网络与信息安全学报 (Chinese Journal of Network and Information Security), 2022, Vol. 8, Issue (2): 1-14. doi: 10.11959/j.issn.2096-109x.2022015

• Survey •

Survey on intellectual property protection for deep learning model (深度学习模型的版权保护研究综述)

Xinya WANG (王馨雅), Guang HUA (华光), Hao JIANG (江昊), Haijian ZHANG (张海剑)

  1. School of Electronic Information, Wuhan University, Wuhan 430072, Hubei, China
  • Revised: 2022-01-05 Online: 2022-04-15 Published: 2022-04-01
  • About the authors: Xinya WANG (b. 1998), female, from Xiantao, Hubei; master's student at Wuhan University; main research interests: neural network watermarking, artificial intelligence security.
    Guang HUA (b. 1986), male, from Wuhan, Hubei; research professor and doctoral supervisor at Wuhan University; main research interests: multimedia security and forensics, artificial intelligence security.
    Hao JIANG (b. 1976), male, from Wuhan, Hubei; professor and doctoral supervisor at Wuhan University; main research interests: mobile networks, big data analytics, artificial intelligence.
    Haijian ZHANG (b. 1983), male, from Yichang, Hubei; associate professor at Wuhan University; main research interests: time-frequency analysis, speech and array signal processing, media content security.
  • Supported by:
    The National Natural Science Foundation of China (61802284); The National Natural Science Foundation of China Enterprise Innovation Development Key Project (U19B2004); The Special Fund for Science and Technology of Guangdong Province (2019SDR002)


Abstract (translated from the Chinese):

With the rapid development of deep learning technology, deep learning models have been widely applied in fields such as image classification and speech recognition. Training a deep learning model depends on large amounts of data and computing power and is costly; selling trained models or providing specific services (such as DLaaS) has therefore become a business model. However, if a model is stolen by a malicious user, the commercial interests of the model trainer may be harmed. In addition, the design of the network topology and the training of the parameters embody the model trainer's intellectual effort, so a fully trained model should be regarded as the model developer's intellectual property and protected accordingly. In recent years, deep neural network watermarking has become an emerging research topic: researchers have introduced multimedia content protection methods into the protection of deep learning models, attempting to embed watermarks in deep neural network models in order to verify model ownership. Many methods have been proposed, but they have not yet been systematically reviewed and summarized. This survey reviews and summarizes the existing methods in the field of neural network watermarking and discusses future research directions. It presents the overall framework of neural network watermarking and introduces basic concepts such as classification models and model backdoors. According to the watermark embedding mechanism, existing methods are divided into two categories: the first embeds the watermark inside the network, using the network's internal information as the carrier; the second establishes a network backdoor and uses the backdoor's special mapping as the watermark. Deep neural network watermarking methods based on these two ideas are comprehensively described and summarized, the characteristics, advantages and limitations of each method are discussed, and the corresponding watermark attack methods are introduced and discussed. An analysis of the white-box and black-box scenarios in watermarking shows that models distributed in white-box form are difficult to protect effectively, whereas the defense of neural network watermarks against attacks in the black-box distribution and black-box verification scenarios deserves further research.


Abstract:

With the rapid development of deep learning technology, deep learning models have been widely used in many fields such as image classification and speech recognition. Training a deep learning model relies on a large amount of data and computing power, so selling the trained model or providing specific services (e.g., DLaaS) has become a new business. However, the commercial interests of model trainers and the intellectual property rights of model developers may be violated if the model is maliciously stolen. With deep neural network watermarking becoming a new research topic, multimedia copyright protection techniques have been adopted for deep learning model protection. Numerous methods have been proposed in this field, and a comprehensive survey is therefore needed. The existing deep neural network watermarking methods were elaborated and summarized, and the future research directions of this field were discussed. The overall framework of neural network watermarking was presented, whereby the basic concepts such as classification model and model backdoor were introduced. Then, the existing methods were divided into two types according to the mechanism of watermark embedding: one embeds the watermark bits into the carrier of the internal information of the network, and the other uses an established backdoor mapping as the watermark. These two types of deep neural network watermarking methods were analyzed and summarized, and attacks on the watermarks were also introduced and discussed. By analyzing the white-box and black-box conditions in the watermarking scenario, it is concluded that a model is difficult to protect effectively when it is distributed in a white-box manner, and that neural network watermark defenses under black-box distribution and black-box verification are both worthy of further research.

Key words: neural network security, copyright protection of neural networks, black-box watermarking, white-box watermarking, backdoor watermarking
