Computer Science, 2021, Vol. 48, Issue 7: 9-16. doi: 10.11896/jsjkx.201200204

Special Issue: Artificial Intelligence Security


Survey on Artificial Intelligence Model Watermarking

XIE Chen-qi, ZHANG Bao-wen, YI Ping   

  1. School of Cyber Science and Engineering,Shanghai Jiao Tong University,Shanghai 200240,China
  • Received:2020-12-23 Revised:2021-03-19 Online:2021-07-15 Published:2021-07-02
  • About author: XIE Chen-qi, born in 1997, postgraduate. His main research interests include artificial intelligence security. (deadlyone@sjtu.edu.cn)
    YI Ping, born in 1969, Ph.D, associate professor, is a senior member of China Computer Federation. His main research interests include artificial intelligence security.
  • Supported by: National Key Research and Development Project of China (2020YFB1807504, 2020YFB1807500).

Abstract: In recent years, artificial intelligence has developed rapidly and has been applied to speech, image and other fields with remarkable results. However, a trained AI model is very easy to copy and redistribute. To protect the intellectual property of such models, a series of copyright-protection algorithms and technologies have emerged, one of which is model watermarking. Once a model is stolen, its owner can prove copyright by verifying the watermark, and thereby maintain intellectual property rights and protect the model. This technology has become a research hot spot in recent years, but no unified framework has yet formed. To aid understanding, this paper summarizes current research on model watermarking, discusses the mainstream model watermarking algorithms, analyzes research progress in the main directions of model watermarking, reproduces and compares several typical algorithms, and finally offers suggestions for future research directions.

Key words: Algorithm flow, Algorithm performance comparison, Artificial intelligence security, Information redundancy, Model watermarking

CLC Number: TP393
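As an added illustration of the embed-then-verify loop the abstract describes (example code written for this page, not the survey authors' reproduction code), the following Python sketch embeds a T-bit watermark into a flat weight vector through a secret projection matrix, in the manner of weight-regulariser watermarks, and then checks whether extraction still succeeds after pruning and weight noise, two removal attacks a model thief might apply. The flat 128-weight "model", the random seeds, the T x M Gaussian key and the 8-bit mark are all constructed assumptions; a real deployment adds the embedding loss to the task loss and trains both jointly, which this sketch omits.

```python
"""Minimal white-box model watermark (added example, not the paper's code).

Constructed assumptions:
  * the "model" is a flat list of M float weights, standing in for a
    flattened convolution kernel;
  * the owner's secret is a T x M Gaussian projection matrix X derived
    from a seed, and the watermark is a T-bit string b;
  * embedding optimises only the watermark regulariser E_R(w); a real
    model would minimise task_loss + lambda * E_R(w) jointly.
"""
import math
import random


def make_key(num_bits, num_weights, seed):
    """Owner's secret projection matrix X (num_bits x num_weights)."""
    rng = random.Random(seed)
    return [[rng.gauss(0.0, 1.0) for _ in range(num_weights)]
            for _ in range(num_bits)]


def project(key, weights):
    """p_j = <X_j, w> for every watermark bit j."""
    return [sum(x * w for x, w in zip(row, weights)) for row in key]


def extract_bits(key, weights):
    """Extraction rule: bit j is 1 iff the projection p_j is non-negative."""
    return [1 if p >= 0.0 else 0 for p in project(key, weights)]


def _sigmoid(z):
    # numerically stable logistic function
    if z >= 0.0:
        return 1.0 / (1.0 + math.exp(-z))
    e = math.exp(z)
    return e / (1.0 + e)


def embed(key, weights, bits, lr=0.005, steps=800):
    """Gradient descent on the binary cross-entropy regulariser
    E_R(w) = -sum_j [b_j log y_j + (1 - b_j) log(1 - y_j)],  y_j = sigmoid(<X_j, w>),
    so that the extraction rule reproduces `bits`."""
    w = list(weights)
    for _ in range(steps):
        ys = [_sigmoid(p) for p in project(key, w)]
        grad = [0.0] * len(w)
        # dE_R/dw = sum_j (y_j - b_j) * X_j
        for row, y, b in zip(key, ys, bits):
            d = y - b
            for i, x in enumerate(row):
                grad[i] += d * x
        w = [wi - lr * g for wi, g in zip(w, grad)]
    return w


def bit_error_rate(key, weights, bits):
    got = extract_bits(key, weights)
    return sum(1 for a, b in zip(got, bits) if a != b) / len(bits)


def verify(key, weights, bits, max_ber=0.125):
    """Ownership claim succeeds when the extracted bits (nearly) match."""
    return bit_error_rate(key, weights, bits) <= max_ber


def prune(weights, fraction):
    """Zero the smallest-magnitude `fraction` of weights (compression-style
    removal attack)."""
    k = int(len(weights) * fraction)
    order = sorted(range(len(weights)), key=lambda i: abs(weights[i]))
    dead = set(order[:k])
    return [0.0 if i in dead else w for i, w in enumerate(weights)]


def add_noise(weights, sigma, seed):
    """Gaussian weight perturbation (another removal attack)."""
    rng = random.Random(seed)
    return [w + rng.gauss(0.0, sigma) for w in weights]


def run_demo(num_bits=8, num_weights=128):
    """Embed a constructed mark, then measure BER under attacks and a false claim."""
    rng = random.Random(1)
    plain = [rng.gauss(0.0, 0.05) for _ in range(num_weights)]  # constructed "trained" weights
    bits = [rng.randrange(2) for _ in range(num_bits)]           # constructed watermark
    key = make_key(num_bits, num_weights, seed=42)
    marked = embed(key, plain, bits)
    return {
        "clean": bit_error_rate(key, marked, bits),
        "pruned_30pct": bit_error_rate(key, prune(marked, 0.30), bits),
        "noisy": bit_error_rate(key, add_noise(marked, 0.05, seed=7), bits),
        # a rival claiming the complementary bit string with the same key
        "wrong_claim": bit_error_rate(key, marked, [1 - b for b in bits]),
    }


if __name__ == "__main__":
    for name, ber in run_demo().items():
        print(f"{name:13s} BER = {ber:.3f}")
```

The verification threshold `max_ber` is the practical knob: too tight and a legitimately fine-tuned or pruned copy fails the claim; too loose and an unrelated model (whose projections are roughly a coin flip per bit) may pass, so T must be large enough that a random 50% BER is far from the threshold. Note also that this is a white-box scheme: the verifier needs the stolen model's weights, which is why the survey also covers black-box (query-based) schemes.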