Xinyun Chen,Wenxiao Wang,Yiming Ding,Chris Bender,R. Jia,Bo Li,D. Song

2019-01-01

Abstract:Deep neural networks have achieved tremendous success in various fields; however, training these models from scratch could be computationally expensive and requires a lot of training data. Therefore, recent work has explored different watermarking techniques to protect the pre-trained deep neural networks from potential copyright infringements. Although several existing techniques could effectively embed such watermarks into the DNNs, they could be vulnerable to adversaries who aim at removing the watermarks. In this work, we demonstrate that a carefullydesigned fine-tuning method enables the adversary with limited training data to effectively remove the watermarks, without compromising the model functionality. In particular, leveraging auxiliary unlabeled data significantly decreases the amount of labeled training data needed for effective watermark removal, even if the unlabeled data samples are not drawn from the same distribution as the benign data for model evaluation.

Xiaoxuan Lou,Shangwei Guo,Jiwei Li,Tianwei Zhang

DOI: https://doi.org/10.1109/tcsvt.2022.3184644

IF: 5.859

2022-01-01

IEEE Transactions on Circuits and Systems for Video Technology

Abstract:Deep Neural Networks (DNN) are gaining higher commercial values in computer vision applications, e.g., image classification, video analytics, etc. This calls for urgent demands of the intellectual property (IP) protection of DNN models. In this paper, we present a novel watermarking scheme to achieve the ownership verification of DNN architectures. Existing works all embedded watermarks into the model parameters while treating the architecture as public property. These solutions were proven to be vulnerable by an adversary to detect or remove the watermarks. In contrast, we claim the model architectures as an important IP for model owners, and propose to implant watermarks into the architectures. We design new algorithms based on Neural Architecture Search (NAS) to generate watermarked architectures, which are unique enough to represent the ownership, while maintaining high model usability. Such watermarks can be extracted via side-channel-based model extraction techniques with high fidelity. We conduct comprehensive experiments on watermarked CNN models for image classification tasks and the experimental results show our scheme has negligible impact on the model performance, and exhibits strong robustness against various model transformations and adaptive attacks.

Xiuli Chai,Zongwei Tang,Zhihua Gan,Yang Lu,Binjie Wang,Yushu Zhang

DOI: https://doi.org/10.1016/j.bspc.2023.105877

IF: 5.1

2024-01-01

Biomedical Signal Processing and Control

Abstract:The development of the Internet of Medical Things heavily relies on big data, and data security based on medical images has become a growing concern in society. Digital watermarking serves as a crucial technique for protecting and tracing medical image data copyright, as well as enabling forensic analysis. However, existing deep watermarking methods often neglect the protection of watermarks after extraction, leading to potential copyright disputes. To address this issue, this paper proposes SE-NDEND, a novel symmetric watermarking framework with neural network-based chaotic encryption for the Internet of Medical Things that significantly enhances the effectiveness and security of watermarking while maintaining robustness. Specifically, the SE-NDEND leverages neural networks to simulate chaotic systems and generate chaotic sequences, mitigating the complexity and high cost of implementing chaotic systems using hardware circuits. Moreover, we introduce a new noise layer with Moire ' distortion that interacts with the decoder, forming a symmetric network structure that bolsters the robustness of watermarking. Parameters are jointly trained and shared during the training process to counteract potential interference from the noise layer. Experimental results validate the effectiveness of SE-NDEND in enhancing copyright protection, traceability, and forensic capabilities, surpassing existing deep learning methods in terms of visual quality (with PSNR of 45.8492 dB and SSIM of 0.9874), security, and robustness. The proposed framework can find application in protecting medical image data in the Internet of Medical Things.

