Kejun Zhang,Yu Liang,Jianyi Zhang,Zhiqiang Wang,Xinxin Li

DOI: https://doi.org/10.1109/access.2019.2939812

IF: 3.9

2019-01-01

IEEE Access

Abstract:Fake or tampered images pose a real problem in today's life. It is easy to unknowingly be drawn to an interesting image that is false. Recently, with the emergence of generative adversarial networks (GANs), it becomes much more easy to generate high-quality fake images in a very realistic way. However, the current digital image forensics algorithms mainly focus on the detection of traditional tampered images or need prior knowledge of the network structure of GANs. Hence, verifying the authenticity of an image is very challenging. In this paper, we propose a general method for simultaneously detecting tampered images, and GANs generated images. First, we use the Scharr operator to extract the edge information of the image. Then, we converted the edge image information matrix into the gray level co-occurrence matrix (GLCM) to scale the image without loss of image information. Finally, GLCM was fed into the deep neural network designed based on depthwise separable convolution for training. Compared with other methods, our model achieves a higher macro average of F1 score of 0.9865. Meanwhile, our method has better performance in detecting tampered images and has strong generalization ability for many GANs models.

Yujia Liu,Weiming Zhang,Nenghai Yu

DOI: https://doi.org/10.1155/2017/1897438

IF: 1.968

2017-01-01

Security and Communication Networks

Abstract:Online image sharing in social platforms can lead to undesired privacy disclosure. For example, some enterprises may detect these large volumes of uploaded images to do users’ in-depth preference analysis for commercial purposes. And their technology might be today’s most powerful learning model, deep neural network (DNN). To just elude these automatic DNN detectors without affecting visual quality of human eyes, we design and implement a novel Stealth algorithm, which makes the automatic detector blind to the existence of objects in an image, by crafting a kind of adversarial examples. It is just like all objects disappear after wearing an “invisible cloak” from the view of the detector. Then we evaluate the effectiveness of Stealth algorithm through our newly defined measurement, named privacy insurance. The results indicate that our scheme has considerable success rate to guarantee privacy compared with other methods, such as mosaic, blur, and noise. Better still, Stealth algorithm has the smallest impact on image visual quality. Meanwhile, we set a user adjustable parameter called cloak thickness for regulating the perturbation intensity. Furthermore, we find that the processed images have transferability property; that is, the adversarial images generated for one particular DNN will influence the others as well.

Xiuli Chai,Zhen Chen,Zhihua Gan,Yushu Zhang,Yong Tan

DOI: https://doi.org/10.1109/icspcc59353.2023.10400335

2023-01-01

Abstract:Nowadays, large numbers of private images are stored in the cloud, which may be recognized by unauthorized models, seriously threatening users' privacy security. Although adversarial example (AE) can mislead unauthorized models to protect image privacy, the irreversible perturbations added to images can also mislead the authorized models. Reversible adversarial example (RAE) provides an effective solution that misleads unauthorized models without affecting authorized ones. However, existing RAE generation methods have low attack ability and imperfect image recovery, which makes them unsatisfactory. This paper proposes an RAE generation method that is RAE based on Thumbnail Preserving Encryption (RAE-TPE), where the semantic information of the images is unchanged but the generated RAEs successfully fool traditional classification models. Through decryption, the images can be recovered losslessly. Additionally, we present a novel optimization algorithm called dual annealing evolution (DAE) to enhance the RAEs' visual quality and attack ability. The experimental results on the ImageNet dataset demonstrate that RAEs generated by RAE-TPE show excellent attack ability and robustness.

