基于差分隐私的深度伪造指纹检测模型版权保护算法

doi:10.11959/j.issn.1000-436x.2022184

Abstract

Abstract:

A copyright protection algorithm based on differential privacy for deep fake fingerprint detection model (DFFDM) was proposed, realizing active copyright protection and passive copyright verification of DFFDM without weakening the performance of the original task.In the original task training, noise was added to introduce randomness, and the expected stability of the differential privacy algorithm was used to make classification decisions to reduce the sensitivity to noise.In passive verification, FGSM was used to generate adversarial samples, the decision boundary was fine-adjusted to establish a backdoor, and the mapping was used as an implanted watermark to realize passive verification.To solve the copyright confusion caused by multiple backdoors, a watermark verification framework was designed, which stamped the trigger backdoors and identified the copyright with the help of time order.In active protection, to provide users with hierarchical services, the key neurons in the task were frozen by probabilistic selection strategy, and the access rights were designed to realize the thawing of neurons, so as to obtain the right to use the original task.Experimental results show that the backdoor verification is still effective under different model performance, and the embedded backdoor shows a certain robustness to the model modification.Also, the proposed algorithm can resist not only the collusion attack by the attacker to recruit legitimate users, but also the fine-tuning and compression attacks caused by the model modification.

Key words: copyright protection, adversarial samples, differential privacy, model watermark, fake fingerprint detection

CLC Number:

TP391

Chengsheng YUAN, Qiang GUO, Zhangjie FU. Copyright protection algorithm based on differential privacy deep fake fingerprint detection model[J]. Journal on Communications, 2022, 43(9): 181-193.

