Mingfu Xue,Yinghao Wu,Yushu Zhang,Jian Wang,Weiqiang Liu

DOI: https://doi.org/10.1007/s10489-022-03926-1

2021-09-16

Abstract:Training high performance Deep Neural Networks (DNNs) models require large-scale and high-quality datasets. The expensive cost of collecting and annotating large-scale datasets make the valuable datasets can be considered as the Intellectual Property (IP) of the dataset owner. To date, almost all the copyright protection schemes for deep learning focus on the copyright protection of models, while the copyright protection of the dataset is rarely studied. In this paper, we propose a novel method to actively protect the dataset from being used to train DNN models without authorization. Experimental results on on CIFAR-10 and TinyImageNet datasets demonstrate the effectiveness of the proposed method. Compared with the model trained on clean dataset, the proposed method can effectively make the test accuracy of the unauthorized model trained on protected dataset drop from 86.21% to 38.23% and from 74.00% to 16.20% on CIFAR-10 and TinyImageNet datasets, respectively.

Cryptography and Security

Kejiang Chen,Xianhan Zeng,Qichao Ying,Sheng Li,Zhenxing Qian,Xinpeng Zhang

DOI: https://doi.org/10.48550/arXiv.2112.14420

2021-12-29

Abstract:Deep learning has achieved enormous success in various industrial applications. Companies do not want their valuable data to be stolen by malicious employees to train pirated models. Nor do they wish the data analyzed by the competitors after using them online. We propose a novel solution for dataset protection in this scenario by robustly and reversibly transform the images into adversarial images. We develop a reversible adversarial example generator (RAEG) that introduces slight changes to the images to fool traditional classification models. Even though malicious attacks train pirated models based on the defensed versions of the protected images, RAEG can significantly weaken the functionality of these models. Meanwhile, the reversibility of RAEG ensures the performance of authorized models. Extensive experiments demonstrate that RAEG can better protect the data with slight distortion against adversarial defense than previous methods.

Computer Vision and Pattern Recognition,Image and Video Processing

Junfeng Guo,Yiming Li,Lixu Wang,Shu-Tao Xia,Heng Huang,Cong Liu,Bo Li

DOI: https://doi.org/10.48550/arXiv.2310.14942

2023-11-05

Abstract:The prosperity of deep neural networks (DNNs) is largely benefited from open-source datasets, based on which users can evaluate and improve their methods. In this paper, we revisit backdoor-based dataset ownership verification (DOV), which is currently the only feasible approach to protect the copyright of open-source datasets. We reveal that these methods are fundamentally harmful given that they could introduce malicious misclassification behaviors to watermarked DNNs by the adversaries. In this paper, we design DOV from another perspective by making watermarked models (trained on the protected dataset) correctly classify some `hard' samples that will be misclassified by the benign model. Our method is inspired by the generalization property of DNNs, where we find a \emph{hardly-generalized domain} for the original dataset (as its \emph{domain watermark}). It can be easily learned with the protected dataset containing modified samples. Specifically, we formulate the domain generation as a bi-level optimization and propose to optimize a set of visually-indistinguishable clean-label modified data with similar effects to domain-watermarked samples from the hardly-generalized domain to ensure watermark stealthiness. We also design a hypothesis-test-guided ownership verification via our domain watermark and provide the theoretical analyses of our method. Extensive experiments on three benchmark datasets are conducted, which verify the effectiveness of our method and its resistance to potential adaptive methods. The code for reproducing main experiments is available at \url{<a class="link-external link-https" href="https://github.com/JunfengGo/Domain-Watermark" rel="external noopener nofollow">this https URL</a>}.