Tong Zhou,Yukui Luo,Shaolei Ren,Xiaolin Xu

2023-08-17

Abstract:As a type of valuable intellectual property (IP), deep neural network (DNN) models have been protected by techniques like watermarking. However, such passive model protection cannot fully prevent model abuse. In this work, we propose an active model IP protection scheme, namely NNSplitter, which actively protects the model by splitting it into two parts: the obfuscated model that performs poorly due to weight obfuscation, and the model secrets consisting of the indexes and original values of the obfuscated weights, which can only be accessed by authorized users with the support of the trusted execution environment. Experimental results demonstrate the effectiveness of NNSplitter, e.g., by only modifying 275 out of over 11 million (i.e., 0.002%) weights, the accuracy of the obfuscated ResNet-18 model on CIFAR-10 can drop to 10%. Moreover, NNSplitter is stealthy and resilient against norm clipping and fine-tuning attacks, making it an appealing solution for DNN model protection. The code is available at: <a class="link-external link-https" href="https://github.com/Tongzhou0101/NNSplitter" rel="external noopener nofollow">this https URL</a>.

Machine Learning,Cryptography and Security

Zheng Li,Chengyu Hu,Yang Zhang,Shanqing Guo

DOI: https://doi.org/10.48550/arXiv.1903.01743

2019-03-05

Cryptography and Security

Abstract:Deep learning techniques have made tremendous progress in a variety of challenging tasks, such as image recognition and machine translation, during the past decade. Training deep neural networks is computationally expensive and requires both human and intellectual resources. Therefore, it is necessary to protect the intellectual property of the model and externally verify the ownership of the model. However, previous studies either fail to defend against the evasion attack or have not explicitly dealt with fraudulent claims of ownership by adversaries. Furthermore, they can not establish a clear association between the model and the creator's identity. To fill these gaps, in this paper, we propose a novel intellectual property protection (IPP) framework based on blind-watermark for watermarking deep neural networks that meet the requirements of security and feasibility. Our framework accepts ordinary samples and the exclusive logo as inputs, outputting newly generated samples as watermarks, which are almost indistinguishable from the origin, and infuses these watermarks into DNN models by assigning specific labels, leaving the backdoor as the basis for our copyright claim. We evaluated our IPP framework on two benchmark datasets and 15 popular deep learning models. The results show that our framework successfully verifies the ownership of all the models without a noticeable impact on their primary task. Most importantly, we are the first to successfully design and implement a blind-watermark based framework, which can achieve state-of-art performances on undetectability against evasion attack and unforgeability against fraudulent claims of ownership. Further, our framework shows remarkable robustness and establishes a clear association between the model and the author's identity.

Xiangyu Qi,Tinghao Xie,Ruizhe Pan,Jifeng Zhu,Yong Yang,Kai Bu

DOI: https://doi.org/10.1109/cvpr52688.2022.01299

2022-01-01

Abstract:One major goal of the AI security community is to securely and reliably produce and deploy deep learning models for real-world applications. To this end, data poisoning based backdoor attacks on deep neural networks (DNNs) in the production stage (or training stage) and corresponding defenses are extensively explored in recent years. Ironically, backdoor attacks in the deployment stage, which can often happen in unprofessional users’ devices and are thus arguably far more threatening in real-world scenarios, draw much less attention of the community. We attribute this imbalance of vigilance to the weak practicality of existing deployment-stage backdoor attack algorithms and the insufficiency of real-world attack demonstrations. To fill the blank, in this work, we study the realistic threat of deployment-stage backdoor attacks on DNNs. We base our study on a commonly used deployment-stage attack paradigm — adversarial weight attack, where adversaries selectively modify model weights to embed backdoor into deployed DNNs. To approach realistic practicality, we propose the first gray-box and physically realizable weights attack algorithm for backdoor injection, namely subnet replacement attack (SRA), which only requires architecture information of the victim model and can support physical triggers in the real world. Extensive experimental simulations and system-level real-world attack demonstrations are conducted. Our results not only suggest the effectiveness and practicality of the proposed attack algorithm, but also reveal the practical risk of a novel type of computer virus that may widely spread and stealthily inject backdoor into DNN models in user devices. By our study, we call for more attention to the vulnerability of DNNs in the deployment stage.

