深度学习模型的版权保护研究综述

doi:10.11959/j.issn.2096-109x.2022015

Abstract

Abstract:

With the rapid development of deep learning technology, deep learning models have been widely used in many fields such as image classification and speech recognition.Training a deep learning model relies on a large amount of data and computing power, thus selling the trained model or providing specific services (DLaaS, e.g.) has become a new business.However, the commercial interests of model trainers and the intellectual property rights of model developers may be violated if the model is maliciously stolen.With deep neural network watermarking becoming a new research topic, multimedia copyright protection techniques were used for deep learning model protection.Numerous methods have been proposed in this field and then a comprehensive survey is needed.the existing deep neural network watermarking methods were elaborated and summarized and the future research directions of this field were discussed.The overall framework of neural network watermarking was presented, whereby the basic concepts such as classification model and model backdoor were introduced.Secondly, the existing methods were divided into two types according to the mechanism of watermark embedding, one is to embed the watermark bits into the carrier of internal information of the network, and the other one uses the established backdoor mapping as the watermark.These two existing deep neural network watermarking methods were analyzed and summarized, and attacks to the watermarks were also introduced and discussed.By analyzing the white-box and black-box conditions in watermarking scenario, it comes to the conclusion that the model is difficult to be effectively protected when it is distributed in the white-box manner, and the neural network watermark defenses in the black-box distribution and black-box verification are both worthy for further research.

Key words: neural network security, copy right protection of neural networks, black-box watermarking, white-box watermarking, backdoor watermarking

CLC Number:

TP393

Xinya WANG, Guang HUA, Hao JIANG, Haijian ZHANG. Survey on intellectual property protection for deep learning model[J]. Chinese Journal of Network and Information Security, 2022, 8(2): 1-14.

