Cite this article
  • LIU Weifa, ZHANG Guanghua, YANG Ting, WANG He. Logo Network based Deep Learning Multi-model Watermarking Scheme[J]. Journal of Cyber Security, 2022, 7(6): 105-115
Logo Network based Deep Learning Multi-model Watermarking Scheme
LIU Weifa1, ZHANG Guanghua1, YANG Ting2, WANG He2
(1. School of Information Science and Engineering, Hebei University of Science and Technology, Shijiazhuang 050018, China; 2. School of Cyber Engineering, Xidian University, Xi'an 710071, China)
Abstract:
Classical watermarking techniques for protecting the intellectual property of deep learning models suffer from low reusability and high overhead when several models must be watermarked, and the watermarks are easy to detect and attack. For the black-box scenario, this paper addresses these problems through the construction of the trigger set and the design of the embedding method, and proposes a Logo Network (LogoNet) based Deep Learning Multi-model Watermarking Scheme (LNMMWS). First, a trigger set is generated with binary encoding, and a noise set is generated by randomly cropping the original training samples. The LogoNet layer structure is simplified, and LogoNet is trained on the mixed data set of trigger set and noise set; LogoNet fits the trigger set and generalizes over the noise set, which gives it high recognition accuracy for watermark trigger patterns and the ability to handle noise. Second, according to the classification categories of each target model, watermark trigger patterns are selected from LogoNet and the dimension of the LogoNet output layer is adjusted so that the LogoNet output layer fits together with the output layer of the target model, which allows multiple models to be watermarked. Finally, when the owner finds a suspicious remote application programming interface (API) service, the owner can submit multiple groups of specific trigger samples; after the input-layer transformation, these trigger specific outputs, which verifies the watermark and establishes ownership.
Experiments and analysis show that, for ownership verification of deep learning models, LNMMWS achieves high watermark trigger pattern recognition accuracy, a small embedding impact and a large number of watermark trigger patterns, with lower time overhead than existing schemes. LNMMWS has good stability under model compression attacks and model fine-tuning attacks, and is stealthy enough to avoid the risk of malicious detection.
Key words:  intellectual property protection  deep neural network  ownership verification  multi-model watermarking
DOI: 10.19363/J.cnki.cn10-1380/tn.2022.11.07
Received: 2022-07-03    Revised: 2022-10-13
Funding: This work was supported by the Key Program of the National Natural Science Foundation of China: Research on Intelligent Analysis of Multi-source Vulnerability Data and Intelligent Vulnerability Exploitation and Discovery (No. U1836210).