Ju Jia,Yueming Wu,Anran Li,Siqi Ma,Yang Liu

DOI: https://doi.org/10.1109/tdsc.2022.3194704

2022-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Recently, considerable progress has been made in providing solutions to prevent intellectual property (IP) theft for deep neural networks (DNNs) in ideal classification or recognition scenarios. However, little work has been dedicated to protecting the IP of DNN models in the context of transfer learning. Moreover, knowledge transfer is usually achieved through knowledge distillation or cross-domain distribution adaptation techniques, which will easily lead to the failure of the IP protection due to the high risk of the underlying DNN watermark being corrupted. To address this issue, we propose a subnetwork-lossless robust DNN watermarking (SRDW) framework, which can exploit out-of-distribution (OOD) guidance data augmentation to boost the robustness of watermarking. Specifically, we accurately seek the most rational modification structure (i.e., core subnetwork) using the module risk minimization, and then calculate the contrastive alignment error and the corresponding hash value as the reversible compensation information for the restoration of carrier network. Experimental results show that our scheme has superior robustness against various hostile attacks, such as fine-tuning, pruning, cross-domain matching, and overwriting. In the absence of malicious jamming attacks, the core subnetwork can be recovered without any loss. Besides that, we investigate how embedding watermarks in batch normalization (BN) layers affect the generalization performance of the deep transfer learning models, which reveals that reducing the embedding modifications in BN layers can further promote the robustness to resist hostile attacks.

computer science, information systems, software engineering, hardware & architecture

Zhiyu Wu,Mingfu Xue,Weiqiang Liu,Jian Wang,Yushu Zhang

DOI: https://doi.org/10.1109/TETC.2022.3231012

2021-05-28

IEEE Transactions on Emerging Topics in Computing

Abstract:The construction of Deep Neural Network (DNN) models requires high cost, thus a well-trained DNN model can be considered as intellectual property (IP) of the model owner. To date, many DNN IP protection methods have been proposed, but most of them are watermarking based verification methods where model owners can only verify their ownership passively after the copyright of DNN models has been infringed. In this article, we propose an effective framework to actively protect the DNN IP from infringement. Specifically, we encrypt a small number of model's parameters by perturbing them with well-crafted adversarial perturbations. With the encrypted parameters, the accuracy of the DNN model drops significantly, which can prevent malicious infringers from using the model. After the encryption, the positions of encrypted parameters and the values of the added adversarial perturbations form a secret key. Authorized user can use the secret key to decrypt the model on Machine Learning as a Service, while unauthorized user cannot use the model. Compared with the existing DNN watermarking methods which passively verify the ownership after the infringement occurs, the proposed method can prevent infringement in advance. Moreover, compared with few existing active DNN IP protection methods, the proposed method does not require additional training process of the model, thus introduces low computational overhead. Experimental results show that, after the encryption, the test accuracy of the model drops by 80.65%, 81.16%, and 87.91% on Fashion-MNIST (DenseNet), CIFAR-10 (ResNet), and GTSRB (AlexNet) datasets, respectively. Moreover, the proposed method only needs to encrypt an extremely low number of parameters. The proportion of the encrypted parameters in all the model's parameters is as low as 0.000205%. Experimental results also indicate that, the proposed method is robust against model fine-tuning attack, model pruning attack, and the adaptive attack where attackers know the detailed steps of the proposed method and all the parameters of the encrypted model.

