
SSAT: Active Authorization Control and User’s Fingerprint Tracking Framework for DNN IP Protection

Published: 29 October 2024

Abstract

As training a high-performance deep neural network (DNN) model requires a large amount of data, powerful computing resources and expert knowledge, protecting well-trained DNN models from intellectual property (IP) infringement has raised serious concerns in recent years. Most existing methods use DNN watermarks to verify the ownership of the models after IP infringement occurs; they are reactive in the sense that they cannot prevent unauthorized users from using the model in the first place. Different from these methods, in this article, we propose an active authorization control and user's fingerprint tracking method for the IP protection of DNN models by utilizing the sample-specific backdoor attack. The proposed method exploits sample-specific triggers inversely and in multiple ways as the key to implement authorization control for the DNN model; the generated triggers are imperceptible and sample-specific for clean images. Specifically, a U-Net model is used to generate backdoor instances. Then, the target model is trained on the clean images and backdoor instances, which are inversely labeled as wrong classes and correct classes, respectively. Only authorized users can use the target model normally, by pre-processing the clean images through the U-Net model. Moreover, the images processed by the U-Net model contain a unique fingerprint that can be extracted to verify and track the corresponding user's identity. This article is the first work that utilizes the sample-specific backdoor attack to implement active authorization control and user's fingerprint management for DNN models under black-box scenarios. Extensive experimental results on the ImageNet dataset and the YouTube Aligned Face dataset demonstrate that the proposed method is effective in protecting the DNN model from unauthorized usage. Specifically, the protected model has a low inference accuracy (1.00%) for unauthorized users, while maintaining a normal inference accuracy (97.67%) for authorized users. Besides, the proposed method can achieve 100% fingerprint tracking success rates on both the ImageNet and YouTube Aligned Face datasets. Moreover, it is demonstrated that the proposed method is robust against fine-tuning attacks, pruning attacks, pruning attacks with retraining, reverse-engineering attacks, adaptive attacks, and JPEG compression attacks. The code is available at https://github.com/nuaaaisec/SSAT.


Published In

ACM Transactions on Multimedia Computing, Communications, and Applications, Volume 20, Issue 10
October 2024
729 pages
EISSN: 1551-6865
DOI: 10.1145/3613707
Editor: Abdulmotaleb El Saddik

Publisher

Association for Computing Machinery
New York, NY, United States

Publication History

Published: 29 October 2024
Online AM: 20 July 2024
Accepted: 13 July 2024
Revised: 08 June 2024
Received: 22 March 2023
Published in TOMM Volume 20, Issue 10

Author Tags

1. Deep Neural Network
2. Intellectual Property Protection
3. Active Authorization Control
4. User's Fingerprint Tracking
5. Sample-Specific Backdoor Attack

Qualifiers

• Research-article

Funding Sources

• National Natural Science Foundation of China
• Aeronautical Science Foundation
• CCF-NSFOCUS Kun-Peng Scientific Research Fund
