• 中国精品科技期刊
  • CCF推荐A类中文期刊
  • 计算领域高质量科技期刊T1类
高级检索

针对深度神经网络模型指纹检测的逃避算法

钱亚冠, 何念念, 郭艳凯, 王滨, 李晖, 顾钊铨, 张旭鸿, 吴春明

钱亚冠, 何念念, 郭艳凯, 王滨, 李晖, 顾钊铨, 张旭鸿, 吴春明. 针对深度神经网络模型指纹检测的逃避算法[J]. 计算机研究与发展, 2021, 58(5): 1106-1117. DOI: 10.7544/issn1000-1239.2021.20200903
引用本文: 钱亚冠, 何念念, 郭艳凯, 王滨, 李晖, 顾钊铨, 张旭鸿, 吴春明. 针对深度神经网络模型指纹检测的逃避算法[J]. 计算机研究与发展, 2021, 58(5): 1106-1117. DOI: 10.7544/issn1000-1239.2021.20200903
shu
Qian Yaguan, He Niannian, Guo Yankai, Wang Bin, Li Hui, Gu Zhaoquan, Zhang Xuhong, Wu Chunming. An Evasion Algorithm to Fool Fingerprint Detector for Deep Neural Networks[J]. Journal of Computer Research and Development, 2021, 58(5): 1106-1117. DOI: 10.7544/issn1000-1239.2021.20200903
Citation: Qian Yaguan, He Niannian, Guo Yankai, Wang Bin, Li Hui, Gu Zhaoquan, Zhang Xuhong, Wu Chunming. An Evasion Algorithm to Fool Fingerprint Detector for Deep Neural Networks[J]. Journal of Computer Research and Development, 2021, 58(5): 1106-1117. DOI: 10.7544/issn1000-1239.2021.20200903
shu
钱亚冠, 何念念, 郭艳凯, 王滨, 李晖, 顾钊铨, 张旭鸿, 吴春明. 针对深度神经网络模型指纹检测的逃避算法[J]. 计算机研究与发展, 2021, 58(5): 1106-1117. CSTR: 32373.14.issn1000-1239.2021.20200903
引用本文: 钱亚冠, 何念念, 郭艳凯, 王滨, 李晖, 顾钊铨, 张旭鸿, 吴春明. 针对深度神经网络模型指纹检测的逃避算法[J]. 计算机研究与发展, 2021, 58(5): 1106-1117. CSTR: 32373.14.issn1000-1239.2021.20200903
shu
Qian Yaguan, He Niannian, Guo Yankai, Wang Bin, Li Hui, Gu Zhaoquan, Zhang Xuhong, Wu Chunming. An Evasion Algorithm to Fool Fingerprint Detector for Deep Neural Networks[J]. Journal of Computer Research and Development, 2021, 58(5): 1106-1117. CSTR: 32373.14.issn1000-1239.2021.20200903
Citation: Qian Yaguan, He Niannian, Guo Yankai, Wang Bin, Li Hui, Gu Zhaoquan, Zhang Xuhong, Wu Chunming. An Evasion Algorithm to Fool Fingerprint Detector for Deep Neural Networks[J]. Journal of Computer Research and Development, 2021, 58(5): 1106-1117. CSTR: 32373.14.issn1000-1239.2021.20200903
shu

针对深度神经网络模型指纹检测的逃避算法

  • 1(浙江科技学院大数据学院 杭州 310023)

  • 2(海康威视&浙江科技学院边缘智能安全联合实验室 杭州 310023)

  • 3(西安电子科技大学网络与信息安全学院 西安 710071)

  • 4(广州大学网络空间先进技术研究院 广州 510006)

  • 5(浙江大学控制科学与工程学院 杭州 310058)

  • 6(浙江大学计算机科学与技术学院 杭州 310058) (qianyg@yeah.net)

基金项目: 国家重点研发计划项目(2018YFB2100400,2018YFB1800601);国家自然科学基金项目(61902082);浙江省重点研发计划项目(2020C01077,2021C01036,2020C01021);之江实验室科技预研项目(2018FD0ZX01)
详细信息

  • 中图分类号: TP309

An Evasion Algorithm to Fool Fingerprint Detector for Deep Neural Networks

  • 1(School of Big-data Science, Zhejiang University of Science and Technology, Hangzhou 310023)

  • 2(Edge Intelligence Security Joint Laboratory, Hikvision & Zhejiang University of Science and Technology, Hangzhou 310023)

  • 3(School of Cyber Engineering, Xidian University, Xi’an 710071)

  • 4(Cyberspace Institute of Advanced Technology, Guangzhou University, Guangzhou 510006)

  • 5(College of Control Science and Engineering, Zhejiang University, Hangzhou 310058)

  • 6(College of Computer Science and Technology, Zhejiang University, Hangzhou 310058)

Funds: This work was supported by the National Key Research and Development Program of China (2018YFB2100400, 2018YFB1800601), the National Natural Science Foundation of China (61902082), the Key Research and Development Program of Zhejiang Province (2020C01077, 2021C01036, 2020C01021), and the Major Scientific Project of Zhejiang Lab (2018FD0ZX01).