Runyi Li,Xuanyu Zhang,Zhipei Xu,Yongbing Zhang,Jian Zhang

DOI: https://doi.org/10.48550/arxiv.2405.16596

2024-01-01

Abstract:With the advent of personalized generation models, users can more readilycreate images resembling existing content, heightening the risk of violatingportrait rights and intellectual property (IP). Traditional post-hoc detectionand source-tracing methods for AI-generated content (AIGC) employ proactivewatermark approaches; however, these are less effective against personalizedgeneration models. Moreover, attribution techniques for AIGC rely on passivedetection but often struggle to differentiate AIGC from authentic images,presenting a substantial challenge. Integrating these two processes into acohesive framework not only meets the practical demands for protection andforensics but also improves the effectiveness of attribution tasks. Inspired bythis insight, we propose a unified approach for image copyright source-tracingand attribution, introducing an innovative watermarking-attribution method thatblends proactive and passive strategies. We embed copyright watermarks intoprotected images and train a watermark decoder to retrieve copyrightinformation from the outputs of personalized models, using this watermark as aninitial step for confirming if an image is AIGC-generated. To pinpoint specificgeneration techniques, we utilize powerful visual backbone networks forclassification. Additionally, we implement an incremental learning strategy toadeptly attribute new personalized models without losing prior knowledge,thereby enhancing the model's adaptability to novel generation methods. We haveconducted experiments using various celebrity portrait series sourced online,and the results affirm the efficacy of our method in source-tracing andattribution tasks, as well as its robustness against knowledge forgetting.

Peifei Zhu,Tsubasa Takahashi,Hirokatsu Kataoka

2024-04-19

Abstract:Diffusion Models (DMs) have shown remarkable capabilities in various image-generation tasks. However, there are growing concerns that DMs could be used to imitate unauthorized creations and thus raise copyright issues. To address this issue, we propose a novel framework that embeds personal watermarks in the generation of adversarial examples. Such examples can force DMs to generate images with visible watermarks and prevent DMs from imitating unauthorized images. We construct a generator based on conditional adversarial networks and design three losses (adversarial loss, GAN loss, and perturbation loss) to generate adversarial examples that have subtle perturbation but can effectively attack DMs to prevent copyright violations. Training a generator for a personal watermark by our method only requires 5-10 samples within 2-3 minutes, and once the generator is trained, it can generate adversarial examples with that watermark significantly fast (0.2s per image). We conduct extensive experiments in various conditional image-generation scenarios. Compared to existing methods that generate images with chaotic textures, our method adds visible watermarks on the generated images, which is a more straightforward way to indicate copyright violations. We also observe that our adversarial examples exhibit good transferability across unknown generative models. Therefore, this work provides a simple yet powerful way to protect copyright from DM-based imitation.

Computer Vision and Pattern Recognition,Artificial Intelligence

Mingfu Xue,Shichang Sun,Zhiyu Wu,Can He,Jian Wang,Weiqiang Liu

DOI: https://doi.org/10.1016/j.jisa.2021.102993

IF: 4.96

2021-12-01

Journal of Information Security and Applications

Abstract:People are always interested in sharing photos on social platforms. However, undesirable privacy leakage may occur due to such online photo sharing. Advanced deep neural network (DNN) based object detectors can easily steal users’ personal information exposed in shared photos. In this paper, we propose a novel adversarial example based privacy-preserving technique for social images against object detectors-based privacy stealing. Specifically, we propose an Object Disappearance Algorithm to craft two kinds of adversarial social images to fool the object detector. One can hide all the objects in the social images from being detected by an object detector, and the other can make the customized sensitive objects be misclassified by the object detector. Experimental results show that, the proposed method can effectively protect the privacy of social images, while the quality of these images is not affected. The privacy-preserving success rates of the proposed method on MS-COCO and PASCAL VOC 2007 datasets are high up to 96.1% and 99.3%, respectively, and the privacy leakage rates on these two datasets are as low as 0.57% and 0.07%, respectively. Compared with common image processing methods (low brightness, noise, blur, mosaic and JPEG compression) and the existing work, the proposed method can achieve much more powerful performance in protecting the privacy of social images, while not affecting the quality of social images.