Figures/Tables 14

References 39

[1]	YADAV J , JAFFERY Z A , SINGH L ． A short review on machine learning techniques used for fingerprint recognition［J］． Journal of Critical Reviews, 2020,7(13): 2768-2773.
[2]	YUAN C S , YU P P , XIA Z H ,et al． FLD-SRC:fingerprint liveness detection for AFIS based on spatial ridges continuity［J］． IEEE Journal of Selected Topics in Signal Processing, 2022,16(4): 817-827．
[3]	HE Y , ZHAO N , YIN H X ． Integrated networking,caching,and computing for connected vehicles:a deep reinforcement learning approach［J］． IEEE Transactions on Vehicular Technology, 2018,67(1): 44-55．
[4]	ZHAO D B , CHEN Y R , LV L ． Deep reinforcement learning with visual attention for vehicle classification［J］． IEEE Transactions on Cognitive and Developmental Systems, 2017,9(4): 356-367．
[5]	LI X L , DING L K , WANG L ,et al． FPGA accelerates deep residual learning for image recognition［C］// Proceedings of IEEE 2nd Information Technology,Networking,Electronic and Automation Control Conference． Piscataway:IEEE Press, 2017: 837-840．
[6]	SIMONYAN K , ZISSERMAN A ． Very deep convolutional networks for large-scale image recognition［J］． arXiv Preprint,arXiv:1409．1556, 2014．
[7]	COLLOBERT R , WESTON J , BOTTOU L ,et al． Natural language processing (almost) from scratch［J］． Journal of Machine Learning Research, 2011,12: 2493-2537．
[8]	BHUYAN M P , SARMA S K , RAHMAN M ． Natural language processing based stochastic model for the correctness of Assamese sentences［C］// Proceedings of the 5th International Conference on Com munication and Electronics Systems (ICCES)． Piscataway:IEEE Press, 2020: 1179-1182．
[9]	YUAN C S , JIAO S M , SUN X M ,et al． MFFFLD:a multimodal-feature-fusion-based fingerprint liveness detection［J］． IEEE Transactions on Cognitive and Developmental Systems, 2022,14(2): 648-661．
[10]	CETINIC E , LIPIC T , GRGIC S ． Fine-tuning convolutional neural networks for fine art classification［J］． Expert Systems with Applications, 2018,114: 107-118．
[11]	UCHIDA Y , NAGAI Y , SAKAZAWA S ,et al． Embedding watermarks into deep neural networks［C］// Proceedings of the 2017 ACM on International Conference on Multimedia Retrieval． New York:ACM Press, 2017: 269-277．
[12]	LIU Z , SUN M , ZHOU T ,et al． Rethinking the value of network pruning［J］． arXiv Preprint,arXiv:1810．05270, 2018．
[13]	LE M E , PéREZ P , TRéDAN G , ． Adversarial frontier stitching for remote neural network watermarking［J］． Neural Computing and Applications, 2020,32(13): 9233-9244．
[14]	ZHU R , ZHANG X , SHI M ,et al． Secure neural network watermarking protocol against forging attack［J］． EURASIP Journal on Image and Video Processing, 2020,2020(1): 1-12．
[15]	TIAN J Y , ZHOU J T , DUAN J ． Probabilistic selective encryption of convolutional neural networks for hierarchical services［C］// Proceed ings of IEEE/CVF Conference on Computer Vision and Pattern Recognition． Piscataway:IEEE Press, 2021: 2205-2214．
[16]	樊雪峰, 周晓谊, 朱冰冰 ,等．深度神经网络模型版权保护方案综述［J］．计算机研究与发展, 2022,59(5): 953-977．
	FAN X F , ZHOU X Y , ZHU B B ,et al． Survey of copyright protection schemes based on DNN model［J］． Journal of Computer Research and Development, 2022,59(5): 953-977．
[17]	KURIBAYASHI M , TANAKA T , FUNABIKI N ． Deepwatermark:embedding watermark into DNN model［C］// Proceedings of Asia-Pacific Signal and Information Processing Association Annual Summit and Conference． Piscataway:IEEE Press, 2020: 1340-1346．
[18]	ROUHANI B D , CHEN H L , KOUSHANFAR F ． DeepSigns:an end-to-end watermarking framework for ownership protection of deep neural networks［C］// Proceedings of the Twenty-Fourth International Conference on Architectural Support for Programming Languages and Operating Systems． New York:ACM Press, 2019: 485-497．
[19]	FENG L , ZHANG X ． Watermarking neural network with compensation mechanism［C］// Proceedings of International Conference on Knowledge Science,Engineering and Management． Berlin:Springer, 2020: 363-375．
[20]	FAN L , NG K W , CHAN C S ． Rethinking deep neural network ownership verification:embedding passports to defeat ambiguity attacks［C］// Proceedings of Annual Conference on Neural Information Processing Systems． Massachusetts:MIT Press, 2019: 4716-4725．
[21]	ZHANG J , CHEN D , LIAO J ,et al． Passport-aware normalization for deep model protection［J］． Advances in Neural Information Processing Systems, 2020,33: 22619-22628．
[22]	ZHANG J , GU Z , JANG J ,et al． Protecting intellectual property of deep neural networks with watermarking［C］// Proceedings of the 2018 on Asia Conference on Computer and Communications Security． New York:ACM Press, 2018: 159-172．
[23]	ADI Y , BAUM C , CISSE M ,et al． Turning your weakness into a strength:watermarking deep neural networks by backdooring［J］． arXiv Preprint,arXiv:1802．04633, 2018．
[24]	GUO J , POTKONJAK M ． Evolutionary trigger set generation for DNN black-box watermarking［J］． arXiv Preprint,arXiv:1906．04411, 2019．
[25]	GUO J , POTKONJAK M ． Watermarking deep neural networks for embedded systems［C］// Proceedings of IEEE/ACM International Conference on Computer-Aided Design． Piscataway:IEEE Press, 2018: 1-8．
[26]	JIA H , CHOQUETTE-CHOO C A , CHANDRASEKARAN V ,et al. Entangled watermarks as a defense against model extraction［C］// Proceedings of the 30th USENIX Security Symposium． Berkeley:USENIX Association, 2021: 1937-1954．
[27]	ZHONG Q , ZHANG L Y , ZHANG J ,et al． Protecting IP of deep neural networks with watermarking:a new label helps［C］// Advances in Knowledge Discovery and Data Mining． Berlin:Springer, 2020: 462-474．
[28]	QUAN Y H , TENG H , CHEN Y X ,et al． Watermarking deep neural networks in image processing［J］． IEEE Transactions on Neural Networks and Learning Systems, 2021,32(5): 1852-1865．
[29]	ONG D S , SENG C C E , NG K W ,et al． Protecting intellectual property of generative adversarial networks from ambiguity attacks［C］// Proceedings of IEEE/CVF Conference on Computer Vision and Pattern Recognition． Piscataway:IEEE Press, 2021: 3629-3638．
[30]	ZHU R , WEI P , LI S ,et al． Fragile neural network watermarking with trigger image set［C］// Proceedings of International Conference on Knowledge Science,Engineering and Management． Berlin:Springer, 2021: 280-293．
[31]	ZHANG J , CHEN D D , LIAO J ,et al． Deep model intellectual property protection via deep watermarking［J］． IEEE Transactions on Pattern Analysis and Machine Intelligence, 2022,44(8): 4005-4020．
[32]	WU H , LIU G , YAO Y ,et al． Watermarking neural networks with watermarked images［J］． IEEE Transactions on Circuits and Systems for Video Technology, 2020,31(7): 2591-2601．
[33]	HUANG S , PAPERNOT N , GOODFELLOW I ,et al． Adversarial attacks on neural network policies［J］． arXiv Preprint,arXiv:1702．02284, 2017．
[34]	LECUYER M , ATLIDAKIS V , GEAMBASU R ,et al． Certified robustness to adversarial examples with differential privacy［C］// Proceedings of 2019 IEEE Symposium on Security and Privacy． Piscataway:IEEE Press, 2019: 656-672．
[35]	刘艺菲, 王宁, 王志刚 ,等．混洗差分隐私下的多维类别数据的收集与分析［J］．软件学报, 2022,33(3): 1093-1110．
	LIU Y F , WANG N , WANG Z G ,et al． Collecting and analyzing multidimensional categorical data under shuffled differential privacy［J］． Journal of Software, 2022,33(3): 1093-1110．
[36]	SHAYER O , LEVI D , FETAYA E ． Learning discrete weights using the local reparameterization trick［J］． arXiv Preprint,arXiv:1710．07739, 2017．
[37]	LOUIZOS C , WELLING M , KINGMA D P ． Learning sparse neural networks through L0 regularization［J］． arXiv Preprint,arXiv:1712．01312, 2017．
[38]	BOGDANOV A , KNE?EVI? M , LEANDER G ,et al. SPONGENT:a lightweight hash function［C］// Proceedings of International Workshop on Cryptographic Hardware and Embedded Systems． Berlin:Springer, 2011: 312-325．
[39]	SHAFAHI A , HUANG W R , STUDER C ,et al． Are adversarial examples inevitable?［J］． arXiv Preprint,arXiv:1809．02104, 2018．

