基于差分隐私的深度伪造指纹检测模型版权保护算法

doi:10.11959/j.issn.1000-436x.2022184

通信学报 ›› 2022, Vol. 43 ›› Issue (9): 181-193.doi: 10.11959/j.issn.1000-436x.2022184

基于差分隐私的深度伪造指纹检测模型版权保护算法

袁程胜¹^,², 郭强¹^,², 付章杰¹^,²

¹ 南京信息工程大学计算机学院、软件学院、网络空间安全学院，江苏南京 210044
² 南京信息工程大学数字取证教育部工程研究中心，江苏南京 210044

修回日期:2022-09-08 出版日期:2022-09-25 发布日期:2022-09-01
作者简介:袁程胜（1989– ），男，山东济宁人，南京信息工程大学副教授、硕士生导师，主要研究方向为信息隐藏、多媒体取证与AI安全
郭强（1997- ），男，江苏南京人，南京信息工程大学硕士生，主要研究方向为信息安全和深度学习
付章杰（1983- ），男，河南南阳人，南京信息工程大学教授、博士生导师，主要研究方向为区块链安全、数字取证、人工智能安全
基金资助:
国家自然科学基金资助项目(62102189);江苏省自然科学基金资助项目(BK20200807);江苏省自然科学基金资助项目(BK20200039);国防科技大学科研计划基金资助项目(JS21-4);浙江省科技厅公益性科技产业基金资助项目(LGF21F020006)

Copyright protection algorithm based on differential privacy deep fake fingerprint detection model

Chengsheng YUAN¹^,², Qiang GUO¹^,², Zhangjie FU¹^,²

¹ School of Computer Science, Nanjing University of Information Science and Technology, Nanjing 210044, China
² Engineering Research Center of Digital Forensics, Ministry of Education, Nanjing University of Information Science and Technology, Nanjing 210044, China

Revised:2022-09-08 Online:2022-09-25 Published:2022-09-01
Supported by:
The National Natural Science Foundation of China(62102189);The Natural Science Foundation of Jiangsu Province(BK20200807);The Natural Science Foundation of Jiangsu Province(BK20200039);NUDT Scientific Research Program(JS21-4);Public Welfare Technology and Industry Project of Zhejiang Provincial Science Technology Department(LGF21F020006)

摘要/Abstract

摘要：

提出了一种基于差分隐私的深度伪造指纹检测模型版权保护算法，在不削弱原始任务性能的同时，实现了深度伪造指纹检测模型版权的主动保护和被动验证。在原始任务训练时，通过添加噪声以引入随机性，利用差分隐私算法的期望稳定性进行分类决策，以削弱对噪声的敏感。在被动验证中，利用FGSM生成对抗样本，通过微调决策边界以建立后门，将后门映射关系作为植入水印实现被动验证。为了解决多后门造成的版权混淆，设计了一种水印验证框架，对触发后门加盖时间戳，借助时间顺序来鉴别版权。在主动保护中，为了给用户提供分等级的服务，通过概率选择策略冻结任务中的关键性神经元，设计访问权限实现神经元的解冻，以获得原始任务的使用权。实验结果表明，不同模型性能下的后门验证依然有效，嵌入的后门对模型修改表现出稳健性。此外，所提算法不但能抵挡攻击者策反合法用户实施的合谋攻击，而且能抵挡模型修改发动的微调、压缩等攻击。

关键词: 版权保护, 对抗样本, 差分隐私, 模型水印, 伪造指纹检测

Abstract:

A copyright protection algorithm based on differential privacy for deep fake fingerprint detection model (DFFDM) was proposed, realizing active copyright protection and passive copyright verification of DFFDM without weakening the performance of the original task.In the original task training, noise was added to introduce randomness, and the expected stability of the differential privacy algorithm was used to make classification decisions to reduce the sensitivity to noise.In passive verification, FGSM was used to generate adversarial samples, the decision boundary was fine-adjusted to establish a backdoor, and the mapping was used as an implanted watermark to realize passive verification.To solve the copyright confusion caused by multiple backdoors, a watermark verification framework was designed, which stamped the trigger backdoors and identified the copyright with the help of time order.In active protection, to provide users with hierarchical services, the key neurons in the task were frozen by probabilistic selection strategy, and the access rights were designed to realize the thawing of neurons, so as to obtain the right to use the original task.Experimental results show that the backdoor verification is still effective under different model performance, and the embedded backdoor shows a certain robustness to the model modification.Also, the proposed algorithm can resist not only the collusion attack by the attacker to recruit legitimate users, but also the fine-tuning and compression attacks caused by the model modification.

