神经网络水印综述

doi:10.3969/j.issn.0255-8297.2021.06.001

摘要/Abstract

摘要： 梳理了近年来神经网络水印技术的发展脉络,将主流方法大致归为白盒水印、黑盒水印、无盒水印和脆弱水印。综述了神经网络水印的评价指标和上述4种不同类型的神经网络水印技术,探讨了现有神经网络水印方案的优缺点,并对未来的发展趋势进行了展望。

关键词: 神经网络, 深度模型, 数字水印, 人工智能

Abstract: This article sorts out the development context of neural network watermarking technology in recent years, and roughly classifies the mainstream methods into four categories, namely white box watermark, black box watermark, boxless watermark and fragile watermark. Specifically, this article reviews the evaluation indicators of neural network watermarking and these four different types of neural network watermarking technologies, discusses the advantages and disadvantages of existing neural network watermarking schemes, and looks forward to the future development trend.

Key words: neural networks, deep models, digital watermark, artificial intelligence

中图分类号:

TP309

冯乐, 朱仁杰, 吴汉舟, 张新鹏, 钱振兴. 神经网络水印综述[J]. 应用科学学报, 2021, 39(6): 881-892.

FENG Le, ZHU Renjie, WU Hanzhou, ZHANG Xinpeng, QIAN Zhenxing. Survey of Neural Network Watermarking[J]. Journal of Applied Sciences, 2021, 39(6): 881-892.