computer science, information systems

Tong Qiao,Yuyan Ma,Ning Zheng,Hanzhou Wu,Yanli Chen,Ming Xu,Xiangyang Luo

DOI: https://doi.org/10.1016/j.cose.2023.103102

2023-01-15

Abstract:With the advance of deep learning, it definitely has achieved the unprecedented success in the community of artificial intelligence. However, the issue of the intellectual property (IP) protection towards deep learning model is usually ignored, which largely threats the interests of the model owner. Currently, although a few schemes of model watermarking have been continuously proposed, in order to protect the specific neural network designed for detection or classification task, most of them are hardly directly applicable to generative adversarial networks (GAN). To our knowledge, the GAN model has plays more and more important role in the computer vision, such as image-to-image translation, text-to-image translation, image inpainting and etc., which remarkably improves the capability of image generation. Similarly, the malicious attackers possibly steal a trained GAN model to infringe the IP of the true model owner. To address that challenging issue, it is proposed to establish the framework of model watermarking towards GAN model. In particular, we first establish the trigger set by combining the watermark label with the verification image. Next, the watermarked generator is efficiently trained on the premise of preserving the original model performance. Finally, only relying on the correct watermark label, the synthetic watermark can be successfully triggered by the model owner for IP protection. The extensive experiments have verified the effectiveness and generalization of our designed method, which can easily be applicable to the benchmark GAN models such as WGAN-GP, ProGAN and StyleGAN2. Moreover, our proposed model watermark is robust enough to resist against the mainstream attacks, such as parameter fine-tuning and model pruning.

computer science, information systems

Xuefeng Fan,Dahao Fu,Hangyu Gui,Xinpeng Zhang,Xiaoyi Zhou

2023-11-28

Abstract:Deep neural networks (DNNs) have achieved tremendous success in artificial intelligence (AI) fields. However, DNN models can be easily illegally copied, redistributed, or abused by criminals, seriously damaging the interests of model inventors. The copyright protection of DNN models by neural network watermarking has been studied, but the establishment of a traceability mechanism for determining the authorized users of a leaked model is a new problem driven by the demand for AI services. Because the existing traceability mechanisms are used for models without watermarks, a small number of false-positives are generated. Existing black-box active protection schemes have loose authorization control and are vulnerable to forgery attacks. Therefore, based on the idea of black-box neural network watermarking with the video framing and image perceptual hash algorithm, a passive copyright protection and traceability framework PCPT is proposed that uses an additional class of DNN models, improving the existing traceability mechanism that yields a small number of false-positives. Based on an authorization control strategy and image perceptual hash algorithm, a DNN model active copyright protection and traceability framework ACPT is proposed. This framework uses the authorization control center constructed by the detector and verifier. This approach realizes stricter authorization control, which establishes a strong connection between users and model owners, improves the framework security, and supports traceability verification.

Cryptography and Security,Artificial Intelligence

Ding Sheng Ong,Chee Seng Chan,Kam Woh Ng,Lixin Fan,Qiang Yang

DOI: https://doi.org/10.48550/arXiv.2102.04362

2021-03-01

Abstract:Ever since Machine Learning as a Service (MLaaS) emerges as a viable business that utilizes deep learning models to generate lucrative revenue, Intellectual Property Right (IPR) has become a major concern because these deep learning models can easily be replicated, shared, and re-distributed by any unauthorized third parties. To the best of our knowledge, one of the prominent deep learning models - Generative Adversarial Networks (GANs) which has been widely used to create photorealistic image are totally unprotected despite the existence of pioneering IPR protection methodology for Convolutional Neural Networks (CNNs). This paper therefore presents a complete protection framework in both black-box and white-box settings to enforce IPR protection on GANs. Empirically, we show that the proposed method does not compromise the original GANs performance (i.e. image generation, image super-resolution, style transfer), and at the same time, it is able to withstand both removal and ambiguity attacks against embedded watermarks.

