Chinese Journal of Network and Information Security ›› 2022, Vol. 8 ›› Issue (2): 1-14.doi: 10.11959/j.issn.2096-109x.2022015
Comprehensive Review
Xinya WANG, Guang HUA, Hao JIANG, Haijian ZHANG
Revised: 2022-01-05
Online: 2022-04-15
Published: 2022-04-01
Xinya WANG, Guang HUA, Hao JIANG, Haijian ZHANG. Survey on intellectual property protection for deep learning model[J]. Chinese Journal of Network and Information Security, 2022, 8(2): 1-14.
| Category | Watermarking method | Verification setting | Zero-/multi-bit | Robustness |
|---|---|---|---|---|
| Embedded in network internals | Embed the watermark into the network weights as a regularization term [ ] | White-box | Multi-bit | Resists pruning and fine-tuning |
| Embedded in network internals | Issue legitimate users a vector code that is embedded into the network; only with the code can the weights be extracted [ ] | White-box | Multi-bit | Resists collusion attacks, pruning and fine-tuning |
| Embedded in network internals | Embed the watermark into the probability density function of the features output by intermediate/output layers [ ] | White-box / black-box | Multi-bit | Resists compression, fine-tuning and overwriting attacks |
| Embedded in network internals | Fine-tuning with a compensation mechanism; two keys specify the weight positions that carry the watermark and the noise pattern overlaid on them [ ] | White-box | Multi-bit | Resists overwriting attacks |
| Embedded in network internals | Exclude the watermark-carrying weights from network training [ ] | White-box | Multi-bit | Resists fine-tuning |
| Embedded in network internals | Insert passport layers into the network architecture [ ] | White-box / black-box | Multi-bit | The network only works with its passport; ownership is verified separately by signature |
| Backdoor-based | Build the backdoor trigger set by overlaying a logo or noise on original images, or by using unrelated images [ ] | Black-box | Zero-bit | Resists pruning, fine-tuning and distillation |
| Backdoor-based | Use an encoder to generate images carrying a blind watermark as the backdoor trigger set [ ] | Black-box | Zero-bit | Resists pruning and fine-tuning |
| Backdoor-based | Generate an invisible watermark in the frequency domain as the backdoor trigger set [ ] | Black-box | Zero-bit | Resists pruning and fine-tuning |
| Backdoor-based | Select a set of abstract images as the backdoor and add a cryptographic protocol for security [ ] | Black-box | Zero-bit | Resists pruning, fine-tuning and distillation; does not resist ambiguity attacks |
| Backdoor-based | Add a new class to the original classification task and map the trigger images to that class as the backdoor [ ] | Black-box | Zero-bit | Resists fine-tuning and evasion attacks |
| Backdoor-based | Use adversarial training so that the network classifies a chosen subset of adversarial examples correctly, subtly adjusting the decision boundary [ ] | Black-box | Zero-bit | Resists pruning, fine-tuning and singular value decomposition attacks |
| Backdoor-based | Generate and optimize the trigger set with a genetic (evolutionary) algorithm [ ] | Black-box | Zero-bit | Lowers the false positive rate; resists fine-tuning |

| Attack category | Technique | Attack conditions | Watermarking methods affected |
|---|---|---|---|
| Removal attack | Retraining [ ] | Small amount of data, white-box | White-box methods that embed into network internals and backdoor-based black-box methods |
| Removal attack | Train a substitute model from the input/output behaviour of the known network [ ] | Sufficient data, black-box | Backdoor-based black-box methods |
| Evasion attack | Strip the noise overlaid on trigger-set images [ ] | Black-box | Backdoor methods that overlay a trigger pattern on images |
| Evasion attack | Ensemble several models with the same function and infer by majority vote [ ] | Black-box | Watermarking methods that target models with the same function |
| Evasion attack | Use a backdoor-watermark detector to avoid being triggered by the trigger set [ ] | Black-box | Backdoor methods that overlay some perturbation pattern on images |
| Ambiguity attack | Embed a second watermark inside the model | White-box | White-box methods that embed the watermark into internal parameters |
| Ambiguity attack | Implant an additional backdoor into the model (e.g. using adversarial examples) | White-box | Backdoor-based black-box methods |
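The first table's opening row (a multi-bit watermark embedded into the weights as a regularization term, verified white-box, robust to pruning) and the second table's removal attacks name a mechanism that the tables do not show. The following is an added example, not code from the paper or from any of the surveyed works: a toy projection-based white-box watermark in pure Python. The owner keeps a secret key matrix, embeds the bits by minimizing a hinge-style watermark regularizer, and verifies by reading the sign of each projection. The key matrix, the regularizer, the weight count and the 30% pruning rate are constructed assumptions; there is no real task loss, so an L2 anchor to the original weights stands in for it.

```python
"""Added example (constructed, not from the surveyed paper): a projection-based
white-box DNN watermark embedded through a regularizer, verified by sign, and
checked against magnitude pruning and against an unrelated model."""
import random
from typing import Dict, List

Weights = List[float]
KeyMatrix = List[List[float]]  # one row of length n_weights per watermark bit


def make_key_matrix(rng: random.Random, n_bits: int, n_weights: int) -> KeyMatrix:
    """Owner's secret projection matrix X; it doubles as the extraction key."""
    return [[rng.gauss(0.0, 1.0) for _ in range(n_weights)] for _ in range(n_bits)]


def project(key: KeyMatrix, weights: Weights) -> List[float]:
    """Projection scores X_j . w, one per watermark bit."""
    return [sum(x * w for x, w in zip(row, weights)) for row in key]


def extract_watermark(weights: Weights, key: KeyMatrix) -> List[int]:
    """White-box extraction: bit j is 1 when the j-th projection is positive."""
    return [1 if score > 0 else 0 for score in project(key, weights)]


def embed_watermark(weights: Weights, key: KeyMatrix, bits: List[int],
                    margin: float = 2.0, lr: float = 1e-3,
                    anchor: float = 0.1, max_steps: int = 300) -> Weights:
    """Gradient descent on a hinge-style watermark regularizer.

    Loss = sum_j max(0, margin - s_j * (X_j . w)) + anchor/2 * ||w - w0||^2,
    where s_j = +1 for bit 1 and -1 for bit 0. The anchor term stands in for
    the task loss that keeps weights close to their trained values (assumption:
    this toy has no real task). Stops once every bit sits beyond the margin.
    """
    w0 = list(weights)
    w = list(weights)
    signs = [1.0 if b else -1.0 for b in bits]
    for _ in range(max_steps):
        scores = project(key, w)
        active = [sgn * s < margin for sgn, s in zip(signs, scores)]
        if not any(active):
            break
        grad = [anchor * (wi - w0i) for wi, w0i in zip(w, w0)]
        for row, sgn, is_active in zip(key, signs, active):
            if is_active:  # push this projection further past the margin
                for i, x in enumerate(row):
                    grad[i] -= sgn * x
        w = [wi - lr * g for wi, g in zip(w, grad)]
    return w


def bit_error_rate(expected: List[int], observed: List[int]) -> float:
    return sum(a != b for a, b in zip(expected, observed)) / len(expected)


def magnitude_prune(weights: Weights, fraction: float) -> Weights:
    """Zero out the given fraction of weights with the smallest magnitude."""
    k = int(len(weights) * fraction)
    order = sorted(range(len(weights)), key=lambda i: abs(weights[i]))
    dropped = set(order[:k])
    return [0.0 if i in dropped else w for i, w in enumerate(weights)]


def demo(seed: int = 7, n_bits: int = 16, n_weights: int = 512,
         prune_fraction: float = 0.3) -> Dict[str, float]:
    """Embed, verify, prune, and compare with unrelated models (toy sizes)."""
    rng = random.Random(seed)
    bits = [rng.randrange(2) for _ in range(n_bits)]
    key = make_key_matrix(rng, n_bits, n_weights)
    # Constructed stand-in for a trained layer's weights.
    original = [rng.gauss(0.0, 0.02) for _ in range(n_weights)]
    marked = embed_watermark(original, key, bits)
    pruned = magnitude_prune(marked, prune_fraction)
    # Baseline: models that never carried the watermark decode to ~50% BER.
    unrelated = []
    for _ in range(8):
        other = [rng.gauss(0.0, 0.02) for _ in range(n_weights)]
        unrelated.append(bit_error_rate(bits, extract_watermark(other, key)))
    return {
        "ber_marked": bit_error_rate(bits, extract_watermark(marked, key)),
        "ber_pruned": bit_error_rate(bits, extract_watermark(pruned, key)),
        "mean_ber_unrelated": sum(unrelated) / len(unrelated),
        "max_weight_change": max(abs(a - b) for a, b in zip(marked, original)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value:.3f}")
```

Two things the tables state become visible here: the watermark survives pruning because each bit is spread over every weight, so removing the smallest 30% shifts each projection only slightly, and an unrelated model decodes to roughly half the bits by chance, which is why a verifier needs a statistical threshold on the bit error rate rather than an exact match. In a real deployment the watermark loss is added to the task loss during training, and the key matrix must stay secret, since the white-box ambiguity attacks in the second table amount to embedding a second watermark with a key of the attacker's choosing.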
[1] DENG J, DONG W, SOCHER R, et al. ImageNet: a large-scale hierarchical image database[C]// Proceedings of 2009 IEEE Conference on Computer Vision and Pattern Recognition. 2009: 248-255.
[2] BROWN T, MANN B, RYDER N, et al. Language models are few-shot learners[C]// Advances in Neural Information Processing Systems (NeurIPS). 2020: 1877-1901.
[3] CECIL R R, SOARES J. IBM Watson studio: a platform to transform data to intelligence[M]. Pharmaceutical Supply Chains-Medicines Shortages. Springer International Publishing, 2019: 183-192.
[4] HITAJ D, MANCINI L V. Have you stolen my model? evasion attacks against deep neural network watermarking techniques[J]. 2018: arXiv:1809.00615.
[5] TRAMÈR F, ZHANG F, JUELS A, et al. Stealing machine learning models via prediction APIs[C]// Proceedings of the 25th USENIX Conference on Security Symposium. 2016: 601-618.
[6] HUA G, HUANG J W, SHI Y Q, et al. Twenty years of digital audio watermarking: a comprehensive review[J]. Signal Processing, 2016, 128: 222-242.
[7] ASIKUZZAMAN M, PICKERING M R. An overview of digital video watermarking[J]. IEEE Transactions on Circuits and Systems for Video Technology, 2018, 28(9): 2131-2153.
[8] UCHIDA Y, NAGAI Y, SAKAZAWA S, et al. Embedding watermarks into deep neural networks[C]// Proceedings of ICMR '17: Proceedings of the 2017 ACM on International Conference on Multimedia Retrieval. 2017: 269-277.
[9] LIN N, CHEN X M, LU H, et al. Chaotic weights: a novel approach to protect intellectual property of deep neural networks[J]. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, 2021, 40(7): 1327-1339.
[10] LI Y, WANG H X, BARNI M. A survey of deep neural network watermarking techniques[J]. Neurocomputing, 2021, 461: 171-193.
[11] ANDRIUSHCHENKO M, CROCE F, FLAMMARION N, et al. Square attack: a query-efficient black-box adversarial attack via random search[M]. Computer Vision-ECCV 2020. Cham: Springer International Publishing, 2020: 484-501.
[12] SERBAN A, POLL E, VISSER J. Adversarial examples on object recognition[J]. ACM Computing Surveys, 2020, 53(3): 1-38.
[13] MOOSAVI-DEZFOOLI S M, FAWZI A, FAWZI O, et al. Universal adversarial perturbations[C]// Proceedings of 2017 IEEE Conference on Computer Vision and Pattern Recognition. Piscataway: IEEE Press, 2017: 86-94.
[14] ZHANG J, CHEN D D, LIAO J, et al. Model watermarking for image processing networks[J]. Proceedings of the AAAI Conference on Artificial Intelligence, 2020, 34(7): 12805-12812.
[15] ZHANG J, CHEN D, LIAO J, et al. Deep model intellectual property protection via deep watermarking[J]. IEEE Transactions on Pattern Analysis and Machine Intelligence, 2021.
[16] WU H Z, LIU G, YAO Y W, et al. Watermarking neural networks with watermarked images[J]. IEEE Transactions on Circuits and Systems for Video Technology, 2021, 31(7): 2591-2601.
[17] CHEN H L, ROUHANI B D, FU C, et al. DeepMarks: a secure fingerprinting framework for digital rights management of deep learning models[C]// Proceedings of ICMR '19: Proceedings of the 2019 on International Conference on Multimedia Retrieval. 2019: 105-113.
[18] ROUHANI B D, CHEN H L, KOUSHANFAR F. DeepSigns: an end-to-end watermarking framework for ownership protection of deep neural networks[C]// Proceedings of ASPLOS '19: Proceedings of the Twenty-Fourth International Conference on Architectural Support for Programming Languages and Operating Systems. 2019: 485-497.
[19] KURIBAYASHI M, FUNABIKI N. Efficient decentralized tracing protocol for fingerprinting system with index table[C]// Proceedings of 2019 Asia-Pacific Signal and Information Processing Association Annual Summit and Conference (APSIPA ASC). 2019: 1595-1601.
[20] FENG L, ZHANG X. Watermarking neural network with compensation mechanism[C]// Knowledge Science, Engineering and Management. 2020: 363-375.
[21] TARTAGLIONE E, GRANGETTO M, CAVAGNINO D, et al. Delving in the loss landscape to embed robust watermarks into neural networks[C]// Proceedings of 2020 25th International Conference on Pattern Recognition (ICPR). 2021: 1243-1250.
[22] FAN L, NG K, CHAN C S. Rethinking deep neural network ownership verification: embedding passports to defeat ambiguity attacks[C]// Advances in Neural Information Processing Systems (NeurIPS 2019). 2019: 4716-4725.
[23] SEBASTIAN S, ATLI B G, MARCHAL S, et al. DAWN: dynamic adversarial watermarking of neural networks[C]// Proceedings of the 29th ACM International Conference on Multimedia. 2021.
[24] VENUGOPAL A, USZKOREIT J, TALBOT D, et al. Watermarking the outputs of structured prediction with an application in statistical machine translation[R].
[25] LOU X X, GUO S W, ZHANG T W, et al. When NAS meets watermarking: ownership verification of DNN models via cache side channels[J]. 2021: arXiv:2102.03523.
[26] HE H, KANG S, SAKAMOTO Y. A weight-wise watermarking technique for DNN models and its robustness against overwriting attack[C]// Proceedings of International Workshop on Advanced Imaging Technology (IWAIT) 2021. 2021: 442-446.
[27] LYU P Z, LI P, ZHANG S Z, et al. HufuNet: embedding the left piece as watermark and keeping the right piece for ownership verification in deep neural networks[J]. 2021: arXiv:2103.13628.
[28] LI M, ZHONG Q, ZHANG L Y, et al. Protecting the intellectual property of deep neural networks with watermarking: the frequency domain approach[C]// Proceedings of 2020 IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom). 2021: 402-409.
[29] LI Z, HU C Y, ZHANG Y, et al. How to prove your model belongs to you: a blind-watermark based framework to protect intellectual property of DNN[C]// Proceedings of ACSAC '19: Proceedings of the 35th Annual Computer Security Applications Conference. 2019.
[30] LI M, ZHONG Q, ZHANG L Y, et al. Protecting the intellectual property of deep neural networks with watermarking: the frequency domain approach[C]// Proceedings of 2020 IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom). 2021: 402-409.
[31] GUO J, POTKONJAK M. Evolutionary trigger set generation for DNN black-box watermarking[R].
[32] YOSSI A, BAUM C, CISSE M, et al. Turning your weakness into a strength: watermarking deep neural networks by backdooring[C]// 27th USENIX Security Symposium (USENIX Security 18). 2018: 1615-1631.
[33] ZHONG Q, ZHANG L Y, ZHANG J, et al. Protecting IP of deep neural networks with watermarking: a new label helps[C]// Advances in Knowledge Discovery and Data Mining. 2020: 462-474.
[34] GOODFELLOW I J, SHLENS J, SZEGEDY C. Explaining and harnessing adversarial examples[J]. CoRR, 2014.
[35] SERBAN A, POLL E, VISSER J. Adversarial examples on object recognition[J]. ACM Computing Surveys, 2020, 53(3): 1-38.
[36] MERRER L E, PÉREZ P, TRÉDAN G. Adversarial frontier stitching for remote neural network watermarking[J]. Neural Computing and Applications, 2020, 32(13): 9233-9244.
[37] LUKAS N, ZHANG Y, KERSCHBAUM F. Deep neural network fingerprinting by conferrable adversarial examples[C]// International Conference on Learning Representations (ICLR). 2021.
[38] ZHAO J J, HU Q Y, LIU G Y, et al. AFA: adversarial fingerprinting authentication for deep neural networks[J]. Computer Communications, 2020, 150: 488-497.
[39] CHEN H, ROUHANI B D, KOUSHANFAR F. Blackmarks: blackbox multibit watermarking for deep neural networks[J]. CoRR, 2019.
[40] ZHU R J, ZHANG X P, SHI M T, et al. Secure neural network watermarking protocol against forging attack[J]. EURASIP Journal on Image and Video Processing, 2020(2020): 37.
[41] APRILPYONE M, KIYA H. Piracy-resistant DNN watermarking by block-wise image transformation with secret key[R]. 2021.
[42] Deepstego: protecting intellectual property of deep neural networks by steganography[J]. CoRR, 2019.
[43] ALDAGHRI N, MAHDAVIFAR H, BEIRAMI A. Coded machine unlearning[J]. IEEE Access, 2021, 9: 88137-88150.
[44] BOURTOULE L, CHANDRASEKARAN V, CHOQUETTECHOO C A, et al. Machine unlearning[C]// Proceedings of 2021 IEEE Symposium on Security and Privacy. 2021: 141-159.
[45] MOLNAR C, CASALICCHIO G, BISCHL B. Interpretable machine learning: a brief history, state-of-the-art and challenges[C]// ECML PKDD 2020 Workshops. 2020.
[46] MOLNAR C, KÖNIG G, HERBINGER J, et al. General pitfalls of model-agnostic interpretation methods for machine learning models[J]. 2020: arXiv:2007.04131.
[47] SAMEK W, MONTAVON G, LAPUSCHKIN S, et al. Toward interpretable machine learning: transparent deep neural networks and beyond[R]. 2020.
[48] SU J W, VARGAS D V, SAKURAI K. One pixel attack for fooling deep neural networks[J]. IEEE Transactions on Evolutionary Computation, 2019, 23(5): 828-841.
[49] GENG C X, HUANG S J, CHEN S C. Recent advances in open set recognition: a survey[J]. IEEE Transactions on Pattern Analysis and Machine Intelligence, 2021, 43(10): 3614-3631.
[50] WANG T H, KERSCHBAUM F. Attacks on digital watermarks for deep neural networks[C]// Proceedings of ICASSP 2019 - 2019 IEEE International Conference on Acoustics, Speech and Signal Processing. 2019: 2622-2626.
[51] WANG T H, KERSCHBAUM F. Robust and undetectable white-box watermarks for deep neural networks[R]. 2019.
[52] SHAFIEINEJAD M, WANG J Q, LUKAS N, et al. On the robustness of the backdoor-based watermarking in deep neural networks[R]. 2019.
[53] WANG T H, KERSCHBAUM F. RIGA: covert and robust white-box watermarking of deep neural networks[C]// Proceedings of the Web Conference 2021. 2021.
[54] CHEN X Y, WANG W X, BENDER C, et al. REFIT: a unified watermark removal framework for deep learning systems with limited data[C]// Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security. 2021: 321-335.
[55] LIU K, DOLAN-GAVITT B, GARG S. Fine-pruning: defending against backdooring attacks on deep neural networks[C]// Research in Attacks, Intrusions, and Defenses. 2018.
[56] HAN S, POOL J, TRAN J, et al. Learning both weights and connections for efficient neural networks[R]. 2015.
[57] RYOTA N, SAKUMA J. Robust watermarking of neural network with exponential weighting[C]// Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security. 2019: 228-240.
[58] YANG Z Q, DANG H, CHANG E C. Effectiveness of distillation attack and countermeasure on neural network watermarking[R]. 2019.
[59] CHEN X Y, WANG W X, DING Y M, et al. Leveraging unlabeled data for watermark removal of deep neural networks[C]// Proc of the 36th Int Conf on Machine Learning. 2019.
[60] LIU X K, LI F T, WEN B H, et al. Removing backdoor-based watermarks in neural networks with limited data[C]// Proceedings of 2020 25th International Conference on Pattern Recognition (ICPR). 2021: 10149-10156.
[61] AIKEN W, KIM H, WOO S, et al. Neural network laundering: removing black-box backdoor watermarks from deep neural networks[J]. Computers & Security, 2021, 106: 102277.
[62] GUO J, POTKONJAK M. Watermarking deep neural networks for embedded systems[C]// Proceedings of the International Conference on Computer-Aided Design. 2018: 1-8.
[63] GUO S W, ZHANG T W, QIU H, et al. The hidden vulnerability of watermarking for deep neural networks[R]. 2020.
[64] QUAN Y H, TENG H, CHEN Y X, et al. Watermarking deep neural networks in image processing[J]. IEEE Transactions on Neural Networks and Learning Systems, 2021, 32(5): 1852-1865.
[65] SKRIPNIUK V, YU N, ABDELNABI S, et al. Black-box watermarking for generative adversarial networks[R]. 2020.
[66] YADOLLAHI M M, SHOELEH F, DADKHAH S, et al. Robust black-box watermarking for deep neural network using inverse document frequency[R]. 2021.
[67] CHEN H L, DARVISH B, KOUSHANFAR F. SpecMark: a spectral watermarking framework for IP protection of speech recognition systems[C]// Proceedings of Interspeech 2020. 2020: 2312-2316.
[68] ZHAO X Y, WU H Z, ZHANG X P. Watermarking graph neural networks by random graphs[C]// Proceedings of 2021 9th International Symposium on Digital Forensics and Security (ISDFS). 2021: 1-6.
[69] GUAN X Q, FENG H M, ZHANG W M, et al. Reversible watermarking in deep convolutional neural networks for integrity authentication[C]// Proceedings of the 28th ACM International Conference on Multimedia. 2020: 2273-2280.