Abstract
Classical watermarking techniques for protecting the intellectual property of deep learning models suffer from low reusability and high overhead when watermarking several models, and are easily detected and attacked. For the black-box scenario, this paper starts from the construction of the trigger set and the design of the embedding method and proposes a Logo Network (LogoNet) based Deep Learning Multi-model Watermarking Scheme (LNMMWS). First, a trigger set is generated by binary encoding, and a noise set is generated by randomly cropping the original training samples; the layer structure of LogoNet is simplified, and LogoNet is trained on the mixed data set of trigger set and noise set, so that it fits the trigger set and generalizes over the noise set to obtain high watermark trigger-pattern recognition accuracy and noise-handling capability. Second, according to the classification categories of each target model, watermark trigger patterns are selected from LogoNet and the dimension of the LogoNet output layer is adjusted so that it fits the output layer of each target model, which watermarks several models with one LogoNet. Finally, when the owner finds a suspicious remote application programming interface (API) service, they can submit several groups of specific trigger samples; after the input-layer transformation these trigger specific output labels, verifying the watermark and establishing ownership. Experiments and analysis show that, when LNMMWS is used for ownership verification of deep learning models, it achieves high watermark trigger-pattern recognition accuracy, small embedding impact, a large number of watermark trigger patterns, and lower time cost than existing schemes; LNMMWS is stable under model compression and model fine-tuning attacks and has strong concealment, which lets it evade malicious detection.
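The black-box verification step the abstract describes, as an added example written for this record rather than code from the paper or its authors: trigger bitmaps are produced by binary-encoding an integer id, a noise set is produced by random cropping of training samples, and ownership is checked by the fraction of trigger samples on which a suspect service returns the owner's labels. The 8x8 bitmap layout, the `OWNER_SECRET` constant, the popcount-based stand-in models, the 0.9 acceptance threshold and the assumption that the suspect service accepts the bitmap directly are all constructed for the example and are not specified by the abstract.

```python
import random

# Added example, not the paper's code. A trigger pattern is a SIDE x SIDE binary bitmap that
# binary-encodes an integer id; the id reserved for target-model class c is OWNER_SECRET | c.
# OWNER_SECRET is a constructed value whose low byte is left free for the class index.
SIDE = 8
BITS = SIDE * SIDE
OWNER_SECRET = 0xA5A5A5A5A5A5A500


def make_trigger(pattern_id):
    """Binary-encode pattern_id into a SIDE x SIDE bitmap (row-major, least significant bit first)."""
    if not 0 <= pattern_id < (1 << BITS):
        raise ValueError("pattern id does not fit in the bitmap")
    bits = [(pattern_id >> i) & 1 for i in range(BITS)]
    return [bits[r * SIDE:(r + 1) * SIDE] for r in range(SIDE)]


def build_trigger_set(num_classes):
    """One trigger pattern per class of the target model; the expected label is the class index."""
    if num_classes > 256:
        raise ValueError("only 256 class slots are reserved in the low byte of the id")
    triggers = [make_trigger(OWNER_SECRET | c) for c in range(num_classes)]
    labels = list(range(num_classes))
    return triggers, labels


def random_crop(sample, out_side, rng):
    """Cut a random out_side x out_side window out of a square sample (noise-set generation)."""
    in_side = len(sample)
    if out_side > in_side:
        raise ValueError("crop is larger than the sample")
    top = rng.randrange(in_side - out_side + 1)
    left = rng.randrange(in_side - out_side + 1)
    return [row[left:left + out_side] for row in sample[top:top + out_side]]


def build_noise_set(samples, out_side, count, seed=0):
    """Noise set: `count` random crops drawn from the given training samples (seeded for repeatability)."""
    rng = random.Random(seed)
    return [random_crop(rng.choice(samples), out_side, rng) for _ in range(count)]


def popcount(bitmap):
    return sum(sum(row) for row in bitmap)


def watermarked_model(triggers, labels, num_classes):
    """Stand-in for a watermarked service: memorized trigger behaviour, ordinary output otherwise."""
    lookup = {tuple(map(tuple, t)): lab for t, lab in zip(triggers, labels)}

    def query(x):
        key = tuple(map(tuple, x))
        # Trigger samples hit the watermark behaviour; anything else falls through to a
        # constructed stand-in for the model's normal task output.
        return lookup.get(key, popcount(x) % num_classes)

    return query


def unrelated_model(num_classes):
    """Stand-in for a model that never learned the triggers: output depends only on pixel count."""
    return lambda x: popcount(x) % num_classes


def verify_ownership(query, triggers, labels, threshold=0.9):
    """Black-box check: fraction of triggers on which the suspect service returns the owner's label.

    Returns (match_rate, accepted). The threshold is a constructed value; the paper's own
    acceptance rule is not given in the abstract.
    """
    matches = sum(1 for t, lab in zip(triggers, labels) if query(t) == lab)
    rate = matches / len(triggers)
    return rate, rate >= threshold


if __name__ == "__main__":
    triggers, labels = build_trigger_set(10)
    noise = build_noise_set(triggers, 4, 20, seed=1)  # crops of the triggers used as sample data
    print("noise set size:", len(noise))
    print("suspect (watermarked):", verify_ownership(watermarked_model(triggers, labels, 10), triggers, labels))
    print("suspect (unrelated):  ", verify_ownership(unrelated_model(10), triggers, labels))
```

The owner keeps the trigger set and its labels private and only ever sends the trigger samples to the suspect API, so verification reveals nothing about the watermarked model's parameters; an unrelated model agrees with the owner's labels only by chance, which is why the match rate separates the two cases.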
Authors
刘伟发
张光华
杨婷
王鹤
LIU Weifa; ZHANG Guanghua; YANG Ting; WANG He (School of Information Science and Engineering, Hebei University of Science and Technology, Shijiazhuang 050018, China; School of Cyber Engineering, Xidian University, Xi'an 710071, China)
Source
Journal of Cyber Security (《信息安全学报》)
CSCD
2022, No. 6, pp. 105-115 (11 pages)
Funding
Supported by the National Natural Science Foundation of China Key Program "Research on Intelligent Analysis of Multi-source Vulnerability Data and Intelligent Vulnerability Exploitation and Discovery" (No. U1836210).
Keywords
intellectual property protection
deep neural network
ownership verification
multi-model watermarking