Cryptography and Security,Artificial Intelligence,Computer Vision and Pattern Recognition

Yunming Zhang,Dengpan Ye,Sipeng Shen,Caiyun Xie,Ziyi Liu,Jiacheng Deng,Long Tang

2024-04-23

Abstract:The wide deployment of Face Recognition (FR) systems poses risks of privacy leakage. One countermeasure to address this issue is adversarial attacks, which deceive malicious FR searches but simultaneously interfere the normal identity verification of trusted authorizers. In this paper, we propose the first Double Privacy Guard (DPG) scheme based on traceable adversarial watermarking. DPG employs a one-time watermark embedding to deceive unauthorized FR models and allows authorizers to perform identity verification by extracting the watermark. Specifically, we propose an information-guided adversarial attack against FR models. The encoder embeds an identity-specific watermark into the deep feature space of the carrier, guiding recognizable features of the image to deviate from the source identity. We further adopt a collaborative meta-optimization strategy compatible with sub-tasks, which regularizes the joint optimization direction of the encoder and decoder. This strategy enhances the representation of universal carrier features, mitigating multi-objective optimization conflicts in watermarking. Experiments confirm that DPG achieves significant attack success rates and traceability accuracy on state-of-the-art FR models, exhibiting remarkable robustness that outperforms the existing privacy protection methods using adversarial attacks and deep watermarking, or simple combinations of the two. Our work potentially opens up new insights into proactive protection for FR privacy.

Cryptography and Security,Computer Vision and Pattern Recognition,Image and Video Processing

Qi Tian,Kun Kuang,Kelu Jiang,Furui Liu,Zhihua Wang,Fei Wu

DOI: https://doi.org/10.48550/arxiv.2212.01767

2022-01-01

Abstract: The success of deep learning is partly attributed to the availability of massive data downloaded freely from the Internet. However, it also means that users' private data may be collected by commercial organizations without consent and used to train their models. Therefore, it's important and necessary to develop a method or tool to prevent unauthorized data exploitation. In this paper, we propose ConfounderGAN, a generative adversarial network (GAN) that can make personal image data unlearnable to protect the data privacy of its owners. Specifically, the noise produced by the generator for each image has the confounder property. It can build spurious correlations between images and labels, so that the model cannot learn the correct mapping from images to labels in this noise-added dataset. Meanwhile, the discriminator is used to ensure that the generated noise is small and imperceptible, thereby remaining the normal utility of the encrypted image for humans. The experiments are conducted in six image classification datasets, consisting of three natural object datasets and three medical datasets. The results demonstrate that our method not only outperforms state-of-the-art methods in standard settings, but can also be applied to fast encryption scenarios. Moreover, we show a series of transferability and stability experiments to further illustrate the effectiveness and superiority of our method.

Mingfu Xue,Shichang Sun,Yushu Zhang,Jian Wang,Weiqiang Liu

DOI: https://doi.org/10.1007/s10489-022-03339-0

IF: 5.3

2022-03-24

Applied Intelligence

Abstract:Recently, the intellectual properties (IP) protection of deep neural networks (DNN) has attracted serious concerns. A number of DNN copyright protection methods have been proposed. However, most of the existing DNN watermarking methods can only verify the ownership of the model after the piracy occurs, which cannot actively prevent the occurrence of the piracy and do not support users' identities management, thus can not satisfy the requirements of commercial DNN copyright management. In addition, the query modification attack which was proposed recently can invalidate most of the existing backdoor-based DNN watermarking methods. In this paper, we propose an active intellectual properties protection technique for DNN models via stealthy backdoor and users' identities authentication. For the first time, we use a set of clean images (as the watermark key samples) to embed an additional class into the DNN for ownership verification, and use the image steganography to embed users' identity information into these watermark key images. Each user will be assigned with a unique identity image for identity authentication and authorization control. Since the backdoor instances are clean images outside the dataset, the backdoor trigger is visually imperceptible and concealed. In addition, we embed the watermark by exploiting an additional class outside the main tasks, which establishes a strong connection for watermark key samples and the corresponding label. As a result, the proposed method is concealed, robust, and can resist common attacks and query modification attack. Experimental results demonstrate that, the proposed method can obtain 100% watermark accuracy and 100% fingerprint authentication success rate on Fashion-MNIST and CIFAR-10 datasets. In addition, the proposed method is demonstrated to be robust against the model fine-tuning attack, model pruning attack, and query modification attack. Compared with three existing DNN watermarking methods, the proposed method has better performance on watermark accuracy and robustness against the query modification attack.

