On Function-Coupled Watermarks for Deep Neural Networks

IF 3.7 2区工程技术 Q2 ENGINEERING, ELECTRICAL & ELECTRONIC IEEE Journal on Emerging and Selected Topics in Circuits and Systems Pub Date : 2024-10-30 DOI:10.1109/JETCAS.2024.3476386

Xiangyu Wen;Yu Li;Wei Jiang;Qiang Xu

{"title":"On Function-Coupled Watermarks for Deep Neural Networks","authors":"Xiangyu Wen;Yu Li;Wei Jiang;Qiang Xu","doi":"10.1109/JETCAS.2024.3476386","DOIUrl":null,"url":null,"abstract":"Well-performed deep neural networks (DNNs) generally require massive labeled data and computational resources for training. Various watermarking techniques are proposed to protect such intellectual properties (IPs), wherein the DNN providers can claim IP ownership by retrieving their embedded watermarks. While promising results are reported in the literature, existing solutions suffer from watermark removal attacks, such as model fine-tuning, model pruning, and model extraction. In this paper, we propose a novel DNN watermarking solution that can effectively defend against the above attacks. Our key insight is to enhance the coupling of the watermark and model functionalities such that removing the watermark would inevitably degrade the model’s performance on normal inputs. Specifically, on one hand, we sample inputs from the original training dataset and fuse them as watermark images. On the other hand, we randomly mask model weights during training to distribute the watermark information in the network. Our method can successfully defend against common watermark removal attacks, watermark ambiguity attacks, and existing widely used backdoor detection methods, outperforming existing solutions as demonstrated by evaluation results on various benchmarks. Our code is available at: \n<uri>https://github.com/cure-lab/Function-Coupled-Watermark</uri>\n.","PeriodicalId":48827,"journal":{"name":"IEEE Journal on Emerging and Selected Topics in Circuits and Systems","volume":"14 4","pages":"608-619"},"PeriodicalIF":3.7000,"publicationDate":"2024-10-30","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=10738841","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"IEEE Journal on Emerging and Selected Topics in Circuits and Systems","FirstCategoryId":"5","ListUrlMain":"https://ieeexplore.ieee.org/document/10738841/","RegionNum":2,"RegionCategory":"工程技术","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"ENGINEERING, ELECTRICAL & ELECTRONIC","Score":null,"Total":0}

引用次数: 0

Abstract

Well-performed deep neural networks (DNNs) generally require massive labeled data and computational resources for training. Various watermarking techniques are proposed to protect such intellectual properties (IPs), wherein the DNN providers can claim IP ownership by retrieving their embedded watermarks. While promising results are reported in the literature, existing solutions suffer from watermark removal attacks, such as model fine-tuning, model pruning, and model extraction. In this paper, we propose a novel DNN watermarking solution that can effectively defend against the above attacks. Our key insight is to enhance the coupling of the watermark and model functionalities such that removing the watermark would inevitably degrade the model’s performance on normal inputs. Specifically, on one hand, we sample inputs from the original training dataset and fuse them as watermark images. On the other hand, we randomly mask model weights during training to distribute the watermark information in the network. Our method can successfully defend against common watermark removal attacks, watermark ambiguity attacks, and existing widely used backdoor detection methods, outperforming existing solutions as demonstrated by evaluation results on various benchmarks. Our code is available at: https://github.com/cure-lab/Function-Coupled-Watermark .

查看原文

微信好友朋友圈 QQ好友复制链接

本刊更多论文

深度神经网络的函数耦合水印研究

性能良好的深度神经网络（DNN）通常需要大量标注数据和计算资源进行训练。为了保护这些知识产权（IP），人们提出了各种水印技术，DNN 提供商可以通过检索其嵌入的水印来主张 IP 所有权。虽然文献报道的结果很有希望，但现有的解决方案都受到水印去除攻击，如模型微调、模型剪枝和模型提取。在本文中，我们提出了一种新型 DNN 水印解决方案，可有效抵御上述攻击。我们的主要见解是加强水印和模型功能的耦合，这样去除水印就会不可避免地降低模型在正常输入上的性能。具体来说，一方面，我们从原始训练数据集中抽取输入样本，并将其融合为水印图像。另一方面，我们在训练过程中随机屏蔽模型权重，以便在网络中分布水印信息。我们的方法可以成功抵御常见的水印去除攻击、水印模糊攻击和现有的广泛使用的后门检测方法，在各种基准上的评估结果表明，我们的方法优于现有的解决方案。我们的代码可在以下网址获取：https://github.com/cure-lab/Function-Coupled-Watermark。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文去求助

来源期刊

IEEE Journal on Emerging and Selected Topics in Circuits and Systems ENGINEERING, ELECTRICAL & ELECTRONIC-

CiteScore

8.50

自引率

2.20%

发文量

期刊介绍： The IEEE Journal on Emerging and Selected Topics in Circuits and Systems is published quarterly and solicits, with particular emphasis on emerging areas, special issues on topics that cover the entire scope of the IEEE Circuits and Systems (CAS) Society, namely the theory, analysis, design, tools, and implementation of circuits and systems, spanning their theoretical foundations, applications, and architectures for signal and information processing.

期刊最新文献

Introducing IEEE Collabratec Table of Contents Erratum to “A Reconfigurable Spatial Architecture for Energy-Efficient Inception Neural Networks” Guest Editorial: Toward Trustworthy AI: Advances in Circuits, Systems, and Applications IEEE Journal on Emerging and Selected Topics in Circuits and Systems Publication Information