Key words: copyright protection, adversarial samples, differential privacy, model watermark, fake fingerprint detection

中图分类号:

TP391

袁程胜, 郭强, 付章杰. 基于差分隐私的深度伪造指纹检测模型版权保护算法[J]. 通信学报, 2022, 43(9): 181-193.

Chengsheng YUAN, Qiang GUO, Zhangjie FU. Copyright protection algorithm based on differential privacy deep fake fingerprint detection model[J]. Journal on Communications, 2022, 43(9): 181-193.

图/表 14

图1

图2

图3

图4

图5

图6

图7

图8

图9

图10

图11

表1

表2

表3

参考文献 39

[1]	YADAV J , JAFFERY Z A , SINGH L ． A short review on machine learning techniques used for fingerprint recognition［J］． Journal of Critical Reviews, 2020,7(13): 2768-2773.
[2]	YUAN C S , YU P P , XIA Z H ,et al． FLD-SRC:fingerprint liveness detection for AFIS based on spatial ridges continuity［J］． IEEE Journal of Selected Topics in Signal Processing, 2022,16(4): 817-827．
[3]	HE Y , ZHAO N , YIN H X ． Integrated networking,caching,and computing for connected vehicles:a deep reinforcement learning approach［J］． IEEE Transactions on Vehicular Technology, 2018,67(1): 44-55．
[4]	ZHAO D B , CHEN Y R , LV L ． Deep reinforcement learning with visual attention for vehicle classification［J］． IEEE Transactions on Cognitive and Developmental Systems, 2017,9(4): 356-367．
[5]	LI X L , DING L K , WANG L ,et al． FPGA accelerates deep residual learning for image recognition［C］// Proceedings of IEEE 2nd Information Technology,Networking,Electronic and Automation Control Conference． Piscataway:IEEE Press, 2017: 837-840．
[6]	SIMONYAN K , ZISSERMAN A ． Very deep convolutional networks for large-scale image recognition［J］． arXiv Preprint,arXiv:1409．1556, 2014．
[7]	COLLOBERT R , WESTON J , BOTTOU L ,et al． Natural language processing (almost) from scratch［J］． Journal of Machine Learning Research, 2011,12: 2493-2537．
[8]	BHUYAN M P , SARMA S K , RAHMAN M ． Natural language processing based stochastic model for the correctness of Assamese sentences［C］// Proceedings of the 5th International Conference on Com munication and Electronics Systems (ICCES)． Piscataway:IEEE Press, 2020: 1179-1182．
[9]	YUAN C S , JIAO S M , SUN X M ,et al． MFFFLD:a multimodal-feature-fusion-based fingerprint liveness detection［J］． IEEE Transactions on Cognitive and Developmental Systems, 2022,14(2): 648-661．
[10]	CETINIC E , LIPIC T , GRGIC S ． Fine-tuning convolutional neural networks for fine art classification［J］． Expert Systems with Applications, 2018,114: 107-118．
[11]	UCHIDA Y , NAGAI Y , SAKAZAWA S ,et al． Embedding watermarks into deep neural networks［C］// Proceedings of the 2017 ACM on International Conference on Multimedia Retrieval． New York:ACM Press, 2017: 269-277．
[12]	LIU Z , SUN M , ZHOU T ,et al． Rethinking the value of network pruning［J］． arXiv Preprint,arXiv:1810．05270, 2018．
[13]	LE M E , PéREZ P , TRéDAN G , ． Adversarial frontier stitching for remote neural network watermarking［J］． Neural Computing and Applications, 2020,32(13): 9233-9244．
[14]	ZHU R , ZHANG X , SHI M ,et al． Secure neural network watermarking protocol against forging attack［J］． EURASIP Journal on Image and Video Processing, 2020,2020(1): 1-12．
[15]	TIAN J Y , ZHOU J T , DUAN J ． Probabilistic selective encryption of convolutional neural networks for hierarchical services［C］// Proceed ings of IEEE/CVF Conference on Computer Vision and Pattern Recognition． Piscataway:IEEE Press, 2021: 2205-2214．
[16]	樊雪峰, 周晓谊, 朱冰冰 ,等．深度神经网络模型版权保护方案综述［J］．计算机研究与发展, 2022,59(5): 953-977．
	FAN X F , ZHOU X Y , ZHU B B ,et al． Survey of copyright protection schemes based on DNN model［J］． Journal of Computer Research and Development, 2022,59(5): 953-977．
[17]	KURIBAYASHI M , TANAKA T , FUNABIKI N ． Deepwatermark:embedding watermark into DNN model［C］// Proceedings of Asia-Pacific Signal and Information Processing Association Annual Summit and Conference． Piscataway:IEEE Press, 2020: 1340-1346．
[18]	ROUHANI B D , CHEN H L , KOUSHANFAR F ． DeepSigns:an end-to-end watermarking framework for ownership protection of deep neural networks［C］// Proceedings of the Twenty-Fourth International Conference on Architectural Support for Programming Languages and Operating Systems． New York:ACM Press, 2019: 485-497．