computer science, artificial intelligence

Zhenfei Chen,Tianqing Zhu,Ping Xiong,Chenguang Wang,Wei Ren

DOI: https://doi.org/10.1002/int.22356

IF: 8.993

2021-01-05

International Journal of Intelligent Systems

Abstract:<p>The importance of protecting personal information, like, a person's address or health history, is well known and commonly discussed. However, images also contain sensitive information that can compromise a person's privacy or be used for nefarious purposes. To date, most methods for preserving privacy with images have relied on obfuscation techniques, such as pixelation, blurring, or masking parts of the image. However, new face‐recognition technologies driven by deep learning are showing cracks in the old techniques. Moreover, faceless recognition is presenting a whole new set of challenges for image privacy. The core of these issues it is how to ensure privacy while still being able to see and use the image. Our solution is a model based on a generative adversarial network that protects identity information while preserving face features of the original image as much as possible. The premise is to generate a fake image of a face that shares all the same attributes as the original image, for example, a brown‐eyed child smiling. With this strategy, the image remains useful, but no person or algorithm could determine the identity of the pictured individual. The framework consists of three parts: a detection module, an image creation module, and an image transformation module. The detection module extracts the attribute labels. The image creation module generates images of faces, and the image transformation module transforms the fake features to match the attributes in the original image. A comprehensive set of experiments shows the effectiveness of the proposed framework.</p>

computer science, artificial intelligence

Xuyang Ding,Shuai Zhang,Mengkai Song,Xiaocong Ding,Fagen Li

DOI: https://doi.org/10.1109/jiot.2020.3008232

IF: 10.6

2021-01-15

IEEE Internet of Things Journal

Abstract:Deep neural networks (DNNs) can be utilized maliciously for compromising the privacy stored in electronic devices, e.g., identifying the images stored in a mobile phone connected to the Internet of Things (IoT). However, recent studies demonstrated that DNNs are vulnerable to adversarial examples, which are artificially designed perturbations in the original samples for misleading DNNs. Adversarial examples can be used to protect the DNN-based privacy leakage in mobile phones by replacing the photos with adversarial examples. To avoid affecting the normal use of photos, the adversarial examples need to be highly similar to original images. To handle a large number of photos stored in the devices at a proper time, the time efficiency of a method needs to be high enough. Previous methods cannot do well on both sides. In this article, we propose a broad class of selective gradient sign iterative algorithms to make adversarial examples useful in protecting the privacy of photos in IoT devices. By neglecting the unimportant image pixels in the iterative process of attacks according to the sort of first-order partial derivative, we control the optimization direction meticulously to reduce image distortions of adversarial examples without leveraging high time-consuming tricks. Extensive experimental results show that the proposed methods successfully fool the neural network classifiers for the image classification task with a small change in the visual effects and consume little calculating time simultaneously.

computer science, information systems,telecommunications,engineering, electrical & electronic

Ricardo Sanchez-Matilla,Chau Yi Li,Ali Shahin Shamsabadi,Riccardo Mazzon,Andrea Cavallaro

