基于水印神经网络的可溯源DNN模型保护方法

doi:10.3969/j.issn.0255-8297.2023.02.001

Abstract

Abstract: This paper proposes a multi-user traceability watermarking neural network approach to model security and copyright certification for deep neural networks (DNN). The watermark is generated by the key driver and embedded invisibly in the output images of the DNN model, hence realizing the intellectual property protection and copyright tracking of DNN model. A codec network is added to the DNN model to embed the watermark, and a two-stream tamper detection network is used as the discriminator. Thus, the problem of residual watermark in the output images of the model is solved, which, reduces the impact on the performance of DNN model and enhances the security. In addition, a two-stage training method is proposed in this paper to distribute different watermarked models to different users. When copyright disputes occur, another residual network can be used to extract the watermark image from the output image. Experiments show that the proposed method is efficient in distributing watermarked models, and is able to trace the source of DNN models embedded with similar watermarked images for multiple users.

Key words: deep neural networks, digital watermarking, intellectual property protection, watermarking neural networks, image steganography

CLC Number:

P391

LIU Yalei, HE Hongjie, CHEN Fan, LIU Zhuohua. Traceable DNN Model Protection Based on Watermark Neural Network[J]. Journal of Applied Sciences, 2023, 41(2): 183-196.

References

[1] Shelhamer E, Long J, Darrell T. Fully convolutional networks for semantic segmentation[C]//IEEE Transactions on Pattern Analysis and Machine Intelligence, 2016:640-651.
[2] He K M, Gkioxari G, Dollár P, et al. Mask R-CNN[C]//2017 IEEE International Conference on Computer Vision (ICCV), 2017:2980-2988.
[3] Zhu C C, Chen F Y, Ahmed U, et al. Semantic relation reasoning for shot-stable few-shot object detection[C]//2021 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), 2021:8778-8787.
[4] Brock A, Donahue J, Simonyan K. Large scale GAN training for high fidelity natural image synthesis[C]//International Conference on Learning Representations, 2019.
[5] Zhang H, Koh J Y, Baldridge J, et al. Cross-modal contrastive learning for text-to-image generation[C]//2021 IEEE Conference on Computer Vision and Pattern Recognition (CVPR), 2021:833-842.
[6] Xue M F, Zhang Y S, Wang J, et al. Intellectual property protection for deep learning models:taxonomy, methods, attacks, and evaluations[J]. IEEE Transactions on Artificial Intelligence, 2022, 3(6):908-923.
[7] Tolosana R, Vera-Rodriguez R, Fierrez J, et al. Deepfakes and beyond:a survey of face manipulation and fake detection[J]. Information Fusion, 2020, 64:131-148.
[8] 张颖君, 陈恺, 周赓, 等. 神经网络水印技术研究进展[J]. 计算机研究与发展, 2021, 58(5):964-976. Zhang Y J, Chen K, Zhou G, et al. Research progress of neural networks watermarking technology[J]. Journal of Computer Research and Development, 2021, 58(5):964-976.(in Chinese)
[9] Uchida Y, Nagai Y, Sakazawa S, et al. Embedding watermarks into deep neural networks[C]//2017 ACM on International Conference on Multimedia Retrieval, 2017:269-277.
[10] Chen H L, Rouhani B D, Fu C, et al. DeepMarks:a secure fingerprinting framework for digital rights management of deep learning models[C]//2019 International Conference on Multimedia Retrieval, 2019:105-113.
[11] Rouhani B D, Chen H L, Koushanfar F. DeepSigns:an end-to-end watermarking framework for ownership protection of deep neural networks[C]//International Conference on Architectural Support for Programming Languages and Operating Systems, 2019:485-497.
[12] Wang J F, Wu H Z, Zhang X P, et al. Watermarking in deep neural networks via error back-propagation[J]. Electronic Imaging, 2020, 32(4):22-1-22-9.
[13] Guo J, Potkonjak M. Watermarking deep neural networks for embedded systems[C]//2018 IEEE/ACM International Conference on Computer-Aided Design (ICCAD), 2018:1-8.
[14] Li Z, Hu C Y, Zhang Y, et al. How to prove your model belongs to you:a blind-watermark based framework to protect intellectual property of DNN[C]//35th Annual Computer Security Applications Conference, 2019:126-137.
[15] Shafieinejad M, Lukas N, Wang J Q, et al. On the robustness of backdoor-based watermarking in deep neural networks[C]//2021 ACM Workshop on Information Hiding and Multimedia Security, 2021:177-188.
[16] Wu H Z, Liu G, Yao Y W, et al. Watermarking neural networks with watermarked images[J]. IEEE Transactions on Circuits and Systems for Video Technology, 2021, 31(7):2591-2601.
[17] Zarrabi H, Emami A, Khadivi P, et al. BlessMark:a blind diagnostically-lossless watermarking framework for medical applications based on deep neural networks[J]. Multimedia Tools and Applications, 2020, 79(31):22473-22495.
[18] Zhang J, Chen D D, Liao J, et al. Deep model intellectual property protection via deep watermarking[J]. IEEE Transactions on Pattern Analysis and Machine Intelligence, 2022, 44(8):4005-4020.
[19] Fan L X, Ng K W, Chan C S. Rethinking deep neural network ownership verification:embedding passports to defeat ambiguity attacks[DB/OL]. 2019[2021-06-08]. https://arxiv.org/abs/1909.07830.
[20] Goodfellow I, Pouget-Abadie J, Mirza M, et al. Generative adversarial networks[J]. Communications of the ACM, 2020, 63(11):139-144.
[21] Hu D H, Wang L, Jiang W J, et al. A novel image steganography method via deep convolutional generative adversarial networks[J]. IEEE Access, 2018, 6:38303-38314.
[22] Radford A, Metz L, Chintala S. Unsupervised representation learning with deep convolutional generative adversarial networks[EB/OL]. 2015[2021-06-08]. https://arxiv.org/abs/1511.06434.
[23] 刘明明, 张敏情, 刘佳, 等. 基于生成对抗网络的无载体信息隐藏[J]. 应用科学学报, 2018, 36(2):371-382. Liu M M, Zhang M Q, Liu J, et al. Coverless information hiding based on generative adversarial networks[J]. Journal of Applied Sciences, 2018, 36(2):371-382. (in Chinese)
[24] Volkhonskiy D, Nazarov I, Burnaev E. Steganographic generative adversarial networks[C]//International Conference on Machine Vision (ICMV), 2020, 11433:991-1005.
[25] Shi H C, Dong J, Wang W, et al. SSGAN:secure steganography based on generative adversarial networks[C]//Pacific Rim Conference on Multimedia, 2018:534-544.
[26] Arjovsky M, Chintala S, Bottou L. Wasserstein generative adversarial networks[C]//34th International Conference on Machine Learning, 2017:214-223.
[27] Qian Y L, Dong J, Wang W, et al. Deep learning for steganalysis via convolutional neural networks[C]//Media Watermarking, Security, and Forensics, 2015, 9409:171-180.
[28] Zhang C N, Benz P, Karjauv A, et al. UDH:universal deep hiding for steganography, watermarking, and light field messaging[C]//34th International Conference on Neural Information Processing Systems, 2020:10223-10234.
[29] Ronneberger O, Fischer P, Brox T. U-Net:convolutional networks for biomedical image segmentation[C]//International Conference on Medical Image Computing and ComputerAssisted Intervention, 2015:234-241.
[30] He K M, Zhang X Y, Ren S Q, et al. Deep residual learning for image recognition[C]//2016 IEEE Conference on Computer Vision and Pattern Recognition (CVPR), 2016:770-778.
[31] Zhu J Y, Park T, Isola P, et al. Unpaired image-to-image translation using cycle-consistent adversarial networks[C]//2017 IEEE International Conference on Computer Vision (ICCV), 2017:2242-2251.
[32] Zhou P, Han X T, Morariu V I, et al. Learning rich features for image manipulation detection[C]//2018 IEEE Conference on Computer Vision and Pattern Recognition, 2018:1053-1061.
[33] Fridrich J, Kodovsky J. Rich models for steganalysis of digital images[J]. IEEE Transactions on information Forensics and Security, 2012, 7(3):868-882.
[34] Fan Q N, Yang J L, Hua G, et al. A generic deep architecture for single image reflection removal and image smoothing[C]//2017 IEEE International Conference on Computer Vision (ICCV), 2017:3258-3267.
[35] Mirza M, Osindero S. Conditional generative adversarial nets[EB/OL]. 2014[2021-06-08]. https://arxiv.org/abs/1411.1784.

