神经网络水印综述

doi:10.3969/j.issn.0255-8297.2021.06.001

Abstract

Abstract: This article sorts out the development context of neural network watermarking technology in recent years, and roughly classifies the mainstream methods into four categories, namely white box watermark, black box watermark, boxless watermark and fragile watermark. Specifically, this article reviews the evaluation indicators of neural network watermarking and these four different types of neural network watermarking technologies, discusses the advantages and disadvantages of existing neural network watermarking schemes, and looks forward to the future development trend.

Key words: neural networks, deep models, digital watermark, artificial intelligence

CLC Number:

TP309

FENG Le, ZHU Renjie, WU Hanzhou, ZHANG Xinpeng, QIAN Zhenxing. Survey of Neural Network Watermarking[J]. Journal of Applied Sciences, 2021, 39(6): 881-892.

References

[1] Agarap A F. Deep learning using rectified linear units (ReLU)[J]. arXiv preprintarXiv:1803.08375, 2018.
[2] Szegedy C, Ioffe S, Vanhoucke V, et al. Inception-v4, Inception-ResNet and the impact of residual connections on learning[C]//Proceedings of the AAAI Conference on Artificial Intelligence, 2017:1-12.
[3] Kingma D P, Ba J. Adam:a method for stochastic optimization[C]//International Conference on Learning Representations (ICLR), 2014.
[4] Redmon J, Farhadi A. Yolov3:an incremental improvement[J]. arXiv preprintarXiv:1804.02767, 2018.
[5] He K, Gkioxari G, Dollár P, et al. Mask R-CNN[C]//Proceedings of the IEEE International Conference on Computer Vision, 2017:2961-2969.
[6] Glavaš G, Nanni F, Ponzetto S P. Computational analysis of political texts:bridging research efforts across communities[C]//Proceedings of the 57th Annual Meeting of the Association for Computational Linguistics:Tutorial Abstracts, 2019:18-23.
[7] Conneau A, Khandelwal K, Goyal N, et al. Un-supervised cross-lingual representation learning at scale[J]. arXiv preprint arXiv:1911.02116, 2019.
[8] Moraes R, Valiati J F, Neto W P G. Document-level sentiment classification:an empirical comparison between SVM and ANN[J]. Expert Systems with Applications, 2013, 40(2):621-633.
[9] Mcguffie K, Newhouse A. The radicalization risks of GPT-3 and advanced neural language models[J]. arXiv preprint arXiv:2009.06807, 2020.
[10] Walia E, Suneja A. A robust watermark authentication technique based on Weber's descriptor[J]. Signal, Image and Video Processing, 2014, 8(5):859-872.
[11] Zhou N R, Luo A W, Zou W P. Secure and robust watermark scheme based on multiple transforms and particle swarm optimization algorithm[J]. Multimedia Tools and Applications, 2019, 78(2):2507-2523.
[12] Bravo-Solorio S, Calderon F, Li C, et al. Fast fragile watermark embedding and iterative mechanism with high self-restoration performance[J]. Digital Signal Processing, 2018, 73:83-92.
[13] Wu C, Shih Y. A simple image tamper detection and recovery based on fragile watermark with one parity section and two restoration sections[J]. Optics and Photonics Journal, 2013, 3(2):103-107.
[14] Cox I, Kilian J, Leighton F T, et al. Secure spread spectrum watermarking for multimedia[J]. IEEE Transactions on Image Processing, 1997, 6(12):1673-1687.
[15] Jiang N, Zhao N, Wang L. LSB based quantum image steganography algorithm[J]. International Journal of Theoretical Physics, 2016, 55(1):107-123.
[16] Barni M, Bartolini F, Cappellini V, et al. A DCT-domain system for robust image watermarking[J]. Signal Processing, 1998, 66(3):357-372.
[17] Srivastava R, Kumar B, Singh A K, et al. Computationally efficient joint imperceptible image watermarking and jpeg compression:a green computing approach[J]. Multimedia Tools and Applications, 2018, 77(13):16447-16459.
[18] Ganic E, Eskicioglu A M. Robust DWT-SVD domain image watermarking:embedding data in all frequencies[C]//Proceedings of the 2004 Workshop on Multimedia and Security, 2004:166-174.
[19] Zhang X. Reversible data hiding in encrypted image[J]. IEEE Signal Processing Letters, 2011, 18(4):255-258.
[20] Zhang X. Separable reversible data hiding in encrypted image[J]. IEEE Transactions on Information Forensics and Security, 2011, 7(2):826-832.
[21] Uchida Y, Nagai Y, Sakazawa S, et al. Embedding watermarks into deep neural networks[C]//Proceedings of the 2017 ACM on International Conference on Multimedia Retrieval, 2017:269-277.
[22] Adi Y, Baum C, Cisse M, et al. Turning your weakness into a strength:watermarking deep neural networks by backdooring[C]//The 27th Security Symposium, 2018:1615-1631.
[23] Wu H, Liu G, Yao Y, et al. Watermarking neural networks with water-marked images[J]. IEEE Transactions on Circuits and Systems for Video Technology, 2020, 31(7):2591-2601.
[24] Guan X, Feng H, Zhang W, et al. Reversible watermarking in deep convolutional neural networks for integrity authentication[C]//Proceedings of the 28th ACM International Conference on Multimedia, 2020:2273-2280.
[25] Zhang T, Ye S, Zhang K, et al. A systematic DNN weight pruning framework using alternating direction method of multipliers[C]//Proceedings of the European Conference on Computer Vision (ECCV), 2018:184-199.
