Journal on Communications ›› 2022, Vol. 43 ›› Issue (9): 181-193. doi: 10.11959/j.issn.1000-436x.2022184
Chengsheng YUAN1,2, Qiang GUO1,2, Zhangjie FU1,2
Revised: 2022-09-08
Online: 2022-09-25
Published: 2022-09-01
About the author: Chengsheng YUAN (born 1989), male, from Jining, Shandong; associate professor and master's supervisor at Nanjing University of Information Science and Technology; main research interests are information hiding, multimedia forensics and AI security.
Abstract:
A copyright protection algorithm for deepfake fingerprint detection models based on differential privacy is proposed; it provides both active protection and passive verification of the model's copyright without degrading the performance of the original task. During training of the original task, noise is added to introduce randomness, and the expected stability of the differential privacy mechanism is used for classification decisions, which reduces the model's sensitivity to that noise. For passive verification, adversarial examples are generated with FGSM and the decision boundary is fine-tuned to establish a backdoor; the backdoor mapping is embedded as the watermark on which passive verification relies. To resolve the copyright confusion caused by multiple backdoors, a watermark verification framework is designed in which each triggered backdoor carries a time stamp, so that ownership is identified by temporal order. For active protection, in order to offer users tiered services, key neurons of the task are frozen through a probabilistic selection strategy, and access permissions are designed to unfreeze those neurons and grant the right to use the original task. Experimental results show that backdoor verification remains effective across different levels of model performance and that the embedded backdoor is robust to model modification. In addition, the proposed algorithm withstands not only collusion attacks in which an attacker recruits legitimate users, but also fine-tuning, compression and other attacks mounted through model modification.
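Two of the mechanisms the abstract describes, as an added illustration that is not the paper's code: decision-making on the expectation of noisy forward passes (the differential-privacy "expected stability" idea, with a single noisy pass compared against the averaged decision on a near-boundary input), and a time-stamped registry that resolves ownership among several backdoors by temporal order. The two-class linear model, its weights, the noise scale, the trigger byte strings, the time stamps and the `fires` predicate standing in for querying a backdoored model are all constructed assumptions.

```python
import hashlib
import math
import random
from dataclasses import dataclass

# Constructed two-class linear model standing in for a trained detector
# (hypothetical weights; the sample input below sits near its decision boundary).
WEIGHTS = [[1.0, -0.5], [-0.8, 0.9]]
BIAS = [0.0, 0.05]


def logits(x):
    return [sum(w * xi for w, xi in zip(row, x)) + b for row, b in zip(WEIGHTS, BIAS)]


def softmax(z):
    m = max(z)
    e = [math.exp(v - m) for v in z]
    s = sum(e)
    return [v / s for v in e]


def noisy_pass(x, sigma, rng):
    """One randomized forward pass: Gaussian noise of scale sigma added to the input."""
    return softmax(logits([xi + rng.gauss(0.0, sigma) for xi in x]))


def expected_predict(x, sigma, n_samples, rng):
    """Decide on the mean of n_samples noisy outputs instead of on a single pass."""
    total = [0.0] * len(BIAS)
    for _ in range(n_samples):
        total = [t + p for t, p in zip(total, noisy_pass(x, sigma, rng))]
    mean = [t / n_samples for t in total]
    return mean.index(max(mean))


def decision_stability(x, sigma, n_samples, trials, seed=0):
    """Fraction of independent decisions that agree with the majority (1.0 = never flips)."""
    rng = random.Random(seed)
    votes = [expected_predict(x, sigma, n_samples, rng) for _ in range(trials)]
    majority = max(set(votes), key=votes.count)
    return votes.count(majority) / trials


@dataclass(frozen=True)
class BackdoorClaim:
    claimant: str
    trigger_set: tuple      # the trigger inputs (constructed byte strings here)
    timestamp: int          # stamp assigned when the backdoor was registered


class WatermarkRegistry:
    """Resolves ownership among several embedded backdoors by the order of their time stamps."""

    def __init__(self):
        self._claims = []

    @staticmethod
    def digest(trigger_set):
        return hashlib.sha256(b"".join(trigger_set)).hexdigest()

    def register(self, claimant, trigger_set, timestamp):
        self._claims.append(BackdoorClaim(claimant, tuple(trigger_set), timestamp))

    def resolve(self, fires):
        """fires(trigger_set) -> bool reports whether the model still answers to that backdoor.
        Among the backdoors that fire, the earliest-stamped one identifies the owner."""
        live = [c for c in self._claims if fires(c.trigger_set)]
        if not live:
            return None
        return min(live, key=lambda c: c.timestamp).claimant


def demo():
    borderline = [1.0, 1.0]                       # constructed near-boundary input
    single = decision_stability(borderline, 0.5, 1, 200)      # one noisy pass per decision
    expected = decision_stability(borderline, 0.5, 100, 200)  # mean over 100 noisy passes

    reg = WatermarkRegistry()
    owner_triggers = [b"trigger-A-1", b"trigger-A-2"]   # constructed
    later_triggers = [b"trigger-B-1"]                   # constructed, embedded later
    reg.register("owner", owner_triggers, timestamp=1662000000)
    reg.register("later-claimant", later_triggers, timestamp=1662100000)
    # Stand-in for querying the model: both backdoors are present and fire.
    present = {WatermarkRegistry.digest(owner_triggers), WatermarkRegistry.digest(later_triggers)}
    winner = reg.resolve(lambda t: WatermarkRegistry.digest(t) in present)
    return single, expected, winner


if __name__ == "__main__":
    print(demo())
```

The stability figures show the point of deciding on the expectation: a single noisy pass on a near-boundary input flips its answer often, while the averaged decision is almost always the same, so the model's behaviour is no longer hostage to one noise draw. The registry shows why the time stamp matters: when two backdoors both fire, the verifier does not have to guess which is genuine, it takes the earlier stamp.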
Cite this article: Chengsheng YUAN, Qiang GUO, Zhangjie FU. Copyright protection algorithm based on differential privacy deep fake fingerprint detection model[J]. Journal on Communications, 2022, 43(9): 181-193.