Computer Vision and Pattern Recognition,Artificial Intelligence,Cryptography and Security,Machine Learning

Pang Zilong,Wang Mingxu,Cao Lvchen,Chai Xiuli,Gan Zhihua

DOI: https://doi.org/10.1007/s10489-022-04416-0

IF: 5.3

2023-01-01

Applied Intelligence

Abstract:The cost of collecting and labeling open-sourced datasets which promote the development of deep learning is expensive. Thus, it is important to design an efficient open-sourced data set protection algorithm to detect the open-sourced data sets used in illegal ways. In this paper, a protection algorithm based on adaptive robust blind-watermark is proposed suitable for multiple paired open-sourced datasets, and the evaluation criteria of the algorithm are defined. Specifically, in the embed stage, the highly concealed of the watermark is realized by combining UNet and double GAN to take into account the local and global features of the carrier and the watermark image. A preprocess network is used in the Embedding network to adapt different watermark size. In the extraction part, a modified feature sharing UNet with GAN is used to ensure robustness of the extraction network. Paired datasets are used for training to ensure accurate extraction of watermarks. After the target model is trained using the watermarked dataset, its inference output will contain watermark information. When it is believed that a suspicious model is illegally trained with the dataset, it can be verified by the watermark extracted from inference output of the suspicious model. We evaluate our method on three target models including nine datasets. The results show that our framework successfully verifies the dataset used illegally and without a noticeable impact on the target model task when training with the watermark dataset.

Yiming Li,Mingyan Zhu,Xue Yang,Yong Jiang,Tao Wei,Shu-Tao Xia

DOI: https://doi.org/10.1109/tifs.2023.3265535

IF: 7.231

2023-04-21

IEEE Transactions on Information Forensics and Security

Abstract:Deep learning, especially deep neural networks (DNNs), has been widely and successfully adopted in many critical applications for its high effectiveness and efficiency. The rapid development of DNNs has benefited from the existence of some high-quality datasets ( ., ImageNet), which allow researchers and developers to easily verify the performance of their methods. Currently, almost all existing released datasets require that they can only be adopted for academic or educational purposes rather than commercial purposes without permission. However, there is still no good way to ensure that. In this paper, we formulate the protection of released datasets as verifying whether they are adopted for training a (suspicious) third-party model, where defenders can only query the model while having no information about its parameters and training details. Based on this formulation, we propose to embed external patterns via backdoor watermarking for the ownership verification to protect them. Our method contains two main parts, including dataset watermarking and dataset verification. Specifically, we exploit poison-only backdoor attacks ( ., BadNets) for dataset watermarking and design a hypothesis-test-guided method for dataset verification. We also provide some theoretical analyses of our methods. Experiments on multiple benchmark datasets of different tasks are conducted, which verify the effectiveness of our method. The code for reproducing main experiments is available at https://github.com/THUYimingLi/DVBW.

computer science, theory & methods,engineering, electrical & electronic

Chaohui Xu,Qi Cui,Jinxin Dong,Weiyang He,Chip-Hong Chang

2024-09-29

Abstract:Illegitimate reproduction, distribution and derivation of Deep Neural Network (DNN) models can inflict economic loss, reputation damage and even privacy infringement. Passive DNN intellectual property (IP) protection methods such as watermarking and fingerprinting attempt to prove the ownership upon IP violation, but they are often too late to stop catastrophic damage of IP abuse and too feeble against strong adversaries. In this paper, we propose IDEA, an Inverse Domain Expert Adaptation based proactive DNN IP protection method featuring active authorization and source traceability. IDEA generalizes active authorization as an inverse problem of domain adaptation. The multi-adaptive optimization is solved by a mixture-of-experts model with one real and two fake experts. The real expert re-optimizes the source model to correctly classify test images with a unique model user key steganographically embedded. The fake experts are trained to output random prediction on test images without or with incorrect user key embedded by minimizing their mutual information (MI) with the real expert. The MoE model is knowledge distilled into a unified protected model to avoid leaking the expert model features by maximizing their MI with additional multi-layer attention and contrastive representation loss optimization. IDEA not only prevents unauthorized users without the valid key to access the functional model, but also enable the model owner to validate the deployed model and trace the source of IP infringement. We extensively evaluate IDEA on five datasets and four DNN models to demonstrate its effectiveness in authorization control, culprit tracing success rate, and robustness against various attacks.

