一种新型深度分类神经网络黑盒指纹水印算法

doi:10.3969/j.issn.0255-8297.2024.03.010

应用科学学报 ›› 2024, Vol. 42 ›› Issue (3): 486-498.doi: 10.3969/j.issn.0255-8297.2024.03.010

• 数字媒体取证与安全专栏 • 上一篇下一篇

一种新型深度分类神经网络黑盒指纹水印算法

莫谋科¹, 王春桃^1,2,3,4, 郭庆文¹, 边山^1,2

1. 华南农业大学数学与信息学院, 广东广州 510610;
2. 农业农村部华南热带智慧农业技术重点实验室, 广东广州 510610;
3. 广东省农业人工智能重点实验室, 广东广州 510610;
4. 广州市智慧农业重点实验室, 广东广州 510610

收稿日期:2023-11-23 发布日期:2024-06-06
通信作者: 王春桃，教授，博导，研究方向为信息隐藏和多媒体信号处理。E-mail: wangct@scau.edu.cn E-mail:wangct@scau.edu.cn
基金资助:
国家自然科学基金（No. 62172165, No. U22B2047）；广东省自然科学基金（No. 2022A1515010325）；广州市基础与应用基础研究项目（No. 202201010742）；广州市科技项目（No. 202102020582）资助

A Novel Black-Box Finger-Print Watermarking Algorithm for Deep Classification Neural Network

MO Mouke¹, WANG Chuntao^1,2,3,4, GUO Qingwen¹, BIAN Shan^1,2

1. College of Mathematics and Informatics, South China Agricultural University, Guangzhou 510610, Guangdong, China;
2. Key Laboratory of Smart Agricultural Technology in Tropical South China, Guangzhou 510610, Guangdong, China;
3. Guangdong Key Laboratory of Agricultural Artificial Intelligence, Guangzhou 510610, Guangdong, China;
4. Guangzhou Key Laboratory of Intelligent Agriculture, Guangzhou 510610, Guangdong, China

Received:2023-11-23 Published:2024-06-06

摘要/Abstract

摘要： 提出了一种新型的强鲁棒黑盒指纹水印框架及方法。首先，提出了一种基于数字水印技术的高视觉质量的、具有一定安全性的毒化图像构造方法，将指示用户身份的信息嵌入到毒化图像，实现多用户场景下深度神经网络模型的可追溯性，并降低毒化图像被伪造的概率；其次，提出了毒化特征加强模块来优化模型训练；最后，设计了对抗训练策略，有效地学习到嵌入强度很小的指纹水印。大量的仿真实验表明，所构造的毒化图像中的指纹水印具有非常好的隐蔽性，大幅超越了WaNet等同类最优模型水印方法；以分类性能降低不超过2.4%的代价获得了超过99%的黑盒模型指纹水印验证率；且即便在指纹水印相差1位时亦能准确地进行模型水印版权验证。这些性能总体上优于同类最优的模型水印方法，表明了所提方法的可行性和有效性。

关键词: 黑盒模型水印, 分类模型, 毒化图像, 指纹水印, 鲁棒性

Abstract: This paper proposes a novel framework and method for strong robust blackbox classification model finger-print watermarking. First of all, we develop a method for constructing poisoned images with high visual quality and enhanced security based on digital watermarking technology. This method embeds user identity information into the poisoned image, enabling traceability of deep neural network models in multiuser scenarios and reducing the susceptibility of the poisoned image to forgery. Second, we introduce a poisoned feature enhancement module to optimize the training of the model. Finally, we design an adversary training strategy, which can effectively learn the finger-print watermark with minimal embedding strength and reduce the probability of forged poisoned images. Extensive simulation experiments show that the good invisibility of the fingerprint watermark in the poisoned image constructed by our method, superior to similar optimal model watermarking methods such as WaNet. More than 99% of the black-box model finger-print watermarking verification rate is obtained at the cost of no more than a 2.4% reduction in the classification performance. Even with a difference of just one bit in the finger-print watermark, accurate verification of the model watermarking by copyright is achieved. These performances are generally better than the best-in-class model watermarking methods, demonstrating the feasibility and effectiveness of our proposed method.

