This paper proposes a novel framework and method for robust black-box fingerprint watermarking of classification models. First, we develop a method, based on digital watermarking technology, for constructing poisoned images with high visual quality and enhanced security. The method embeds user identity information into the poisoned image, which makes deep neural network models traceable in multi-user scenarios and makes the poisoned image harder to forge. Second, we introduce a poisoned-feature enhancement module to optimize the training of the model. Finally, we design an adversarial training strategy that learns the fingerprint watermark at minimal embedding strength and reduces the probability of forged poisoned images being accepted. Extensive simulation experiments show that the fingerprint watermark in poisoned images constructed by our method has good invisibility, superior to comparable state-of-the-art model watermarking methods such as WaNet. A black-box fingerprint watermark verification rate of more than 99% is obtained at a cost of no more than a 2.4% reduction in classification accuracy. Even when the fingerprint watermark differs by only one bit, the model watermark is still verified accurately for copyright purposes. These results are generally better than those of the best-in-class model watermarking methods, demonstrating the feasibility and effectiveness of the proposed method.
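The abstract describes two ideas a practitioner may want to see concretely: a user-identity bit string embedded as a watermark in the poisoned (trigger) image, and a verification step that rejects a claimed identity if even a single fingerprint bit disagrees. The following is an added illustration, not code from the paper or its authors; it uses block-DCT quantization index modulation (QIM) as a simple stand-in for the paper's watermarking scheme, and the block size, carrier coefficient, quantization step, sample image and 16-bit user ID are all assumptions made here for the example.

```python
"""Added example (not the paper's code): fingerprint bits embedded in the
block-DCT domain with quantization index modulation (QIM), plus a strict
verification check that rejects a claimed identity on any bit mismatch.
The DCT/QIM scheme is a stand-in for the paper's watermark; all parameters
below are assumptions for illustration."""
import numpy as np

BLOCK = 8          # 8x8 DCT blocks (assumed)
STEP = 24.0        # QIM quantization step (assumed): larger = more robust, less invisible
COEF = (3, 2)      # mid-frequency carrier coefficient inside each block (assumed)


def dct_matrix(n=BLOCK):
    """Orthonormal DCT-II basis, so D @ X @ D.T is the 2-D DCT of block X."""
    k = np.arange(n)[:, None]
    i = np.arange(n)[None, :]
    d = np.cos(np.pi * (2 * i + 1) * k / (2 * n)) * np.sqrt(2.0 / n)
    d[0, :] /= np.sqrt(2.0)
    return d


D = dct_matrix()


def id_to_bits(user_id, nbits=16):
    """User identity -> fixed-length bit list, most significant bit first."""
    return [(user_id >> (nbits - 1 - b)) & 1 for b in range(nbits)]


def bits_to_id(bits):
    v = 0
    for b in bits:
        v = (v << 1) | int(b)
    return v


def _blocks(shape):
    h, w = shape
    return [(r, c) for r in range(0, h - BLOCK + 1, BLOCK)
            for c in range(0, w - BLOCK + 1, BLOCK)]


def embed(image, bits):
    """Embed one bit per block: even multiples of STEP encode 0, odd encode 1."""
    out = image.astype(np.float64).copy()
    blocks = _blocks(out.shape)
    assert len(bits) <= len(blocks), "image too small for this fingerprint"
    for bit, (r, c) in zip(bits, blocks):
        coef = D @ out[r:r + BLOCK, c:c + BLOCK] @ D.T
        q = int(np.round(coef[COEF] / STEP))
        if q % 2 != bit:
            # move to the nearest quantization index with the right parity
            q += 1 if coef[COEF] >= q * STEP else -1
        coef[COEF] = q * STEP
        out[r:r + BLOCK, c:c + BLOCK] = D.T @ coef @ D
    return np.clip(np.round(out), 0, 255).astype(np.uint8)


def extract(image, nbits=16):
    """Read the parity of the carrier coefficient's quantization index per block."""
    img = image.astype(np.float64)
    bits = []
    for r, c in _blocks(img.shape)[:nbits]:
        coef = D @ img[r:r + BLOCK, c:c + BLOCK] @ D.T
        bits.append(int(np.round(coef[COEF] / STEP)) % 2)
    return bits


def verify(image, claimed_id, nbits=16):
    """Ownership check: returns (accepted, number of mismatching bits).
    Any single mismatching bit is enough to reject the claim."""
    got = extract(image, nbits)
    expected = id_to_bits(claimed_id, nbits)
    mismatches = sum(a != b for a, b in zip(got, expected))
    return mismatches == 0, mismatches


def psnr(a, b):
    """Invisibility measure between original and watermarked image (dB)."""
    mse = np.mean((a.astype(np.float64) - b.astype(np.float64)) ** 2)
    return float("inf") if mse == 0 else 10.0 * np.log10(255.0 ** 2 / mse)


# Constructed sample: a 32x32 greyscale gradient (16 blocks -> 16 fingerprint bits).
SAMPLE = (np.arange(32)[:, None] * 3 + np.arange(32)[None, :] * 2 + 64).astype(np.uint8)
USER_ID = 0xBEEF   # assumed 16-bit user identity

if __name__ == "__main__":
    wm = embed(SAMPLE, id_to_bits(USER_ID))
    print("PSNR: %.1f dB" % psnr(SAMPLE, wm))
    print("extracted id:", hex(bits_to_id(extract(wm))))
    print("claim 0xBEEF:", verify(wm, 0xBEEF))
    print("claim 0xBEEE (one bit off):", verify(wm, 0xBEEE))
```

The strict `mismatches == 0` rule mirrors the abstract's one-bit sensitivity; a deployment that has to tolerate channel noise would instead set a small error budget and report the mismatch count alongside the decision.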
MO Mouke, WANG Chuntao, GUO Qingwen, BIAN Shan. A Novel Black-Box Finger-Print Watermarking Algorithm for Deep Classification Neural Network[J]. Journal of Applied Sciences, 2024, 42(3): 486-498.
DOI: 10.3969/j.issn.0255-8297.2024.03.010
[1] He K M, Zhang X Y, Ren S Q, et al. Deep residual learning for image recognition [C]//IEEE Conference on Computer Vision and Pattern Recognition (CVPR), 2016: 770-778.
[2] Krizhevsky A, Sutskever I, Hinton G E. ImageNet classification with deep convolutional neural networks [J]. Communications of the ACM, 2017, 60(6): 84-90.
[3] Zhao L J, Bai H H, Wang A H, et al. Multiple description convolutional neural networks for image compression [J]. IEEE Transactions on Circuits and Systems for Video Technology, 2019, 29(8): 2494-2508.
[4] Yang R, Xu M, Liu T, et al. Enhancing quality for HEVC compressed videos [J]. IEEE Transactions on Circuits and Systems for Video Technology, 2019, 29(7): 2039-2054.
[5] Kang K, Li H S, Yan J J, et al. T-CNN: tubelets with convolutional neural networks for object detection from videos [J]. IEEE Transactions on Circuits and Systems for Video Technology, 2018, 28(10): 2896-2907.
[6] Devlin J, Chang M W, Lee K, et al. BERT: pre-training of deep bidirectional transformers for language understanding [DB/OL]. 2018[2023-11-23]. http://arxiv.org/abs/1810.04805.
[7] Doan K D, Reddy C K. Efficient implicit unsupervised text hashing using adversarial autoencoder [C]//Proceedings of the Web Conference, 2020: 684-694.
[8] Liu Y T, Xie Y, Srivastava A. Neural trojans [C]//2017 IEEE International Conference on Computer Design (ICCD), 2017: 45-48.
[9] Liu Y Q, Ma S Q, Aafer Y, et al. Trojaning attack on neural networks [C]//Proceedings 2018 Network and Distributed System Security Symposium, 2018: 1781.
[10] Gu T Y, Dolan-Gavitt B, Garg S. BadNets: identifying vulnerabilities in the machine learning model supply chain [DB/OL]. 2017[2023-11-23]. https://arxiv.org/abs/1708.06733.
[11] Chen X Y, Liu C, Li B, et al. Targeted backdoor attacks on deep learning systems using data poisoning [DB/OL]. 2017[2023-11-23]. https://arxiv.org/abs/1712.05526.
[12] Barni M, Kallas K, Tondi B. A new backdoor attack in CNNs by training set corruption without label poisoning [C]//2019 IEEE International Conference on Image Processing (ICIP), 2019: 101-105.
[13] Nguyen A, Tran A. WaNet: imperceptible warping-based backdoor attack [DB/OL]. 2021[2023-11-23]. http://arxiv.org/abs/2102.10369.
[14] Xu T, Li Y M, Jiang Y, et al. BATT: backdoor attack with transformation-based triggers [C]//IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP), 2023: 1-5.
[15] Wang Z T, Zhai J, Ma S Q. BppAttack: stealthy and efficient Trojan attacks against deep neural networks via image quantization and contrastive adversarial learning [C]//IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), 2022: 15054-15063.
[16] Doan K, Lao Y J, Zhao W J, et al. LIRA: learnable, imperceptible and robust backdoor attacks [C]//IEEE/CVF International Conference on Computer Vision (ICCV), 2021: 11946-11956.
[17] Li Y Z, Li Y M, Wu B Y, et al. Invisible backdoor attack with sample-specific triggers [C]//IEEE/CVF International Conference on Computer Vision (ICCV), 2021: 16443-16452.
[18] Wang T, Yao Y, Xu F, et al. An invisible black-box backdoor attack through frequency domain [C]//European Conference on Computer Vision, 2022: 396-413.
[19] Kwon H, Kim Y. BlindNet backdoor: attack on deep neural network using blind watermark [J]. Multimedia Tools and Applications, 2022, 81(5): 6217-6234.
[20] Navas K A, Ajay M C, Lekshmi M, et al. DWT-DCT-SVD based watermarking [C]//2008 3rd International Conference on Communication Systems Software and Middleware and Workshops (COMSWARE ’08), 2008: 271-274.
[21] Kansal M, Singh G, Kranthi B V. DWT, DCT and SVD based digital image watermarking [C]//2012 International Conference on Computing Sciences, 2012: 77-81.
[22] Singh A K, Dave M, Mohan A. Hybrid technique for robust and imperceptible image watermarking in DWT-DCT-SVD domain [J]. National Academy Science Letters, 2014, 37(4): 351-358.
[23] Cheng S Y, Liu Y Q, Ma S Q, et al. Deep feature space Trojan attack of neural networks by controlled detoxification [J]. Proceedings of the AAAI Conference on Artificial Intelligence, 2021, 35(2): 1148-1156.
[24] Zhu J Y, Park T, Isola P, et al. Unpaired image-to-image translation using cycle-consistent adversarial networks [C]//IEEE International Conference on Computer Vision (ICCV), 2017: 2242-2251.
[25] Ronneberger O, Fischer P, Brox T. U-Net: convolutional networks for biomedical image segmentation [C]//International Conference on Medical Image Computing and Computer-Assisted Intervention, 2015: 234-241.
[26] Krizhevsky A. Learning multiple layers of features from tiny images [J]. Handbook of Systemic Autoimmune Diseases, 2009, 1(4): 1-60.
[27] Stallkamp J, Schlipsing M, Salmen J, et al. Man vs. computer: benchmarking machine learning algorithms for traffic sign recognition [J]. Neural Networks, 2012, 32: 323-332.
[28] Liu Z W, Luo P, Wang X G, et al. Deep learning face attributes in the wild [C]//IEEE International Conference on Computer Vision (ICCV), 2015: 3730-3738.