[19]	FENG L , ZHANG X ． Watermarking neural network with compensation mechanism［C］// Proceedings of International Conference on Knowledge Science,Engineering and Management． Berlin:Springer, 2020: 363-375．
[20]	FAN L , NG K W , CHAN C S ． Rethinking deep neural network ownership verification:embedding passports to defeat ambiguity attacks［C］// Proceedings of Annual Conference on Neural Information Processing Systems． Massachusetts:MIT Press, 2019: 4716-4725．
[21]	ZHANG J , CHEN D , LIAO J ,et al． Passport-aware normalization for deep model protection［J］． Advances in Neural Information Processing Systems, 2020,33: 22619-22628．
[22]	ZHANG J , GU Z , JANG J ,et al． Protecting intellectual property of deep neural networks with watermarking［C］// Proceedings of the 2018 on Asia Conference on Computer and Communications Security． New York:ACM Press, 2018: 159-172．
[23]	ADI Y , BAUM C , CISSE M ,et al． Turning your weakness into a strength:watermarking deep neural networks by backdooring［J］． arXiv Preprint,arXiv:1802．04633, 2018．
[24]	GUO J , POTKONJAK M ． Evolutionary trigger set generation for DNN black-box watermarking［J］． arXiv Preprint,arXiv:1906．04411, 2019．
[25]	GUO J , POTKONJAK M ． Watermarking deep neural networks for embedded systems［C］// Proceedings of IEEE/ACM International Conference on Computer-Aided Design． Piscataway:IEEE Press, 2018: 1-8．
[26]	JIA H , CHOQUETTE-CHOO C A , CHANDRASEKARAN V ,et al. Entangled watermarks as a defense against model extraction［C］// Proceedings of the 30th USENIX Security Symposium． Berkeley:USENIX Association, 2021: 1937-1954．
[27]	ZHONG Q , ZHANG L Y , ZHANG J ,et al． Protecting IP of deep neural networks with watermarking:a new label helps［C］// Advances in Knowledge Discovery and Data Mining． Berlin:Springer, 2020: 462-474．
[28]	QUAN Y H , TENG H , CHEN Y X ,et al． Watermarking deep neural networks in image processing［J］． IEEE Transactions on Neural Networks and Learning Systems, 2021,32(5): 1852-1865．
[29]	ONG D S , SENG C C E , NG K W ,et al． Protecting intellectual property of generative adversarial networks from ambiguity attacks［C］// Proceedings of IEEE/CVF Conference on Computer Vision and Pattern Recognition． Piscataway:IEEE Press, 2021: 3629-3638．
[30]	ZHU R , WEI P , LI S ,et al． Fragile neural network watermarking with trigger image set［C］// Proceedings of International Conference on Knowledge Science,Engineering and Management． Berlin:Springer, 2021: 280-293．
[31]	ZHANG J , CHEN D D , LIAO J ,et al． Deep model intellectual property protection via deep watermarking［J］． IEEE Transactions on Pattern Analysis and Machine Intelligence, 2022,44(8): 4005-4020．
[32]	WU H , LIU G , YAO Y ,et al． Watermarking neural networks with watermarked images［J］． IEEE Transactions on Circuits and Systems for Video Technology, 2020,31(7): 2591-2601．
[33]	HUANG S , PAPERNOT N , GOODFELLOW I ,et al． Adversarial attacks on neural network policies［J］． arXiv Preprint,arXiv:1702．02284, 2017．
[34]	LECUYER M , ATLIDAKIS V , GEAMBASU R ,et al． Certified robustness to adversarial examples with differential privacy［C］// Proceedings of 2019 IEEE Symposium on Security and Privacy． Piscataway:IEEE Press, 2019: 656-672．
[35]	刘艺菲, 王宁, 王志刚 ,等．混洗差分隐私下的多维类别数据的收集与分析［J］．软件学报, 2022,33(3): 1093-1110．
	LIU Y F , WANG N , WANG Z G ,et al． Collecting and analyzing multidimensional categorical data under shuffled differential privacy［J］． Journal of Software, 2022,33(3): 1093-1110．
[36]	SHAYER O , LEVI D , FETAYA E ． Learning discrete weights using the local reparameterization trick［J］． arXiv Preprint,arXiv:1710．07739, 2017．
[37]	LOUIZOS C , WELLING M , KINGMA D P ． Learning sparse neural networks through L0 regularization［J］． arXiv Preprint,arXiv:1712．01312, 2017．
[38]	BOGDANOV A , KNE?EVI? M , LEANDER G ,et al. SPONGENT:a lightweight hash function［C］// Proceedings of International Workshop on Cryptographic Hardware and Embedded Systems． Berlin:Springer, 2011: 312-325．
[39]	SHAFAHI A , HUANG W R , STUDER C ,et al． Are adversarial examples inevitable?［J］． arXiv Preprint,arXiv:1809．02104, 2018．