参考文献

[1] Agarap A F. Deep learning using rectified linear units (ReLU)[J]. arXiv preprintarXiv:1803.08375, 2018.
[2] Szegedy C, Ioffe S, Vanhoucke V, et al. Inception-v4, Inception-ResNet and the impact of residual connections on learning[C]//Proceedings of the AAAI Conference on Artificial Intelligence, 2017:1-12.
[3] Kingma D P, Ba J. Adam:a method for stochastic optimization[C]//International Conference on Learning Representations (ICLR), 2014.
[4] Redmon J, Farhadi A. Yolov3:an incremental improvement[J]. arXiv preprintarXiv:1804.02767, 2018.
[5] He K, Gkioxari G, Dollár P, et al. Mask R-CNN[C]//Proceedings of the IEEE International Conference on Computer Vision, 2017:2961-2969.
[6] Glavaš G, Nanni F, Ponzetto S P. Computational analysis of political texts:bridging research efforts across communities[C]//Proceedings of the 57th Annual Meeting of the Association for Computational Linguistics:Tutorial Abstracts, 2019:18-23.
[7] Conneau A, Khandelwal K, Goyal N, et al. Un-supervised cross-lingual representation learning at scale[J]. arXiv preprint arXiv:1911.02116, 2019.
[8] Moraes R, Valiati J F, Neto W P G. Document-level sentiment classification:an empirical comparison between SVM and ANN[J]. Expert Systems with Applications, 2013, 40(2):621-633.
[9] Mcguffie K, Newhouse A. The radicalization risks of GPT-3 and advanced neural language models[J]. arXiv preprint arXiv:2009.06807, 2020.
[10] Walia E, Suneja A. A robust watermark authentication technique based on Weber's descriptor[J]. Signal, Image and Video Processing, 2014, 8(5):859-872.
[11] Zhou N R, Luo A W, Zou W P. Secure and robust watermark scheme based on multiple transforms and particle swarm optimization algorithm[J]. Multimedia Tools and Applications, 2019, 78(2):2507-2523.
[12] Bravo-Solorio S, Calderon F, Li C, et al. Fast fragile watermark embedding and iterative mechanism with high self-restoration performance[J]. Digital Signal Processing, 2018, 73:83-92.
[13] Wu C, Shih Y. A simple image tamper detection and recovery based on fragile watermark with one parity section and two restoration sections[J]. Optics and Photonics Journal, 2013, 3(2):103-107.
[14] Cox I, Kilian J, Leighton F T, et al. Secure spread spectrum watermarking for multimedia[J]. IEEE Transactions on Image Processing, 1997, 6(12):1673-1687.
[15] Jiang N, Zhao N, Wang L. LSB based quantum image steganography algorithm[J]. International Journal of Theoretical Physics, 2016, 55(1):107-123.
[16] Barni M, Bartolini F, Cappellini V, et al. A DCT-domain system for robust image watermarking[J]. Signal Processing, 1998, 66(3):357-372.
[17] Srivastava R, Kumar B, Singh A K, et al. Computationally efficient joint imperceptible image watermarking and jpeg compression:a green computing approach[J]. Multimedia Tools and Applications, 2018, 77(13):16447-16459.
[18] Ganic E, Eskicioglu A M. Robust DWT-SVD domain image watermarking:embedding data in all frequencies[C]//Proceedings of the 2004 Workshop on Multimedia and Security, 2004:166-174.
[19] Zhang X. Reversible data hiding in encrypted image[J]. IEEE Signal Processing Letters, 2011, 18(4):255-258.
[20] Zhang X. Separable reversible data hiding in encrypted image[J]. IEEE Transactions on Information Forensics and Security, 2011, 7(2):826-832.
[21] Uchida Y, Nagai Y, Sakazawa S, et al. Embedding watermarks into deep neural networks[C]//Proceedings of the 2017 ACM on International Conference on Multimedia Retrieval, 2017:269-277.
[22] Adi Y, Baum C, Cisse M, et al. Turning your weakness into a strength:watermarking deep neural networks by backdooring[C]//The 27th Security Symposium, 2018:1615-1631.
[23] Wu H, Liu G, Yao Y, et al. Watermarking neural networks with water-marked images[J]. IEEE Transactions on Circuits and Systems for Video Technology, 2020, 31(7):2591-2601.
[24] Guan X, Feng H, Zhang W, et al. Reversible watermarking in deep convolutional neural networks for integrity authentication[C]//Proceedings of the 28th ACM International Conference on Multimedia, 2020:2273-2280.
[25] Zhang T, Ye S, Zhang K, et al. A systematic DNN weight pruning framework using alternating direction method of multipliers[C]//Proceedings of the European Conference on Computer Vision (ECCV), 2018:184-199.
[26] Hou L, Kwok J T. Loss-aware weight quantization of deep networks[J]. arXiv preprintarXiv:1802.08635, 2018.
[27] Lu Z, Sindhwani V, Sainath T N. Learning compact recurrent neural networks[C]//IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP), 2016:5960- 5964.
[28] Wang W, Sun Y, Eriksson B, et al. Wide compression:tensor ring nets[C]//Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, 2018:9329-9338.