Cryptography and Security,Artificial Intelligence,Computer Vision and Pattern Recognition,Machine Learning

Yiming Li,Yang Bai,Yong Jiang,Yong Yang,Shu-Tao Xia,Bo Li

DOI: https://doi.org/10.48550/arXiv.2210.00875

2023-04-05

Abstract:Deep neural networks (DNNs) have demonstrated their superiority in practice. Arguably, the rapid development of DNNs is largely benefited from high-quality (open-sourced) datasets, based on which researchers and developers can easily evaluate and improve their learning methods. Since the data collection is usually time-consuming or even expensive, how to protect their copyrights is of great significance and worth further exploration. In this paper, we revisit dataset ownership verification. We find that existing verification methods introduced new security risks in DNNs trained on the protected dataset, due to the targeted nature of poison-only backdoor watermarks. To alleviate this problem, in this work, we explore the untargeted backdoor watermarking scheme, where the abnormal model behaviors are not deterministic. Specifically, we introduce two dispersibilities and prove their correlation, based on which we design the untargeted backdoor watermark under both poisoned-label and clean-label settings. We also discuss how to use the proposed untargeted backdoor watermark for dataset ownership verification. Experiments on benchmark datasets verify the effectiveness of our methods and their resistance to existing backdoor defenses. Our codes are available at \url{<a class="link-external link-https" href="https://github.com/THUYimingLi/Untargeted_Backdoor_Watermark" rel="external noopener nofollow">this https URL</a>}.

Cryptography and Security,Artificial Intelligence,Computer Vision and Pattern Recognition,Machine Learning

Zheng Li,Chengyu Hu,Yang Zhang,Shanqing Guo

DOI: https://doi.org/10.48550/arXiv.1903.01743

2019-03-05

Cryptography and Security

Abstract:Deep learning techniques have made tremendous progress in a variety of challenging tasks, such as image recognition and machine translation, during the past decade. Training deep neural networks is computationally expensive and requires both human and intellectual resources. Therefore, it is necessary to protect the intellectual property of the model and externally verify the ownership of the model. However, previous studies either fail to defend against the evasion attack or have not explicitly dealt with fraudulent claims of ownership by adversaries. Furthermore, they can not establish a clear association between the model and the creator's identity. To fill these gaps, in this paper, we propose a novel intellectual property protection (IPP) framework based on blind-watermark for watermarking deep neural networks that meet the requirements of security and feasibility. Our framework accepts ordinary samples and the exclusive logo as inputs, outputting newly generated samples as watermarks, which are almost indistinguishable from the origin, and infuses these watermarks into DNN models by assigning specific labels, leaving the backdoor as the basis for our copyright claim. We evaluated our IPP framework on two benchmark datasets and 15 popular deep learning models. The results show that our framework successfully verifies the ownership of all the models without a noticeable impact on their primary task. Most importantly, we are the first to successfully design and implement a blind-watermark based framework, which can achieve state-of-art performances on undetectability against evasion attack and unforgeability against fraudulent claims of ownership. Further, our framework shows remarkable robustness and establishes a clear association between the model and the author's identity.

Yiming Li,Ziqi Zhang,Jiawang Bai,Baoyuan Wu,Yong Jiang,Shu-Tao Xia

DOI: https://doi.org/10.48550/arXiv.2010.05821

2020-10-12

Cryptography and Security

Abstract:The rapid development of deep learning has benefited from the release of some high-quality open-sourced datasets ($e.g.$, ImageNet), which allows researchers to easily verify the effectiveness of their algorithms. Almost all existing open-sourced datasets require that they can only be adopted for academic or educational purposes rather than commercial purposes, whereas there is still no good way to protect them. In this paper, we propose a \emph{backdoor embedding based dataset watermarking} method to protect an open-sourced image-classification dataset by verifying whether it is used for training a third-party model. Specifically, the proposed method contains two main processes, including \emph{dataset watermarking} and \emph{dataset verification}. We adopt classical poisoning-based backdoor attacks ($e.g.$, BadNets) for dataset watermarking, ie, generating some poisoned samples by adding a certain trigger ($e.g.$, a local patch) onto some benign samples, labeled with a pre-defined target class. Based on the proposed backdoor-based watermarking, we use a hypothesis test guided method for dataset verification based on the posterior probability generated by the suspicious third-party model of the benign samples and their correspondingly watermarked samples ($i.e.$, images with trigger) on the target class. Experiments on some benchmark datasets are conducted, which verify the effectiveness of the proposed method.