Key words: black-box model watermarking, classification models, poisoned images, fingerprint watermarking, robustness

中图分类号:

TP309

莫谋科, 王春桃, 郭庆文, 边山. 一种新型深度分类神经网络黑盒指纹水印算法[J]. 应用科学学报, 2024, 42(3): 486-498.

MO Mouke, WANG Chuntao, GUO Qingwen, BIAN Shan. A Novel Black-Box Finger-Print Watermarking Algorithm for Deep Classification Neural Network[J]. Journal of Applied Sciences, 2024, 42(3): 486-498.

参考文献

[1] He K M, Zhang X Y, Ren S Q, et al. Deep residual learning for image recognition [C]//IEEE Conference on Computer Vision and Pattern Recognition (CVPR), 2016: 770-778.
[2] Krizhevsky A, Sutskever I, Hinton G E. ImageNet classification with deep convolutional neural networks [J]. Communications of the ACM, 2017, 60(6): 84-90.
[3] Zhao L J, Bai H H, Wang A H, et al. Multiple description convolutional neural networks for image compression [J]. IEEE Transactions on Circuits and Systems for Video Technology, 2019, 29(8): 2494-2508.
[4] Yang R, Xu M, Liu T, et al. Enhancing quality for HEVC compressed videos [J]. IEEE Transactions on Circuits and Systems for Video Technology, 2019, 29(7): 2039-2054.
[5] Kang K, Li H S, Yan J J, et al. T-CNN: tubelets with convolutional neural networks for object detection from videos [J]. IEEE Transactions on Circuits and Systems for Video Technology, 2018, 28(10): 2896-2907.
[6] Devlin J, Chang M W, Lee K, et al. BERT: pre-training of deep bidirectional transformers for language understanding [DB/OL]. 2018[2023-11-23]. http://arxiv.org/abs/1810.04805.
[7] Doan K D, Reddy C K. Efficient implicit unsupervised text hashing using adversarial autoencoder [C]//Proceedings of the Web Conference, 2020: 684-694.
[8] Liu Y T, Xie Y, Srivastava A. Neural trojans [C]//2017 IEEE International Conference on Computer Design (ICCD), 2017: 45-48.
[9] Liu Y Q, Ma S Q, Aafer Y, et al. Trojaning attack on neural networks [C]//Proceedings 2018 Network and Distributed System Security Symposium, 2018: 1781.
[10] Gu T Y, Dolan-Gavitt B, Garg S. BadNets: identifying vulnerabilities in the machine learning model supply chain [DB/OL]. 2017[2023-11-23]. https://arxiv.org/abs/1708.06733.
[11] Chen X Y, Liu C, Li B, et al. Targeted backdoor attacks on deep learning systems using data poisoning [DB/OL]. 2017[2023-11-23]. https://arxiv.org/abs/1712.05526.
[12] Barni M, Kallas K, Tondi B. A new backdoor attack in CNNS by training set corruption without label poisoning [C]//2019 IEEE International Conference on Image Processing (ICIP), 2019: 101-105.
[13] Nguyen A, Tran A. WaNet-imperceptible warping-based backdoor attack [DB/OL]. 2021[2023-11-23]. http://arxiv.org/abs/2102.10369.
[14] Xu T, Li Y M, Jiang Y, et al. BATT: backdoor attack with transformation-based triggers [C]//IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP), 2023: 1-5.
[15] Wang Z T, Zhai J, Ma S Q. BppAttack: stealthy and efficient Trojan attacks against deep neural networks via image quantization and contrastive adversarial learning [C]//IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), 2022: 15054-15063.
[16] Doan K, Lao Y J, Zhao W J, et al. LIRA: learnable, imperceptible and robust backdoor attacks [C]//IEEE/CVF International Conference on Computer Vision (ICCV), 2021: 11946- 11956.
[17] Li Y Z, Li Y M, Wu B Y, et al. Invisible backdoor attack with sample-specific triggers [C]//IEEE/CVF International Conference on Computer Vision (ICCV), 2021: 16443-16452.
[18] Wang T, Yao Y, Xu F, et al. An invisible black-box backdoor attack through frequency domain [C]//European Conference on Computer Vision, 2022: 396-413.
[19] Kwon H, Kim Y. BlindNet backdoor: attack on deep neural network using blind watermark [J]. Multimedia Tools and Applications, 2022, 81(5): 6217-6234.
[20] Navas K A, Ajay M C, Lekshmi M, et al. DWT-DCT-SVD based watermarking [C]//2008 3rd International Conference on Communication Systems Software and Middleware and Workshops (COMSWARE ’08), 2008: 271-274.
[21] Kansal M, Singh G, Kranthi B V. DWT, DCT and SVD based digital image watermarking [C]//2012 International Conference on Computing Sciences, 2012: 77-81.
[22] Singh A K, Dave M, Mohan A. Hybrid technique for robust and imperceptible image watermarking in DWT-DCT-SVD domain [J]. National Academy Science Letters, 2014, 37(4): 351-358.
[23] Cheng S Y, Liu Y Q, Ma S Q, et al. Deep feature space Trojan attack of neural networks by controlled detoxification [J]. Proceedings of the AAAI Conference on Artificial Intelligence, 2021, 35(2): 1148-1156.
[24] Zhu J Y, Park T, Isola P, et al. Unpaired image-to-image translation using cycle-consistent adversarial networks [C]//IEEE International Conference on Computer Vision (ICCV), 2017: 2242-2251.
[25] Ronneberger O, Fischer P, Brox T. U-Net: convolutional networks for biomedical image segmentation [C]//International Conference on Medical Image Computing and ComputerAssisted Intervention, 2015: 234-241.
[26] Krizhevsky A. Learning multiple layers of features from tiny images [J]. Handbook of Systemic Autoimmune Diseases, 2009, 1(4): 1-60.
[27] Stallkamp J, Schlipsing M, Salmen J, et al. Man vs. computer: benchmarking machine learning algorithms for traffic sign recognition [J]. Neural Networks, 2012, 32: 323-332.
[28] Liu Z W, Luo P, Wang X G, et al. Deep learning face attributes in the wild [C]//IEEE International Conference on Computer Vision (ICCV), 2015: 3730-3738.