[29] Polino A, Pascanu R, Dan A. Model compression via distillation and quantization[J]. arXiv preprint arXiv:1802.05668, 2018.
[30] Truong J, Maini P, Walls R, et al. Data-free model extraction[J]. arXiv preprint arXiv:2011.14779, 2020.
[31] Molnar C, König G, Herbinger J, et al. Pitfalls to avoid when interpreting machine learning models[J]. arXiv preprint arXiv:2007.04131, 2020.
[32] Wang T, Kerschbaum F. Attacks on digital watermarks for deep neural networks[C]//IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP2019), 2019:2622- 2626.
[33] Feng L, Zhang X. Watermarking neural network with compensation mechanism[C]//International Conference on Knowledge Science, Engineering and Management, 2020:363- 375.
[34] Rouhani B D, Chen H, Koushanfar F. Deepsigns:an end-to-end watermarking framework for ownership protection of deep neural networks[C]//Proceedings of the 24th International Conference on Architectural Support for Programming Languages and Operating Systems, 2019:485-497.
[35] Fan L X, Ng K W, Chan C S. Rethinking deep neural network ownership verification:embedding passports to defeat ambiguity attacks[C]//Advances in Neural Information Processing Systems 32:Annual Conference on Neural Information Processing Systems, Vancouver, Canada, 2019:4716-4725.
[36] He K, Zhang X, Ren S. Deep residual learning for image recognition[C]//Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, 2016:770-778.
[37] Gu T, Dolan-Gavitt B, Garg S. BadNets:identifying vulnerabilities in the machine learning model supply chain[J]. arXiv preprint arXiv:1708.06733, 2017.
[38] Zhang J, Gu Z, Jang J, et al. Protecting intellectual property of deep neural networks with watermarking[C]//Proceedings of the 2018 on Asia Conference on Computer and Communications Security, 2018:159-172.
[39] Merrer E L, Perez P, Trédan G. Adversarial frontier stitching for remote neural network watermarking[J]. Neural Computing and Applications, 2020, 32(13):9233-9244.
[40] Guo J, Potkonjak M. Watermarking deep neural networks for embedded systems[C]//2018 IEEE/ACM International Conference on Computer-Aided Design (ICCAD), 2018:1-8.
[41] Li Z, Hu C, Zhang Y, et al. How to prove your model belongs to you:a blind-watermark based framework to protect intellectual property of DNN[C]//Proceedings of the 35th Annual Computer Security Applications Conference, 2019:126-137.
[42] Xue M, Wu Z, He C, et al. Active DNN IP protection:a novel user fingerprint management and DNN authorization control technique[C]//2020 IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications, 2020:975-982.
[43] Li H, Willson E, Zheng H. Persistent and unforgeable watermarks for deep neural networks[J]. arXiv preprint arXiv:1910.01226, 2019a.
[44] Aprilpyone M, Kiya H. Piracy-resistant DNN watermarking by block-wise image transformation with secret key[J]. arXiv preprint arXiv:2104.04241, 2021.
[45] Hitaj D, Mancini L V. Have you stolen my model? evasion attacks against deep neural network watermarking techniques[J]. arXiv preprint arXiv:1809.00615, 2018.
[46] Zhu R, Zhang X, Shi M, et al. Secure neural network watermarking protocol against forging attack[J]. EURASIP Journal on Image and Video Processing, 2020, 2020(1):1-12.
[47] Quan Y, Teng H, Chen Y, et al. Watermarking deep neural networks in image processing[J]. IEEE Transactions on Neural Networks and Learning Systems, 2020, 32(5):1852-1865.
[48] Ong D S, Chan C S, Ng K W, et al. Protecting intellectual property of generative adversarial networks from ambiguity attack[J]. arXiv preprintarXiv:2102.04362, 2021.
[49] Zhang J, Chen D, Liao J, et al. Model watermarking for image processing networks[C]//Proceedings of the AAAI Conference on Artificial Intelligence, 2020:12805-12812.
[50] Zhang J, Chen D, Liao J, et al. Deep model intellectual property protection via deep watermarking[J]. IEEE Transactions on Pattern Analysis and Machine Intelligence, 2021, (99):1.
[51] Zhang X, Wang S. Fragile watermarking with error-free restoration capability[J]. IEEE Transactions on Multimedia, 2008, 10(8):1490-1499.
[52] Liu X L, Lin C C, Yuan S W. Blind dual watermarking for color images' authentication and copyright protection[J]. IEEE Transactions on Circuits and Systems for Video Technology, 2016, 28(5):1047-1055.
[53] Fang H, Zhang W, Ma Z, et al. A camera shooting resilient watermarking scheme for underpainting documents[J]. IEEE Transactions on Circuits and Systems for Video Technology, 2019, 30(11):4075-4089.
[54] Abuadbba L, Kim H, Nepal S. DeepiSign:invisible fragile watermark to protect the integrity and authenticity of CNN[C]//The 36th ACM/SIGAPP Symposium on Applied Computing, Virtual Event, Korea, 2021:952-959.