[26] Hou L, Kwok J T. Loss-aware weight quantization of deep networks[J]. arXiv preprintarXiv:1802.08635, 2018.
[27] Lu Z, Sindhwani V, Sainath T N. Learning compact recurrent neural networks[C]//IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP), 2016:5960- 5964.
[28] Wang W, Sun Y, Eriksson B, et al. Wide compression:tensor ring nets[C]//Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, 2018:9329-9338.
[29] Polino A, Pascanu R, Dan A. Model compression via distillation and quantization[J]. arXiv preprint arXiv:1802.05668, 2018.
[30] Truong J, Maini P, Walls R, et al. Data-free model extraction[J]. arXiv preprint arXiv:2011.14779, 2020.
[31] Molnar C, König G, Herbinger J, et al. Pitfalls to avoid when interpreting machine learning models[J]. arXiv preprint arXiv:2007.04131, 2020.
[32] Wang T, Kerschbaum F. Attacks on digital watermarks for deep neural networks[C]//IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP2019), 2019:2622- 2626.
[33] Feng L, Zhang X. Watermarking neural network with compensation mechanism[C]//International Conference on Knowledge Science, Engineering and Management, 2020:363- 375.
[34] Rouhani B D, Chen H, Koushanfar F. Deepsigns:an end-to-end watermarking framework for ownership protection of deep neural networks[C]//Proceedings of the 24th International Conference on Architectural Support for Programming Languages and Operating Systems, 2019:485-497.
[35] Fan L X, Ng K W, Chan C S. Rethinking deep neural network ownership verification:embedding passports to defeat ambiguity attacks[C]//Advances in Neural Information Processing Systems 32:Annual Conference on Neural Information Processing Systems, Vancouver, Canada, 2019:4716-4725.
[36] He K, Zhang X, Ren S. Deep residual learning for image recognition[C]//Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, 2016:770-778.
[37] Gu T, Dolan-Gavitt B, Garg S. BadNets:identifying vulnerabilities in the machine learning model supply chain[J]. arXiv preprint arXiv:1708.06733, 2017.
[38] Zhang J, Gu Z, Jang J, et al. Protecting intellectual property of deep neural networks with watermarking[C]//Proceedings of the 2018 on Asia Conference on Computer and Communications Security, 2018:159-172.
[39] Merrer E L, Perez P, Trédan G. Adversarial frontier stitching for remote neural network watermarking[J]. Neural Computing and Applications, 2020, 32(13):9233-9244.
[40] Guo J, Potkonjak M. Watermarking deep neural networks for embedded systems[C]//2018 IEEE/ACM International Conference on Computer-Aided Design (ICCAD), 2018:1-8.
[41] Li Z, Hu C, Zhang Y, et al. How to prove your model belongs to you:a blind-watermark based framework to protect intellectual property of DNN[C]//Proceedings of the 35th Annual Computer Security Applications Conference, 2019:126-137.
[42] Xue M, Wu Z, He C, et al. Active DNN IP protection:a novel user fingerprint management and DNN authorization control technique[C]//2020 IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications, 2020:975-982.
[43] Li H, Willson E, Zheng H. Persistent and unforgeable watermarks for deep neural networks[J]. arXiv preprint arXiv:1910.01226, 2019a.
[44] Aprilpyone M, Kiya H. Piracy-resistant DNN watermarking by block-wise image transformation with secret key[J]. arXiv preprint arXiv:2104.04241, 2021.
[45] Hitaj D, Mancini L V. Have you stolen my model? evasion attacks against deep neural network watermarking techniques[J]. arXiv preprint arXiv:1809.00615, 2018.
[46] Zhu R, Zhang X, Shi M, et al. Secure neural network watermarking protocol against forging attack[J]. EURASIP Journal on Image and Video Processing, 2020, 2020(1):1-12.
[47] Quan Y, Teng H, Chen Y, et al. Watermarking deep neural networks in image processing[J]. IEEE Transactions on Neural Networks and Learning Systems, 2020, 32(5):1852-1865.
[48] Ong D S, Chan C S, Ng K W, et al. Protecting intellectual property of generative adversarial networks from ambiguity attack[J]. arXiv preprintarXiv:2102.04362, 2021.
[49] Zhang J, Chen D, Liao J, et al. Model watermarking for image processing networks[C]//Proceedings of the AAAI Conference on Artificial Intelligence, 2020:12805-12812.
[50] Zhang J, Chen D, Liao J, et al. Deep model intellectual property protection via deep watermarking[J]. IEEE Transactions on Pattern Analysis and Machine Intelligence, 2021, (99):1.
[51] Zhang X, Wang S. Fragile watermarking with error-free restoration capability[J]. IEEE Transactions on Multimedia, 2008, 10(8):1490-1499.
[52] Liu X L, Lin C C, Yuan S W. Blind dual watermarking for color images' authentication and copyright protection[J]. IEEE Transactions on Circuits and Systems for Video Technology, 2016, 28(5):1047-1055.
[53] Fang H, Zhang W, Ma Z, et al. A camera shooting resilient watermarking scheme for underpainting documents[J]. IEEE Transactions on Circuits and Systems for Video Technology, 2019, 30(11):4075-4089.
[54] Abuadbba L, Kim H, Nepal S. DeepiSign:invisible fragile watermark to protect the integrity and authenticity of CNN[C]//The 36th ACM/SIGAPP Symposium on Applied Computing, Virtual Event, Korea, 2021:952-959.

