神经网络水印技术研究进展

张颖君; 陈恺; 周赓; 吕培卓; 刘勇; 黄亮

doi:10.7544/issn1000-1239.2021.20200978

神经网络水印技术研究进展

张颖君^1,4,
陈恺^2,3,
周赓^1,4,
吕培卓^2,3,
刘勇²,
黄亮⁵

¹(中国科学院软件研究所可信计算与信息保障实验室北京 100190)
²(信息安全国家重点实验室(中国科学院信息工程研究所) 北京 100195)
³(中国科学院大学网络空间安全学院北京 100049)
⁴(中国科学院大学计算机科学与技术学院北京 100049)
⁵(奇安信科技集团股份有限公司北京 100015) (yingjun2011@iscas.ac.cn)

基金项目: 国家自然科学基金重点项目(U1836211)；国家自然科学基金项目(62072448)；北京市自然科学基金项目(JQ18011)；中国科学院青年创新促进会优秀会员(Y202046)；大数据协同安全国家工程实验室开放课题

详细信息

中图分类号: TP391
计量
- 文章访问数: 1378
- HTML全文浏览量: 7
- PDF下载量: 1226
出版历程
- 发布日期: 2021-04-30

Research Progress of Neural Networks Watermarking Technology

¹(Trusted Computing and Information Assurance Laboratory, Institute of Software, Chinese Academy of Sciences, Beijing 100190)
²(State Key Laboratory of Information Security(Institute of Information Engineering, Chinese Academy of Sciences),Beijing 100195)
³(School of Cyber Security, University of Chinese Academy of Science, Beijing 100049)
⁴(College of Computer Science and Technology, University of Chinese Academy of Sciences, Beijing 100049)
⁵(Legendsec Information Technology(Beijing) Inc, Beijing 100015)

Funds: This work was supported by the Key Program of the National Natural Science Foundation of China (U1836211), the National Natural Science Foundation of China(62072448)，the Beijing Natural Science Foundation (JQ18011), the Excellent Member of Youth Innovation Promotion Association, Chinese Academy of Sciences (Y202046), and the Open Project of National Engineering Laboratory of Big Data Collaborative Security.

摘要

摘要: 随着深度神经网络的推广应用，训练后的神经网络模型已经成为一种重要的资产并为用户提供服务．服务商在提供服务的同时，也更多地关注其模型的版权保护，神经网络水印技术应运而生.首先，分析水印及其基本需求，并对神经网络水印涉及的相关技术进行介绍；对深度神经网络水印技术进行对比，并重点对白盒和黑盒水印进行详细分析；对神经网络水印攻击技术展开对比，并按照水印攻击目标的不同，对水印鲁棒性攻击、隐蔽性攻击、安全性攻击等技术进行分类介绍；最后对未来方向与挑战进行探讨.
- 数字水印 /
- 深度神经网络 /
- 神经网络后门 /
- 神经网络水印 /
- 水印攻击
Abstract: With the popularization and application of deep neural networks, the trained neural network model has become an important asset and has been provided as machine learning services (MLaaS) for users. However, as a special kind of user, attackers can extract the models when using the services. Considering the high value of the models and risks of being stolen, service providers start to pay more attention to the copyright protection of their models. The main technique is adopted from the digital watermark and applied to neural networks, called neural network watermarking. In this paper, we first analyze this kind of watermarking and show the basic requirements of the design. Then we introduce the related technologies involved in neural network watermarking. Typically, service providers embed watermarks in the neural networks. Once they suspect a model is stolen from them, they can verify the existence of the watermark in the model. Sometimes, the providers can obtain the suspected model and check the existence of watermarks from the model parameters (white-box). But sometimes, the providers cannot acquire the model. What they can only do is to check the input/output pairs of the suspected model (black-box). We discuss these watermarking methods and potential attacks against the watermarks from the viewpoint of robustness, stealthiness, and security. In the end, we discuss future directions and potential challenges.
- digital watermark /
- deep neural network /
- neural network backdoor /
- neural network watermark /
- attacks on the watermarking

HTML全文

参考文献(0)

施引文献(22)

期刊类型引用(8)

1.	曾嘉忻，张卫明，张荣. 基于后门的鲁棒后向模型水印方法. 计算机工程. 2024(02): 132-139 . 百度学术
2.	刘泽坤，宫鑫，刘秀，安龙，吕延滨，刘欣. 基于电力数据中台的行为审计工具建设. 电力大数据. 2024(02): 62-68 . 百度学术
3.	李璇，邓天鹏，熊金波，金彪，林劼. 基于模型后门的联邦学习水印. 软件学报. 2024(07): 3454-3468 . 百度学术
4.	金彪，林翔，熊金波，尤玮婧，李璇，姚志强. 基于水印技术的深度神经网络模型知识产权保护. 计算机研究与发展. 2024(10): 2587-2606 . 本站查看
5.	夏道勋，王林娜，宋允飞，罗星智. 深度神经网络模型数字水印技术研究进展综述. 科学技术与工程. 2023(05): 1799-1811 . 百度学术
6.	刘雅蕾，和红杰，陈帆，刘卓华. 基于水印神经网络的可溯源DNN模型保护方法. 应用科学学报. 2023(02): 183-196 . 百度学术
7.	樊雪峰，周晓谊，朱冰冰，董津位，牛俊，王鹤. 深度神经网络模型版权保护方案综述. 计算机研究与发展. 2022(05): 953-977 . 本站查看
8.	陈大卫，付安民，周纯毅，陈珍珠. 基于生成式对抗网络的联邦学习后门攻击方案. 计算机研究与发展. 2021(11): 2364-2373 . 本站查看