Traceable DNN Model Protection Based on Watermark Neural Network

PDF

Knowledge

Abstract

Cite this article

share this article

References

Related Articles 5

Recommended Articles

Metrics

Comments

[1]	WEI Jianjie, Lü Donghui, LU Xiaofeng, SUN Guangling. Improved Method to Craft Universal Perturbations Based on Fast Feature Fool [J]. Journal of Applied Sciences, 2020, 38(6): 986-994.
[2]	LI Zonghan, LIU Jia, KE Yan, ZHANG Minqing, LUO Peng. Cover Selection Steganography Scheme Based on Image-to-Image Translation [J]. Journal of Applied Sciences, 2019, 37(5): 733-743.
[3]	GUO Cheng-qing1;2, XU Guo-ai1;2, NIU Xin-xin1;2, LI Yang1;2. High-Capacity Text Watermarking Resistive to Print-Scan Process [J]. Journal of Applied Sciences, 2011, 29(2): 140-146.
[4]	CHEN Chao;SUN Guang-ling;JIAN Ling . Application of Digital Watermarking Using Plugins to Prevent Leaking of E-Documents from Internal Networks [J]. Journal of Applied Sciences, 2008, 26(6): 602-605 .
[5]	FU Wei, XING Guang-zhong, HOU Lan-tian, JING Yuan. Research on Inlaid Algorithm of Image Digital Watermarking Based on Wavelet Set Decomposition Transform [J]. Journal of Applied Sciences, 2005, 23(6): 658-660.