序号序号	模型压缩率模型压缩率	水印提取水印提取	模型分类精度模型分类精度
1	0.00	成功	90%
2	0.25	成功	84%
3	0.50	成功	70%
4	0.75	失败	50%
5	0.85	失败	50%
66	1.001.00	失败失败	00

序号序号	触发集大小/个触发集大小/个	水印提取水印提取	模型分类精度模型分类精度
1	20	成功	72%
2	50	成功	68%
3	100	成功	57%
4	120	成功	50%

算法	触发成功率	分类精度降幅

WMcontent^[22]	0.99	0.001 9
WMunrelated^[22]	1	0.004 8
WMnoise^[22]	0.99	0.001 1
Fromscratch^[23]	1	0.003 4
文献[25]算法	0.99	0.002 8
本文算法	0.99	0.000 7

基于差分隐私的深度伪造指纹检测模型版权保护算法

Copyright protection algorithm based on differential privacy deep fake fingerprint detection model

在线阅读

PDF下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 14

参考文献 39

相关文章 15

Metrics

推荐阅读 0

[1]	张佳乐, 朱诚诚, 孙小兵, 陈兵. 基于GAN的联邦学习成员推理攻击与防御方法[J]. 通信学报, 2023, 44(5): 193-205.
[2]	冯涛, 陈李秋, 方君丽, 石建明. 基于本地化差分隐私和属性基可搜索加密的区块链数据共享方案[J]. 通信学报, 2023, 44(5): 224-233.
[3]	余晟兴, 陈泽凯, 陈钟, 刘西蒙. DAGUARD：联邦学习下的分布式后门攻击防御方案[J]. 通信学报, 2023, 44(5): 110-122.
[4]	张淑芬, 董燕灵, 徐精诚, 王豪石. 基于目标扰动的AdaBoost算法[J]. 通信学报, 2023, 44(2): 198-209.
[5]	汤凌韬, 王迪, 刘盛云. 面向非独立同分布数据的联邦学习数据增强方案[J]. 通信学报, 2023, 44(1): 164-176.
[6]	王瀚仪, 李效光, 毕文卿, 陈亚虹, 李凤华, 牛犇. 多级本地化差分隐私算法推荐框架[J]. 通信学报, 2022, 43(8): 52-64.
[7]	张勇, 李丹丹, 韩璐, 黄小红. 隐私保护的群体感知数据交易算法[J]. 通信学报, 2022, 43(5): 1-13.
[8]	吴德阳, 胡森, 王苗苗, 金海波, 曲长波, 唐勇. 基于区域异或和三值量化的高分辨零水印算法[J]. 通信学报, 2022, 43(2): 208-222.
[9]	康海燕, 冀源蕊. 基于本地化差分隐私的联邦学习方法研究[J]. 通信学报, 2022, 43(10): 94-105.
[10]	彭长根, 高婷, 刘惠篮, 丁红发. 面向机器学习模型的基于PCA的成员推理攻击[J]. 通信学报, 2022, 43(1): 149-160.
[11]	晏燕, 丛一鸣, Adnan Mahmood, 盛权政. 基于深度学习的位置大数据统计发布与隐私保护方法[J]. 通信学报, 2022, 43(1): 203-216.
[12]	陈思, 付安民, 苏铓, 孙怀江. 基于差分隐私的轨迹隐私保护方案[J]. 通信学报, 2021, 42(9): 54-64.
[13]	李洪涛, 任晓宇, 王洁, 马建峰. 基于差分隐私的连续位置隐私保护机制[J]. 通信学报, 2021, 42(8): 164-175.
[14]	蔡剑平, 刘西蒙, 熊金波, 应作斌, 吴英杰. 差分隐私下多重一致性约束问题的逼近方法[J]. 通信学报, 2021, 42(6): 107-117.
[15]	朱素霞, 刘抒伦, 孙广路. 基于相对熵和K-means的形状相似差分隐私轨迹保护机制[J]. 通信学报, 2021, 42(2): 113-123.