一种新型深度分类神经网络黑盒指纹水印算法

doi:10.3969/j.issn.0255-8297.2024.03.010

Abstract

Abstract: This paper proposes a novel framework and method for strong robust blackbox classification model finger-print watermarking. First of all, we develop a method for constructing poisoned images with high visual quality and enhanced security based on digital watermarking technology. This method embeds user identity information into the poisoned image, enabling traceability of deep neural network models in multiuser scenarios and reducing the susceptibility of the poisoned image to forgery. Second, we introduce a poisoned feature enhancement module to optimize the training of the model. Finally, we design an adversary training strategy, which can effectively learn the finger-print watermark with minimal embedding strength and reduce the probability of forged poisoned images. Extensive simulation experiments show that the good invisibility of the fingerprint watermark in the poisoned image constructed by our method, superior to similar optimal model watermarking methods such as WaNet. More than 99% of the black-box model finger-print watermarking verification rate is obtained at the cost of no more than a 2.4% reduction in the classification performance. Even with a difference of just one bit in the finger-print watermark, accurate verification of the model watermarking by copyright is achieved. These performances are generally better than the best-in-class model watermarking methods, demonstrating the feasibility and effectiveness of our proposed method.

Key words: black-box model watermarking, classification models, poisoned images, fingerprint watermarking, robustness

CLC Number:

TP309

MO Mouke, WANG Chuntao, GUO Qingwen, BIAN Shan. A Novel Black-Box Finger-Print Watermarking Algorithm for Deep Classification Neural Network[J]. Journal of Applied Sciences, 2024, 42(3): 486-498.

References

[1] He K M, Zhang X Y, Ren S Q, et al. Deep residual learning for image recognition [C]//IEEE Conference on Computer Vision and Pattern Recognition (CVPR), 2016: 770-778.
[2] Krizhevsky A, Sutskever I, Hinton G E. ImageNet classification with deep convolutional neural networks [J]. Communications of the ACM, 2017, 60(6): 84-90.
[3] Zhao L J, Bai H H, Wang A H, et al. Multiple description convolutional neural networks for image compression [J]. IEEE Transactions on Circuits and Systems for Video Technology, 2019, 29(8): 2494-2508.
[4] Yang R, Xu M, Liu T, et al. Enhancing quality for HEVC compressed videos [J]. IEEE Transactions on Circuits and Systems for Video Technology, 2019, 29(7): 2039-2054.
[5] Kang K, Li H S, Yan J J, et al. T-CNN: tubelets with convolutional neural networks for object detection from videos [J]. IEEE Transactions on Circuits and Systems for Video Technology, 2018, 28(10): 2896-2907.
[6] Devlin J, Chang M W, Lee K, et al. BERT: pre-training of deep bidirectional transformers for language understanding [DB/OL]. 2018[2023-11-23]. http://arxiv.org/abs/1810.04805.
[7] Doan K D, Reddy C K. Efficient implicit unsupervised text hashing using adversarial autoencoder [C]//Proceedings of the Web Conference, 2020: 684-694.
[8] Liu Y T, Xie Y, Srivastava A. Neural trojans [C]//2017 IEEE International Conference on Computer Design (ICCD), 2017: 45-48.
[9] Liu Y Q, Ma S Q, Aafer Y, et al. Trojaning attack on neural networks [C]//Proceedings 2018 Network and Distributed System Security Symposium, 2018: 1781.
[10] Gu T Y, Dolan-Gavitt B, Garg S. BadNets: identifying vulnerabilities in the machine learning model supply chain [DB/OL]. 2017[2023-11-23]. https://arxiv.org/abs/1708.06733.
[11] Chen X Y, Liu C, Li B, et al. Targeted backdoor attacks on deep learning systems using data poisoning [DB/OL]. 2017[2023-11-23]. https://arxiv.org/abs/1712.05526.
[12] Barni M, Kallas K, Tondi B. A new backdoor attack in CNNS by training set corruption without label poisoning [C]//2019 IEEE International Conference on Image Processing (ICIP), 2019: 101-105.
[13] Nguyen A, Tran A. WaNet-imperceptible warping-based backdoor attack [DB/OL]. 2021[2023-11-23]. http://arxiv.org/abs/2102.10369.
[14] Xu T, Li Y M, Jiang Y, et al. BATT: backdoor attack with transformation-based triggers [C]//IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP), 2023: 1-5.
[15] Wang Z T, Zhai J, Ma S Q. BppAttack: stealthy and efficient Trojan attacks against deep neural networks via image quantization and contrastive adversarial learning [C]//IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), 2022: 15054-15063.
[16] Doan K, Lao Y J, Zhao W J, et al. LIRA: learnable, imperceptible and robust backdoor attacks [C]//IEEE/CVF International Conference on Computer Vision (ICCV), 2021: 11946- 11956.
[17] Li Y Z, Li Y M, Wu B Y, et al. Invisible backdoor attack with sample-specific triggers [C]//IEEE/CVF International Conference on Computer Vision (ICCV), 2021: 16443-16452.
[18] Wang T, Yao Y, Xu F, et al. An invisible black-box backdoor attack through frequency domain [C]//European Conference on Computer Vision, 2022: 396-413.
[19] Kwon H, Kim Y. BlindNet backdoor: attack on deep neural network using blind watermark [J]. Multimedia Tools and Applications, 2022, 81(5): 6217-6234.
[20] Navas K A, Ajay M C, Lekshmi M, et al. DWT-DCT-SVD based watermarking [C]//2008 3rd International Conference on Communication Systems Software and Middleware and Workshops (COMSWARE ’08), 2008: 271-274.
[21] Kansal M, Singh G, Kranthi B V. DWT, DCT and SVD based digital image watermarking [C]//2012 International Conference on Computing Sciences, 2012: 77-81.
[22] Singh A K, Dave M, Mohan A. Hybrid technique for robust and imperceptible image watermarking in DWT-DCT-SVD domain [J]. National Academy Science Letters, 2014, 37(4): 351-358.
[23] Cheng S Y, Liu Y Q, Ma S Q, et al. Deep feature space Trojan attack of neural networks by controlled detoxification [J]. Proceedings of the AAAI Conference on Artificial Intelligence, 2021, 35(2): 1148-1156.
[24] Zhu J Y, Park T, Isola P, et al. Unpaired image-to-image translation using cycle-consistent adversarial networks [C]//IEEE International Conference on Computer Vision (ICCV), 2017: 2242-2251.
[25] Ronneberger O, Fischer P, Brox T. U-Net: convolutional networks for biomedical image segmentation [C]//International Conference on Medical Image Computing and ComputerAssisted Intervention, 2015: 234-241.
[26] Krizhevsky A. Learning multiple layers of features from tiny images [J]. Handbook of Systemic Autoimmune Diseases, 2009, 1(4): 1-60.
[27] Stallkamp J, Schlipsing M, Salmen J, et al. Man vs. computer: benchmarking machine learning algorithms for traffic sign recognition [J]. Neural Networks, 2012, 32: 323-332.
[28] Liu Z W, Luo P, Wang X G, et al. Deep learning face attributes in the wild [C]//IEEE International Conference on Computer Vision (ICCV), 2015: 3730-3738.

A Novel Black-Box Finger-Print Watermarking Algorithm for Deep Classification Neural Network

PDF

Knowledge

Abstract

Cite this article

share this article

References

Related Articles 12

Recommended Articles

Metrics

Comments

[1]	DONG Tenglin, LI Xinran, YAO Heng, QIN Chuan. Robust Coverless Information Hiding Based on Image Classification [J]. Journal of Applied Sciences, 2021, 39(6): 893-905.
[2]	CHEN Qing, XIA Lanting, BU Ying. Robust Watermarking Algorithm Based on Two-Level Singular Value Decomposition [J]. Journal of Applied Sciences, 2020, 38(6): 966-975.
[3]	CHEN Long-sheng, WANG Qi. Prescribed Performance Nonlinear PID Control for Uncertain Continuous Systems [J]. Journal of Applied Sciences, 2017, 35(6): 786-796.
[4]	LI Xin-wei, XIA Xiu-zhen. Robust Image Hashing Based on Content Structure Diagram [J]. Journal of Applied Sciences, 2016, 34(6): 691-701.
[5]	FANG Qiao-yun, LÜ Dong-hui, SUN Jiu-ai. Improved Triangle Mesh Method for Surface Reconstruction from Normal Field [J]. Journal of Applied Sciences, 2016, 34(2): 145-153.
[6]	QIAN Hua-ming1, GE Lei1,2, HUANG Wei1. An Improved Strong Tracking Filtering Algorithm [J]. Journal of Applied Sciences, 2015, 33(1): 32-40.
[7]	LIU Ri, SUN Xiu-xia, LI Da-dong, DONG Wen-han. Counteracting Crosswind Sliding Mode Control of Ultra-low Altitude Airdrop Based on Feedback Linearization [J]. Journal of Applied Sciences, 2014, 32(3): 311-318.
[8]	GAO You-tao1, LU Yu-ping1;2, XU Bo2. Neural Network-Based Sliding Mode Control for Satellite Formation Flying [J]. Journal of Applied Sciences, 2009, 27(6): 651-656.
[9]	ZHANG Zheng-dao, HU Shou-song. The Structure of the Immunocontroller Based on RBF Neural Networks [J]. Journal of Applied Sciences, 2004, 22(3): 388-391.
[10]	ZHOU Xing-de, CHEN Guo-rong. A Study on the Mix Design of Frame Structures Based on Controllability/Robustness [J]. Journal of Applied Sciences, 2003, 21(4): 397-400.
[11]	CHEN Yu-dong, WENG Zheng-xin, SHI Song-jiao. Robust Fault Diagnosis for Nonlinear Systems Based on Least Squares Estimation [J]. Journal of Applied Sciences, 2003, 21(1): 77-83.
[12]	ZHU HONG, LU SHU. CONFIDENCE INTERVAL ESTIMATION FOR THE LCCATION PARAMETER OF NORMAL DISTRIBUTION FROM INCOMPLETE DATA [J]. Journal of Applied Sciences, 1996, 14(2): 173-178.