DOI: https://doi.org/10.48550/arXiv.2007.09766

2020-07-19

Computer Vision and Pattern Recognition

Abstract:Adversarial perturbations can be added to images to protect their content from unwanted inferences. These perturbations may, however, be ineffective against classifiers that were not {seen} during the generation of the perturbation, or against defenses {based on re-quantization, median filtering or JPEG compression. To address these limitations, we present an adversarial attack {that is} specifically designed to protect visual content against { unseen} classifiers and known defenses. We craft perturbations using an iterative process that is based on the Fast Gradient Signed Method and {that} randomly selects a classifier and a defense, at each iteration}. This randomization prevents an undesirable overfitting to a specific classifier or defense. We validate the proposed attack in both targeted and untargeted settings on the private classes of the Places365-Standard dataset. Using ResNet18, ResNet50, AlexNet and DenseNet161 {as classifiers}, the performance of the proposed attack exceeds that of eleven state-of-the-art attacks. The implementation is available at https://github.com/smartcameras/RP-FGSM/.

Yueyun Shang,Shunzhi Jiang,Dengpan Ye,Jiaqing Huang

DOI: https://doi.org/10.3390/math8091446

IF: 2.4

2020-08-28

Mathematics

Abstract:Steganography is a collection of techniques for concealing the existence of information by embedding it within a cover. With the development of deep learning, some novel steganography methods have appeared based on the autoencoder or generative adversarial networks. While the deep learning based steganography methods have the advantages of automatic generation and capacity, the security of the algorithm needs to improve. In this paper, we take advantage of the linear behavior of deep learning networks in higher space and propose a novel steganography scheme which enhances the security by adversarial example. The system is trained with different training settings on two datasets. The experiment results show that the proposed scheme could escape from deep learning steganalyzer detection. Besides, the produced stego could extract secret image with less distortion.

mathematics

Zheng Li,Chengyu Hu,Yang Zhang,Shanqing Guo

DOI: https://doi.org/10.48550/arXiv.1903.01743

2019-03-05

Cryptography and Security

Abstract:Deep learning techniques have made tremendous progress in a variety of challenging tasks, such as image recognition and machine translation, during the past decade. Training deep neural networks is computationally expensive and requires both human and intellectual resources. Therefore, it is necessary to protect the intellectual property of the model and externally verify the ownership of the model. However, previous studies either fail to defend against the evasion attack or have not explicitly dealt with fraudulent claims of ownership by adversaries. Furthermore, they can not establish a clear association between the model and the creator's identity. To fill these gaps, in this paper, we propose a novel intellectual property protection (IPP) framework based on blind-watermark for watermarking deep neural networks that meet the requirements of security and feasibility. Our framework accepts ordinary samples and the exclusive logo as inputs, outputting newly generated samples as watermarks, which are almost indistinguishable from the origin, and infuses these watermarks into DNN models by assigning specific labels, leaving the backdoor as the basis for our copyright claim. We evaluated our IPP framework on two benchmark datasets and 15 popular deep learning models. The results show that our framework successfully verifies the ownership of all the models without a noticeable impact on their primary task. Most importantly, we are the first to successfully design and implement a blind-watermark based framework, which can achieve state-of-art performances on undetectability against evasion attack and unforgeability against fraudulent claims of ownership. Further, our framework shows remarkable robustness and establishes a clear association between the model and the author's identity.

Donghua Wang,Wen Yao,Tingsong Jiang,Weien Zhou,Lang Lin,Xiaoqian Chen

DOI: https://doi.org/10.1016/j.neunet.2024.106391

IF: 7.8

2024-05-17

Neural Networks

Abstract:Wide deployment of deep neural networks (DNNs) based applications (e.g., style transfer, cartoonish), stimulating the need for copyright protection of such application's production. Though some traditional visible copyright techniques exist, they often introduce undesired artifacts and compromise the aesthetic quality of the images. In this paper, we propose a novel invisible, robust copyright protection method, which is composed of two networks: the copyright encoder and the copyright decoder. The former projects the copyright information to the invisible perturbation with the drive of both the input of images and copyright information, thereby adding it to the image and yielding encoded images. The copyright decoder extracts copyright information from encoded images. Moreover, a robustness module is integrated to enhance the decoder's ability to decipher images against various distortions encountered on social media platforms. Furthermore, the loss function is intricately designed, taking into account both feature space and color space, to guarantee the quality of encoded and decoded copyright images. Extensively objective and subjective experiments validate the effectiveness of the proposed method. Additionally, the physical test is conducted by posting the encoded images to social media (e.g., Weibo and Twitter) and downloading them to verify the feasibility of the proposed method in practice.

