Digital Media Forensics and Security Column

A Novel Black-Box Finger-Print Watermarking Algorithm for Deep Classification Neural Network

  • 1. College of Mathematics and Informatics, South China Agricultural University, Guangzhou 510610, Guangdong, China;
    2. Key Laboratory of Smart Agricultural Technology in Tropical South China, Ministry of Agriculture and Rural Affairs, Guangzhou 510610, Guangdong, China;
    3. Guangdong Key Laboratory of Agricultural Artificial Intelligence, Guangzhou 510610, Guangdong, China;
    4. Guangzhou Key Laboratory of Intelligent Agriculture, Guangzhou 510610, Guangdong, China

Received date: 2023-11-23

Online published: 2024-06-06

Funding

Supported by the National Natural Science Foundation of China (No. 62172165, No. U22B2047), the Natural Science Foundation of Guangdong Province (No. 2022A1515010325), the Guangzhou Basic and Applied Basic Research Project (No. 202201010742) and the Guangzhou Science and Technology Project (No. 202102020582).


Abstract

This paper proposes a novel framework and method for strongly robust black-box fingerprint watermarking. First, a method for constructing poisoned images with high visual quality and a degree of security is proposed on the basis of digital watermarking technology: information indicating the user's identity is embedded into the poisoned images, which makes deep neural network models traceable in multi-user scenarios and lowers the probability that a poisoned image can be forged. Second, a poisoned-feature enhancement module is proposed to optimise model training. Finally, an adversarial training strategy is designed that effectively learns fingerprint watermarks of very small embedding strength. Extensive simulation experiments show that the fingerprint watermark in the constructed poisoned images is highly imperceptible, far exceeding the best comparable model watermarking methods such as WaNet; a black-box model fingerprint watermark verification rate above 99% is obtained at the cost of a drop in classification performance of no more than 2.4%; and model copyright verification remains accurate even when fingerprint watermarks differ by a single bit. Overall these results are better than those of the best comparable model watermarking methods, demonstrating the feasibility and effectiveness of the proposed method.

Cite this article

Mo Mouke, Wang Chuntao, Guo Qingwen, Bian Shan. A novel black-box finger-print watermarking algorithm for deep classification neural network [J]. Journal of Applied Sciences (应用科学学报), 2024, 42(3): 486-498. DOI: 10.3969/j.issn.0255-8297.2024.03.010

Abstract

This paper proposes a novel framework and method for strongly robust black-box classification model finger-print watermarking. First of all, we develop a method for constructing poisoned images with high visual quality and enhanced security based on digital watermarking technology. This method embeds user identity information into the poisoned image, enabling traceability of deep neural network models in multi-user scenarios and reducing the susceptibility of the poisoned image to forgery. Second, we introduce a poisoned feature enhancement module to optimize the training of the model. Finally, we design an adversarial training strategy, which can effectively learn the finger-print watermark with minimal embedding strength and reduce the probability of forged poisoned images. Extensive simulation experiments show the good invisibility of the finger-print watermark in the poisoned images constructed by our method, superior to comparable state-of-the-art model watermarking methods such as WaNet. A black-box model finger-print watermark verification rate of more than 99% is obtained at the cost of no more than a 2.4% reduction in classification performance. Even with a difference of just one bit in the finger-print watermark, the copyright of the model watermark is verified accurately. These results are generally better than those of the best-in-class model watermarking methods, demonstrating the feasibility and effectiveness of the proposed method.
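As an added illustration (not the paper's own code or method) of what a multi-user fingerprint watermark has to deliver: identity bits embedded at a very small strength while visual quality stays high, and a verification rule that separates fingerprints differing in a single bit. The paper verifies through the trained model's black-box responses; here a plain spread-spectrum embedder with non-blind correlation extraction stands in for that, and the bit count, strength, seed, row-band layout and sample image are constructed assumptions.

```python
import math
import random
N_BITS = 8     # identity bits per user (constructed)
ALPHA = 2      # embedding strength in grey levels, deliberately small (constructed)
SEED = 2024    # secret pattern seed shared by embedder and verifier (constructed)

def make_image(size=32):
    """Constructed mid-grey gradient image, so embedding never clips to 0 or 255."""
    return [[40 + (5 * x + 3 * y) % 176 for x in range(size)] for y in range(size)]

def _pattern(bit_index, rows, width):
    """Deterministic +/-1 pattern for one bit's band of rows, keyed by the secret seed."""
    rng = random.Random(SEED * 1000 + bit_index)
    return [[rng.choice((-1, 1)) for _ in range(width)] for _ in range(rows)]

def embed_fingerprint(img, bits):
    """Spread-spectrum embedding: bit i adds (1) or subtracts (0) ALPHA x pattern in its own row band."""
    height, width = len(img), len(img[0])
    band = height // len(bits)
    out = [row[:] for row in img]
    for i, b in enumerate(bits):
        pat = _pattern(i, band, width)
        for r in range(band):
            y = i * band + r
            out[y] = [min(255, max(0, img[y][x] + ALPHA * (1 if b else -1) * pat[r][x]))
                      for x in range(width)]
    return out

def extract_fingerprint(img, original, n_bits=N_BITS):
    """Non-blind extraction (owner keeps the clean image): sign of residual/pattern correlation = bit."""
    height, width = len(img), len(img[0])
    band = height // n_bits
    bits = []
    for i in range(n_bits):
        pat = _pattern(i, band, width)
        corr = sum((img[i * band + r][x] - original[i * band + r][x]) * pat[r][x]
                   for r in range(band) for x in range(width))
        bits.append(1 if corr > 0 else 0)
    return bits

def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))
def verify(registered, extracted):
    """Accept only an exact match, so a fingerprint that differs by one bit is rejected."""
    return hamming(registered, extracted) == 0

def psnr(a, b):
    """Peak signal-to-noise ratio in dB, the usual invisibility measure."""
    mse = sum((p - q) ** 2 for ra, rb in zip(a, b) for p, q in zip(ra, rb)) / (len(a) * len(a[0]))
    return math.inf if mse == 0 else 10 * math.log10(255 ** 2 / mse)
```

With ALPHA = 2 every pixel moves by at most two grey levels (about 42 dB PSNR on the sample image), yet the owner's bits are recovered exactly, while a second user's fingerprint one bit away fails verification.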
