CN110610082A - DNN-based system and method for passport to resist fuzzy attack - Google Patents


Info

Publication number: CN110610082A
Authority: CN (China)
Prior art keywords: passport, dnn, fuzzy, model, signature
Legal status: Pending
Application number: CN201910832529.2A
Other languages: Chinese (zh)
Inventor: 范力欣
Current assignee: Daocheng Technology Nanjing Co Ltd
Original assignee: Daocheng Technology Nanjing Co Ltd
Application filed by Daocheng Technology Nanjing Co Ltd
Priority to CN201910832529.2A
Publication of CN110610082A
Priority to PCT/CN2020/072809 (WO2021042665A1)

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS > G06N 3/00 Computing arrangements based on biological models > G06N 3/02 Neural networks > G06N 3/04 Architecture, e.g. interconnection topology > G06N 3/045 Combinations of networks
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS > G06N 3/00 Computing arrangements based on biological models > G06N 3/02 Neural networks > G06N 3/08 Learning methods


Abstract

The invention provides a DNN-based system and method for a passport to resist fuzzy attacks. The system comprises a DNN model whose ownership verification scheme comprises an embedding process E, a fidelity evaluation process F, a signature verification process V and a reversible process I. A private passport and a trigger set (a passport and a set of trigger images) are embedded into the model but not distributed, and ownership of a suspicious DNN model is detected and declared through a remotely called service API: ownership is first declared in black-box mode using the trigger images, and then declared again through passport validation in white-box mode. Training alternately minimizes the original task loss and the joint loss function containing the passport constraints. For AlexNet and ResNet trained on the CIFAR10 and CIFAR100 classification tasks, network performance varied significantly, from 3% to 80%, depending on the passport: the DNN model provided with a valid passport was more than 90% as accurate as the original network, while the same DNN model used with a fake passport achieved approximately 10% classification accuracy.

Description

DNN-based system and method for passport to resist fuzzy attack
Technical Field
The invention relates to the field of passport security, in particular to a system and a method for defending a passport against fuzzy attacks based on DNN.
Background
Existing methods for embedding watermarks in machine learning models can be roughly divided into two schools: a) feature-based methods embed a specified watermark into the network weights by adding an additional constraint term to the optimization objective; b) trigger-set-based methods rely on adversarial training samples with specific labels, i.e. a back-door trigger set. Watermarks embedded by both schemes have been demonstrated to be robust against removal attacks, which mainly consist of modifying the network weights, e.g. by fine-tuning or pruning. However, our studies reveal the existence and effectiveness of a fuzzy attack whose purpose is to cast doubt on the uniqueness of model ownership verification by forging watermarks for the DNN model. Our research also shows that, even without the original training data set, the watermark can be forged and the fuzzy attack carried out by reverse engineering at low computational cost.
Disclosure of Invention
In view of the above problems, the present invention provides a DNN-based system and method for protecting passports against fuzzy attacks, wherein the performance of a real passport is maintained, and the network performance is severely degraded once a modified or forged passport is used, and is robust against removal attacks, while at the same time being able to protect against fuzzy attacks. The technical scheme adopted by the invention is as follows:
a system and a method for passport to resist fuzzy attack based on DNN comprise a DNN model, wherein the DNN model ownership verification scheme comprises an embedding process E, a fidelity evaluation process F, a signature verification process V and a reversible process I, and the specific steps are as follows:
s11, the embedding process E is a DNN learning process that takes training data D as input, including trigger set data T or signatures S, and optimizes the model N by minimizing a given loss function L;
S12, the fidelity evaluation process F = {False, True} assesses whether the performance difference is less than a threshold, i.e. $(M - M_t) < \epsilon$, where M is the DNN performance measured on a set of test data D, $M_t$ is the target performance, $\epsilon$ is the threshold and F is the fidelity evaluation result;
s13, the signature verification process V ═ { False, True } checks whether the predetermined signature or trigger set S, T was successfully verified for the given neural network N;
S14, when the following conditions are met, there is a reversible process I(N) = N' that constitutes a successful fuzzy attack $A_a$:
a) for a given DNN model, a new trigger set T' and/or signature s' can be inferred by reverse engineering;
b) the forged T', s' are successfully verified against the given DNN weights W, i.e. V = True;
c) the fidelity evaluation result F is still True;
S15, a DNN verification scheme V for which such a reversible process exists is defined as a reversible scheme $V_l$; otherwise it is defined as an irreversible scheme.
Optionally, the method based on the feature and based on the trigger set adopts a combined loss function as follows:
$L = L_c(f(W, X_r), y_r) + \lambda_t L_c(f(W, X_T), y_T) + \lambda_r R(W, s)$, (1)
where $\lambda_t$, $\lambda_r$ are the weights of the associated hyperparameters, f(W, X) takes the input $X_r$ or $X_T$ and outputs a prediction, and $L_c$ is the cross-entropy loss between the prediction and the target label $y_r$ or $y_T$. The signature s = {P, B} consists of a passport P and a signature string B, and the constraint term is $R = L_c(\sigma(W, P), B)$ or $R = \mathrm{MSE}(B - PW)$, where MSE is the mean square error function.
Optionally, the DNN model of the trigger set-based watermarking method is further embedded with a private passport and a trigger set, but not distributed, where the trigger set is a set of trigger images, and ownership of a suspicious DNN model is detected and declared by remotely calling a service API; the ownership is first declared in black-box mode, and then the ownership trigger set image is declared again by passport validation in white-box mode, alternating minimizing the original mission loss, excluding the passport layers, and reducing the joint loss function containing the passport constraint terms, employing the GroupNormalisation algorithm.
Optionally, the passport is generated after random shuffling, as follows: a set of N selected images is fed into a DNN model having the same structure, and the N corresponding feature maps are collected at each layer; of the N options, only one per layer is randomly selected to be the passport. In particular, for a set of N base images and a DNN model with L layers, a total of $N^L$ possible passport combinations can be generated.
Optionally, based on the DNN model of the watermark method of the trigger set, the trainable noise component is added to the randomly selected base image using the following steps:
S31, randomly select a set of N base images $T_b$;
S32, generate a random noise pattern $T_n$ of the same size as the trainable parameters;
S33, use the sum $X_T = T_b + \eta T_n$ as the trigger set image, where $\eta = 0.04$ keeps the noise component invisible;
S34, randomly assign trigger set labels $y_T$;
S35, minimize the cross-entropy loss $L_c$ associated with the trainable parameters $T_n$.
Optionally, the DNN architecture is predetermined by the optimization model N, and after the DNN weights W are learned the trigger set T or signature s is embedded in the model; the signature verification process V first calls the DNN prediction process with the trigger set samples $T_x$ as input, then checks whether the prediction function f produces the specified labels $T_y$ with a false detection rate less than a threshold.
Optionally, the DNN model further includes a passport layer and a convolution layer, where the scale factor $\gamma$ and the offset $\beta$ of the passport layer depend on the convolution kernel $W_p$ and on a specified passport P as follows:
where $*$ denotes the convolution operation, l is the layer index, $X_p$ is the input to the passport layer, $X_c$ is the input to the convolutional layer, O() is the corresponding linear transformation output, and $P_\gamma^l$ and $P_\beta^l$ are the passport layers from which the scale factor $\gamma$ and the deviation term $\beta$ are derived, respectively; each convolutional layer consists of a plurality of convolution units whose parameters are optimized by the back-propagation algorithm, and different characteristics of the fuzzy attack are extracted through the convolution operation.
Optionally, using passport layers $s_e = \{P_\gamma^l, P_\beta^l\}_l$, the predicted performance M of the trained DNN model depends on the digital passport provided when the network is used, namely:
if a non-genuine digital passport $s_t \neq s_e$ is presented, the network's operating performance deteriorates significantly.
Optionally, in the irreversible scheme the fidelity evaluation result F depends on the presented signature s or trigger set T. If the passport is forged, $s_t \neq s_e$, the performance M deteriorates sharply and the performance difference exceeds the threshold $\epsilon_f$.
Optionally, the signature is an embedded binary signature, and in the DNN weight learning process, the following sign loss constraint terms are added to the combined loss function to force the scale factor to take a specified positive or negative sign:
where $B = \{b_1, \dots, b_C\} \in \{-1, 1\}^C$ consists of the given binary bits for the C convolution kernels, and $\gamma_0$ is a positive control parameter, defaulting to 0.1, that encourages the magnitude of the scale factor to exceed $\gamma_0$.
Optionally, the parameters of the DNN model are divided into the public convolution layer parameters W and the scale factor $\gamma$ and deviation term $\beta$ of the hidden passport layer; after the passport information is embedded into the weights W and learning is complete, the following constraints hold: $\mathrm{Avg}(W_p^l * P_\gamma^l) = c_\gamma^l$, $\mathrm{Avg}(W_p^l * P_\beta^l) = c_\beta^l$; the distribution of the convolutional layer weights is the same as that of the original DNN without the passport layer; $c_\gamma^l$ and $c_\beta^l$ are the constant values to which the parameters $\gamma^l$ and $\beta^l$ converge, and the scale factor can only take positive or negative values away from zero.
The deep neural network targeted by the embodiment of the invention includes all the mentioned various forms, different input signals, different types, different network structures, different application functions, deep neural networks on different operation carriers, and any neural network which is the same in principle, regardless of the operation environment. Optionally, the neural network may run in a computer Central Processing Unit (CPU), a Graphics Processing Unit (GPU), a Tensor Processor (TPU), a dedicated artificial intelligence chip, and a cloud computing center, a mobile device, a wearable device, an intelligent video terminal, a vehicle-mounted device, and other vehicles, internet of things devices (IoT devices), and the like.
Optionally, the DNN-based system and method for protecting passport against fuzzy attack may be applied to the terminal device to generate a passport against fuzzy attack, and include an embedding module, a fidelity evaluation module, a signature verification module, a reversible module, and a passport generation module.
Optionally, the embedding module inputs training data D, including trigger set data T or signature s, and optimizes the model N by minimizing a given loss function L;
optionally, the fidelity evaluation module F assesses whether the performance difference is less than a threshold, i.e. $(M - M_t) < \epsilon$, where M is the DNN performance measured on a set of test data D, $M_t$ is the target performance, $\epsilon$ is the threshold and F is the fidelity evaluation result;
optionally, the signature verification module V checks whether a predetermined signature or trigger set s, T is successfully verified for a given neural network N;
optionally, there exists a reversible module I(N) = N' that satisfies the following conditions and constitutes a successful fuzzy attack $A_a$:
d) for a given DNN model, a new trigger set T' and/or signature s' is deduced by reverse engineering;
e) the forged T', s' are successfully verified against the given DNN weights W, i.e. V = True;
f) the fidelity evaluation result F is still True;
optionally, a DNN verification scheme V for which the reversible module exists is defined as a reversible scheme $V_l$; otherwise it is defined as an irreversible scheme.
Optionally, the passport generation module feeds a set of N selected images into a DNN model having the same structure and collects the N corresponding feature maps at each layer; of the N options, only one per layer is randomly selected to be the passport. In particular, for a set of N base images and a DNN model with L layers, a total of $N^L$ possible passport combinations can be generated.
According to the technical scheme, the invention has the beneficial effects that: the performance remains unchanged with a real passport, while the network performance is severely degraded once a modified or forged passport is used, robust against removal attacks, while at the same time being able to resist fuzzy attacks; the DNN model embeds private passports and trigger sets but does not distribute, alternating minimizing original task losses such as CIFAR10 classification, but not including the passport layer, and reducing joint loss functions that contain passport constraints.
Drawings
FIG. 1 is an architectural diagram of a digital passport layer of the present invention;
FIG. 2 is a representation of a DNN model of a different passport of the present invention;
FIG. 3 is a diagram of a proprietary verification scheme that embeds a private passport and trigger set but does not distribute;
FIG. 4 is a representation of the present invention of the classification of CIFAR10 against attacks;
FIG. 5 is a representation of the present invention of the CIFAR100 classification against attacks;
FIG. 6 is a defensive performance representation of the invention;
FIG. 7 is a diagram of a passport and trained DNN model together distributing ownership verification scheme;
FIG. 8 is a diagram of a proprietary verification scheme in which a private passport is embedded in the DNN model but not distributed;
In the drawings, 1 is a fake passport, 2 is a passport obtained by reverse engineering, 3 is a valid passport, 4 is the original network DNN, 5 is Signature, 6 is CIFAR10, 7 is CIFAR100, 8 is fake1, 9 is fake2, 10 is valid, and 11 is orig.
The specific embodiments are as follows:
a system and a method for defending a passport against fuzzy attacks based on DNN are constructed, the performance is kept unchanged by using a real passport, and the network performance is seriously degraded once a modified or forged passport is used, so that the system and the method are robust to removal attacks, and meanwhile, the fuzzy attacks can be defended.
A system and a method for passport to resist fuzzy attack based on DNN comprise a DNN model, wherein the DNN model ownership verification scheme comprises an embedding process E, a fidelity evaluation process F, a signature verification process V and a reversible process I, and the specific steps are as follows:
s11, the embedding process E is a DNN learning process that takes training data D as input, including trigger set data T or signatures S, and optimizes the model N by minimizing a given loss function L;
S12, the fidelity evaluation process F = {False, True} assesses whether the performance difference is less than a threshold, i.e. $(M - M_t) < \epsilon$, where M is the DNN performance measured on a set of test data D, $M_t$ is the target performance, $\epsilon$ is the threshold and F is the fidelity evaluation result;
s13, the signature verification process V ═ { False, True } checks whether the predetermined signature or trigger set S, T was successfully verified for the given neural network N;
S14, when the following conditions are met, there is a reversible process I(N) = N' that constitutes a successful fuzzy attack $A_a$:
a) for a given DNN model, a new trigger set T' and/or signature s' can be inferred by reverse engineering;
b) the forged T', s' are successfully verified against the given DNN weights W, i.e. V = True;
c) the fidelity evaluation result F is still True;
S15: a DNN verification scheme V in which such a reversible process exists is defined as a reversible scheme $V_l$; otherwise it is defined as an irreversible scheme.
Optionally, the method based on the feature and based on the trigger set adopts a combined loss function as follows:
$L = L_c(f(W, X_r), y_r) + \lambda_t L_c(f(W, X_T), y_T) + \lambda_r R(W, s)$, (1)
where $\lambda_t$, $\lambda_r$ are the weights of the associated hyperparameters, f(W, X) takes the input $X_r$ or $X_T$ and outputs a prediction, and $L_c$ is the cross-entropy loss between the prediction and the target label $y_r$ or $y_T$. The signature s = {P, B} consists of a passport P and a signature string B, and the constraint term is $R = L_c(\sigma(W, P), B)$ or $R = \mathrm{MSE}(B - PW)$, where MSE is the mean square error function.
The following table shows the effect of the combined loss function employed by the feature-based and trigger set-based watermarking methods:
TABLE 1
Table 1 shows the detection accuracy of the watermark before and after fine-tuning for a transfer learning task. L1 denotes a network trained on CIFAR10 and fine-tuned on CIFAR100 (top row); L2 denotes fine-tuning to Caltech-101 (bottom row). Outside the parentheses is the accuracy on the transfer task, inside is the accuracy on the original task. Wmdet denotes the watermark detection accuracy, where the values outside/inside the parentheses correspond to after/before fine-tuning, respectively.
For DNN models performing classification tasks, the network performance M obtained on the test data set $D_t = \{X_T, y_T\}$ is independent of the embedded signature s or trigger set T; it is this independence that makes existing watermark-based methods reversible.
As shown in fig. 3, the DNN model of the trigger set based watermarking method is also embedded with a private passport and a trigger set, which is a set of trigger images, but not distributed, and the ownership of the suspect DNN model is detected and declared by remotely calling a service API; the ownership is first declared in black-box mode, and then the ownership trigger set image is declared again by passport validation in white-box mode, alternating minimizing the original mission loss, excluding the passport layers, and reducing the joint loss function containing the passport constraint terms, employing the GroupNormalisation algorithm.
The passport is generated after random shuffling, as follows: a set of N selected images is fed into a DNN model having the same structure, and the N corresponding feature maps are collected at each layer; of the N options, only one per layer is randomly selected to be the passport. In particular, for a set of N base images and a DNN model with L layers, a total of $N^L$ possible passport combinations can be generated.
Based on the DNN model of the trigger set watermarking method, a trainable noise component is added to the randomly selected base image using the following steps:
S31, randomly select a set of N base images $T_b$;
S32, generate a random noise pattern $T_n$ of the same size as the trainable parameters;
S33, use the sum $X_T = T_b + \eta T_n$ as the trigger set image, where $\eta = 0.04$ keeps the noise component invisible;
S34, randomly assign trigger set labels $y_T$;
S35, minimize the cross-entropy loss $L_c$ associated with the trainable parameters $T_n$.
The DNN architecture is predetermined by the optimization model N, and after the DNN weights W are learned the trigger set T or signature s is embedded into the model; the signature verification process V first calls the DNN prediction process with the trigger set samples $T_x$ as input, then checks whether the prediction function f produces the specified labels $T_y$ with a false detection rate less than a threshold.
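Steps S31 to S35 and the black-box form of the verification process V, as an added illustration in plain Python (not code from the patent or its authors): trigger images are blended from constructed base images and noise patterns with η = 0.04, labels are assigned at random, and ownership is accepted only if the queried predictor's false-detection rate on the trigger set stays below a threshold. The threshold value and the two stand-in predictors are assumptions, and the training of the noise pattern in S35 (which needs a real model) is not shown.

```python
import random

ETA = 0.04  # noise weight eta from step S33; small enough that the noise stays invisible


def make_trigger_set(base_images, noise_patterns, num_classes, seed=0):
    """S31-S34: X_T = T_b + eta * T_n for each base image, with a randomly assigned label y_T.
    Images are flat lists of pixel values; each noise pattern has the same size as its image."""
    rng = random.Random(seed)
    triggers = [[b + ETA * n for b, n in zip(img, noise)]
                for img, noise in zip(base_images, noise_patterns)]
    labels = [rng.randrange(num_classes) for _ in triggers]
    return triggers, labels


def false_detection_rate(predict, triggers, labels):
    """Fraction of trigger samples T_x for which the prediction f(T_x) is not the assigned label T_y."""
    misses = sum(1 for x, y in zip(triggers, labels) if predict(x) != y)
    return misses / len(triggers)


def verify_trigger_set(predict, triggers, labels, max_false_rate):
    """Signature verification V in black-box mode: only the prediction function is queried
    (e.g. through a remote service API) and ownership is declared if the false-detection
    rate is below the threshold.  The threshold value is an assumption."""
    return false_detection_rate(predict, triggers, labels) < max_false_rate


def memorising_predictor(triggers, labels):
    """Stand-in (constructed) for a model that was trained on the trigger set: returns the
    assigned label for a known trigger image and class 0 for anything else."""
    table = {tuple(round(v, 6) for v in x): y for x, y in zip(triggers, labels)}
    return lambda x: table.get(tuple(round(v, 6) for v in x), 0)


if __name__ == "__main__":
    rng = random.Random(2024)  # constructed sample data
    base = [[rng.random() for _ in range(16)] for _ in range(20)]
    noise = [[rng.uniform(-1, 1) for _ in range(16)] for _ in range(20)]
    xt, yt = make_trigger_set(base, noise, num_classes=10, seed=1)
    owned = memorising_predictor(xt, yt)
    always_wrong = lambda x: (owned(x) + 1) % 10   # a model that never learned the trigger set
    print("owned model verified:", verify_trigger_set(owned, xt, yt, 0.1))
    print("unrelated model verified:", verify_trigger_set(always_wrong, xt, yt, 0.1))
```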
The DNN model also comprises a passport layer and a convolution layer, where the scale factor $\gamma$ and the offset $\beta$ of the passport layer depend on the convolution kernel $W_p$ and on a specified passport P as follows:
where $*$ denotes the convolution operation, l is the layer index, $X_p$ is the input to the passport layer, $X_c$ is the input to the convolutional layer, O() is the corresponding linear transformation output, and $P_\gamma^l$ and $P_\beta^l$ are the passport layers from which the scale factor $\gamma$ and the deviation term $\beta$ are derived, respectively; each convolutional layer consists of a plurality of convolution units whose parameters are optimized by the back-propagation algorithm, and different characteristics of the fuzzy attack are extracted through the convolution operation.
The architecture of the digital passport layer used in a ResNet block is depicted in FIG. 1, which shows a sample ResNet layer comprising two convolutional layers and two passport layers. $P^l = \{P_\gamma^l, P_\beta^l\}$ is the digital passport, and $F = \mathrm{Avg}(W_p^l * P_{\gamma,\beta}^l)$ is the passport function that computes the hidden parameters (i.e. $\gamma$ and $\beta$), as given in equation (2).
FIG. 2 shows the behaviour of the DNN model with different passports, comparing the distributions of CIFAR10 classification accuracy (in % on the x-axis) for the original network DNN 4, the DNN with the valid passport 3, the DNN with the fake passport 1, and the DNN with the passport 2 obtained by reverse engineering.
Using passport layers $s_e = \{P_\gamma^l, P_\beta^l\}_l$, the predicted performance M of the trained DNN model depends on the digital passport provided when the network is used, namely:
if a non-genuine digital passport $s_t \neq s_e$ is presented, the network's operating performance deteriorates significantly, since the corresponding scale factor $\gamma$ and deviation term $\beta$ are computed from the wrong passport. For example, as shown in FIG. 2, the DNN model provided with the valid passport 3 shows almost the same accuracy as the original network DNN 4, whereas the same DNN model using the fake passport 1 only achieves a classification rate of about 10%. The key to the passport layer is to ensure the dependency between the scale factor, the bias term and the network weights.
In the irreversible scheme, the fidelity evaluation result F depends on the presented signature s or trigger set T. If the passport is forged, $s_t \neq s_e$, the performance M deteriorates sharply and the performance difference exceeds the threshold $\epsilon_f$.
The signature is an embedded binary signature; during learning of the DNN weights the following sign loss constraint term is added to the combined loss function to force the scale factor to take a specified positive or negative sign:
where $B = \{b_1, \dots, b_C\} \in \{-1, 1\}^C$ consists of the given binary bits for the C convolution kernels, and $\gamma_0$ is a positive control parameter, defaulting to 0.1, that encourages the magnitude of the scale factor to exceed $\gamma_0$.
The parameters of the DNN model are divided into the public convolution layer parameters W and the scale factor $\gamma$ and deviation term $\beta$ of the hidden passport layer; after the passport information is embedded into the weights W and learning is complete, the following constraints hold: $\mathrm{Avg}(W_p^l * P_\gamma^l) = c_\gamma^l$, $\mathrm{Avg}(W_p^l * P_\beta^l) = c_\beta^l$; the distribution of the convolutional layer weights is the same as that of the original DNN without the passport layer; $c_\gamma^l$ and $c_\beta^l$ are the constant values to which the parameters $\gamma^l$ and $\beta^l$ converge, and the scale factor can only take positive or negative values away from zero.
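A worked pure-Python illustration of the passport layer, the sign-constrained embedding E, the white-box signature verification V and the fidelity check F described above (added here; not code from the patent or its authors). It assumes a 1-D convolution in place of the 2-D one, a hinge form of the sign loss (the patent's equation (5) is not reproduced on this page), and constructed kernels, passports and signature bits; with these, a modified passport flips every scale factor and the signature check fails.

```python
GAMMA0 = 0.1  # positive control parameter gamma_0; the description gives 0.1 as its default


def conv1d(kernel, signal):
    """Valid cross-correlation of a 1-D signal with a 1-D kernel; stands in for W_p * P."""
    k = len(kernel)
    return [sum(kernel[j] * signal[i + j] for j in range(k))
            for i in range(len(signal) - k + 1)]


def avg(values):
    return sum(values) / len(values)


def scale_factors(kernels, p_gamma):
    """gamma_c = Avg(W_p^c * P_gamma): the scale factor of channel c is derived from its kernel."""
    return [avg(conv1d(w, p_gamma)) for w in kernels]


def passport_layer(kernels, x_c, p_gamma, p_beta):
    """Forward pass: channel c outputs gamma_c * O_c(x_c) + beta_c, with O_c the convolution
    output and beta_c = Avg(W_p^c * P_beta).  A wrong passport silently changes gamma and beta."""
    gammas = scale_factors(kernels, p_gamma)
    betas = scale_factors(kernels, p_beta)
    return [[g * o + b for o in conv1d(w, x_c)]
            for w, g, b in zip(kernels, gammas, betas)]


def sign_loss(gammas, bits, gamma0=GAMMA0):
    """Sign constraint in an assumed hinge form: channel c is penalised unless b_c * gamma_c >= gamma0,
    which pushes each scale factor to the sign of its bit and away from zero."""
    return sum(max(0.0, gamma0 - b * g) for g, b in zip(gammas, bits))


def embed_signature(kernels, p_gamma, bits, lr=0.05, max_steps=1000):
    """Embedding process E reduced to the sign constraint: gradient descent on sign_loss with
    respect to the kernels while the genuine passport is attached.  Returns the new kernels."""
    kernels = [list(w) for w in kernels]
    k = len(kernels[0])
    n = len(p_gamma) - k + 1
    # gamma_c is linear in w_c, so d gamma_c / d w_c[j] = mean over positions i of p_gamma[i + j]
    grad = [avg(p_gamma[j:j + n]) for j in range(k)]
    for _ in range(max_steps):
        gammas = scale_factors(kernels, p_gamma)
        if sign_loss(gammas, bits) == 0.0:
            break
        for w, g, b in zip(kernels, gammas, bits):
            if b * g < GAMMA0:  # violated channel: move gamma_c towards the sign of b_c
                for j in range(k):
                    w[j] += lr * b * grad[j]
    return kernels


def verify_signature(kernels, p_gamma, bits):
    """Signature verification V (white-box): True only if every scale factor carries its
    assigned sign; a single mismatching bit rejects the ownership claim."""
    return all((g > 0) == (b > 0) for g, b in zip(scale_factors(kernels, p_gamma), bits))


def fidelity(m, m_target, eps):
    """Fidelity evaluation F.  The description writes (M - M_t) < epsilon; the gap is taken here
    as target minus measured (an assumption) so that a degraded model fails the check."""
    return (m_target - m) < eps


if __name__ == "__main__":
    bits = [1, -1, 1, -1]                                  # signature B in {-1, 1}^C (constructed)
    kernels = [[0.2, -0.1, 0.3], [-0.4, 0.1, 0.2], [0.1, 0.1, 0.1], [-0.3, 0.2, -0.2]]
    p_gamma = [0.5, -0.2, 0.8, 0.1, -0.6, 0.3, 0.9, -0.4]   # genuine passport P_gamma (constructed)
    p_beta = [0.3, 0.3, -0.1, 0.2, 0.0, -0.5, 0.4, 0.1]    # genuine passport P_beta (constructed)
    kernels = embed_signature(kernels, p_gamma, bits)
    x = [0.1 * i for i in range(8)]
    fake = [-v for v in p_gamma]                           # modified passport: every sign flips
    print("genuine passport verified:", verify_signature(kernels, p_gamma, bits))
    print("modified passport verified:", verify_signature(kernels, fake, bits))
    print("output with genuine passport:", passport_layer(kernels, x, p_gamma, p_beta)[0][:3])
    print("output with modified passport:", passport_layer(kernels, x, fake, p_beta)[0][:3])
```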
We next performed experimental tests on robustness to fine-tuning, pruning and various kinds of fuzzy attacks.
Robustness to fine-tuning: Table 2 below shows the performance (%) of the passport network and its robustness to fine-tuning, where BN denotes batch normalization and GN denotes group normalization (left: trained on CIFAR10 and transferred to the CIFAR100/Caltech-101 tasks; right: trained on CIFAR100 and transferred to CIFAR10/Caltech-101).
In this experiment we repeated training five times for each DNN model with the assigned scale factor signs embedded. For the three ownership verification schemes, the passport signature is detected at a 100% detection rate. As shown in Table 2 below, the embedded passport maintains 100% detection even after the network is fine-tuned for other classification tasks (e.g. from CIFAR10 to Caltech-101). Note that the passport signature is only declared detected if all the bits match exactly. We attribute this superior robustness to the unique control property of the scale factor: if the scale factor value decreases to near zero, the channel output is almost zero and its gradient vanishes, so it cannot continue to move in the opposite direction and the sign cannot change. Empirically, we have not observed a counterexample to this explanation.
TABLE 2
Robustness to pruning: DNN performance and passport signature detection rate are shown as functions of the pruned weight ratio in FIG. 4 and FIG. 5. In this experiment we tested the behaviour of the embedded passport model against attacks that clip a certain proportion of the DNN weights. This weight pruning strategy has been used in network compression. For the CIFAR10 classification, the passport signature detection accuracy approaches 100% when the pruning percentage remains around 60%. Even with 90% of the DNN weights pruned, the detection rate still reaches 70%. We attribute this robustness to modification attacks to the superior persistence exhibited by the embedded features.
Defence against fuzzy attacks: FIG. 6 shows the performance of the DNN with a valid passport and with two different types of fake passport, namely the random attack fake1 (8) and the fuzzy attack fake2 (9). For AlexNet and ResNet trained on the CIFAR10 classification task, the network performance varies greatly depending on the authenticity of the passport: DNN models provided with valid passports show almost the same accuracy as the original DNN models, while a fake passport achieves a classification rate of about 10% with the same DNN model (in this case fake1 (8), a random attack), which is only comparable to random guessing. In the case of fake2 (9), we assume that the attacker has obtained the original training data set and attempts to infer the scale factors and bias terms in reverse by freezing the trained DNN weights. As a result, as shown in FIG. 6, AlexNet reaches only 84% at most and ResNet only 70% at most. In the CIFAR100 classification task, for the fake1 (8) cases the attack success rate of AlexNet and ResNet is about 1%; for fake2 (9), the attack success rate is 44% for AlexNet and 35% for ResNet. Based on these experimental studies, we can set the threshold $\epsilon_f$ in Definition 1 to 3% for AlexNet and 20% for ResNet, respectively. The fidelity evaluation process can then effectively resist any potential fuzzy attack. In summary, extensive experimental studies show that it is not possible for an adversary to maintain the performance of the original DNN model by using a fake passport, whether it is randomly generated or reverse-inferred using the original training data set. This passport-dependent capability plays an essential role in designing secure ownership verification schemes.
In addition, two ownership verification schemes are studied: scheme V2, in which the passport is distributed together with the trained DNN model, and scheme V3, in which a private passport is embedded in the DNN model but not distributed.
First, as shown in FIG. 7, when the passport is distributed with the trained DNN model, the learning process aims to minimize the combined loss function (equation 1) with $\lambda_t = 0$, because no trigger set images are used in this scheme, and the sign loss (equation 5) is added as a constraint term. The trained DNN model is distributed with passports to legitimate users, who use the given passport as the passport layer input for network prediction. Network ownership is automatically verified by the distributed passport. This ownership verification is robust to fine-tuning and pruning of the DNN weights. Furthermore, a fuzzy attack cannot successfully forge a set of passports and signatures that maintain network performance. The disadvantage of this approach is the need to use a passport in the prediction phase, which incurs an additional computational cost of about 10%; the experimental results are shown in Table 5 of Appendix E. Furthermore, distributing passports to end users can interfere with the user experience and places on them the additional responsibility of keeping the digital passports secure and uncompromised.
Next, as shown in FIG. 8, we consider embedding a private passport in the DNN model without distributing it. This learning process aims to achieve two goals simultaneously: the first is to minimize the original task loss (e.g. CIFAR10 classification), excluding the passport layer; the second is to minimize the joint loss function (equation 1) that contains the passport constraints. Algorithmically, this multi-task learning is achieved by alternately minimizing the two objectives. The successfully trained DNN model is then distributed to end users, who can perform network prediction without a passport. Note that this is possible because the passport layer is not included in the distributed network. Ownership verification is only performed at the request of law enforcement, by adding the passport layer to the network in question and validating the embedded signature using the undegraded network performance.
Compared with scheme V2, this scheme is easy to use for the end user, since no passport is required and no additional computational cost is incurred. Meanwhile, ownership verification is effective against removal attacks and fuzzy attacks. However, it has the disadvantage of requiring access to the DNN weights and the addition of a passport layer for ownership verification, i.e. a white-box protection mode. We therefore propose to combine it with trigger-set-based verification, i.e. the scheme in the claims; see claim 2.
The deep neural network targeted by the embodiment of the invention includes all the forms mentioned above: different input signals, different types, different network structures, different application functions, deep neural networks on different operation carriers, and any neural network that is the same in principle, regardless of the operating environment. Optionally, the neural network may run on a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), a Tensor Processing Unit (TPU), a dedicated artificial intelligence chip, a cloud computing center, a mobile device, a wearable device, an intelligent video terminal, an in-vehicle device, other vehicles, an Internet of Things (IoT) device, or other devices.
Optionally, the DNN-based system and method for protecting passport against fuzzy attack may be applied to the terminal device to generate a passport against fuzzy attack, and include an embedding module, a fidelity evaluation module, a signature verification module, a reversible module, and a passport generation module.
The embedding module takes training data D as input, including trigger set data T or signatures s, and optimizes the model N by minimizing a given loss function L; the fidelity evaluation module F evaluates whether the performance difference is less than a threshold, i.e. (M − M_t) < ε, where M is the DNN performance tested on a set of test data D, M_t is the target performance, ε is the threshold and F is the fidelity evaluation result; the signature verification module V checks whether a predetermined signature or trigger set s, T is successfully verified for a given neural network N; a reversible module I(N) = N' exists and causes a successful fuzzy attack A_a when the following conditions are satisfied:
d) for a given DNN model, a new set of trigger sets T' and/or signatures s' is deduced by reverse engineering;
e) the forged T', s' are successfully verified against the given DNN weights W, i.e. V = True;
f) the fidelity evaluation result F is still True;
A DNN verification scheme V with a reversible module is defined as a reversible scheme V_I; otherwise it is defined as an irreversible scheme.
The passport generation module feeds a set of N selected images into a trained DNN model having the same structure and collects the N corresponding feature maps at each layer; of the N options, only one per layer is randomly selected as the passport. In particular, for a set of N base images and a DNN model with L layers, N^L possible passport combinations may be generated.

Claims (14)

1. A DNN-based system and method for a passport resisting fuzzy attacks, characterized by comprising a DNN model and a passport, wherein the DNN model ownership verification scheme comprises an embedding process E, a fidelity evaluation process F, a signature verification process V and a reversible process I, with the following specific steps:
S11, the embedding process E is a DNN learning process that takes training data D as input, including trigger set data T or signatures s, and optimizes the model N by minimizing a given loss function L;
S12, the fidelity evaluation process F = {False, True} evaluates whether the performance difference is less than a threshold, i.e. (M − M_t) < ε, where M is the DNN performance tested on a set of test data D, M_t is the target performance, ε is the threshold and F is the fidelity evaluation result;
S13, the signature verification process V = {False, True} checks whether the predetermined signature or trigger set s, T is successfully verified for the given neural network N;
S14, when the following conditions are met, a reversible process I(N) = N' exists and causes a successful fuzzy attack A_a:
a) for a given DNN model, a new set of trigger sets T' and/or signatures s' can be inferred by reverse engineering;
b) the forged T', s' are successfully verified against the given DNN weights W, i.e. V = True;
c) the fidelity evaluation result F is still True;
S15, a DNN verification scheme V with a reversible process is defined as a reversible scheme V_I; otherwise it is defined as an irreversible scheme.
2. The system and method of claim 1 for a DNN-based passport against fuzzy attacks, wherein: the feature-based and trigger-set-based methods employ the following combined loss function:
$$L = L_c\big(f(W, X_r), y_r\big) + \lambda_t L_c\big(f(W, X_T), y_T\big) + \lambda_r R(W, s), \quad (1)$$
where λ_t, λ_r are the weights of the associated hyperparameters, f(W, X) takes the input X_r or X_T and outputs a predicted value, and L_c is the cross-entropy loss between the predicted value and the target label y_r or y_T. The signature s = {P, B} consists of a passport P and a signature string B, and the constraint term is R = L_c(σ(W, P), B) or R = MSE(B − PW), where MSE is the mean square error function.
3. The system and method of claim 1 for a DNN-based passport against fuzzy attacks, wherein: the DNN model of the trigger-set-based watermarking method is also embedded with a private passport and the trigger set, neither of which is distributed, where the trigger set is a group of trigger images, and ownership of a suspicious DNN model is detected and declared through a remotely called service API; ownership is first declared in black-box mode with the trigger set images, and then declared again by passport validation in white-box mode; training alternates between minimizing the original task loss, excluding the passport layers, and reducing the joint loss function containing the passport constraint terms, employing the GroupNormalisation algorithm.
4. The system and method of claim 1 for a DNN-based passport against fuzzy attacks, wherein: the passport is generated after random shuffling by the following specific method: feeding a set of N selected images into a trained DNN model having the same structure and collecting the N corresponding feature maps at each layer; of the N options, only one per layer is randomly selected as the passport. In particular, for a set of N base images and a DNN model with L layers, N^L possible passport combinations may be generated.
5. The system and method of claim 1 for a DNN-based passport against fuzzy attacks, wherein: in the DNN model of the trigger-set-based watermarking method, a trainable noise component is added to randomly selected base images using the following steps:
S31, randomly select a set of N base images T_b;
S32, generate a random noise pattern T_n of the same size as a trainable parameter;
S33, use the sum X_T = T_b + η T_n as the trigger set image, where η = 0.04 so that the noise component is invisible;
S34, randomly assign trigger set labels y_T;
S35, minimize the cross-entropy loss L_c with respect to the trainable parameters T_n.
6. The system and method of claim 1 for a DNN-based passport against fuzzy attacks, wherein: the DNN architecture is predetermined by the optimized model N, and after the DNN weights W are learned, the trigger set T or signature s is embedded into the model; the signature verification process V first calls the DNN prediction process with trigger set samples T_x as input, and then checks whether the prediction function f generates the specified labels T_y with an error detection rate below the threshold.
7. The system and method of claim 1 for a DNN-based passport against fuzzy attacks, wherein: the DNN model further comprises a passport layer and convolutional layers, wherein the passport layer embeds the digital signature, and the scale factor γ and bias β of the passport layer depend on the convolution kernel W_p and the specified passport layer P as follows:
where * denotes the convolution operation, l is the layer index, X_p is the input to the passport layer, X_c is the input to the convolutional layer, O() is the corresponding linear transform output, and P_γ^l and P_β^l are the passport layers from which the scale factor γ and the bias term β are derived, respectively; each convolutional layer consists of a plurality of convolution units, the parameters of each convolution unit are obtained by optimization with the back-propagation algorithm, and different features of the fuzzy attack are extracted through the convolution operation.
8. The system and method of claim 6 for a DNN-based passport against fuzzy attacks, wherein: using the passport layers s_e = {P_γ^l, P_β^l}_l, the predicted performance M of the trained DNN model depends on the digital passport presented when the network is used, namely:
if a non-genuine digital passport s_t ≠ s_e is presented, the operating performance of the network deteriorates significantly.
9. The system and method of claim 1 for a DNN-based passport against fuzzy attacks, wherein: in the irreversible scheme, the fidelity evaluation result F depends on the presented signature s or trigger set T; if the passport is forged, s_t ≠ s_e, the performance M deteriorates sharply and the performance difference is greater than a threshold value ε_f.
10. The system and method of claim 1 for a DNN-based passport against fuzzy attacks, wherein: the signature is an embedded binary signature, and the following sign loss constraint term is added to the combined loss function during learning of the DNN weights to force the scale factors to take specified positive or negative signs:
where B = {b_1, …, b_C} ∈ {−1, 1}^C consists of the given binary bits for the C convolution kernels, and γ_0 is a positive control parameter, 0.1 by default, which encourages the magnitude of the scale factor to exceed γ_0.
11. The system and method of claim 1 for a DNN-based passport against fuzzy attacks, wherein: the parameters of the DNN model are divided into the public convolutional layer parameters W and the scale factor γ and bias term β of the hidden passport layer; after the passport information is embedded into the weights W and learning is complete, the following constraints are enforced: Avg(W_p^l * P_γ^l) = c_γ^l, Avg(W_p^l * P_β^l) = c_β^l; the distribution of the convolutional layer weights is the same as that of the original DNN without the passport layer; c_γ^l and c_β^l are the constant values to which the parameters γ^l and β^l converge, and the scale factor can only take positive or negative values away from zero.
12. The system and method of claim 1 for a DNN-based passport against fuzzy attacks, wherein: the system comprises an embedding module, a fidelity evaluation module, a signature verification module, a reversible module and a passport generation module;
the embedding module takes training data D as input, including trigger set data T or signatures s, and optimizes the model N by minimizing a given loss function L;
the fidelity evaluation module F evaluates whether the performance difference is less than a threshold, i.e. (M − M_t) < ε, where M is the DNN performance tested on a set of test data D, M_t is the target performance, ε is the threshold and F is the fidelity evaluation result;
the signature verification module V checks whether a predetermined signature or trigger set s, T is successfully verified for a given neural network N;
a reversible module I(N) = N' exists and causes a successful fuzzy attack A_a when the following conditions are satisfied:
d) for a given DNN model, a new set of trigger sets T' and/or signatures s' is deduced by reverse engineering;
e) the forged T', s' are successfully verified against the given DNN weights W, i.e. V = True;
f) the fidelity evaluation result F is still True;
a DNN verification scheme V with a reversible module is defined as a reversible scheme V_I; otherwise it is defined as an irreversible scheme;
the passport generation module feeds a set of N selected images into a trained DNN model having the same structure and collects the N corresponding feature maps at each layer; of the N options, only one per layer is randomly selected as the passport. In particular, for a set of N base images and a DNN model with L layers, N^L possible passport combinations may be generated.
13. The system and method of claim 1 for a DNN-based passport against fuzzy attacks, wherein: the deep neural network aimed by the DNN model comprises different input signals, different types, different network structures, different application functions, deep neural networks on different operation carriers and any neural network which is the same in principle.
14. The system and method of claim 1 for a DNN-based passport against fuzzy attacks, wherein: the system and the method for defending the passport against the fuzzy attack based on the DNN can be operated in a computer central processing unit, a graphic accelerator, a tensor processor, a special artificial intelligence chip, a cloud computing center, mobile equipment, wearable equipment, an intelligent video terminal, vehicle-mounted equipment, other vehicles and equipment of the Internet of things.
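The passport layer of claim 7, the Avg(W_p * P) relation of claim 11, the sign-loss constraint of claim 10 and the fidelity and signature checks of claim 1 (restating the module description above), as an added numpy example that is not the patent's own code; the hinge form of the sign loss, the single-channel toy sizes and the sign-agreement performance measure are assumptions, and the task loss of equation (1) is omitted:

```python
# Added example (not the patent's code): toy single-channel passport layer in numpy.
import numpy as np

def conv2d_valid(kernel, image):
    """Valid 2-D cross-correlation, the '*' operation of claims 7 and 11."""
    k, (h, w) = kernel.shape[0], image.shape
    return np.array([[np.sum(kernel * image[y:y + k, x:x + k])
                      for x in range(w - k + 1)] for y in range(h - k + 1)])

def mean_window(P, k):
    """Mean of all k x k windows of P; Avg(W_c * P) equals <W_c, mean_window(P, k)>."""
    h, w = P.shape
    return np.mean([P[y:y + k, x:x + k] for y in range(h - k + 1)
                    for x in range(w - k + 1)], axis=0)

def passport_params(W_p, P_gamma, P_beta):
    """Claim 11: gamma_c = Avg(W_p^c * P_gamma), beta_c = Avg(W_p^c * P_beta)."""
    gamma = np.array([conv2d_valid(Wc, P_gamma).mean() for Wc in W_p])
    beta = np.array([conv2d_valid(Wc, P_beta).mean() for Wc in W_p])
    return gamma, beta

def sign_loss(gamma, B, gamma0=0.1):
    """Claim 10 constraint; the hinge form sum(max(0, gamma0 - b_c*gamma_c)) is assumed."""
    return float(np.maximum(0.0, gamma0 - B * gamma).sum())

def embed_signature(W_p, P_gamma, B, gamma0=0.1, lr=0.05, steps=2000):
    """Gradient descent on the passport-layer kernels for the sign loss alone
    (the task loss of equation (1) is left out of this toy)."""
    Pbar = mean_window(P_gamma, W_p.shape[1])
    W = W_p.copy()
    for _ in range(steps):
        gamma = np.einsum("cij,ij->c", W, Pbar)      # same value as passport_params
        active = (B * gamma) < gamma0                 # kernels still violating their bit
        if not active.any():
            break
        W[active] += lr * B[active, None, None] * Pbar  # minus lr times d(loss)/dW_c
    return W

def verify_signature(W_p, P_gamma, P_beta, B):
    """Signature verification V: True iff every gamma_c carries its bit b_c."""
    gamma, _ = passport_params(W_p, P_gamma, P_beta)
    return bool(np.all(np.sign(gamma) == B))

def passport_forward(W_p, P_gamma, P_beta, X_c):
    """Claim 7: O = gamma * (W_p * X_c) + beta for each kernel."""
    gamma, beta = passport_params(W_p, P_gamma, P_beta)
    return np.array([g * conv2d_valid(Wc, X_c) + b
                     for Wc, g, b in zip(W_p, gamma, beta)])

def performance(W_p, passport, X_c, O_ref):
    """Toy performance M (assumed): share of outputs whose sign matches the genuine run."""
    O = passport_forward(W_p, passport[0], passport[1], X_c)
    return float(np.mean(np.sign(O) == np.sign(O_ref)))

def fidelity(M, M_t, eps):
    """Fidelity evaluation F of claim 1: performance difference below the threshold."""
    return bool(abs(M - M_t) < eps)

def demo(C=8, k=3, size=8, seed=7):
    """Embed a random signature, then compare the genuine passport with a forged one."""
    rng = np.random.default_rng(seed)
    B = rng.choice([-1, 1], size=C)                           # signature bits (constructed)
    P_gamma, P_beta = rng.standard_normal((2, size, size))    # genuine passport s_e
    X_c = rng.standard_normal((size, size))                   # constructed input image
    W_p = embed_signature(0.1 * rng.standard_normal((C, k, k)), P_gamma, B)
    O_ref = passport_forward(W_p, P_gamma, P_beta, X_c)
    flipped = (-P_gamma, -P_beta)      # s_t != s_e that negates every gamma and beta
    return {
        "loss": sign_loss(passport_params(W_p, P_gamma, P_beta)[0], B),
        "genuine_ok": verify_signature(W_p, P_gamma, P_beta, B),
        "flipped_ok": verify_signature(W_p, *flipped, B),
        "genuine_F": fidelity(performance(W_p, (P_gamma, P_beta), X_c, O_ref), 1.0, 0.05),
        "flipped_F": fidelity(performance(W_p, flipped, X_c, O_ref), 1.0, 0.05),
    }
```

Running `demo()` shows the genuine passport passing both V and F while the negated passport fails both, the behaviour claims 8 and 9 describe for s_t ≠ s_e.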
CN201910832529.2A 2019-09-04 2019-09-04 DNN-based system and method for passport to resist fuzzy attack Pending CN110610082A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201910832529.2A CN110610082A (en) 2019-09-04 2019-09-04 DNN-based system and method for passport to resist fuzzy attack
PCT/CN2020/072809 WO2021042665A1 (en) 2019-09-04 2020-01-17 Dnn-based method for protecting passport against fuzzy attack

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910832529.2A CN110610082A (en) 2019-09-04 2019-09-04 DNN-based system and method for passport to resist fuzzy attack

Publications (1)

Publication Number Publication Date
CN110610082A true CN110610082A (en) 2019-12-24



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination