models are able to establish a strong correlation between features and labels, which coincides exactly with what an adversary exploits to mount the attacks. Our extensive experiments demonstrate that the proposed attack improves identification accuracy over the existing work by about 75% for reconstructing face images from a state-of-the-art face recognition classifier. We also show that differential privacy, in its canonical form, is of little avail to defend against our attacks.

Yanru Xiao,Cong Wang,Xing Gao

DOI: https://doi.org/10.1109/cvpr42600.2020.00967

2020-01-01

Computer Vision and Pattern Recognition

Abstract:With the rapid growth of visual content, deep learning to hash is gaining popularity in the image retrieval community recently. Although it greatly facilitates search efficiency, privacy is also at risks when images on the web are retrieved at a large scale and exploited as a rich mine of personal information. An adversary can extract private images by querying similar images from the targeted category for any usable model. Existing methods based on image processing preserve privacy at a sacrifice of perceptual quality. In this paper, we propose a new mechanism based on adversarial examples to "stash'' private images in the deep hash space while maintaining perceptual similarity. We first find that a simple approach of hamming distance maximization is not robust against brute-force adversaries. Then we develop a new loss function by maximizing the hamming distance to not only the original category, but also the centers from all the classes, partitioned into clusters of various sizes. The extensive experiment shows that the proposed defense can harden the attacker's efforts by 2-7 orders of magnitude, without significant increase of computational overhead and perceptual degradation. We also demonstrate 30-60% transferability in hash space with a black-box setting. The code is available at: https://github.com/sugarruy/hashstash

Cheng Xiong,Guorui Feng,Xinran Li,Xinpeng Zhang,Chuan Qin

DOI: https://doi.org/10.1145/3503161.3548247

2022-01-01

Abstract:With the rapid development of neural network, a vast number of neural network models have been developed in recent years, which condense numerous manpower and hardware resource. However, the original models are at risk of being pirated by the adversary to obtain illegal profits. On the other hand, malicious tampering on models, such as implanting the vulnerability and backdoor, may cause catastrophic consequences. We propose a model hash generator method to protect neural network models. Detailedly, our model hash sequence is composed of two parts: one is the model piracy identification hash, which is based on the dynamic convolution and a dual-branch network; the other is the model tampering localization hash, which can help the model owner to accurately detect the tampered locations for further recovery. Experimental results demonstrate the effectiveness of the proposed method for neural network model protection.

Haozhe Chen,Hang Zhou,Jie Zhang,Dongdong Chen,Weiming Zhang,Kejiang Chen,Gang Hua,Nenghai Yu

DOI: https://doi.org/10.1145/3572777

IF: 4.094

2023-01-01

ACM Transactions on Multimedia Computing Communications and Applications

Abstract:In recent years, many model intellectual property (IP) proof methods for IP protection have been proposed, such as model watermarking and model fingerprinting. However, with the increasing number of models transmitted and deployed on the Internet, quickly finding the suspect model among thousands of models on model-sharing platforms such as GitHub is in great demand, which concurrently triggers the new security problem of model copy detection for IP protection. As an important part of the model IP protection system, the model copy detection task has not received enough attention. Due to the high computational complexity, both model watermarking and model fingerprinting lack the capability to efficiently find suspected infringing models among tens of millions of models. In this article, inspired by the hash-based image retrieval methods, we introduce a novel model copy detection mechanism: perceptual hashing for convolutional neural networks (CNNs). The proposed perceptual hashing algorithm can convert the weights of CNNs to fixed-length binary hash codes so that the lightly modified version has the similar hash code as the original model. By comparing the similarity of a pair of hash codes between a query model and a test model in the model library, similar versions of a query model can be retrieved efficiently. To the best of our knowledge, this is the first perceptual hashing algorithm for deep neural network models. Specifically, we first select the important model weights based on the model compression theory, then calculate the normal test statistics (NTS) on the segments of important weights, and finally encode the NTS features into hash codes. The experiment performed on a model library containing 3,565 models indicates that our perceptual hashing scheme has a superior copy detection performance.

Xiaoxuan Lou,Shangwei Guo,Jiwei Li,Tianwei Zhang

DOI: https://doi.org/10.1109/tcsvt.2022.3184644

IF: 5.859

2022-01-01

IEEE Transactions on Circuits and Systems for Video Technology

Abstract:Deep Neural Networks (DNN) are gaining higher commercial values in computer vision applications, e.g., image classification, video analytics, etc. This calls for urgent demands of the intellectual property (IP) protection of DNN models. In this paper, we present a novel watermarking scheme to achieve the ownership verification of DNN architectures. Existing works all embedded watermarks into the model parameters while treating the architecture as public property. These solutions were proven to be vulnerable by an adversary to detect or remove the watermarks. In contrast, we claim the model architectures as an important IP for model owners, and propose to implant watermarks into the architectures. We design new algorithms based on Neural Architecture Search (NAS) to generate watermarked architectures, which are unique enough to represent the ownership, while maintaining high model usability. Such watermarks can be extracted via side-channel-based model extraction techniques with high fidelity. We conduct comprehensive experiments on watermarked CNN models for image classification tasks and the experimental results show our scheme has negligible impact on the model performance, and exhibits strong robustness against various model transformations and adaptive attacks.

Lin Huang,Yitong Tao,Chuan Qin,Xinpeng Zhang

DOI: https://doi.org/10.1109/lsp.2024.3465898

2024-10-04

IEEE Signal Processing Letters

Abstract:How to protect the intellectual property (IP) of neural network models has become a hot topic in current research. Model hashing as an important model protection scheme, which achieves model IP protection by extracting model feature-based, compact hash codes and calculating the hash distance between original and suspicious models. To realize model IP protection across platforms and environments, we propose a robust hashing scheme for neural network models via heterogeneous graph representation, which can effectively detect the illegal copy of neural network models and doesn't degrade the model performance. Specifically, we first convert the neural network model into a heterogeneous graph and analyze its node attribute data. Then, a graph embedding learning method is used to extract the feature vectors of the model based on different attribute data of graph nodes. Finally, the hash code that can be used for model copy detection is generated based on the designed hash networks with quantization and triplet losses. Experimental results show that our scheme not only exhibits satisfactory robustness to different types of robustness graph attacks but also achieves satisfactory performances of discrimination and generalizability.

engineering, electrical & electronic

Zhiying Zhu,Hang Zhou,Siyuan Xing,Zhenxing Qian,Sheng Li,Xinpeng Zhang

DOI: https://doi.org/10.3390/sym14040810

2022-01-01

Symmetry

Abstract:In recent years, advances in deep learning have boosted the practical development, distribution and implementation of deep neural networks (DNNs). The concept of symmetry is often adopted in a deep neural network to construct an efficient network structure tailored for a specific task, such as the classic encoder-decoder structure. Massive DNN models are diverse in category, quantity and open source frameworks for implementation. Therefore, the retrieval of DNN models has become a problem worthy of attention. To this end, we propose a new idea of generating perceptual hashes of DNN models, named HNN-Net (Hash Neural Network), to index similar DNN models by similar hash codes. The proposed HNN-Net is based on neural graph networks consisting of two stages: the graph generator and the graph hashing. In the graph generator stage, the target DNN model is first converted and optimized into a graph. Then, it is assigned with additional information extracted from the execution of the original model. In the graph hashing stage, it learns to construct a compact binary hash code. The constructed hash function can well preserve the features of both the topology structure and the semantics information of a neural network model. Experimental results demonstrate that the proposed scheme is effective to represent a neural network with a short hash code, and it is generalizable and efficient on different models.

Yakup Kutlu,Apdullah Yayık

DOI: https://doi.org/10.48550/arXiv.1703.00726

2017-03-02

Abstract:Many different approaches for neural network based hash functions have been proposed. Statistical analysis must correlate security of them. This paper proposes novel neural hashing approach for gray scale image authentication. The suggested system is rapid, robust, useful and secure. Proposed hash function generates hash values using neural network one-way property and non-linear techniques. As a result security and performance analysis are performed and satisfying results are achieved. These features are dominant reasons for preferring against traditional ones.

Cryptography and Security

Xiaoyu You,Mi Zhang,Jianwei Xu,Min Yang

DOI: https://doi.org/10.1109/icws62655.2024.00069

2024-01-01

Abstract:Deep hashing models have revolutionized traditional hashing methods by delivering superior performance, and have been applied in real-world applications such as Pinterest and Amazon, which are known as deep hashing-based retrieval systems. Behind their revolutionary representation capability, the requirements for training a deep hashing model expose it to the risks of potential model stealing attacks - a cheap way to mimic the well-trained hashing performance while circumventing the demanding requirements. Since the attacker is able to obtain the outputs of deep hashing models by querying the retrieval systems, the conventional stealing attacks relying on matching exact outputs can not be applied in this problem. In this paper, we propose a contrastive-based and GAN-enhanced stealing framework to leverage the informative knowledge of retrieved data. Our empirical results demonstrate that our stealing framework can train a substitute hashing model with a retrieval accuracy ranging from 80% to 110% of the target hashing model while utilizing significantly fewer training resources. Furthermore, we conduct attacks on the target hashing model using adversarial examples generated by the stolen model, resulting in an attack success rate that can be 3 times higher compared to attacks conducted without the substitute model. Finally, we leverage existing defense strategies to mitigate our attack, resulting in a stealing effectiveness decrease of no more than 4%.

Yuling Cai,Fan Xiang,Guozhu Meng,Yinzhi Cao,Kai Chen

2024-05-24

Abstract:Model stealing, i.e., unauthorized access and exfiltration of deep learning models, has become one of the major threats. Proprietary models may be protected by access controls and encryption. However, in reality, these measures can be compromised due to system breaches, query-based model extraction or a disgruntled insider. Security hardening of neural networks is also suffering from limits, for example, model watermarking is passive, cannot prevent the occurrence of piracy and not robust against transformations. To this end, we propose a native authentication mechanism, called AuthNet, which integrates authentication logic as part of the model without any additional structures. Our key insight is to reuse redundant neurons with low activation and embed authentication bits in an intermediate layer, called a gate layer. Then, AuthNet fine-tunes the layers after the gate layer to embed authentication logic so that only inputs with special secret key can trigger the correct logic of AuthNet. It exhibits two intuitive advantages. It provides the last line of defense, i.e., even being exfiltrated, the model is not usable as the adversary cannot generate valid inputs without the key. Moreover, the authentication logic is difficult to inspect and identify given millions or billions of neurons in the model. We theoretically demonstrate the high sensitivity of AuthNet to the secret key and its high confusion for unauthorized samples. AuthNet is compatible with any convolutional neural network, where our extensive evaluations show that AuthNet successfully achieves the goal in rejecting unauthenticated users (whose average accuracy drops to 22.03%) with a trivial accuracy decrease (1.18% on average) for legitimate users, and is robust against model transformation and adaptive attacks.

Cryptography and Security

Ke Wu,Zichi Wang,Xinpeng Zhang,Zhenjun Tang

DOI: https://doi.org/10.1117/1.jei.32.2.023016

IF: 0.829

2023-01-01

Journal of Electronic Imaging

Abstract:Conventional deep neural networks (DNNs) have been shown to be vulnerable to images with adversarial perturbations, referred to as adversarial examples. In this study, we propose a method to protect neural networks against adversarial examples using perceptual image hashing. Because perceptual hashing is robust to adversarial perturbations, we combine hash sequences of input images with the parameters of a neural network in an image-hash processing network. Thus, outputs of the neural network are affected by image hashes, which render the model robust to adversarial examples to some extent. Thus, the proposed approach provides a defense against adversarial examples. The experiment was conducted on the CIFAR-10 dataset, and we used ResNet-18 as our target network. To verify our method, we tested our defense network using several common white-box attacks and black-box attacks. The results show that it achieved a significant improvement in the classification accuracy for adversarial examples.

Xiaohan Sun,Jiting Zhou

DOI: https://doi.org/10.1109/ACCESS.2022.3221980

IF: 3.9

IEEE Access

Abstract:At present, most of the perceptual hash methods for image copyright protection rely on manually designed feature extraction and mapping, whose detection accuracy is insufficient. Some schemes based on deep learning are designed to consider a limited variety of content retention operations, which are not enough to deal with the increasingly severe situation of image copyright protection. In response to this situation, a novel Convolutional Neural Network (CNN)-based perceptual image hashing scheme is introduced in this paper. In this scheme, the training images are classified according to their original images and a Hadamard matrix is used to generate a hash center for each class in Hamming space. Then the Convolution Neural Network learns the feature extraction process of the image automatically, constrained by central quantization and distinct quantization, so that the hash code of each image converges to the hash center of their class, and generates the final hash sequence. The proposed scheme can successfully strike a balance between perceived robustness and discrimination capacity. Based on the test results on large-scale test sets, $F_{1}$ scores, equal error rate (EER) and receiver operating characteristic (ROC) curves demonstrate the superiority of our scheme compared with some state-of-the-art schemes.

Computer Science

Chuan Qin,Enli Liu,Guorui Feng,Xinpeng Zhang

DOI: https://doi.org/10.1109/TCSVT.2020.3047142

IF: 5.859

2021-01-01

IEEE Transactions on Circuits and Systems for Video Technology

Abstract:In this paper, a novel perceptual image hashing scheme based on convolutional neural network (CNN) with multiple constraints is proposed, in which our deep hashing network learns the process of features extraction automatically according to the training target and then generates the final hash sequence. The combination of convolutional and pooling layers is to reduce the size of input image while deepening the channels. Then, we construct two pairs of constraints and integrate them into an overall constraint function through a strategy of weight allocation. In order to guarantee the robustness and discrimination of deep hashing network simultaneously, a new training method is developed to adjust the training set structure dynamically according to the changes of constraint values. Experimental results show that the proposed deep hashing network can achieve a satisfactory balance between perceptual robustnzess and discrimination while maintaining security. Based on the large-scale test set, receiver operating characteristic (ROC) curves, F-1 scores and equal error rate (EER) demonstrate the superiority of our scheme in terms of content authentication compared with some state-of-the-art schemes.

Lukas Struppek,Dominik Hintersdorf,Daniel Neider,Kristian Kersting

DOI: https://doi.org/10.1145/3531146.3533073

2024-07-16

Abstract:Apple recently revealed its deep perceptual hashing system NeuralHash to detect child sexual abuse material (CSAM) on user devices before files are uploaded to its iCloud service. Public criticism quickly arose regarding the protection of user privacy and the system's reliability. In this paper, we present the first comprehensive empirical analysis of deep perceptual hashing based on NeuralHash. Specifically, we show that current deep perceptual hashing may not be robust. An adversary can manipulate the hash values by applying slight changes in images, either induced by gradient-based approaches or simply by performing standard image transformations, forcing or preventing hash collisions. Such attacks permit malicious actors easily to exploit the detection system: from hiding abusive material to framing innocent users, everything is possible. Moreover, using the hash values, inferences can still be made about the data stored on user devices. In our view, based on our results, deep perceptual hashing in its current form is generally not ready for robust client-side scanning and should not be used from a privacy perspective.

Machine Learning,Cryptography and Security,Computer Vision and Pattern Recognition

Xuefeng Fan,Dahao Fu,Hangyu Gui,Xinpeng Zhang,Xiaoyi Zhou

2023-11-28

Abstract:Deep neural networks (DNNs) have achieved tremendous success in artificial intelligence (AI) fields. However, DNN models can be easily illegally copied, redistributed, or abused by criminals, seriously damaging the interests of model inventors. The copyright protection of DNN models by neural network watermarking has been studied, but the establishment of a traceability mechanism for determining the authorized users of a leaked model is a new problem driven by the demand for AI services. Because the existing traceability mechanisms are used for models without watermarks, a small number of false-positives are generated. Existing black-box active protection schemes have loose authorization control and are vulnerable to forgery attacks. Therefore, based on the idea of black-box neural network watermarking with the video framing and image perceptual hash algorithm, a passive copyright protection and traceability framework PCPT is proposed that uses an additional class of DNN models, improving the existing traceability mechanism that yields a small number of false-positives. Based on an authorization control strategy and image perceptual hash algorithm, a DNN model active copyright protection and traceability framework ACPT is proposed. This framework uses the authorization control center constructed by the detector and verifier. This approach realizes stricter authorization control, which establishes a strong connection between users and model owners, improves the framework security, and supports traceability verification.