Survey of Neural Network Watermarking

PDF

Knowledge

Abstract

Cite this article

share this article

References

Related Articles 15

Recommended Articles

Metrics

Comments

[1]	LIU Nan, CHEN Mou, WU Qingxian, SHAO Shuyi. Sliding Mode Anti-swing Control for Unmanned Helicopter Slung-Load System Based on RBF Neural Networks [J]. Journal of Applied Sciences, 2021, 39(6): 1006-1020.
[2]	GUO Yubo, LU Jun, DUAN Pengqi. Automatic Classification of Bamboo Flute Playing Skills Based on Deep Learning [J]. Journal of Applied Sciences, 2021, 39(4): 685-694.
[3]	WEI Jianjie, Lü Donghui, LU Xiaofeng, SUN Guangling. Improved Method to Craft Universal Perturbations Based on Fast Feature Fool [J]. Journal of Applied Sciences, 2020, 38(6): 986-994.
[4]	SUN Quan, TANG Tao, ZHENG Jianbin, PAN Jing, ZHAO Jintao. Financial Transaction Data Based Intelligent Fraud Graph Network Detection [J]. Journal of Applied Sciences, 2020, 38(5): 713-723.
[5]	FANG Junjie, LEI Kai. Blockchain for Edge AI Computing: A Survey [J]. Journal of Applied Sciences, 2020, 38(1): 1-21.
[6]	ZENG Run-hua, ZHANG Shu-qun. Speech and Emotional Recognition Method Based on Improving Convolutional Neural Networks [J]. Journal of Applied Sciences, 2018, 36(5): 837-844.
[7]	LIAO Ting, LI Zhi-jiang. Adaptive Print-Scan Resilient Image Watermarking Based on Fourier Transform [J]. Journal of Applied Sciences, 2016, 34(3): 309-316.
[8]	ZHU Cheng, CHEN Mou. Robust Control of Missile Launch Vehicle Erecting Device Based on Disturbance Observer [J]. Journal of Applied Sciences, 2014, 32(3): 319-324.
[9]	GUO Cheng-qing1;2, XU Guo-ai1;2, NIU Xin-xin1;2, LI Yang1;2. High-Capacity Text Watermarking Resistive to Print-Scan Process [J]. Journal of Applied Sciences, 2011, 29(2): 140-146.
[10]	CHEN Xiao-qian, WANG Hong-yuan, KE Zhi-wu. Adaptive Fuzzy Classification of Modulation Using Cyclic Correlation Feature [J]. Journal of Applied Sciences, 2009, 27(3): 226-230.
[11]	CHEN Chao;SUN Guang-ling;JIAN Ling . Application of Digital Watermarking Using Plugins to Prevent Leaking of E-Documents from Internal Networks [J]. Journal of Applied Sciences, 2008, 26(6): 602-605 .
[12]	FANG Hui-juan;WANG Yong-ji. Spiking Neural Networks with Neurons Firing Multiple Spikes [J]. Journal of Applied Sciences, 2008, 26(6): 638-644 .
[13]	MA Bin-liang;HUANG Yu-mei;LIU Shu-yang;CHEN Liang. Nonlinear Error Compensation of Gyroscope Using Algebra Algorithm of Neural Networks [J]. Journal of Applied Sciences, 2008, 26(4): 436-0436 .
[14]	DENG Yan;CHEN Guo. Automatic-Extraction of Wavelet Energy Features for Rotor Fault Signals [J]. Journal of Applied Sciences, 2007, 25(5): 510-510 .
[15]	FU Wei, XING Guang-zhong, HOU Lan-tian, JING Yuan. Research on Inlaid Algorithm of Image Digital Watermarking Based on Wavelet Set Decomposition Transform [J]. Journal of Applied Sciences, 2005, 23(6): 658-660.