authorization control
PCPT and ACPT: Copyright Protection and Traceability Scheme for DNN Models
Fan, Xuefeng, Fu, Dahao, Gui, Hangyu, Zhang, Xinpeng, Zhou, Xiaoyi
Abstract--Deep neural networks (DNNs) have achieved tremendous success in artificial intelligence (AI) fields. However, DNN models can be easily illegally copied, redistributed, or abused by criminals, seriously damaging the interests of model inventors. Because the existing traceability mechanisms are used for models without watermarks, a small number of false-positives are generated. Existing black-box active protection schemes have loose authorization control and are vulnerable to forgery attacks. This framework uses the authorization control center constructed by the detector and verifier. This approach realizes stricter authorization control, which establishes a strong connection between users and model owners, improves the framework security, and supports traceability verification. Internet companies, such as Microsoft, Baidu, and Google, have deployed DNN models in their products and services to provide intelligent and high-quality services. In contrast to traditional multimedia data, the cost of training a good DNN model is considerable. It requires the use of large-scale datasets, huge computing resources, and large labor costs. However, according to the literature, only the KeyNet framework proposed by Jebreel et al. [12] has addressed the problem of traceability after the DNN model is illegally stolen and distributed. However, when the KeyNet framework is used for models without watermarks, a small number of falsepositives are produced. For example, the VGG16 and ResNet18 networks yield 7.92% and 18.92% false-positive rates, respectively. Since PCPT uses additional classes as the trigger set, the distortion of the original decision boundary is minimized (or even eliminated), thus realizing a zero false-positive rate in the unlabeled model. After a video is framed, several trigger sets are constructed according to the different subjects in the video.
ActiveGuard: An Active DNN IP Protection Technique via Adversarial Examples
Xue, Mingfu, Sun, Shichang, He, Can, Zhang, Yushu, Wang, Jian, Liu, Weiqiang
The training of Deep Neural Networks (DNN) is costly, thus DNN can be considered as the intellectual properties (IP) of model owners. To date, most of the existing protection works focus on verifying the ownership after the DNN model is stolen, which cannot resist piracy in advance. To this end, we propose an active DNN IP protection method based on adversarial examples against DNN piracy, named ActiveGuard. ActiveGuard aims to achieve authorization control and users' fingerprints management through adversarial examples, and can provide ownership verification. Specifically, ActiveGuard exploits the elaborate adversarial examples as users' fingerprints to distinguish authorized users from unauthorized users. Legitimate users can enter fingerprints into DNN for identity authentication and authorized usage, while unauthorized users will obtain poor model performance due to an additional control layer. In addition, ActiveGuard enables the model owner to embed a watermark into the weights of DNN. When the DNN is illegally pirated, the model owner can extract the embedded watermark and perform ownership verification. Experimental results show that, for authorized users, the test accuracy of LeNet-5 and Wide Residual Network (WRN) models are 99.15% and 91.46%, respectively, while for unauthorized users, the test accuracy of the two DNNs are only 8.92% (LeNet-5) and 10% (WRN), respectively. Besides, each authorized user can pass the fingerprint authentication with a high success rate (up to 100%). For ownership verification, the embedded watermark can be successfully extracted, while the normal performance of the DNN model will not be affected. Further, ActiveGuard is demonstrated to be robust against fingerprint forgery attack, model fine-tuning attack and pruning attack.