Law,Computer Science

Peihao Li,Jie Huang,Huaqing Wu,Zeping Zhang,Chunyang Qi

DOI: https://doi.org/10.1016/j.neunet.2024.106199

IF: 7.8

2024-03-06

Neural Networks

Abstract:With the widespread application of deep neural networks (DNNs), the risk of privacy breaches against DNN models is constantly on the rise, resulting in an increasing need for intellectual property (IP) protection for such models. Although neural network watermarking techniques are widely used to safeguard the IP of DNNs, they can only achieve passive protection and cannot actively prevent unauthorized users from illicit use or embezzlement of the trained DNN models. Therefore, the development of proactive protection techniques to prevent IP infringement is imperative. To this end, we propose SecureNet, a key-based access license framework for DNN models. The proposed approach involves injecting license keys into the model through backdoor learning, enabling correct model functionality only when the appropriate license key is included in the input. To ensure the reusability of DNN models, we also propose a license key replacement algorithm. In addition, based on SecureNet, we designed defense mechanisms against adversarial attacks and backdoor attacks, respectively. Furthermore, we introduce a fine-grained authorization method that enables flexible granting of model permissions to different users. We have designed four license-key schemes with different privileges, tailored to various scenarios. We evaluated SecureNet on five benchmark datasets including MNIST, Cifar10, Cifar100, FaceScrub, and CelebA, and assessed its performance on six classic DNN models: LeNet-5, VGG16, ResNet18, ResNet101, NFNet-F5, and MobileNetV3. The results demonstrate that our approach outperforms the state-of-the-art model parameter encryption methods by at least 95% in terms of computational efficiency. Additionally, it provides effective defense against adversarial attacks and backdoor attacks without compromising the model's overall performance.

computer science, artificial intelligence,neurosciences

Jie Zhang,Dongdong Chen,Jing Liao,Weiming Zhang,Huamin Feng,Gang Hua,Nenghai Yu

DOI: https://doi.org/10.1109/tpami.2021.3064850

IF: 23.6

2022-01-01

IEEE Transactions on Pattern Analysis and Machine Intelligence

Abstract:Despite the tremendous success, deep neural networks are exposed to serious IP infringement risks. Given a target deep model, if the attacker knows its full information, it can be easily stolen by fine-tuning. Even if only its output is accessible, a surrogate model can be trained through student-teacher learning by generating many input-output training pairs. Therefore, deep model IP protection is important and necessary. However, it is still seriously under-researched. In this work, we propose a new model watermarking framework for protecting deep networks trained for low-level computer vision or image processing tasks. Specifically, a special task-agnostic barrier is added after the target model, which embeds a unified and invisible watermark into its outputs. When the attacker trains one surrogate model by using the input-output pairs of the barrier target model, the hidden watermark will be learned and extracted afterwards. To enable watermarks from binary bits to high-resolution images, a deep invisible watermarking mechanism is designed. By jointly training the target model and watermark embedding, the extra barrier can even be absorbed into the target model. Through extensive experiments, we demonstrate the robustness of the proposed framework, which can resist attacks with different network structures and objective functions.

Yuchen Sun,Tianpeng Liu,Panhe Hu,Qing Liao,Shaojing Fu,Nenghai Yu,Deke Guo,Yongxiang Liu,Li Liu

DOI: https://doi.org/10.48550/arXiv.2304.14613

2023-06-17

Abstract:Deep Neural Networks (DNNs), from AlexNet to ResNet to ChatGPT, have made revolutionary progress in recent years, and are widely used in various fields. The high performance of DNNs requires a huge amount of high-quality data, expensive computing hardware, and excellent DNN architectures that are costly to obtain. Therefore, trained DNNs are becoming valuable assets and must be considered the Intellectual Property (IP) of the legitimate owner who created them, in order to protect trained DNN models from illegal reproduction, stealing, redistribution, or abuse. Although being a new emerging and interdisciplinary field, numerous DNN model IP protection methods have been proposed. Given this period of rapid evolution, the goal of this paper is to provide a comprehensive survey of two mainstream DNN IP protection methods: deep watermarking and deep fingerprinting, with a proposed taxonomy. More than 190 research contributions are included in this survey, covering many aspects of Deep IP Protection: problem definition, main threats and challenges, merits and demerits of deep watermarking and deep fingerprinting methods, evaluation metrics, and performance discussion. We finish the survey by identifying promising directions for future research.