一种新型深度分类神经网络黑盒指纹水印算法

A Novel Black-Box Finger-Print Watermarking Algorithm for Deep Classification Neural Network

PDF

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 12

编辑推荐

Metrics

本文评价

[1]	董腾林, 李欣然, 姚恒, 秦川. 基于图像分类的鲁棒无载体信息隐藏[J]. 应用科学学报, 2021, 39(6): 893-905.
[2]	陈青, 夏兰婷, 卜莹. 基于两级奇异值分解的鲁棒水印算法[J]. 应用科学学报, 2020, 38(6): 966-975.
[3]	曹敏, 郑淑丽, 胡东辉, 王亮. 基于重嵌入的鲁棒可逆水印算法[J]. 应用科学学报, 2017, 35(3): 373-382.
[4]	钱华明1，葛磊1,2，黄蔚1. 一种改进的强跟踪滤波算法[J]. 应用科学学报, 2015, 33(1): 32-40.
[5]	刘日，孙秀霞，李大东，董文瀚. 反馈线性化超低空空投抗侧风滑模控制律设计[J]. 应用科学学报, 2014, 32(3): 311-318.
[6]	丁友东1，庞海波2,3，吴学纯2，魏小成2. 一种用于手势识别的局部均值模式纹理描述子[J]. 应用科学学报, 2013, 31(5): 526-532.
[7]	高有涛1，陆宇平1;2，徐波2. 卫星编队飞行的神经网络滑模控制[J]. 应用科学学报, 2009, 27(6): 651-656.
[8]	石先军于伟东;. 基于显微图像的动物纤维鉴别技术 (英)[J]. 应用科学学报, 2009, 27(1): 62-66 .
[9]	张正道, 胡寿松. 基于RBF神经网络的免疫控制器结构[J]. 应用科学学报, 2004, 22(3): 388-391.
[10]	贤燕华, 罗晓曙, 梁宗经, 翁甲强. DC-DC Buck开关功率变换器的滑模变结构控制[J]. 应用科学学报, 2004, 22(3): 351-355.
[11]	周星德, 陈国荣. 基于可控度/鲁棒性的框架结构综合设计研究[J]. 应用科学学报, 2003, 21(4): 397-400.
[12]	陈玉东, 翁正新, 施颂椒. 基于最小二乘估计的非线性离散系统鲁棒故障诊断[J]. 应用科学学报, 2003, 21(1): 77-83.