Cryptography and Security,Artificial Intelligence

Yongwei Wang,Hamid Palangi,Z. Jane Wang,Haoqian Wang

DOI: https://doi.org/10.1016/j.image.2018.06.018

IF: 3.453

2018-01-01

Signal Processing Image Communication

Abstract:Image hashing has attracted increasing popularity in recent years. Some off-the-shelf image hashing methods are able to generate more compact and robust hashes for fast indexing and content-based similarity retrieval. However, the ability to infer original image contents from their real-valued image hashes has seldom been examined. Inherited from cryptographic hashing for image privacy protection, general image hashing is supposed to be a non-revertible function. Should there be a way to revert (or perceptually reconstruct) images from the corresponding real-valued image hashes? This paper explores the feasibility of perceptually image hashing reversion, and fill this gap by proposing a deep learning based framework, entitled RevHashNet. Given real-valued image hashes from certain image hashing methods, the proposed RevHashNet can automatically reconstruct perceptually similar images with respect to the original ones with high visual quality. Experiments and simulations on real image datasets support the de-hashing effectiveness of the proposed RevHashNet.

Weiheng Chai,Brian Testa,Huantao Ren,Asif Salekin,Senem Velipasalar

2024-02-15

Abstract:Deep neural networks are extensively applied to real-world tasks, such as face recognition and medical image classification, where privacy and data protection are critical. Image data, if not protected, can be exploited to infer personal or contextual information. Existing privacy preservation methods, like encryption, generate perturbed images that are unrecognizable to even humans. Adversarial attack approaches prohibit automated inference even for authorized stakeholders, limiting practical incentives for commercial and widespread adaptation. This pioneering study tackles an unexplored practical privacy preservation use case by generating human-perceivable images that maintain accurate inference by an authorized model while evading other unauthorized black-box models of similar or dissimilar objectives, and addresses the previous research gaps. The datasets employed are ImageNet, for image classification, Celeba-HQ dataset, for identity classification, and AffectNet, for emotion classification. Our results show that the generated images can successfully maintain the accuracy of a protected model and degrade the average accuracy of the unauthorized black-box models to 11.97%, 6.63%, and 55.51% on ImageNet, Celeba-HQ, and AffectNet datasets, respectively.

Computer Vision and Pattern Recognition,Machine Learning

Dingjie Xu,Sheng Chen,Changqing Zhu,Hui Li,Luanyun Hu,Na Ren

DOI: https://doi.org/10.1109/lgrs.2024.3407101

IF: 5.343

2024-06-19

IEEE Geoscience and Remote Sensing Letters

Abstract:For ensuring the integrity of high-resolution remote sensing (HRRS) images, the perceptual hash method offers a dual advantage. It preserves the nondestructive nature of the original image while also ensuring robustness to content-preserving operations. However, current deep learning-based HRRS image hashing methods for integrity authentication are notably limited as they terminate at the feature extraction stage and fail to achieve an end-to-end construction from image to hash value. Consequently, there is a looming risk of uncontrollability and unexpected events. To overcome this problem, this letter proposes a deep subject-sensitive hashing network (DSSHN), presenting a unified network for end-to-end feature extraction and hash construction. Improved convolutional block attention module (I-CBAM) helps the network to focus more on subject-sensitive features. A targeted training scheme ensures perceptual hash robustness. The experimental results reveal that the algorithm achieves the best tampering detection performance, with top AUC (0.994) and leading precision and recall rates.

imaging science & photographic technology,remote sensing,engineering, electrical & electronic,geochemistry & geophysics

Zihan Yuan,Xinpeng Zhang,Zichi Wang,Zhaoxia Yin

DOI: https://doi.org/10.1016/j.eswa.2023.121315

IF: 8.5

2024-01-01

Expert Systems with Applications

Abstract:As an emerging digital product, artificial intelligence models face the risk of being modified. Malicious tampering will severely damage model functions, which is different from normal modifications. In addition, tampering localization for targeted repair can effectively reduce the cost. Therefore, it is crucial to achieve model content authentication and locate the tampering location. We proposed a novel semi-fragile neural network watermarking method in this paper to address these issues. Specifically, with the precondition of maintaining model performance, we proposed a method that generates a set of semi-fragile samples for a model to achieve the content authentication and tampering localization. The experiment results show that the content authentication of the model can be achieved by analyzing the output results of the model for the semi-fragile samples. When the model is processed normally, the output results are consistent with the expected label, while when the model is maliciously tampered with, the model produces unstable output. Furthermore, the tamper localization of the model can be further achieved through the information hidden in the semi-fragile samples, resulting in an average accuracy of more than 99.42%. In addition, our method is also effective for other deep neural networks.