Artificial Intelligence,Cryptography and Security

Mingfu Xue,Shichang Sun,Yushu Zhang,Jian Wang,Weiqiang Liu

DOI: https://doi.org/10.1007/s10489-022-03339-0

IF: 5.3

2022-03-24

Applied Intelligence

Abstract:Recently, the intellectual properties (IP) protection of deep neural networks (DNN) has attracted serious concerns. A number of DNN copyright protection methods have been proposed. However, most of the existing DNN watermarking methods can only verify the ownership of the model after the piracy occurs, which cannot actively prevent the occurrence of the piracy and do not support users' identities management, thus can not satisfy the requirements of commercial DNN copyright management. In addition, the query modification attack which was proposed recently can invalidate most of the existing backdoor-based DNN watermarking methods. In this paper, we propose an active intellectual properties protection technique for DNN models via stealthy backdoor and users' identities authentication. For the first time, we use a set of clean images (as the watermark key samples) to embed an additional class into the DNN for ownership verification, and use the image steganography to embed users' identity information into these watermark key images. Each user will be assigned with a unique identity image for identity authentication and authorization control. Since the backdoor instances are clean images outside the dataset, the backdoor trigger is visually imperceptible and concealed. In addition, we embed the watermark by exploiting an additional class outside the main tasks, which establishes a strong connection for watermark key samples and the corresponding label. As a result, the proposed method is concealed, robust, and can resist common attacks and query modification attack. Experimental results demonstrate that, the proposed method can obtain 100% watermark accuracy and 100% fingerprint authentication success rate on Fashion-MNIST and CIFAR-10 datasets. In addition, the proposed method is demonstrated to be robust against the model fine-tuning attack, model pruning attack, and query modification attack. Compared with three existing DNN watermarking methods, the proposed method has better performance on watermark accuracy and robustness against the query modification attack.

computer science, artificial intelligence

Sen Peng,Yufei Chen,Jie Xu,Zizhuo Chen,Cong Wang,Xiaohua Jia

DOI: https://doi.org/10.1007/s11280-022-01113-3

2022-11-24

World Wide Web

Abstract:Deep learning has been widely applied in solving many tasks, such as image recognition, speech recognition, and natural language processing. It requires a high-quality dataset, advanced expert knowledge, and enormous computation to train a large-scale Deep Neural Network (DNN) model, which makes it valuable enough to be protected as Intellectual Property (IP). Defending DNN models against IP violations such as illegal usage, replication, and reproduction is particularly important to the healthy development of deep learning techniques. Many approaches have been developed to protect the DNN model IP, such as DNN watermarking, DNN fingerprinting, DNN authentication, and inference perturbation. Given its significant importance, DNN IP protection is still in its infancy stage. In this paper, we present a comprehensive survey of the existing DNN IP protection approaches. We first summarize the deployment mode for DNN models and describe the DNN IP protection problem. Then we categorize the existing protection approaches based on their protection strategies and introduce them in detail. Finally, we compare these approaches and discuss future research topics in DNN IP protection.

Chaohui Xu,Qi Cui,Jinxin Dong,Weiyang He,Chip-Hong Chang

2024-09-29

Abstract:Illegitimate reproduction, distribution and derivation of Deep Neural Network (DNN) models can inflict economic loss, reputation damage and even privacy infringement. Passive DNN intellectual property (IP) protection methods such as watermarking and fingerprinting attempt to prove the ownership upon IP violation, but they are often too late to stop catastrophic damage of IP abuse and too feeble against strong adversaries. In this paper, we propose IDEA, an Inverse Domain Expert Adaptation based proactive DNN IP protection method featuring active authorization and source traceability. IDEA generalizes active authorization as an inverse problem of domain adaptation. The multi-adaptive optimization is solved by a mixture-of-experts model with one real and two fake experts. The real expert re-optimizes the source model to correctly classify test images with a unique model user key steganographically embedded. The fake experts are trained to output random prediction on test images without or with incorrect user key embedded by minimizing their mutual information (MI) with the real expert. The MoE model is knowledge distilled into a unified protected model to avoid leaking the expert model features by maximizing their MI with additional multi-layer attention and contrastive representation loss optimization. IDEA not only prevents unauthorized users without the valid key to access the functional model, but also enable the model owner to validate the deployed model and trace the source of IP infringement. We extensively evaluate IDEA on five datasets and four DNN models to demonstrate its effectiveness in authorization control, culprit tracing success rate, and robustness against various attacks.

