计算机科学 (Computer Science), 2021, Vol. 48, Issue (7): 9-16. doi: 10.11896/jsjkx.201200204

Special topic: Artificial Intelligence Security


Survey on Artificial Intelligence Model Watermarking

XIE Chen-qi, ZHANG Bao-wen, YI Ping

  1. School of Cyber Science and Engineering, Shanghai Jiao Tong University, Shanghai 200240, China
  • Received: 2020-12-23 Revised: 2021-03-19 Online: 2021-07-15 Published: 2021-07-02
  • Corresponding author: YI Ping (yiping@sjtu.edu.cn)
  • About author: XIE Chen-qi, born in 1997, postgraduate. His main research interests include artificial intelligence security. (deadlyone@sjtu.edu.cn)
    YI Ping, born in 1969, Ph.D, associate professor, is a senior member of China Computer Federation. His main research interests include artificial intelligence security.
  • Supported by:
    National Key Research and Development Project of China (2020YFB1807504, 2020YFB1807500).

Abstract: In recent years artificial intelligence has developed rapidly and has been applied to speech, image and other domains with remarkable results. However, trained AI models are easy to copy and redistribute, so a series of algorithms and techniques for protecting model copyright, and thereby the intellectual property in the models, have emerged; model watermarking is one of them. A watermark is embedded into the AI model; if the model is stolen, the owner can verify the watermark to prove ownership and defend the model's intellectual property, which is how the technique protects the model. This class of techniques has become a research hot spot in recent years, but no unified framework has yet formed. To aid understanding, this paper summarizes the current research results on model watermarking, discusses the mainstream model watermarking algorithms, analyzes the progress of this research direction, reproduces and compares several typical algorithms, and finally proposes possible future research directions.

Key words: Model watermarking, Artificial intelligence security, Algorithm flow, Algorithm performance comparison, Information redundancy
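The embed-then-verify workflow the abstract describes, as an added example that is not from the paper or from any system it surveys: a minimal white-box watermark in the style of the weight-regularizer schemes the survey covers, verified with the owner's key, with a wrong key, and after pruning. Pure standard-library Python; the projection-as-key construction, the sample weights and all names are constructed for this illustration.

```python
import math
import random
# Constructed toy (not code from the survey): the "model" is a flat list of
# weights w, the owner's secret key is the seed of a random projection X, and
# the watermark is a bit string b embedded so that sign(X @ w) reproduces b.

def make_projection(n_bits, n_weights, seed):
    """Secret key (seed) -> n_bits x n_weights Gaussian projection matrix X."""
    rng = random.Random(seed)
    return [[rng.gauss(0.0, 1.0) for _ in range(n_weights)] for _ in range(n_bits)]

def embed(weights, bits, proj, steps=400, lr=0.1):
    """Gradient descent on the regularizer BCE(sigmoid(X w), b). A real scheme
    adds this term to the task loss during training; here it is optimised alone."""
    w = list(weights)
    for _ in range(steps):
        grad = [0.0] * len(w)
        for row, b in zip(proj, bits):
            logit = sum(x * wi for x, wi in zip(row, w))
            err = 1.0 / (1.0 + math.exp(-logit)) - b  # d BCE / d logit
            for j, x in enumerate(row):
                grad[j] += err * x
        w = [wi - lr * g / len(bits) for wi, g in zip(w, grad)]
    return w

def extract(weights, proj):
    """Verification: one bit per projection row, read from the sign of the logit."""
    return [1 if sum(x * wi for x, wi in zip(row, weights)) > 0 else 0 for row in proj]

def bit_error_rate(got, expected):
    return sum(g != e for g, e in zip(got, expected)) / len(expected)

def prune(weights, frac):
    """Zero the smallest-magnitude fraction (0 <= frac < 1) of the weights:
    a removal attempt that a robust watermark is expected to survive."""
    thresh = sorted(abs(v) for v in weights)[int(len(weights) * frac)]
    return [0.0 if abs(v) < thresh else v for v in weights]

def demo(n_bits=32, n_weights=128, key=7):
    """Embed, then verify with the owner's key, a wrong key, and after 30% pruning."""
    rng = random.Random(1)
    w0 = [rng.gauss(0.0, 0.1) for _ in range(n_weights)]  # stand-in trained weights
    bits = [rng.randrange(2) for _ in range(n_bits)]
    proj = make_projection(n_bits, n_weights, key)
    w = embed(w0, bits, proj)
    wrong = make_projection(n_bits, n_weights, key + 1)
    return {"owner_key": bit_error_rate(extract(w, proj), bits),
            "wrong_key": bit_error_rate(extract(w, wrong), bits),
            "after_prune": bit_error_rate(extract(prune(w, 0.3), proj), bits)}
```

With the owner's key the bit error rate is zero and stays zero after pruning, while a wrong key reads back roughly half the bits wrong, which is the ownership evidence the abstract refers to.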

CLC number: TP393