Figures/Tables 5

References 69

[1]	DENG J , DONG W , SOCHER R ,et al. ImageNet:a large-scale hierarchical image database[C]// Proceedings of 2009 IEEE Conference on Computer Vision and Pattern Recognition. 2009: 248-255.
[2]	BROWN T , MANN B , RYDER N ,et al. Language models are few-shot learners[C]// Advances in Neural Information Processing Systems (NeurIPS). 2020: 1877-1901.
[3]	CECIL R R , SOARES J . IBM Watson studio:a platform to transform data to intelligence[M]. Pharmaceutical Supply Chains-Medicines Shortages. Springer International Publishing, 2019: 183-192.
[4]	HITAJ D , MANCINI L V . Have you stolen my model? evasion attacks against deep neural network watermarking techniques[J]. 2018:arXiv:1809.00615.
[5]	TRAMèR F , ZHANG F , JUELS A ,et al. Stealing machine learning models via prediction APIs[C]// Proceedings of the 25th USENIX Conference on Security Symposium. 2016: 601-618.
[6]	HUA G , HUANG J W , SHI Y Q ,et al. Twenty years of digital audio watermarking—a comprehensive review[J]. Signal Processing, 2016,128: 222-242.
[7]	ASIKUZZAMAN M , PICKERING M R . An overview of digital video watermarking[J]. IEEE Transactions on Circuits and Systems for Video Technology, 2018,28(9): 2131-2153.
[8]	UCHIDA Y , NAGAI Y , SAKAZAWA S ,et al. Embedding watermarks into deep neural networks[C]// Proceedings of ICMR '17:Proceedings of the 2017 ACM on International Conference on Multimedia Retrieval. 2017: 269-277.
[9]	LIN N , CHEN X M , LU H ,et al. Chaotic weights:a novel approach to protect intellectual property of deep neural networks[J]. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, 2021,40(7): 1327-1339.
[10]	LI Y , WANG H X , BARNI M . A survey of deep neural network watermarking techniques[J]. Neurocomputing, 2021,461: 171-193.
[11]	ANDRIUSHCHENKO M , CROCE F , FLAMMARION N ,et al. Square attack:a query-efficient black-box adversarial attack via random search[M]. Computer Vision-ECCV 2020. Cham: Springer International Publishing, 2020: 484-501.
[12]	SERBAN A , POLL E , VISSER J . Adversarial examples on object recognition[J]. ACM Computing Surveys, 2020,53(3): 1-38.
[13]	MOOSAVI-DEZFOOLI S M , FAWZI A , FAWZI O ,et al. Universal adversarial perturbations[C]// Proceedings of 2017 IEEE Conference on Computer Vision and Pattern Recognition. Piscataway:IEEE Press, 2017: 86-94.
[14]	ZHANG J , CHEN D D , LIAO J ,et al. Model watermarking for image processing networks[J]. Proceedings of the AAAI Conference on Artificial Intelligence, 2020,34(7): 12805-12812.
[15]	ZHANG J , CHEN D , LIAO J ,et al. Deep model intellectual property protection via deep watermarking[J]. IEEE Transactions on Pattern Analysis and Machine Intelligence, 2021.
[16]	WU H Z , LIU G , YAO Y W ,et al. Watermarking neural networks with watermarked images[J]. IEEE Transactions on Circuits and Systems for Video Technology, 2021,31(7): 2591-2601.
[17]	CHEN H L , ROUHANI B D , FU C ,et al. DeepMarks:a secure fingerprinting framework for digital rights management of deep learning models[C]// Proceedings of ICMR '19:Proceedings of the 2019 on International Conference on Multimedia Retrieval. 2019: 105-113.
[18]	ROUHANI B D , CHEN H L , KOUSHANFAR F . DeepSigns:an end-to-end watermarking framework for ownership protection of deep neural networks[C]// Proceedings of ASPLOS '19:Proceedings of the Twenty-Fourth International Conference on Architectural Support for Programming Languages and Operating Systems. 2019: 485-497.
[19]	KURIBAYASHI M , FUNABIKI N . Efficient decentralized tracing protocol for fingerprinting system with index table[C]// Proceedings of 2019 Asia-Pacific Signal and Information Processing Association Annual Summit and Conference (APSIPA ASC). 2019: 1595-1601.
[20]	FENG L , ZHANG X . Watermarking neural network with compensation mechanism[C]// Knowledge Science,Engineering and Management. 2020: 363-375.
[21]	TARTAGLIONE E , GRANGETTO M , CAVAGNINO D ,et al. Delving in the loss landscape to embed robust watermarks into neural networks[C]// Proceedings of 2020 25th International Conference on Pattern Recognition (ICPR). 2021: 1243-1250.
[22]	FAN L , NG K , CHAN C S . Rethinking deep neural network ownership verification:Embedding passports to defeat ambiguity attacks[C]// Advances in Neural Information Processing Systems (NeurIPS 2019). 2019: 4716-4725.
[23]	SEBASTIAN S , ATLI B G , MARCHAL S ,et al. DAWN:dynamic adversarial watermarking of neural networks[C]// Proceedings of the 29th ACM International Conference on Multimedia. 2021.
[24]	VENUGOPAL A , USZKOREIT J , TALBOT D ,et al. Watermarking the outputs of structured prediction with an application in statistical machine translation[R].
[25]	LOU X X , GUO S W , ZHANG T W ,et al. When NAS meets watermarking:ownership verification of DNN models via cache side channels[J]. 2021:arXiv:2102.03523.
[26]	HE H , KANG S , SAKAMOTO Y . A weight-wise watermarking technique for DNN models and its robustness against overwriting attack[C]// Proceedings of International Workshop on Advanced Imaging Technology (IWAIT) 2021. 2021: 442-446.
[27]	LYU P Z , LI P , ZHANG S Z ,et al. HufuNet:embedding the left piece as watermark and keeping the right piece for ownership verification in deep neural networks[J]. 2021:arXiv:2103.13628.
[28]	LI M , ZHONG Q , ZHANG L Y ,et al. Protecting the intellectual property of deep neural networks with watermarking:the frequency domain approach[C]// Proceedings of 2020 IEEE 19th International Conference on Trust,Security and Privacy in Computing and Communications (TrustCom). 2021: 402-409.
[29]	LI Z , HU C Y , ZHANG Y ,et al. How to prove your model belongs to you:a blind-watermark based framework to protect intellectual property of DNN[C]// Proceedings of ACSAC '19:Proceedings of the 35th Annual Computer Security Applications Conference. 2019.
[30]	LI M , ZHONG Q , ZHANG L Y ,et al. Protecting the intellectual property of deep neural networks with watermarking:the frequency domain approach[C]// Proceedings of 2020 IEEE 19th International Conference on Trust,Security and Privacy in Computing and Communications (TrustCom). 2021: 402-409.