Cryptography and Security,Artificial Intelligence,Computer Vision and Pattern Recognition,Machine Learning

Yifan Yan,Xudong Pan,Mi Zhang,Min Yang

DOI: https://doi.org/10.48550/arxiv.2303.09732

2023-01-01

Abstract:Copyright protection for deep neural networks (DNNs) is an urgent need for AI corporations. To trace illegally distributed model copies, DNN watermarking is an emerging technique for embedding and verifying secret identity messages in the prediction behaviors or the model internals. Sacrificing less functionality and involving more knowledge about the target DNN, the latter branch called white-box DNN watermarking is believed to be accurate, credible and secure against most known watermark removal attacks, with emerging research efforts in both the academy and the industry. In this paper, we present the first systematic study on how the mainstream white-box DNN watermarks are commonly vulnerable to neural structural obfuscation with dummy neurons, a group of neurons which can be added to a target model but leave the model behavior invariant. Devising a comprehensive framework to automatically generate and inject dummy neurons with high stealthiness, our novel attack intensively modifies the architecture of the target model to inhibit the success of watermark verification. With extensive evaluation, our work for the first time shows that nine published watermarking schemes require amendments to their verification procedures.

Yifan Yan,Xudong Pan,Yining Wang,Mi Zhang,Min Yang

DOI: https://doi.org/10.48550/arXiv.2205.00199

2022-05-19

Abstract:Recently, how to protect the Intellectual Property (IP) of deep neural networks (DNN) becomes a major concern for the AI industry. To combat potential model piracy, recent works explore various watermarking strategies to embed secret identity messages into the prediction behaviors or the internals (e.g., weights and neuron activation) of the target model. Sacrificing less functionality and involving more knowledge about the target model, the latter branch of watermarking schemes (i.e., white-box model watermarking) is claimed to be accurate, credible and secure against most known watermark removal attacks, with emerging research efforts and applications in the industry. In this paper, we present the first effective removal attack which cracks almost all the existing white-box watermarking schemes with provably no performance overhead and no required prior knowledge. By analyzing these IP protection mechanisms at the granularity of neurons, we for the first time discover their common dependence on a set of fragile features of a local neuron group, all of which can be arbitrarily tampered by our proposed chain of invariant neuron transforms. On $9$ state-of-the-art white-box watermarking schemes and a broad set of industry-level DNN architectures, our attack for the first time reduces the embedded identity message in the protected models to be almost random. Meanwhile, unlike known removal attacks, our attack requires no prior knowledge on the training data distribution or the adopted watermark algorithms, and leaves model functionality intact.

Cryptography and Security,Computer Vision and Pattern Recognition,Machine Learning

Wei Jiang,Ziwei Song,Jinyu Zhan,Di Liu,Jiafu Wan

DOI: https://doi.org/10.1109/tii.2022.3155112

IF: 12.3

2022-01-01

IEEE Transactions on Industrial Informatics

Abstract:Although deep neural networks (DNNs) have been increasingly applied in industrial cyber physical systems (ICPSs), they are vulnerable to security attacks due to the tight interaction between cyber elements and physical elements. In this article, we aim to protect the core IP of DNNs, i.e., the model weights, against security attacks. Different from conventional approaches, a layerwise protection framework is proposed to ensure the confidentiality of DNN model weights during the inference procedure such that the security quality is maximized, while satisfying the latency constraint of the DNN task. Based on the layerwise execution characteristics of DNN tasks, the encrypted layer-related weights are decrypted and fed to the next layer of DNN in plaintext. CPU-field programmable gate array (FPGA) coscheduling is considered to accelerate the execution of confidentiality protection, where CPU is utilized to conduct the decryption of weights and FPGA is used to perform the layer execution of DNN. Considering to provide optimal confidential protection for each layer, the problem is transformed into a quality of security maximization problem subject to layerwise execution constraint and deadline constraint of the DNN application. Due to the problem being NP-hard, a fast approximation algorithm is proposed to obtain the near-optimal solution under given real-time and security constraints. Extensive experiments and a real-life ICPS application evaluate the efficiency of the proposed techniques.