Yiming Li,Mingyan Zhu,Xue Yang,Yong Jiang,Shu-Tao Xia

DOI: https://doi.org/10.48550/arxiv.2209.06015

2022-01-01

Abstract:Deep learning, especially deep neural networks (DNNs), has been widely and successfully adopted in many critical applications for its high effectiveness and efficiency. The rapid development of DNNs has benefited from the existence of some high-quality datasets ($e.g.$, ImageNet), which allow researchers and developers to easily verify the performance of their methods. Currently, almost all existing released datasets require that they can only be adopted for academic or educational purposes rather than commercial purposes without permission. However, there is still no good way to ensure that. In this paper, we formulate the protection of released datasets as verifying whether they are adopted for training a (suspicious) third-party model, where defenders can only query the model while having no information about its parameters and training details. Based on this formulation, we propose to embed external patterns via backdoor watermarking for the ownership verification to protect them. Our method contains two main parts, including dataset watermarking and dataset verification. Specifically, we exploit poison-only backdoor attacks ($e.g.$, BadNets) for dataset watermarking and design a hypothesis-test-guided method for dataset verification. Experiments on multiple benchmark datasets of different tasks are conducted, which verify the effectiveness of our method. The code for reproducing main experiments is available at \url{https://github.com/THUYimingLi/DVBW}.

Shichang Sun,Mingfu Xue,Jian Wang,Weiqiang Liu

DOI: https://doi.org/10.1007/s10489-022-03339-0

2021-04-19

Abstract:Recently, the research on protecting the intellectual properties (IP) of deep neural networks (DNN) has attracted serious concerns. A number of DNN copyright protection methods have been proposed. However, most of the existing watermarking methods focus on verifying the copyright of the model, which do not support the authentication and management of users' fingerprints, thus can not satisfy the requirements of commercial copyright protection. In addition, the query modification attack which was proposed recently can invalidate most of the existing backdoor-based watermarking methods. To address these challenges, in this paper, we propose a method to protect the intellectual properties of DNN models by using an additional class and steganographic images. Specifically, we use a set of watermark key samples to embed an additional class into the DNN, so that the watermarked DNN will classify the watermark key sample as the predefined additional class in the copyright verification stage. We adopt the least significant bit (LSB) image steganography to embed users' fingerprints into watermark key images. Each user will be assigned with a unique fingerprint image so that the user's identity can be authenticated later. Experimental results demonstrate that, the proposed method can protect the copyright of DNN models effectively. On Fashion-MNIST and CIFAR-10 datasets, the proposed method can obtain 100% watermark accuracy and 100% fingerprint authentication success rate. In addition, the proposed method is demonstrated to be robust to the model fine-tuning attack, model pruning attack, and the query modification attack. Compared with three existing watermarking methods (the logo-based, noise-based, and adversarial frontier stitching watermarking methods), the proposed method has better performance on watermark accuracy and robustness against the query modification attack.

Artificial Intelligence

Mingfu Xue,Yushu Zhang,Jian Wang,Weiqiang Liu

DOI: https://doi.org/10.1109/tai.2021.3133824

2021-01-01

IEEE Transactions on Artificial Intelligence

Abstract:The training and creation of deep learning model is usually costly, thus the trained model can be regarded as an intellectual property (IP) of the model creator. However, malicious users who obtain high-performance models may illegally copy, redistribute, or abuse the models without permission. To deal with such security threats, a few deep neural networks (DNN) IP protection methods have been proposed in recent years. This article attempts to provide a review of the existing DNN IP protection works and also an outlook. First, we propose the first taxonomy for DNN IP protection methods in terms of six attributesscenario, mechanism, capacity, type, function, and target models. Then, we present a survey on existing DNN IP protection works in terms of the above six attributes, especially focusing on the challenges these methods face, whether these methods can provide proactive protection, and their resistances to different levels of attacks. After that, we analyze the potential attacks on DNN IP protection methods from the aspects of model modifications, evasion attacks, and active attacks. Besides, a systematic evaluation method for DNN IP protection methods with respect to basic functional metrics, attack-resistance metrics, and customized metrics for different application scenarios is given. Finally, challenges and future research opportunities on DNN IP protection are presented.