[31]	GUO J , POTKONJAK M . Evolutionary trigger set generation for DNN black-box watermarking[R].
[32]	YOSSI A , BAUM C , CISSE M ,et al. Turning your weakness into a strength:Watermarking deep neural networks by backdooring[C]// 27th USENIX Security Symposium (USENIX Security 18). 2018: 1615-1631.
[33]	ZHONG Q , ZHANG L Y , ZHANG J ,et al. Protecting IP of deep neural networks with watermarking:a new label helps[C]// Advances in Knowledge Discovery and Data Mining. 2020: 462-474.
[34]	GOODFELLOW I J , SHLENS J , SZEGEDY C . Explaining and harnessing adversarial examples[J]. CoRR, 2014.
[35]	SERBAN A , POLL E , VISSER J . Adversarial examples on object recognition[J]. ACM Computing Surveys, 2020,53(3): 1-38.
[36]	MERRER L E , PéREZ P , TRéDAN G , . Adversarial frontier stitching for remote neural network watermarking[J]. Neural Computing and Applications, 2020,32(13): 9233-9244.
[37]	LUKAS N , ZHANG Y , KERSCHBAUM F . Deep neural network fingerprinting by conferrable adversarial examples[C]// International Conference on Learning Representations (ICLR). 2021.
[38]	ZHAO J J , HU Q Y , LIU G Y ,et al. AFA:adversarial fingerprinting authentication for deep neural networks[J]. Computer Communications, 2020,150: 488-497.
[39]	CHEN H , ROUHANI B D , KOUSHANFAR F . Blackmarks:blackbox multibit watermarking for deep neural networks[J]. CoRR. 2019.
[40]	ZHU R J , ZHANG X P , SHI M T ,et al. Secure neural network watermarking protocol against forging attack[J]. EURASIP Journal on Image and Video Processing, 2020(2020): 37.
[41]	APRILPYONE M , KIYA H . Piracy-resistant DNN watermarking by block-wise image transformation with secret key[R]. 2021.
[42]	Deepstego:protecting intellectual property of deep neural networks by steganography[J]. CoRR. 2019.
[43]	ALDAGHRI N , MAHDAVIFAR H , BEIRAMI A . Coded machine unlearning[J]. IEEE Access, 2021,9: 88137-88150.
[44]	BOURTOULE L , CHANDRASEKARAN V , CHOQUETTECHOO C A ,et al. Machine unlearning[C]// Proceedings of 2021 IEEE Symposium on Security and Privacy. 2021: 141-159.
[45]	MOLNAR C , CASALICCHIO G , BISCHL B . Interpretable machine learning-a brief history,state-of-the-art and challenges[C]// ECML PKDD 2020 Workshops. 2020.
[46]	MOLNAR C , K?NIG G , HERBINGER J ,et al. General pitfalls of model-agnostic interpretation methods for machine learning models[J]. 2020:arXiv:2007.04131.
[47]	SAMEK W , MONTAVON G , LAPUSCHKIN S ,et al. Toward interpretable machine learning:transparent deep neural networks and beyond[R]. 2020.
[48]	SU J W , VARGAS D V , SAKURAI K . One pixel attack for fooling deep neural networks[J]. IEEE Transactions on Evolutionary Computation, 2019,23(5): 828-841.
[49]	GENG C X , HUANG S J , CHEN S C . Recent advances in open set recognition:a survey[J]. IEEE Transactions on Pattern Analysis and Machine Intelligence, 2021,43(10): 3614-3631.
[50]	WANG T H , KERSCHBAUM F . Attacks on digital watermarks for deep neural networks[C]// Proceedings of ICASSP 2019 - 2019 IEEE International Conference on Acoustics,Speech and Signal Processing. 2019: 2622-2626.
[51]	WANG T H , KERSCHBAUM F . Robust and undetectable white-box watermarks for deep neural networks[R]. 2019.
[52]	SHAFIEINEJAD M , WANG J Q , LUKAS N ,et al. On the robustness of the backdoor-based watermarking in deep neural networks[R]. 2019.
[53]	WANG T H , KERSCHBAUM F . RIGA:covert and robust white-box watermarking of deep neural networks[C]// Proceedings of the Web Conference 2021. 2021.
[54]	CHEN X Y , WANG W X , BENDER C ,et al. REFIT:a unified watermark removal framework for deep learning systems with limited data[C]// Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security. 2021: 321-335.
[55]	LIU K , DOLAN-GAVITT B , GARG S . Fine-pruning:defending against backdooring attacks on deep neural networks[C]// Research in Attacks,Intrusions,and Defenses. 2018.
[56]	HAN S , POOL J , TRAN J ,et al. Learning both weights and connections for efficient neural networks[R]. 2015.
[57]	RYOTA N , SAKUMA J . Robust watermarking of neural network with exponential weighting[C]// Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security. 2019: 228-240.
[58]	YANG Z Q , DANG H , CHANG E C . Effectiveness of distillation attack and countermeasure on neural network watermarking[R]. 2019.
[59]	CHEN X Y , WANG W X , DING Y M ,et al. Leveraging unlabeled data for watermark removal of deep neural networks[C]// Proc of the 36th Int Conf on Machine Learning. 2019.
[60]	LIU X K , LI F T , WEN B H ,et al. Removing backdoor-based watermarks in neural networks with limited data[C]// Proceedings of 2020 25th International Conference on Pattern Recognition (ICPR). 2021: 10149-10156.
[61]	AIKEN W , KIM H , WOO S ,et al. Neural network laundering:removing black-box backdoor watermarks from deep neural networks[J]. Computers ＆ Security, 2021,106:102277.
[62]	GUO J , POTKONJAK M . Watermarking deep neural networks for embedded systems[C]// Proceedings of the International Conference on Computer-Aided Design. 2018: 1-8.
[63]	GUO S W , ZHANG T W , QIU H ,et al. The hidden vulnerability of watermarking for deep neural networks[R]. 2020.
[64]	QUAN Y H , TENG H , CHEN Y X ,et al. Watermarking deep neural networks in image processing[J]. IEEE Transactions on Neural Networks and Learning Systems, 2021,32(5): 1852-1865.
[65]	SKRIPNIUK V , YU N , ABDELNABI S ,et al. Black-box watermarking for generative adversarial networks[R]. 2020.
[66]	YADOLLAHI M M , SHOELEH F , DADKHAH S ,et al. Robust black-box watermarking for deep neural network using inverse document frequency[R]. 2021.
[67]	CHEN H L , DARVISH B , KOUSHANFAR F . SpecMark:a spectral watermarking framework for IP protection of speech recognition systems[C]// Proceedings of Interspeech 2020. 2020: 2312-2316.
[68]	ZHAO X Y , WU H Z , ZHANG X P . Watermarking graph neural networks by random graphs[C]// Proceedings of 2021 9th International Symposium on Digital Forensics and Security (ISDFS). 2021: 1-6.
[69]	GUAN X Q , FENG H M , ZHANG W M ,et al. Reversible watermarking in deep convolutional neural networks for integrity authentication[C]// Proceedings of the 28th ACM International Conference on Multimedia. 2020: 2273-2280.

