Semi-Fragile Neural Network Watermarking Based on Adversarial Examples

IF 5.3 | CAS Zone 3 (Computer Science) | JCR Q1, COMPUTER SCIENCE, ARTIFICIAL INTELLIGENCE | IEEE Transactions on Emerging Topics in Computational Intelligence | Pub Date: 2024-03-18 | DOI: 10.1109/TETCI.2024.3372373
Zihan Yuan;Xinpeng Zhang;Zichi Wang;Zhaoxia Yin
IEEE Xplore: https://ieeexplore.ieee.org/document/10474363/
Citations: 0

Abstract

Deep neural networks (DNNs) may be subject to various modifications during transmission and use. Regular processing operations do not affect the functionality of a model, while malicious tampering will cause serious damage. Therefore, it is crucial to determine the availability of a DNN model. To address this issue, we propose a semi-fragile black-box watermarking method that can distinguish between accidental modification and malicious tampering of DNNs, focusing on the privacy and security of neural network models. Specifically, for a given model, a strategy is designed to generate semi-fragile and sensitive samples using adversarial example techniques without decreasing the model accuracy. The model outputs for these samples are extremely sensitive to malicious tampering and robust to accidental modification. According to these properties, accidental modification and malicious tampering can be distinguished to assess the availability of a watermarked model. Extensive experiments demonstrate that the proposed method can detect malicious model tampering with an accuracy of up to 100% while tolerating accidental modifications such as fine-tuning, pruning, and quantization with an accuracy exceeding 75%. Moreover, our semi-fragile neural network watermarking approach can be easily extended to various DNNs.
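The abstract only states the mechanism at a high level: samples are pushed toward the decision boundary with an adversarial-example technique so that their labels survive benign processing but flip under tampering, and verification is a black-box check of those labels. The example below, added here and not the authors' code or algorithm, shows that idea end to end on a toy model. Its assumptions: the DNN is replaced by a six-feature logistic-regression classifier with hypothetical fixed weights `W0`/`B0`; the "adversarial example technique" is a clipped gradient-sign walk (FGSM/BIM style) that stops inside a margin band set relative to the largest weight (`rel_lo`, `alpha` are illustrative choices); the data are constructed; the accidental modifications simulated are int8 quantization, magnitude pruning and a few steps of clean fine-tuning, the malicious one is fine-tuning on label-flipped (poisoned) data; the 75% acceptance threshold is the tolerance figure quoted in the abstract.

```python
"""Semi-fragile integrity check from boundary-hugging "sensitive samples".
Added illustration (not the paper's code): a logistic-regression stand-in for
the DNN, FGSM/BIM-style sign steps as the adversarial-example technique, and
constructed data.  The watermark is the sample set; the weights are untouched."""
import math
import random

D, CLIP = 6, 3.0                      # feature count; valid inputs lie in [-CLIP, CLIP]^D
W0 = [1.2, -0.9, 0.7, -0.5, 0.3, 0.1]  # hypothetical pretrained classifier: label 1 iff w.x+b > 0
B0 = 0.05


def logit(w, b, x):
    return sum(wi * xi for wi, xi in zip(w, x)) + b


def predict(w, b, x):
    return 1 if logit(w, b, x) > 0 else 0


def accuracy(w, b, data):
    return sum(predict(w, b, x) == y for x, y in data) / len(data)


def make_data(n=100, seed=7):
    """Constructed inputs, labelled by the pretrained model itself."""
    rng = random.Random(seed)
    xs = [[max(-CLIP, min(CLIP, rng.gauss(0, 1))) for _ in range(D)] for _ in range(n)]
    return [(x, predict(W0, B0, x)) for x in xs]


def sensitive_sample(w, b, x0, alpha=0.02, rel_lo=0.15, max_iter=1000):
    """Walk x0 toward the boundary with clipped gradient-sign steps and stop in the
    band m_lo < margin <= m_lo + alpha*||w||_1 (margin = signed logit toward the
    original label).  The band is the semi-fragile budget: logit shifts below
    m_lo cannot flip the sample, shifts above the band flip it.  None if unreachable."""
    y = predict(w, b, x0)
    s = 1 if y == 1 else -1
    m_lo = rel_lo * max(abs(v) for v in w)
    m_hi = m_lo + alpha * sum(abs(v) for v in w)   # one step lowers the margin by at most this
    x = list(x0)
    for _ in range(max_iter):
        if s * logit(w, b, x) <= m_hi:
            break
        # d(logit)/dx = w for a linear model; step against the label's own direction
        x = [max(-CLIP, min(CLIP, xi - s * alpha * math.copysign(1.0, wi))) for xi, wi in zip(x, w)]
    return (x, y) if m_lo < s * logit(w, b, x) <= m_hi else None


def make_watermark(w, b, data, per_class=20):
    samples = []
    for x0, y0 in data:
        if sum(1 for _, y in samples if y == y0) < per_class:
            s = sensitive_sample(w, b, x0)
            if s is not None:
                samples.append(s)
    return samples


def verify(w, b, samples, threshold=0.75):
    """Black-box check: share of sensitive samples whose label still matches."""
    rate = sum(predict(w, b, x) == y for x, y in samples) / len(samples)
    return rate, ("accepted" if rate >= threshold else "TAMPERED")


def quantize_int8(w, b):
    """Accidental: symmetric per-tensor int8 quantisation, then dequantisation."""
    scale = max(abs(v) for v in w + [b]) / 127
    q = lambda v: max(-127, min(127, round(v / scale))) * scale
    return [q(v) for v in w], q(b)


def prune(w, b, frac=0.1):
    """Accidental: zero weights below frac * largest |w| (here only the last one)."""
    cut = frac * max(abs(v) for v in w)
    return [0.0 if abs(v) < cut else v for v in w], b


def finetune(w, b, data, lr, steps):
    """Plain gradient descent on the logistic loss over (x, y) pairs."""
    w = list(w)
    for _ in range(steps):
        gw, gb = [0.0] * D, 0.0
        for x, y in data:
            err = 1 / (1 + math.exp(-logit(w, b, x))) - y
            gw = [g + err * xi for g, xi in zip(gw, x)]
            gb += err
        w = [wi - lr * g / len(data) for wi, g in zip(w, gw)]
        b -= lr * gb / len(data)
    return w, b


def run_demo():
    data = make_data()
    wm = make_watermark(W0, B0, data)
    out = {"n_samples": len(wm), "accuracy_before": accuracy(W0, B0, data),
           "accuracy_after": accuracy(W0, B0, data)}        # weights never change
    cases = {"intact": (W0, B0),
             "int8 quantisation": quantize_int8(W0, B0),
             "pruning": prune(W0, B0),
             "fine-tuning": finetune(W0, B0, data, lr=0.01, steps=10),
             # malicious: fine-tune on label-flipped (poisoned) data to subvert decisions
             "label-flip poisoning": finetune(W0, B0, [(x, 1 - y) for x, y in data], lr=1.0, steps=500)}
    for name, (w, b) in cases.items():
        out[name] = verify(w, b, wm)
    return out


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k:22s} {v}")
```

The design choice that makes the check semi-fragile is the margin band. Its lower edge must exceed the worst-case logit shift of the processing you want to tolerate: for int8 quantisation here the per-weight error is at most `scale/2`, so the shift is bounded by `scale/2 * (sum|x_i| + 1)`, well inside the band for inputs clipped to [-3, 3]; a tampering that moves the decision boundary by more than the band flips the samples and fails the 75% check. On a real DNN the gradient sign comes from backpropagation rather than the weight vector, and the band has to be calibrated empirically against the benign operations you expect, which is what the abstract's experiments do.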
Source journal
CiteScore: 10.30
Self-citation rate: 7.50%
Articles published: 147
Journal description: The IEEE Transactions on Emerging Topics in Computational Intelligence (TETCI) publishes original articles on emerging aspects of computational intelligence, including theory, applications, and surveys. TETCI is an electronic-only publication. TETCI publishes six issues per year. Authors are encouraged to submit manuscripts in any emerging topic in computational intelligence, especially nature-inspired computing topics not covered by other IEEE Computational Intelligence Society journals. A few such illustrative examples are glial cell networks, computational neuroscience, Brain Computer Interface, ambient intelligence, non-fuzzy computing with words, artificial life, cultural learning, artificial endocrine networks, social reasoning, artificial hormone networks, computational intelligence for the IoT and Smart-X technologies.