computer science, artificial intelligence,neurosciences

Jaydeep Borkar,Pin-Yu Chen

DOI: https://doi.org/10.48550/arXiv.2105.09685

2021-05-20

Abstract:There has been a rise in the use of Machine Learning as a Service (MLaaS) Vision APIs as they offer multiple services including pre-built models and algorithms, which otherwise take a huge amount of resources if built from scratch. As these APIs get deployed for high-stakes applications, it's very important that they are robust to different manipulations. Recent works have only focused on typical adversarial attacks when evaluating the robustness of vision APIs. We propose two new aspects of adversarial image generation methods and evaluate them on the robustness of Google Cloud Vision API's optical character recognition service and object detection APIs deployed in real-world settings such as <a class="link-external link-http" href="http://sightengine.com" rel="external noopener nofollow">this http URL</a>, <a class="link-external link-http" href="http://picpurify.com" rel="external noopener nofollow">this http URL</a>, Google Cloud Vision API, and Microsoft Azure's Computer Vision API. Specifically, we go beyond the conventional small-noise adversarial attacks and introduce secret embedding and transparent adversarial examples as a simpler way to evaluate robustness. These methods are so straightforward that even non-specialists can craft such attacks. As a result, they pose a serious threat where APIs are used for high-stakes applications. Our transparent adversarial examples successfully evade state-of-the art object detections APIs such as Azure Cloud Vision (attack success rate 52%) and Google Cloud Vision (attack success rate 36%). 90% of the images have a secret embedded text that successfully fools the vision of time-limited humans but is detected by Google Cloud Vision API's optical character recognition. Complementing to current research, our results provide simple but unconventional methods on robustness evaluation.

Computer Vision and Pattern Recognition,Artificial Intelligence,Cryptography and Security,Machine Learning

Shichang Sun,Mingfu Xue,Jian Wang,Weiqiang Liu

DOI: https://doi.org/10.1007/s10489-022-03339-0

2021-04-19

Abstract:Recently, the research on protecting the intellectual properties (IP) of deep neural networks (DNN) has attracted serious concerns. A number of DNN copyright protection methods have been proposed. However, most of the existing watermarking methods focus on verifying the copyright of the model, which do not support the authentication and management of users' fingerprints, thus can not satisfy the requirements of commercial copyright protection. In addition, the query modification attack which was proposed recently can invalidate most of the existing backdoor-based watermarking methods. To address these challenges, in this paper, we propose a method to protect the intellectual properties of DNN models by using an additional class and steganographic images. Specifically, we use a set of watermark key samples to embed an additional class into the DNN, so that the watermarked DNN will classify the watermark key sample as the predefined additional class in the copyright verification stage. We adopt the least significant bit (LSB) image steganography to embed users' fingerprints into watermark key images. Each user will be assigned with a unique fingerprint image so that the user's identity can be authenticated later. Experimental results demonstrate that, the proposed method can protect the copyright of DNN models effectively. On Fashion-MNIST and CIFAR-10 datasets, the proposed method can obtain 100% watermark accuracy and 100% fingerprint authentication success rate. In addition, the proposed method is demonstrated to be robust to the model fine-tuning attack, model pruning attack, and the query modification attack. Compared with three existing watermarking methods (the logo-based, noise-based, and adversarial frontier stitching watermarking methods), the proposed method has better performance on watermark accuracy and robustness against the query modification attack.

Artificial Intelligence