Metrics

Recommended 0

No Suggested Reading articles found!

序号序号	模型压缩率模型压缩率	水印提取水印提取	模型分类精度模型分类精度
1	0.00	成功	90%
2	0.25	成功	84%
3	0.50	成功	70%
4	0.75	失败	50%
5	0.85	失败	50%
66	1.001.00	失败失败	00

序号序号	触发集大小/个触发集大小/个	水印提取水印提取	模型分类精度模型分类精度
1	20	成功	72%
2	50	成功	68%
3	100	成功	57%
4	120	成功	50%

算法	触发成功率	分类精度降幅

WMcontent^[22]	0.99	0.001 9
WMunrelated^[22]	1	0.004 8
WMnoise^[22]	0.99	0.001 1
Fromscratch^[23]	1	0.003 4
文献[25]算法	0.99	0.002 8
本文算法	0.99	0.000 7

Copyright protection algorithm based on differential privacy deep fake fingerprint detection model

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 14

References 39

Related Articles 15

Metrics

Recommended 0

[1]	Tao FENG, Liqiu CHEN, Junli FANG, Jianming SHI. Blockchain data sharing scheme based on localized difference privacy and attribute-based searchable encryption [J]. Journal on Communications, 2023, 44(5): 224-233.
[2]	Shengxing YU, Zekai CHEN, Zhong CHEN, Ximeng LIU. DAGUARD: distributed backdoor attack defense scheme under federated learning [J]. Journal on Communications, 2023, 44(5): 110-122.
[3]	Shufen ZHANG, Yanling DONG, Jingcheng XU, Haoshi WANG. AdaBoost algorithm based on target perturbation [J]. Journal on Communications, 2023, 44(2): 198-209.
[4]	Lingtao TANG, Di WANG, Shengyun LIU. Data augmentation scheme for federated learning with non-IID data [J]. Journal on Communications, 2023, 44(1): 164-176.
[5]	Hanyi WANG, Xiaoguang LI, Wenqing BI, Yahong CHEN, Fenghua LI, Ben NIU. Multi-level local differential privacy algorithm recommendation framework [J]. Journal on Communications, 2022, 43(8): 52-64.
[6]	Yong ZHANG, Dandan LI, Lu HAN, Xiaohong HUANG. Privacy-protected crowd-sensed data trading algorithm [J]. Journal on Communications, 2022, 43(5): 1-13.
[7]	Deyang WU, Sen HU, Miaomiao WANG, Haibo JIN, Changbo QU, Yong TANG. Discriminative zero-watermarking algorithm based on region XOR and ternary quantization [J]. Journal on Communications, 2022, 43(2): 208-222.
[8]	Haiyan KANG, Yuanrui JI. Research on federated learning approach based on local differential privacy [J]. Journal on Communications, 2022, 43(10): 94-105.
[9]	Yan YAN, Yiming CONG, Mahmood Adnan, Quanzheng SHENG. Statistics release and privacy protection method of location big data based on deep learning [J]. Journal on Communications, 2022, 43(1): 203-216.
[10]	Si CHEN, Anmin FU, Mang SU, Huaijiang SUN. Trajectory privacy protection scheme based on differential privacy [J]. Journal on Communications, 2021, 42(9): 54-64.
[11]	Hongtao LI, Xiaoyu REN, Jie WANG, Jianfeng MA. Continuous location privacy protection mechanism based on differential privacy [J]. Journal on Communications, 2021, 42(8): 164-175.
[12]	Jianping CAI, Ximeng LIU, Jinbo XIONG, Zuobin YING, Yingjie WU. Approximation method of multiple consistency constraint under differential privacy [J]. Journal on Communications, 2021, 42(6): 107-117.
[13]	Suxia ZHU, Shulun LIU, Guanglu SUN. Shape similarity differential privacy trajectory protection mechanism based on relative entropy and K-means [J]. Journal on Communications, 2021, 42(2): 113-123.
[14]	Yang LIU, Jun LI, Wenyun CHEN, Mugen PENG. Research on endogenous security data sharing mechanism of F-RAN for 6G [J]. Journal on Communications, 2021, 42(1): 67-78.
[15]	Ayong YE,Lingyu MENG,Ziwen ZHAO,Yiqing DIAO,Jiaomei ZHANG. Trajectory differential privacy protection mechanism based on prediction and sliding window [J]. Journal on Communications, 2020, 41(4): 123-133.