Metrics

Recommended 0

No Suggested Reading articles found!

类别	水印方法	验证场景	零/多比特	鲁棒性
	将水印以正则化的形式嵌入网络权重中^[8]	白盒	多比特	能应对剪枝、微调
	给合法用户发布实现嵌入网络的向量编码，用户只有用编码才能提取出权重^[17]	白盒	多比特	能应对协同攻击、剪枝、微调
嵌入内部	将水印嵌入模型中间层/输出层特征输出的概率密度函数中^[18]	白盒/黑盒	多比特	能应对压缩、微调和重写攻击
	具有补偿机制的微调，通过两个密钥指定嵌入水印的权重位置和覆盖的噪声模式^[20]	白盒	多比特	能应对重写攻击
	让嵌入水印的网络权重不参与网络训练^[21]	白盒	多比特	能应对微调
	在网络结构上插入passport层^[22]	白盒/黑盒	多比特	需passport使用，单独通过签名验证
	在原图上覆盖Logo、噪声以及使用不相关图片作为触发集的后门构造方法^[28]	黑盒	零比特	能应对剪枝、微调和蒸馏
	使用编码器生成带有盲水印的图片作为后门触发集^[29]	黑盒	零比特	能应对剪枝、微调
	在频域生成不可见水印作为后门触发集^[30]	黑盒	零比特	能应对剪枝、微调
建立后门	选择一组抽象图片作为后门，引入密码学协议提供安全性^[32]	黑盒	零比特	能应对剪枝、微调、蒸馏，不能应对歧义攻击
	在原始分类任务中增添一个新类别，将图片映射到这个类别作为后门^[33]	黑盒	零比特	能应对微调、逃逸攻击
	通过对抗训练让网络对于部分对抗样本分类正确，细微地调整决策边界^[36]	黑盒	零比特	能应对剪枝、微调、奇异值分解攻击
	基于遗传进化算法生成和优化触发集^[31]	黑盒	零比特	降低了负阳率，能应对微调