Mingfu Xue,Shichang Sun,Yushu Zhang,Jian Wang,Weiqiang Liu

DOI: https://doi.org/10.1007/s10489-022-03339-0

IF: 5.3

2022-03-24

Applied Intelligence

Abstract:Recently, the intellectual properties (IP) protection of deep neural networks (DNN) has attracted serious concerns. A number of DNN copyright protection methods have been proposed. However, most of the existing DNN watermarking methods can only verify the ownership of the model after the piracy occurs, which cannot actively prevent the occurrence of the piracy and do not support users' identities management, thus can not satisfy the requirements of commercial DNN copyright management. In addition, the query modification attack which was proposed recently can invalidate most of the existing backdoor-based DNN watermarking methods. In this paper, we propose an active intellectual properties protection technique for DNN models via stealthy backdoor and users' identities authentication. For the first time, we use a set of clean images (as the watermark key samples) to embed an additional class into the DNN for ownership verification, and use the image steganography to embed users' identity information into these watermark key images. Each user will be assigned with a unique identity image for identity authentication and authorization control. Since the backdoor instances are clean images outside the dataset, the backdoor trigger is visually imperceptible and concealed. In addition, we embed the watermark by exploiting an additional class outside the main tasks, which establishes a strong connection for watermark key samples and the corresponding label. As a result, the proposed method is concealed, robust, and can resist common attacks and query modification attack. Experimental results demonstrate that, the proposed method can obtain 100% watermark accuracy and 100% fingerprint authentication success rate on Fashion-MNIST and CIFAR-10 datasets. In addition, the proposed method is demonstrated to be robust against the model fine-tuning attack, model pruning attack, and query modification attack. Compared with three existing DNN watermarking methods, the proposed method has better performance on watermark accuracy and robustness against the query modification attack.

computer science, artificial intelligence

Zhiyu Wu,Mingfu Xue,Weiqiang Liu,Jian Wang,Yushu Zhang

DOI: https://doi.org/10.1109/TETC.2022.3231012

2021-05-28

IEEE Transactions on Emerging Topics in Computing

Abstract:The construction of Deep Neural Network (DNN) models requires high cost, thus a well-trained DNN model can be considered as intellectual property (IP) of the model owner. To date, many DNN IP protection methods have been proposed, but most of them are watermarking based verification methods where model owners can only verify their ownership passively after the copyright of DNN models has been infringed. In this article, we propose an effective framework to actively protect the DNN IP from infringement. Specifically, we encrypt a small number of model's parameters by perturbing them with well-crafted adversarial perturbations. With the encrypted parameters, the accuracy of the DNN model drops significantly, which can prevent malicious infringers from using the model. After the encryption, the positions of encrypted parameters and the values of the added adversarial perturbations form a secret key. Authorized user can use the secret key to decrypt the model on Machine Learning as a Service, while unauthorized user cannot use the model. Compared with the existing DNN watermarking methods which passively verify the ownership after the infringement occurs, the proposed method can prevent infringement in advance. Moreover, compared with few existing active DNN IP protection methods, the proposed method does not require additional training process of the model, thus introduces low computational overhead. Experimental results show that, after the encryption, the test accuracy of the model drops by 80.65%, 81.16%, and 87.91% on Fashion-MNIST (DenseNet), CIFAR-10 (ResNet), and GTSRB (AlexNet) datasets, respectively. Moreover, the proposed method only needs to encrypt an extremely low number of parameters. The proportion of the encrypted parameters in all the model's parameters is as low as 0.000205%. Experimental results also indicate that, the proposed method is robust against model fine-tuning attack, model pruning attack, and the adaptive attack where attackers know the detailed steps of the proposed method and all the parameters of the encrypted model.