automation & control systems,computer science, interdisciplinary applications,engineering, industrial

Meng Li,Qi Zhong,Leo Yu Zhang,Yajuan Du,Jun Zhang,Yong Xiangt,Yong Xiang

DOI: https://doi.org/10.1109/trustcom50675.2020.00062

2020-12-01

Abstract:Similar to other digital assets, deep neural network (DNN) models could suffer from piracy threat initiated by insider and/or outsider adversaries due to their inherent commercial value. DNN watermarking is a promising technique to mitigate this threat to intellectual property. This work focuses on black-box DNN watermarking, with which an owner can only verify his ownership by issuing special trigger queries to a remote suspicious model. However, informed attackers, who are aware of the watermark and somehow obtain the triggers, could forge fake triggers to claim their ownerships since the poor robustness of triggers and the lack of correlation between the model and the owner identity. This consideration calls for new watermarking methods that can achieve better trade-off for addressing the discrepancy. In this paper, we exploit frequency domain image watermarking to generate triggers and build our DNN watermarking algorithm accordingly. Since watermarking in the frequency domain is high concealment and robust to signal processing operation, the proposed algorithm is superior to existing schemes in resisting fraudulent claim attack. Besides, extensive experimental results on 3 datasets and 8 neural networks demonstrate that the proposed DNN watermarking algorithm achieves similar performance on functionality metrics and better performance on security metrics when compared with existing algorithms.

Jiangfeng Wang,Hanzhou Wu,Xinpeng Zhang,Yuwei Yao

DOI: https://doi.org/10.2352/issn.2470-1173.2020.4.mwsf-022

2020-01-01

Abstract:Recent advances in deep learning (DL) have led to great success in tasks of computer vision and pattern recognition. Sharing pre-trained DL models has been an important means to promote the rapid progress of research community and development of DL based systems. However, it also raises challenges to model authentication. It is quite necessary to protect the ownership of the DL models to be released. In this paper, we present a digital watermarking technique to deep neural networks (DNNs). We propose to mark a DNN by inserting an independent neural network that allows us to use selective weights for watermarking. The independent neural network is only used in the training phase and watermark verification phase, and will not be released publicly. Experiments have shown that, the performance of marked DNN on its original task will not be degraded significantly. Meantime, the watermark can be successfully embedded and extracted with a low neural network loss even under the common attacks including model fine-tuning and compression, which has shown the superiority and applicability of the proposed work.

Hanwen Liu,Zhenyu Weng,Yuesheng Zhu

2021-01-01

Abstract:Deep neural networks (DNNs) are considered as intellectual property of their corresponding owners and thus are in urgent need of ownership protection, due to the massive amount of time and resources invested in designing, tuning and training them. In this paper, we propose a novel watermark-based ownership protection method by using the residuals of important parameters. Different from other watermark-based ownership protection methods that rely on some specific neural network architectures and during verification require external data source, namely ownership indicators, our method does not explicitly use ownership indicators for verification to defeat various attacks against DNN watermarks. Specifically, we greedily select a few and important model parameters for embedding so that the impairment caused by the changed parameters can be reduced and the robustness against different attacks can be improved as the selected parameters can well preserve the model information. Also, without the external data sources for verification, the adversary can hardly cast doubts on ownership verification by forging counterfeit watermarks. The extensive experiments show that our method outperforms previous state-of-the-art methods in five tasks.