攻击类别	手段	攻击条件	可攻击的水印方法
移除攻击	重训练^[52]、微调^[54,59,63]、重写^[50]、蒸馏^[58]	少量数据，白盒	嵌入网络内部的白盒方法和基于后门的黑盒方法
	根据已知网络的输入输出训练一个替代模型^[52]	足量数据，黑盒	基于后门的黑盒方法
逃逸攻击	去除触发集上覆盖的噪声^[57]	黑盒	在图片上覆盖某种触发模式的后门水印方法
	集成多个功能相同的模型并基于投票机制推断^[4]	黑盒	针对同一功能模型的水印方法
	基于后门水印检测器逃避触发集的触发^[4]	黑盒	在图片上覆盖某种干扰模式的后门方法
歧义攻击	在模型内部嵌入另一个水印	白盒	将水印嵌入网络内部参数的白盒方法
	在模型中植入另外的后门（如利用对抗样本）	白盒	基于后门机制的黑盒方法

Survey on intellectual property protection for deep learning model

RichHTML

PDF下载

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 5

References 69

Related Articles 15

Metrics

Recommended 0

[1]	Xianyi CHEN, Jun GU, Kai YAN, Dong JIANG, Linfeng XU, Zhangjie FU. Double adversarial attack against license plate recognition system [J]. Chinese Journal of Network and Information Security, 2023, 9(3): 16-27.
[2]	Tianpeng YE, Xiang LIN, Jianhua LI, Xuankai ZHANG, Liwen XU. Personalized lightweight distributed network intrusion detection system in fog computing [J]. Chinese Journal of Network and Information Security, 2023, 9(3): 28-37.
[3]	Lijun ZU, Yalin CAO, Xiaohua MEN, Zhihui LYU, Jiawei YE, Hongyi LI, Liang ZHANG. Adaptive selection method of desensitization algorithm based on privacy risk assessment [J]. Chinese Journal of Network and Information Security, 2023, 9(3): 49-59.
[4]	Ruiqi XIA, Manman LI, Shaozhen CHEN. Identification on the structures of block ciphers using machine learning [J]. Chinese Journal of Network and Information Security, 2023, 9(3): 79-89.
[5]	Jingyi YUAN, Zichuan LI, Guojun PENG. EN-Bypass: a security assessment method on e-mail user interface notification [J]. Chinese Journal of Network and Information Security, 2023, 9(3): 90-101.
[6]	Feng YU, Qingxin LIN, Hui LIN, Xiaoding WANG. Privacy-enhanced federated learning scheme based on generative adversarial networks [J]. Chinese Journal of Network and Information Security, 2023, 9(3): 113-122.
[7]	Chuntao ZHU, Chengxi YIN, Bolin ZHANG, Qilin YIN, Wei LU. Forgery face detection method based on multi-domain temporal features mining [J]. Chinese Journal of Network and Information Security, 2023, 9(3): 123-134.
[8]	Xiaomeng LI, Daidou GUO, Xunfang ZHUO, Heng YAO, Chuan QIN. Carrier-independent screen-shooting resistant watermarking based on information overlay superimposition [J]. Chinese Journal of Network and Information Security, 2023, 9(3): 135-149.
[9]	Zhao CAI, Tao JING, Shuang REN. Survey on Ethereum phishing detection technology [J]. Chinese Journal of Network and Information Security, 2023, 9(2): 21-32.
[10]	Yan PAN, Wei LIN, Yuefei ZHU. Progressive active inference method of protocol state machine [J]. Chinese Journal of Network and Information Security, 2023, 9(2): 81-93.
[11]	Pan YANG, Fei KANG, Hui SHU, Yuyao HUANG, Xiaoshao LYU. Binary program taint analysis optimization method based on function summary [J]. Chinese Journal of Network and Information Security, 2023, 9(2): 115-131.
[12]	Tian XIAO, Zhihao JIANG, Peng TANG, Zheng HUANG, Jie GUO, Weidong QIU. High-performance directional fuzzing scheme based on deep reinforcement learning [J]. Chinese Journal of Network and Information Security, 2023, 9(2): 132-142.
[13]	Chenghao YUAN, Yong LI, Shuang REN. Dynamic multi-keyword searchable encryption scheme [J]. Chinese Journal of Network and Information Security, 2023, 9(2): 143-153.
[14]	Zezhou HOU, Jiongjiong REN, Shaozhen CHEN. Security evaluation for parameters of SIMON-like cipher based on neural network distinguisher [J]. Chinese Journal of Network and Information Security, 2023, 9(2): 154-163.
[15]	Xuejing GUO, Yixiang FANG, Yi ZHAO, Tianzhu ZHANG, Wenchao ZENG, Junxiang WANG. Traditional guidance mechanism based deep robust watermarking [J]. Chinese Journal of Network and Information Security, 2023, 9(2): 175-183.