Law,Computer Science

Sen Peng,Yufei Chen,Jie Xu,Zizhuo Chen,Cong Wang,Xiaohua Jia

DOI: https://doi.org/10.1007/s11280-022-01113-3

2022-11-24

World Wide Web

Abstract:Deep learning has been widely applied in solving many tasks, such as image recognition, speech recognition, and natural language processing. It requires a high-quality dataset, advanced expert knowledge, and enormous computation to train a large-scale Deep Neural Network (DNN) model, which makes it valuable enough to be protected as Intellectual Property (IP). Defending DNN models against IP violations such as illegal usage, replication, and reproduction is particularly important to the healthy development of deep learning techniques. Many approaches have been developed to protect the DNN model IP, such as DNN watermarking, DNN fingerprinting, DNN authentication, and inference perturbation. Given its significant importance, DNN IP protection is still in its infancy stage. In this paper, we present a comprehensive survey of the existing DNN IP protection approaches. We first summarize the deployment mode for DNN models and describe the DNN IP protection problem. Then we categorize the existing protection approaches based on their protection strategies and introduce them in detail. Finally, we compare these approaches and discuss future research topics in DNN IP protection.

Ruixiang Tang,Qizhang Feng,Ninghao Liu,Fan Yang,Xia Hu

2023-04-10

Abstract:The huge supporting training data on the Internet has been a key factor in the success of deep learning models. However, this abundance of public-available data also raises concerns about the unauthorized exploitation of datasets for commercial purposes, which is forbidden by dataset licenses. In this paper, we propose a backdoor-based watermarking approach that serves as a general framework for safeguarding public-available data. By inserting a small number of watermarking samples into the dataset, our approach enables the learning model to implicitly learn a secret function set by defenders. This hidden function can then be used as a watermark to track down third-party models that use the dataset illegally. Unfortunately, existing backdoor insertion methods often entail adding arbitrary and mislabeled data to the training set, leading to a significant drop in performance and easy detection by anomaly detection algorithms. To overcome this challenge, we introduce a clean-label backdoor watermarking framework that uses imperceptible perturbations to replace mislabeled samples. As a result, the watermarking samples remain consistent with the original labels, making them difficult to detect. Our experiments on text, image, and audio datasets demonstrate that the proposed framework effectively safeguards datasets with minimal impact on original task performance. We also show that adding just 1% of watermarking samples can inject a traceable watermarking function and that our watermarking samples are stealthy and look benign upon visual inspection.

Cryptography and Security,Artificial Intelligence,Machine Learning,Multimedia

Xiaokun Luan,Xiyue Zhang,Jingyi Wang,Meng Sun

2024-07-04

Abstract:Model reuse techniques can reduce the resource requirements for training high-performance deep neural networks (DNNs) by leveraging existing models. However, unauthorized reuse and replication of DNNs can lead to copyright infringement and economic loss to the model owner. This underscores the need to analyze the reuse relation between DNNs and develop copyright protection techniques to safeguard intellectual property rights. Existing white-box testing-based approaches cannot address the common heterogeneous reuse case where the model architecture is changed, and DNN fingerprinting approaches heavily rely on generating adversarial examples with good transferability, which is known to be challenging in the black-box setting. To bridge the gap, we propose NFARD, a Neuron Functionality Analysis-based Reuse Detector, which only requires normal test samples to detect reuse relations by measuring the models' differences on a newly proposed model characterization, i.e., neuron functionality (NF). A set of NF-based distance metrics is designed to make NFARD applicable to both white-box and black-box settings. Moreover, we devise a linear transformation method to handle heterogeneous reuse cases by constructing the optimal projection matrix for dimension consistency, significantly extending the application scope of NFARD. To the best of our knowledge, this is the first adversarial example-free method that exploits neuron functionality for DNN copyright protection. As a side contribution, we constructed a reuse detection benchmark named Reuse Zoo that covers various practical reuse techniques and popular datasets. Extensive evaluations on this comprehensive benchmark show that NFARD achieves F1 scores of 0.984 and 1.0 for detecting reuse relationships in black-box and white-box settings, respectively, while generating test suites 2 ~ 99 times faster than previous methods.