摘要

    摘要
  • 摘要: 随着深度神经网络在不同领域的成功应用,模型的知识产权保护成为了一个备受关注的问题.由于深度神经网络的训练需要大量计算资源、人力成本和时间成本,攻击者通过窃取目标模型参数,可低成本地构建本地替代模型.为保护模型所有者的知识产权,最近提出的模型指纹比对方法,利用模型决策边界附近的指纹样本及其指纹查验模型是否被窃取,具有不影响模型自身性能的优点.针对这类基于模型指纹的保护策略,提出了一种逃避算法,可以成功绕开这类保护策略,揭示了模型指纹保护的脆弱性.该逃避算法的核心是设计了一个指纹样本检测器——Fingerprint-GAN.利用生成对抗网络(generative adversarial network, GAN)原理,学习正常样本在隐空间的特征表示及其分布,根据指纹样本与正常样本在隐空间中特征表示的差异性,检测到指纹样本,并向目标模型所有者返回有别于预测的标签,使模型所有者的指纹比对方法失效.最后通过CIFAR-10,CIFAR-100数据集评估了逃避算法的性能,实验结果表明:算法对指纹样本的检测率分别可达95%和94%,而模型所有者的指纹比对成功率最高仅为19%,证明了模型指纹比对保护方法的不可靠性.
    Abstract: With the successful application of deep neural networks in various fields, the protection of intellectual property of models becomes more important. Since training the deep neural network requires a large number of computing resources, labor costs, and time costs, some people attempt to build a local substitute model with lower cost by stealing the target model’s parameters. For protecting the intellectual property of model owners, a model fingerprint matching method is proposed recently, which uses the fingerprint examples near the decision boundary of the model and their fingerprints to check whether their models have been stolen. The advantage of this method is that it does not affect the performance of the model itself. However, this protection strategy has some vulnerabilities, and we propose an evasion algorithm to successfully bypass the protection. The key component of our evasion algorithm is a fingerprint-example detector termed as Fingerprint-GAN. The Fingerprint-GAN first learns the feature representation and distribution of normal examples in a latent space. According to the difference of the feature representation in the latent space between the fingerprint examples and the normal examples, the Fingerprint-GAN finds the fingerprint examples. Finally, the labels of the fingerprint examples different from the predictions are returned to fool fingerprint matching method of the target model owner. Extensive experiments are conducted on CIFAR-10 and CIFAR-100. The results show that the detection rate of this algorithm for fingerprint examples can reach 95% and 94%, respectively, while the model owner’s fingerprint matching success rate is only 19%, which proves the unreliability of the model fingerprint matching protection method.
    • HTML全文
    • 参考文献(0)
    • 相关文章
    • 施引文献(33)

  • 期刊类型引用(9)

    1. 霍纬纲,侯振环. 基于多尺度卷积自注意力的多维时间序列预测. 计算机工程与设计. 2023(04): 1250-1258 . 百度学术
    2. 董红斌,韩爽,付强. 基于AR与DNN联合模型的地理传感器时间序列预测. 计算机科学. 2023(11): 41-48 . 百度学术
    3. 许丹丹,徐洋,张思聪,付子爔. 基于DCNN-GRU模型的XSS攻击检测方法. 计算机应用与软件. 2022(02): 324-329 . 百度学术
    4. 刘琳岚,肖庭忠,舒坚,牛明晓. 基于门控循环单元的链路质量预测. 工程科学与技术. 2022(06): 51-58 . 百度学术
    5. 吴蕾,曾慧平,王海威. 网络非平稳流量多尺度时间序列预测数学建模. 计算机仿真. 2021(08): 356-359+434 . 百度学术
    6. 罗佩,袁景凌,陈旻骋,盛德明. 面向教学资源的均值惩罚随机森林非平稳时序预测方法. 小型微型计算机系统. 2021(10): 2089-2094 . 百度学术
    7. 张冬梅,李金平,李江,余想,宋凯旋. 基于门控权重单元的多变量时间序列预测. 湖南大学学报(自然科学版). 2021(10): 105-112 . 百度学术
    8. 朱海浩,祝永新,汪辉. 基于深度置信网络的多变量时间序列分类方法. 计算机仿真. 2021(12): 262-266 . 百度学术
    9. 杜圣东,李天瑞,杨燕,王浩,谢鹏,洪西进. 一种基于序列到序列时空注意力学习的交通流预测模型. 计算机研究与发展. 2020(08): 1715-1728 . 本站查看

    其他类型引用(24)

    • 资源附件(0)
计量
  • 文章访问数:  863
  • HTML全文浏览量:  5
  • PDF下载量:  439
  • 被引次数: 33
出版历程
  • 发布日期:  2021-04-30

目录

摘要
HTML全文
    参考文献(0)
    相关文章
    施引文献
    资源附件(0)

    /

    返回文章
    返回
    邮件订阅 RSS
    微信订阅号<br/>(实时资讯)

    微信订阅号
    (实时资讯)

    微信服务号<br/>(同步网站)

    微信服务号
    (同步网站)

    微信视频号<br/>(视频分享)

    微信视频号
    (视频分享)

    CCF<br/>(扫码入会)

    CCF
    (扫码入会)

    版权所有 © 《计算机研究与发展》编辑部

    本系统由北京仁和汇智信息技术有限公司开发  百度统计