Cryptography and Security,Machine Learning,Software Engineering

Mingfu Xue,Xin Wang,Yinghao Wu,Shifeng Ni,Yushu Zhang,Weiqiang Liu

DOI: https://doi.org/10.48550/arXiv.2210.07481

2022-10-14

Abstract:Intellectual property (IP) protection for Deep Neural Networks (DNNs) has raised serious concerns in recent years. Most existing works embed watermarks in the DNN model for IP protection, which need to modify the model and lack of interpretability. In this paper, for the first time, we propose an interpretable intellectual property protection method for DNN based on explainable artificial intelligence. Compared with existing works, the proposed method does not modify the DNN model, and the decision of the ownership verification is interpretable. We extract the intrinsic features of the DNN model by using Deep Taylor Decomposition. Since the intrinsic feature is composed of unique interpretation of the model's decision, the intrinsic feature can be regarded as fingerprint of the model. If the fingerprint of a suspected model is the same as the original model, the suspected model is considered as a pirated model. Experimental results demonstrate that the fingerprints can be successfully used to verify the ownership of the model and the test accuracy of the model is not affected. Furthermore, the proposed method is robust to fine-tuning attack, pruning attack, watermark overwriting attack, and adaptive attack.

Computer Vision and Pattern Recognition

Yongqi Jiang,Yansong Gao,Chunyi Zhou,Hongsheng Hu,Anmin Fu,Willy Susilo

2024-11-07

Abstract:With the growing applications of Deep Learning (DL), especially recent spectacular achievements of Large Language Models (LLMs) such as ChatGPT and LLaMA, the commercial significance of these remarkable models has soared. However, acquiring well-trained models is costly and resource-intensive. It requires a considerable high-quality dataset, substantial investment in dedicated architecture design, expensive computational resources, and efforts to develop technical expertise. Consequently, safeguarding the Intellectual Property (IP) of well-trained models is attracting increasing attention. In contrast to existing surveys overwhelmingly focusing on model IPP mainly, this survey not only encompasses the protection on model level intelligence but also valuable dataset intelligence. Firstly, according to the requirements for effective IPP design, this work systematically summarizes the general and scheme-specific performance evaluation metrics. Secondly, from proactive IP infringement prevention and reactive IP ownership verification perspectives, it comprehensively investigates and analyzes the existing IPP methods for both dataset and model intelligence. Additionally, from the standpoint of training settings, it delves into the unique challenges that distributed settings pose to IPP compared to centralized settings. Furthermore, this work examines various attacks faced by deep IPP techniques. Finally, we outline prospects for promising future directions that may act as a guide for innovative research.

Cryptography and Security,Artificial Intelligence,Machine Learning

Ge Ren,Jun Wu,Gaolei Li,Shenghong Li,Mohsen Guizani

DOI: https://doi.org/10.1109/tdsc.2022.3222972

2022-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Artificial intelligence (AI)-based cybersecurity services offer significant promise in many scenarios, including malware detection, content supervision, and so on. Meanwhile, many commercial and government applications have raised the need for intellectual property protection of using deep neural network (DNN). Existing studies (e.g., watermarking techniques) on intellectual property protection only aim at inserting secret information into DNNs, allowing producers to detect whether the given DNN infringes on their own copyrights. However, since the availability protection of learning models is rarely considered, the piracy model can still work with high accuracy. In this paper, a novel model locking (M-LOCK) scheme for the DNN is proposed to enhance its availability protection, where the DNN produces poor accuracy if a specific token is absent, while it maps only the tokenized inputs into correct predictions. The proposed scheme performs the verification process during the DNN inference operation, actively protecting models' intellectual property copyright at each query. Specifically, to train the token-sensitive decision-making boundaries of DNNs, a data poisoning-based model manipulation (DPMM) method is also proposed, which minimizes the correlation between the dummy outputs and correct predictions. Extensive experiments demonstrate the proposed scheme could achieve high reliability and effectiveness across various benchmark datasets as well as typical model protection methods.