CN110610082A - DNN-based system and method for passport to resist fuzzy attack - Google Patents
Publication number: CN110610082A (application CN201910832529.2A)
Authority: CN (China)
Prior art keywords: passport, DNN, fuzzy, model, signature
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G06F21/55 Detecting local intrusion or implementing counter-measures (G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems)
- G06N3/045 Combinations of networks (G06N3/00 Computing arrangements based on biological models; G06N3/02 Neural networks; G06N3/04 Architecture, e.g. interconnection topology)
- G06N3/08 Learning methods (G06N3/00 Computing arrangements based on biological models; G06N3/02 Neural networks)
Abstract
The invention provides a DNN-based system and method for a passport that resists fuzzy attacks. It comprises a DNN model whose ownership verification scheme consists of an embedding process E, a fidelity evaluation process F, a signature verification process V and a reversible process I. A private passport and a trigger set (a passport together with a set of trigger images) are embedded into the model but are not distributed, and the ownership of a suspicious DNN model is detected and declared through a remotely called service API. Ownership is first declared in black-box mode using the trigger set images, and then declared again through passport validation in white-box mode; training alternately minimizes the original task loss and the joint loss function containing the passport constraints. For AlexNet and ResNet trained on the CIFAR10 and CIFAR100 classification tasks, network performance varied significantly, from 3% to 80%, depending on the passport presented: the DNN model given a valid passport retained more than 90% of the original network's accuracy, while the same DNN model given a fake passport achieved approximately 10% classification accuracy.
Description
Technical Field
The invention relates to the field of passport security, in particular to a DNN-based system and method for a passport that resists fuzzy attacks.
Background
Existing methods for embedding watermarks into machine learning models fall roughly into two schools: a) feature-based methods, which embed a specified watermark into the network weights by adding an extra constraint term to the optimization objective; b) trigger-set-based methods, which rely on adversarial training samples with specific labels, i.e. a backdoor trigger set. Watermarks embedded by both schemes have been shown to be robust against removal attacks, which mainly consist of modifying the network weights, e.g. by fine-tuning or pruning. However, our studies reveal the existence and effectiveness of a fuzzy attack, whose purpose is to challenge and undermine the uniqueness of model ownership verification by forging watermarks for the DNN model. Our research also shows that, even without the original training data set, the watermark can be forged and the fuzzy attack carried out by reverse engineering at low computational cost.
Disclosure of Invention
In view of the above problems, the present invention provides a DNN-based system and method for protecting passports against fuzzy attacks: network performance is maintained with a real passport and severely degraded once a modified or forged passport is used, the scheme is robust against removal attacks, and at the same time it resists fuzzy attacks. The technical scheme adopted by the invention is as follows:
A DNN-based system and method for a passport that resists fuzzy attacks comprises a DNN model whose ownership verification scheme consists of an embedding process E, a fidelity evaluation process F, a signature verification process V and a reversible process I. The specific steps are as follows:
s11: the embedding process E is a DNN learning process that takes training data D as input, including trigger set data T or signatures s, and optimizes the model N by minimizing a given loss function L;
s12: the fidelity evaluation process $F = \{\text{False}, \text{True}\}$ evaluates whether the performance difference is less than a threshold, i.e. $(M - M_t) < \epsilon$, where $M$ is the DNN performance measured on a set of test data D, $M_t$ is the target performance, $\epsilon$ is the threshold and F is the fidelity evaluation result;
s13: the signature verification process $V = \{\text{False}, \text{True}\}$ checks whether the predetermined signature or trigger set s, T is successfully verified for the given neural network N;
s14: a reversible process $I(N) = N'$ exists, and a successful fuzzy attack $A_a$ results, when the following conditions are met:
a) for a given DNN model, a new set of trigger sets T' and/or signatures s' can be inferred by reverse engineering;
b) the forged T', s' are successfully verified against the given DNN weights W, i.e. $V = \text{True}$;
c) the fidelity evaluation result F is still True;
s15: a DNN verification scheme V for which a reversible process exists is defined as a reversible scheme $V_I$; otherwise it is defined as an irreversible scheme.
Optionally, the feature-based and trigger-set-based methods adopt the following combined loss function:
$$L = L_c(f(W, X_r), y_r) + \lambda_t L_c(f(W, X_T), y_T) + \lambda_r R(W, s), \quad (1)$$
where $\lambda_t, \lambda_r$ are the weights of the associated hyperparameters, $f(W, X)$ takes the input $X_r$ or $X_T$ and outputs a prediction, and $L_c$ is the cross-entropy loss between the prediction and the target label $y_r$ or $y_T$. The signature $s = \{P, B\}$ consists of a passport P and a signature string B, and the constraint term is $R = L_c(\sigma(W, P), B)$ or $R = \text{MSE}(B - PW)$, where MSE is the mean square error function.
Optionally, the DNN model of the trigger-set-based watermarking method additionally embeds a private passport and a trigger set (a set of trigger images) that are not distributed, and the ownership of a suspicious DNN model is detected and declared by remotely calling its service API. Ownership is first declared in black-box mode using the trigger set images, and then declared again through passport validation in white-box mode. Training alternately minimizes the original task loss, which excludes the passport layers, and the joint loss function containing the passport constraint terms, using the GroupNormalisation algorithm.
Optionally, the passport is generated after random shuffling, as follows: a set of N selected images is fed into a trained DNN model of the same structure, and the N corresponding feature maps are collected at each layer; from the N candidates at each layer, one is randomly selected as that layer's passport. Thus, for a set of N base images and a DNN model with L layers, a total of $N^L$ possible passport combinations can be generated.
Optionally, based on the DNN model of the trigger-set watermarking method, a trainable noise component is added to the randomly selected base images using the following steps:
s31: randomly select a set of N base images $T_b$;
s32: generate a random noise pattern $T_n$ of the same size as the trainable parameters;
s33: use the sum $X_T = T_b + \eta T_n$ as the trigger set images, where $\eta = 0.04$ keeps the noise component invisible;
s34: randomly assign the trigger set labels $y_T$;
s35: minimize the cross-entropy loss $L_c$ associated with the trainable parameters $T_n$.
Optionally, the DNN architecture is predetermined by the optimization model N, and after the DNN weights W have been learned the trigger set T or signature s is embedded in the model; the signature verification process V first runs the DNN prediction process with trigger set samples $T_x$ as input, and then checks whether the prediction function f produces the specified labels $T_y$ with a false detection rate below a threshold.
Optionally, the DNN model further includes passport layers and convolutional layers, where the scale factor $\gamma$ and offset $\beta$ of a passport layer depend on the convolution kernel $W_p$ and the specified passport layer P as follows:
where $*$ denotes the convolution operation, $l$ is the layer index, $X_p$ is the input to the passport layer, $X_c$ is the input to the convolutional layer, $O(\cdot)$ is the corresponding linear transformation output, and $P^l_\gamma$ and $P^l_\beta$ are the passports from which the scale factor $\gamma$ and the bias term $\beta$ are derived, respectively. Each convolutional layer consists of several convolution units whose parameters are obtained by optimization with the back-propagation algorithm, and the convolution operation extracts the different characteristics of a fuzzy attack.
Optionally, with passport layers $s_e = \{P^l_\gamma, P^l_\beta\}_l$, the predicted performance M of the trained DNN model depends on the digital passport presented when the network is used, namely: if the presented digital passport is not the true one, $s_t \neq s_e$, the network performance deteriorates significantly.
Optionally, in an irreversible scheme the fidelity evaluation result F depends on the presented signature s or trigger set T. If the passport is forged, $s_t \neq s_e$, the performance M deteriorates sharply and the performance difference exceeds the threshold $\epsilon_f$.
Optionally, the signature is an embedded binary signature, and during DNN weight learning the following sign loss constraint term is added to the combined loss function to force each scale factor to take a specified positive or negative sign:
where $B = \{b_1, \cdots, b_C\} \in \{-1, 1\}^C$ consists of the given binary bits for the C convolution kernels, and $\gamma_0$ is a positive control parameter, 0.1 by default, that encourages the magnitude of the scale factor to exceed $\gamma_0$.
Optionally, the parameters of the DNN model are divided into the public convolutional layer parameters W and the scale factor $\gamma$ and bias term $\beta$ of the hidden passport layer; once learning has completed with the passport information embedded into the weights W, the following constraints hold: $\text{Avg}(W^l_p * P^l_\gamma) = c^l_\gamma$ and $\text{Avg}(W^l_p * P^l_\beta) = c^l_\beta$. The distribution of the convolutional layer weights is the same as that of the original DNN without passport layers; $c^l_\gamma$ and $c^l_\beta$ are the constant values to which the parameters $\gamma^l$ and $\beta^l$ converge, and the scale factor can only take positive or negative values away from zero.
The deep neural network targeted by the embodiment of the invention includes all the mentioned various forms, different input signals, different types, different network structures, different application functions, deep neural networks on different operation carriers, and any neural network which is the same in principle, regardless of the operation environment. Optionally, the neural network may run in a computer Central Processing Unit (CPU), a Graphics Processing Unit (GPU), a Tensor Processor (TPU), a dedicated artificial intelligence chip, and a cloud computing center, a mobile device, a wearable device, an intelligent video terminal, a vehicle-mounted device, and other vehicles, internet of things devices (IoT devices), and the like.
Optionally, the DNN-based system and method for protecting passport against fuzzy attack may be applied to the terminal device to generate a passport against fuzzy attack, and include an embedding module, a fidelity evaluation module, a signature verification module, a reversible module, and a passport generation module.
Optionally, the embedding module takes training data D as input, including trigger set data T or signatures s, and optimizes the model N by minimizing a given loss function L;
optionally, the fidelity evaluation module F evaluates whether the performance difference is less than a threshold, i.e. $(M - M_t) < \epsilon$, where $M$ is the DNN performance measured on a set of test data D, $M_t$ is the target performance, $\epsilon$ is the threshold and F is the fidelity evaluation result;
optionally, the signature verification module V checks whether a predetermined signature or trigger set s, T is successfully verified for a given neural network N;
optionally, the reversible module $I(N) = N'$ exists and causes a successful fuzzy attack $A_a$ when the following conditions are satisfied:
d) for a given DNN model, a new set of trigger sets T' and/or signatures s' is deduced by reverse engineering;
e) the forged T', s' are successfully verified against the given DNN weights W, i.e. $V = \text{True}$;
f) the fidelity evaluation result F is still True;
optionally, a DNN verification scheme V for which the reversible module exists is defined as a reversible scheme $V_I$; otherwise it is defined as an irreversible scheme.
Optionally, the passport generation module feeds a set of N selected images into a trained DNN model of the same structure and collects the N corresponding feature maps at each layer; from the N candidates at each layer, one is randomly selected as that layer's passport. Thus, for a set of N base images and a DNN model with L layers, a total of $N^L$ possible passport combinations can be generated.
According to the above technical scheme, the invention has the following beneficial effects: performance remains unchanged with a real passport, while network performance is severely degraded once a modified or forged passport is used; the scheme is robust against removal attacks and at the same time resists fuzzy attacks; the DNN model embeds private passports and trigger sets without distributing them, alternately minimizing the original task loss (e.g. CIFAR10 classification), which excludes the passport layer, and the joint loss function containing the passport constraints.
Drawings
FIG. 1 is an architectural diagram of the digital passport layer of the present invention;
FIG. 2 shows the behaviour of the DNN model of the present invention with different passports;
FIG. 3 is a diagram of the ownership verification scheme that embeds a private passport and trigger set without distributing them;
FIG. 4 shows the robustness of the CIFAR10 classification of the present invention against attacks;
FIG. 5 shows the robustness of the CIFAR100 classification of the present invention against attacks;
FIG. 6 shows the defensive performance of the invention;
FIG. 7 is a diagram of the ownership verification scheme in which the passport is distributed together with the trained DNN model;
FIG. 8 is a diagram of the ownership verification scheme in which a private passport is embedded in the DNN model but not distributed;
1 is a fake passport, 2 is a passport obtained by reverse engineering, 3 is a valid passport, 4 is an original network DNN, 5 is Signature, 6 is CIFAR10, 7 is CIFAR100, 8 is fake1, 9 is fake2, 10 is valid, and 11 is orig.
The specific implementation mode is as follows:
a system and a method for defending a passport against fuzzy attacks based on DNN are constructed, the performance is kept unchanged by using a real passport, and the network performance is seriously degraded once a modified or forged passport is used, so that the system and the method are robust to removal attacks, and meanwhile, the fuzzy attacks can be defended.
A DNN-based system and method for a passport that resists fuzzy attacks comprises a DNN model whose ownership verification scheme consists of an embedding process E, a fidelity evaluation process F, a signature verification process V and a reversible process I. The specific steps are as follows:
s11: the embedding process E is a DNN learning process that takes training data D as input, including trigger set data T or signatures s, and optimizes the model N by minimizing a given loss function L;
s12: the fidelity evaluation process $F = \{\text{False}, \text{True}\}$ evaluates whether the performance difference is less than a threshold, i.e. $(M - M_t) < \epsilon$, where $M$ is the DNN performance measured on a set of test data D, $M_t$ is the target performance, $\epsilon$ is the threshold and F is the fidelity evaluation result;
s13: the signature verification process $V = \{\text{False}, \text{True}\}$ checks whether the predetermined signature or trigger set s, T is successfully verified for the given neural network N;
s14: a reversible process $I(N) = N'$ exists, and a successful fuzzy attack $A_a$ results, when the following conditions are met:
a) for a given DNN model, a new set of trigger sets T' and/or signatures s' can be inferred by reverse engineering;
b) the forged T', s' are successfully verified against the given DNN weights W, i.e. $V = \text{True}$;
c) the fidelity evaluation result F is still True;
s15: a DNN verification scheme V in which a reversible process exists is defined as a reversible scheme $V_I$; otherwise it is defined as an irreversible scheme.
Optionally, the feature-based and trigger-set-based methods adopt the following combined loss function:
$$L = L_c(f(W, X_r), y_r) + \lambda_t L_c(f(W, X_T), y_T) + \lambda_r R(W, s), \quad (1)$$
where $\lambda_t, \lambda_r$ are the weights of the associated hyperparameters, $f(W, X)$ takes the input $X_r$ or $X_T$ and outputs a prediction, and $L_c$ is the cross-entropy loss between the prediction and the target label $y_r$ or $y_T$. The signature $s = \{P, B\}$ consists of a passport P and a signature string B, and the constraint term is $R = L_c(\sigma(W, P), B)$ or $R = \text{MSE}(B - PW)$, where MSE is the mean square error function.
The following table shows the effect of the combined loss function employed by the feature-based and trigger set-based watermarking methods:
TABLE 1
Table 1 gives the detection accuracy of the embedded watermark before and after fine-tuning for a transfer learning task. L1 denotes a network trained on CIFAR10 and fine-tuned on CIFAR100 (top row); L2 denotes fine-tuning to Caltech-101 (bottom row). The value outside the parentheses is the accuracy on the transfer task, the value inside is the accuracy on the original task. Wmdet denotes the watermark detection accuracy, where the values outside/inside the parentheses correspond to after/before fine-tuning, respectively.
For DNN models performing classification tasks, the network performance M obtained on a test data set $D_t = \{X_T, y_T\}$ (measured with the loss $L_c$) is independent of the embedded signature s or trigger set T; it is this independence that makes existing watermark-based methods reversible.
As shown in fig. 3, the DNN model of the trigger-set-based watermarking method additionally embeds a private passport and a trigger set (a set of trigger images) that are not distributed, and the ownership of a suspicious DNN model is detected and declared by remotely calling its service API. Ownership is first declared in black-box mode using the trigger set images, and then declared again through passport validation in white-box mode. Training alternately minimizes the original task loss, which excludes the passport layers, and the joint loss function containing the passport constraint terms, using the GroupNormalisation algorithm.
The passport is generated after random shuffling, as follows: a set of N selected images is fed into a trained DNN model of the same structure, and the N corresponding feature maps are collected at each layer; from the N candidates at each layer, one is randomly selected as that layer's passport. Thus, for a set of N base images and a DNN model with L layers, a total of $N^L$ possible passport combinations can be generated.
Based on the DNN model of the trigger-set watermarking method, a trainable noise component is added to the randomly selected base images using the following steps:
s31: randomly select a set of N base images $T_b$;
s32: generate a random noise pattern $T_n$ of the same size as the trainable parameters;
s33: use the sum $X_T = T_b + \eta T_n$ as the trigger set images, where $\eta = 0.04$ keeps the noise component invisible;
s34: randomly assign the trigger set labels $y_T$;
s35: minimize the cross-entropy loss $L_c$ associated with the trainable parameters $T_n$.
The DNN architecture is predetermined by the optimization model N, and after the DNN weights W have been learned the trigger set T or signature s is embedded into the model; the signature verification process V first runs the DNN prediction process with trigger set samples $T_x$ as input, and then checks whether the prediction function f produces the specified labels $T_y$ with a false detection rate below a threshold.
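Added illustration (not the patent's code) of steps s31 to s35 above and of the trigger-set half of process V: one shared noise pattern $T_n$ is added to base images with $\eta = 0.04$, only $T_n$ is trained against the cross-entropy loss of a frozen classifier, and the false detection rate on $T_x$ is compared against a threshold. The frozen linear classifier standing in for $f(W, X)$, the 8-pixel "images", the class count and the random seed are constructed assumptions.

```python
"""Trigger set with a trainable noise pattern (s31-s35) and the trigger-set check of
process V.  Added pure-Python illustration, not the patent's code; the frozen linear
classifier, image size, class count and seed are constructed assumptions."""
import math
import random
from typing import List, Sequence, Tuple

Vector = List[float]
ETA = 0.04            # the page's eta: keeps the noise component invisible
NUM_CLASSES = 3       # constructed
PIXELS = 8            # constructed "image" size


def make_trigger_images(base: Sequence[Vector], noise: Vector, eta: float = ETA) -> List[Vector]:
    """s33: X_T = T_b + eta * T_n, the same noise pattern added to every base image."""
    return [[b + eta * n for b, n in zip(img, noise)] for img in base]


def random_trigger_labels(n: int, num_classes: int, rng: random.Random) -> List[int]:
    """s34: labels y_T are assigned at random, unrelated to image content."""
    return [rng.randrange(num_classes) for _ in range(n)]


def softmax(logits: Vector) -> Vector:
    m = max(logits)
    exps = [math.exp(z - m) for z in logits]
    total = sum(exps)
    return [e / total for e in exps]


def linear_logits(weights: Sequence[Vector], bias: Vector, x: Vector) -> Vector:
    """Stand-in for the frozen network f(W, X): logits = W x + b (assumption)."""
    return [sum(w * xi for w, xi in zip(row, x)) + b for row, b in zip(weights, bias)]


def trigger_loss(weights, bias, base, noise, labels, eta=ETA) -> float:
    """Mean cross-entropy L_c over the trigger set, the quantity minimised in s35."""
    total = 0.0
    for img, y in zip(make_trigger_images(base, noise, eta), labels):
        total -= math.log(softmax(linear_logits(weights, bias, img))[y])
    return total / len(labels)


def noise_gradient(weights, bias, base, noise, labels, eta=ETA) -> Vector:
    """dL_c/dT_n = eta * mean_i W^T (softmax(z_i) - onehot(y_i)).
    Only T_n is trainable; the network weights W stay frozen."""
    grad = [0.0] * len(noise)
    for img, y in zip(make_trigger_images(base, noise, eta), labels):
        p = softmax(linear_logits(weights, bias, img))
        dz = [pk - (1.0 if k == y else 0.0) for k, pk in enumerate(p)]
        for k, row in enumerate(weights):
            for j, w in enumerate(row):
                grad[j] += eta * dz[k] * w
    return [g / len(labels) for g in grad]


def train_noise(weights, bias, base, noise, labels, steps=100, lr=5.0, eta=ETA) -> Vector:
    """s35: plain gradient descent on the noise pattern T_n (the loss is convex in T_n)."""
    noise = list(noise)
    for _ in range(steps):
        g = noise_gradient(weights, bias, base, noise, labels, eta)
        noise = [n - lr * gi for n, gi in zip(noise, g)]
    return noise


def max_perturbation(base: Sequence[Vector], triggers: Sequence[Vector]) -> float:
    """Largest per-pixel change |X_T - T_b|; bounded by eta * max|T_n|."""
    return max(abs(t - b) for img, trig in zip(base, triggers) for b, t in zip(img, trig))


def false_detection_rate(predictions: Sequence[int], labels: Sequence[int]) -> float:
    """Share of trigger samples T_x whose prediction differs from the assigned label T_y."""
    return sum(1 for p, y in zip(predictions, labels) if p != y) / len(labels)


def verify_trigger_set(weights, bias, triggers, labels, max_fdr: float) -> bool:
    """Process V, black-box half: predictions on T_x must reproduce T_y with a false
    detection rate below the threshold.  Only model outputs are needed."""
    preds = []
    for x in triggers:
        z = linear_logits(weights, bias, x)
        preds.append(z.index(max(z)))
    return false_detection_rate(preds, labels) < max_fdr


# Constructed demo: 4 base images, a shared noise pattern, a frozen random linear model.
RNG = random.Random(7)
BASE = [[RNG.random() for _ in range(PIXELS)] for _ in range(4)]
NOISE0 = [RNG.uniform(-1.0, 1.0) for _ in range(PIXELS)]
LABELS = random_trigger_labels(len(BASE), NUM_CLASSES, RNG)
WEIGHTS = [[RNG.uniform(-1.0, 1.0) for _ in range(PIXELS)] for _ in range(NUM_CLASSES)]
BIAS = [0.0] * NUM_CLASSES


def demo() -> Tuple[float, float, float, float]:
    """(loss before, loss after training T_n, max pixel change, max |T_n|) on the demo data."""
    before = trigger_loss(WEIGHTS, BIAS, BASE, NOISE0, LABELS)
    trained = train_noise(WEIGHTS, BIAS, BASE, NOISE0, LABELS)
    after = trigger_loss(WEIGHTS, BIAS, BASE, trained, LABELS)
    triggers = make_trigger_images(BASE, trained)
    return before, after, max_perturbation(BASE, triggers), max(abs(n) for n in trained)


if __name__ == "__main__":
    print("loss before/after, max pixel change, max |T_n|:", demo())
```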
The DNN model also comprises passport layers and convolutional layers, where the scale factor $\gamma$ and offset $\beta$ of a passport layer depend on the convolution kernel $W_p$ and the specified passport layer P as follows:
where $*$ denotes the convolution operation, $l$ is the layer index, $X_p$ is the input to the passport layer, $X_c$ is the input to the convolutional layer, $O(\cdot)$ is the corresponding linear transformation output, and $P^l_\gamma$ and $P^l_\beta$ are the passports from which the scale factor $\gamma$ and the bias term $\beta$ are derived, respectively. Each convolutional layer consists of several convolution units whose parameters are obtained by optimization with the back-propagation algorithm, and the convolution operation extracts the different characteristics of a fuzzy attack.
The architecture of the digital passport layer used in a ResNet layer is depicted in FIG. 1, which shows a sample ResNet block comprising two convolutional layers and two passport layers. $P^l = \{P^l_\gamma, P^l_\beta\}$ is a digital passport, and $F = \text{Avg}(W^l_p * P^l_{\gamma,\beta})$ is the passport function, given in equation (2), that calculates the hidden parameters (i.e. $\gamma$ and $\beta$).
FIG. 2 shows the behaviour of the DNN model with different passports, comparing the distribution of CIFAR10 classification accuracy (in %, on the x-axis) for the original network DNN (4), the DNN with the valid passport (3), the DNN with a fake passport (1) and the DNN with a passport obtained by reverse engineering (2).
With passport layers $s_e = \{P^l_\gamma, P^l_\beta\}_l$, the predicted performance M of the trained DNN model depends on the digital passport presented when the network is used, namely: if the presented digital passport is not the true one, $s_t \neq s_e$, network performance deteriorates significantly, because the corresponding scale factor $\gamma$ and bias term $\beta$ are then computed from the wrong passport. For example, as shown in fig. 2, the DNN model given the valid passport (3) shows almost the same accuracy as the original network DNN (4), whereas the same DNN model using a fake passport (1) achieves a classification rate of only about 10%. The key to the passport layer is to ensure the dependency between the scale factor, the bias term and the network weights.
In an irreversible scheme the fidelity evaluation result F depends on the presented signature s or trigger set T. If the passport is forged, $s_t \neq s_e$, the performance M deteriorates sharply and the performance difference exceeds the threshold $\epsilon_f$.
The signature is an embedded binary signature, and during DNN weight learning the following sign loss constraint term is added to the combined loss function to force each scale factor to take a specified positive or negative sign:
where $B = \{b_1, \cdots, b_C\} \in \{-1, 1\}^C$ consists of the given binary bits for the C convolution kernels, and $\gamma_0$ is a positive control parameter, 0.1 by default, that encourages the magnitude of the scale factor to exceed $\gamma_0$.
The parameters of the DNN model are divided into the public convolutional layer parameters W and the scale factor $\gamma$ and bias term $\beta$ of the hidden passport layer; once learning has completed with the passport information embedded into the weights W, the following constraints hold: $\text{Avg}(W^l_p * P^l_\gamma) = c^l_\gamma$ and $\text{Avg}(W^l_p * P^l_\beta) = c^l_\beta$. The distribution of the convolutional layer weights is the same as that of the original DNN without passport layers; $c^l_\gamma$ and $c^l_\beta$ are the constant values to which the parameters $\gamma^l$ and $\beta^l$ converge, and the scale factor can only take positive or negative values away from zero.
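As an added illustration (not the patent's code) of the passport layer, the sign-bit signature and the fidelity process described above, the following pure-Python sketch derives $\gamma$ and $\beta$ from $\text{Avg}(W_p * P)$, reads the sign bits back as the signature B, applies the fidelity check, and probes how many bits survive weight pruning as in figs. 4 and 5. The affine output form $O = \gamma (W_p * X_c) + \beta$, the hinge-style sign loss, the use of the absolute fidelity gap and all kernel and passport values are assumptions constructed for the demo.

```python
"""Passport layer, sign-bit signature and fidelity checks, plus a pruning probe.
Added illustration in pure Python, not the patent's code.  Assumed: the affine
output O = gamma * (W_p * X_c) + beta, the hinge-style sign loss and the absolute
fidelity gap; all kernel and passport values below are constructed toys."""
from typing import List, Sequence

Matrix = List[List[float]]


def conv2d_valid(x: Matrix, k: Matrix) -> Matrix:
    """Valid cross-correlation, the '*' of the page (no padding, stride 1)."""
    kh, kw = len(k), len(k[0])
    oh, ow = len(x) - kh + 1, len(x[0]) - kw + 1
    return [[sum(x[i + a][j + b] * k[a][b] for a in range(kh) for b in range(kw))
             for j in range(ow)] for i in range(oh)]


def avg(m: Matrix) -> float:
    return sum(map(sum, m)) / (len(m) * len(m[0]))


def hidden_params(kernels: Sequence[Matrix], passport: Matrix) -> List[float]:
    """Avg(W_p^c * P) per channel c: gamma from P_gamma, beta from P_beta.
    Neither is stored with the weights; both are recomputed from the passport."""
    return [avg(conv2d_valid(passport, k)) for k in kernels]


def passport_layer(kernels: Sequence[Matrix], x_c: Matrix, p_gamma: Matrix,
                   p_beta: Matrix) -> List[Matrix]:
    """Assumed affine form O^l = gamma * (W_p * X_c) + beta, one map per channel."""
    gammas, betas = hidden_params(kernels, p_gamma), hidden_params(kernels, p_beta)
    return [[[g * v + b for v in row] for row in conv2d_valid(x_c, k)]
            for k, g, b in zip(kernels, gammas, betas)]


def sign_bits(gammas: Sequence[float]) -> List[int]:
    """Signature B read back from the scale factors (gamma == 0 counts as -1)."""
    return [1 if g > 0 else -1 for g in gammas]


def sign_loss(gammas: Sequence[float], bits: Sequence[int], gamma0: float = 0.1) -> float:
    """Hinge-style sign loss (form assumed): zero once every b_c * gamma_c >= gamma0,
    so each scale factor is pushed to the requested sign and away from zero."""
    return sum(max(0.0, gamma0 - b * g) for g, b in zip(gammas, bits))


def verify_signature(kernels: Sequence[Matrix], p_gamma: Matrix, bits: Sequence[int]) -> bool:
    """Process V, white-box half: declared only if every recovered bit matches exactly."""
    return sign_bits(hidden_params(kernels, p_gamma)) == list(bits)


def fidelity(m: float, m_target: float, eps: float) -> bool:
    """Process F.  The page writes the gap as (M - M_t) < eps; the absolute gap is
    used here (assumption) so that a model degraded by a fake passport fails."""
    return abs(m - m_target) < eps


def prune_kernels(kernels: Sequence[Matrix], ratio: float) -> List[Matrix]:
    """Zero the smallest-magnitude fraction of weights (the pruning of figs. 4 and 5)."""
    flat = [(abs(w), ci, i, j) for ci, k in enumerate(kernels)
            for i, row in enumerate(k) for j, w in enumerate(row)]
    flat.sort(key=lambda t: t[0])                  # stable: ties keep original order
    drop = {(ci, i, j) for _, ci, i, j in flat[:int(round(ratio * len(flat)))]}
    return [[[0.0 if (ci, i, j) in drop else w for j, w in enumerate(row)]
             for i, row in enumerate(k)] for ci, k in enumerate(kernels)]


def detection_rate(kernels: Sequence[Matrix], p_gamma: Matrix, bits: Sequence[int]) -> float:
    """Fraction of signature bits still recovered after the weights were modified."""
    got = sign_bits(hidden_params(kernels, p_gamma))
    return sum(1 for a, b in zip(got, bits) if a == b) / len(bits)


# Constructed demo: three 2x2 kernels, 3x3 passports, signature B = {+1, -1, -1}.
KERNELS = [[[1.0, 0.0], [0.0, 1.0]], [[0.0, 1.0], [-1.0, 0.0]], [[-1.0, 0.0], [0.0, -1.0]]]
P_GAMMA = [[1.0, 2.0, 3.0], [4.0, 5.0, 6.0], [7.0, 8.0, 9.0]]
P_BETA = [[0.0, 1.0, 0.0], [1.0, 0.0, 1.0], [0.0, 1.0, 0.0]]
P_FAKE = [[9.0, 8.0, 7.0], [6.0, 5.0, 4.0], [3.0, 2.0, 1.0]]   # forged passport
X_C = [[1.0, 0.0, 0.0], [0.0, 1.0, 0.0], [0.0, 0.0, 1.0]]     # one input feature map
BITS = [1, -1, -1]

if __name__ == "__main__":
    gammas = hidden_params(KERNELS, P_GAMMA)
    print("gamma:", gammas, "bits:", sign_bits(gammas))
    print("output, channel 0:", passport_layer(KERNELS, X_C, P_GAMMA, P_BETA)[0])
    print("valid passport verified:", verify_signature(KERNELS, P_GAMMA, BITS))
    print("fake passport verified:", verify_signature(KERNELS, P_FAKE, BITS),
          "sign loss:", sign_loss(hidden_params(KERNELS, P_FAKE), BITS))
    print("bits kept after 75% pruning:",
          detection_rate(prune_kernels(KERNELS, 0.75), P_GAMMA, BITS))
```

With the forged passport the recovered bits are {+1, +1, -1}, so the exact-match rule of process V rejects it even though the fake produces plausible scale factors.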
We next performed experimental tests of robustness against fine-tuning, pruning and various kinds of fuzzy attacks.
Robustness to fine-tuning: Table 2 below gives the performance (%) of the passport network and its robustness to fine-tuning, where BN is batch normalization and GN is group normalization (left: trained on CIFAR10 and transferred to the CIFAR100/Caltech-101 tasks; right: trained on CIFAR100 and transferred to CIFAR10/Caltech-101).
In this experiment we repeated training five times for each DNN model with the assigned scale factor signs embedded. For the three ownership verification schemes, the passport signature was detected with a 100% detection rate. As shown in Table 2 below, the embedded passport maintains 100% detection even after the network is fine-tuned for other classification tasks (e.g. from CIFAR10 to Caltech-101). Note that a passport signature is only declared detected if all bits match exactly. We attribute this superior robustness to the unique control property of the scale factor: if a scale factor decreases to near zero, the channel output is almost zero, its gradient vanishes and loses driving force, so the value cannot continue to move in the opposite direction and the sign cannot change. Empirically, we have not observed a counterexample to this interpretation.
TABLE 2
Robustness to pruning: DNN performance and passport signature detection rate are shown as a function of the pruned weight ratio in figs. 4 and 5. In this experiment we tested the behaviour of the embedded passport model against attacks that prune a certain proportion of the DNN weights; this weight pruning strategy has been used for network compression. For the CIFAR10 classification, the passport signature detection accuracy stays near 100% when the pruning percentage remains around 60%. Even with 90% of the DNN weights pruned, the detection rate still reaches 70%. We attribute this robustness against modification attacks to the superior persistence exhibited by the embedded features in the examples.
Defence against fuzzy attacks: fig. 6 shows the performance of the DNN with a valid passport and with two different types of fake passport, namely a random-attack fake passport, fake1 (8), and a fuzzy-attack fake passport, fake2 (9). For AlexNet and ResNet trained on the CIFAR10 classification task, network performance varies greatly depending on the authenticity of the passport: DNN models given valid passports show almost the same accuracy as the original DNN models, while a fake passport with the same DNN model (here fake1 (8), the random attack) achieves a classification rate of about 10%, which is only comparable to random guessing. In the case of fake2 (9), we assume that the attacker has obtained the original training data set and attempts to infer the scale factors and bias terms in reverse by freezing the trained DNN weights. As a result, as shown in FIG. 6, AlexNet reaches at most 84% and ResNet at most 70%. In the CIFAR100 classification task, for the fake1 (8) case the attack success rate for AlexNet and ResNet is about 1%; for fake2 (9), the attack success rate is 44% for AlexNet and 35% for ResNet. Based on these experimental studies, we can set the threshold $\epsilon_f$ in definition 1 to 3% and 20% for AlexNet and ResNet, respectively, so that the fidelity evaluation process effectively resists any potential fuzzy attack. In summary, extensive experiments have shown that an adversary cannot maintain the performance of the original DNN model by using a fake passport, whether it is randomly generated or reverse-inferred using the original training data set. This passport-dependent capability plays an essential role in designing secure ownership verification schemes.
In addition, two further ownership verification schemes were studied: in scheme V2 the passport is distributed together with the trained DNN model, and in scheme V3 a private passport is embedded in the DNN model but not distributed.
First, as shown in FIG. 7, when the passport is distributed with the trained DNN model, the learning process aims to minimize the combined loss function (equation 1) with $\lambda_t = 0$, because no trigger set images are used in this scheme, and the sign loss (equation 5) is added as a constraint term. The trained DNN model is distributed together with its passport to legitimate users, who use the given passport as the passport layer input for network prediction. Network ownership is verified automatically by the distributed passport. This ownership verification is robust to fine-tuning and pruning of the DNN weights, and a fuzzy attack cannot forge a set of passports and signatures that maintains network performance. The disadvantage of this approach is that a passport is needed in the prediction phase, which results in an additional computational cost of about 10%; the experimental results are shown in table 5 of appendix E. Furthermore, distributing passports to end users can interfere with the user experience and places on them the additional responsibility of keeping the digital passports secure and uncompromised.
Next, as shown in fig. 8, we consider the scheme in which a private passport is embedded in the DNN model but not distributed. This learning process pursues two goals simultaneously: the first is to minimize the original task loss (e.g. CIFAR10 classification), excluding the passport layer; the second is to minimize the joint loss function (equation 1) that contains the passport constraints. Algorithmically, this multi-task learning is achieved by alternately minimizing the two objectives. The successfully trained DNN model is then distributed to end users, who can perform network prediction without a passport; this is possible because the passport layer is not included in the distributed network. Ownership verification is only performed at the request of law enforcement, by adding the passport layer to the network in question and validating the embedded signature while network performance remains undegraded.
This solution is easy to use for the end user compared to solution V2, since no passport is required and no additional computational costs are incurred. Meanwhile, ownership verification is effective for removal attacks and fuzzy attacks. However, it has the disadvantage of requiring access to DNN weights and the addition of a passport layer for ownership verification, i.e. white-box protected mode. We therefore propose to combine this with a trigger set based verification, i.e. the scheme in the claims, see claim 2.
The deep neural network targeted by the embodiment of the invention includes all the forms mentioned: different input signals, different types, different network structures, different application functions, deep neural networks on different operation carriers, and any neural network that is the same in principle, regardless of the operating environment. Optionally, the neural network may operate in a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), a Tensor Processor (TPU), a dedicated artificial intelligence chip, a cloud computing center, a mobile device, a wearable device, an intelligent video terminal, an in-vehicle device, other vehicles, an internet of things device (IoT device), and other devices.
Optionally, the DNN-based system and method for protecting passport against fuzzy attack may be applied to the terminal device to generate a passport against fuzzy attack, and include an embedding module, a fidelity evaluation module, a signature verification module, a reversible module, and a passport generation module.
The embedding module inputs training data D, including trigger set data T or signatures s, and optimizes the model N by minimizing a given loss function L; the fidelity evaluation module F evaluates whether the performance difference is less than a threshold, i.e. (M − M_t) < ε, where M is the DNN performance tested on a set of test data D, M_t is the target performance, ε is the threshold and F is the fidelity assessment result; the signature verification module V checks whether a predetermined signature or trigger set s, T is successfully verified for a given neural network N; the reversible module I(N) = N' exists when the following conditions are satisfied, and causes a successful fuzzy attack A_a:
d) For a given DNN model, a new set of trigger sets T 'and/or signatures s' is deduced by reverse engineering;
e) forged T', s' can be successfully verified against the given DNN weights W, i.e. V = True;
f) the fidelity evaluation result F is still True;
the DNN verification scheme V with a reversible module is defined as a reversible scheme V_I; otherwise it is defined as an irreversible scheme.
The passport generation module feeds a set of N selected images into a training DNN model of the same structure and collects the N corresponding feature images at each layer; of the N options, only one per layer is randomly selected to be the passport. In particular, for a set of N base images and a DNN model with L layers, N^L possible passport combinations can be generated.
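The passport generation module just described (claims 4 and 12), the Avg(W_p^l * P^l) derivation of the scale factor and offset (claim 11) and the fidelity check with the reversible/irreversible classification (claims 8, 9 and 12), worked through as an added example. This is not the patent's or the applicant's code. It assumes a plain valid cross-correlation in place of the DNN's convolution, ReLU between layers, the affine passport-layer output γ·(W_p * X) + β (the page's claim 7 equation is not reproduced), and an absolute value in the fidelity check so that a degraded network fails it; the base images and the forged passport are constructed random arrays.

```python
"""Passport generation and passport-layer scaling (added example, not the patent's code).

Implements with NumPy only:
  * claims 4 / 12: run N base images through an L-layer model, keep each layer's
    input feature maps, pick one per layer at random -> N**L possible passports;
  * claim 11: gamma^l = Avg(W_p^l * P_gamma^l), beta^l = Avg(W_p^l * P_beta^l);
  * claims 8 / 9 / 12: the fidelity check F and the reversible/irreversible label.
Assumptions not on the page: a plain valid cross-correlation stands in for the
convolution, ReLU sits between layers, the passport layer output has the affine
form gamma * (W_p * X) + beta, and the fidelity check uses |M - M_t| so that a
degraded network fails it.
"""
import numpy as np


def conv2d(x, w):
    """Valid cross-correlation of x (C_in, H, W) with kernels w (C_out, C_in, k, k)."""
    c_out, _, k, _ = w.shape
    h_out, w_out = x.shape[1] - k + 1, x.shape[2] - k + 1
    out = np.zeros((c_out, h_out, w_out))
    for o in range(c_out):
        for i in range(h_out):
            for j in range(w_out):
                out[o, i, j] = np.sum(x[:, i:i + k, j:j + k] * w[o])
    return out


def build_model(channels, k=3, seed=0):
    """Random kernels for an L-layer model; channels = [C_0, C_1, ..., C_L]."""
    rng = np.random.default_rng(seed)
    return [rng.standard_normal((c_out, c_in, k, k)) * 0.1
            for c_in, c_out in zip(channels[:-1], channels[1:])]


def collect_feature_maps(weights, base_images):
    """candidates[l] = the N feature maps entering layer l (same shape as X_p^l)."""
    candidates, acts = [], list(base_images)
    for w in weights:
        candidates.append(acts)
        acts = [np.maximum(conv2d(a, w), 0.0) for a in acts]
    return candidates


def select_passport(candidates, seed):
    """Claim 4: one of the N candidate maps per layer, chosen at random."""
    rng = np.random.default_rng(seed)
    return [cands[rng.integers(len(cands))] for cands in candidates]


def num_passport_combinations(n_base, n_layers):
    """N**L distinct passports from N base images and L layers (claim 4)."""
    return n_base ** n_layers


def derive_scale_offset(w, p_gamma, p_beta):
    """Claim 11: per-kernel averages of W_p * P give gamma and beta."""
    gamma = conv2d(p_gamma, w).mean(axis=(1, 2))
    beta = conv2d(p_beta, w).mean(axis=(1, 2))
    return gamma, beta


def passport_layer(x, w, p_gamma, p_beta):
    """Assumed affine form: O = gamma * (W_p * X) + beta."""
    gamma, beta = derive_scale_offset(w, p_gamma, p_beta)
    return gamma[:, None, None] * conv2d(x, w) + beta[:, None, None]


def fidelity(m, m_target, eps):
    """F is True when the performance gap is below eps (absolute value assumed)."""
    return abs(m - m_target) < eps


def classify_scheme(forged_verified, forged_fidelity):
    """Reversible scheme V_I iff a forged signature passes V while F stays True."""
    return "reversible" if (forged_verified and forged_fidelity) else "irreversible"


def demo(n_base=4, channels=(1, 2, 2), size=8):
    """Generate a passport and show that a wrong passport changes the layer output."""
    rng = np.random.default_rng(1)
    base = [rng.random((channels[0], size, size)) for _ in range(n_base)]  # constructed
    weights = build_model(channels)
    cands = collect_feature_maps(weights, base)
    p_gamma = select_passport(cands, seed=2)
    p_beta = select_passport(cands, seed=3)
    x = rng.random((channels[0], size, size))
    out_true = passport_layer(x, weights[0], p_gamma[0], p_beta[0])
    forged = rng.random(p_gamma[0].shape)  # constructed stand-in for a wrong passport
    out_forged = passport_layer(x, weights[0], forged, forged)
    return {"combinations": num_passport_combinations(n_base, len(weights)),
            "layer0_shape": out_true.shape,
            "forgery_changes_output": not np.allclose(out_true, out_forged)}


if __name__ == "__main__":
    print(demo())
```

The candidate passports for layer l are the feature maps that enter layer l, so they always have the shape the passport layer needs for W_p^l * P^l. One draw per layer gives the N^L count of claim 4; drawing P_γ and P_β separately, as the demo does, gives N^L possibilities for each of the two passport sets.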
Claims (14)
1. A system and a method for passport to resist fuzzy attack based on DNN are characterized by comprising a DNN model and a passport, wherein the DNN model ownership verification scheme comprises an embedding process E, a fidelity evaluation process F, a signature verification process V and a reversible process I, and the specific steps are as follows:
s11, the embedding process E is a DNN learning process that takes training data D as input, including trigger set data T or signatures S, and optimizes the model N by minimizing a given loss function L;
S12, the fidelity assessment procedure F = {False, True} assesses whether the performance difference is less than a threshold, i.e. (M − M_t) < ε, where M is the DNN performance tested on a set of test data D, M_t is the target performance, ε is the threshold and F is the fidelity assessment result;
S13, the signature verification process V = {False, True} checks whether the predetermined signature or trigger set S, T was successfully verified for the given neural network N;
S14, when the following conditions are met, there is a reversible process I(N) = N' which causes a successful fuzzy attack A_a:
a) For a given DNN model, a new set of trigger sets T 'and/or signatures s' may be inferred by reverse engineering;
b) forged T', s' can be successfully verified against the given DNN weights W, i.e. V = True;
c) the fidelity evaluation result F is still True;
S15, a DNN verification scheme V with a reversible process is defined as a reversible scheme V_I; otherwise it is defined as an irreversible scheme.
2. The system and method of claim 1 for a DNN-based passport against fuzzy attacks, wherein: the feature-based and trigger set-based methods employ a combined loss function as follows:
L = L_c(f(W, X_r), y_r) + λ_t L_c(f(W, X_T), y_T) + λ_r R(W, s),   (1)
where λ_t and λ_r are the associated hyperparameter weights, f(W, X) takes the input X_r or X_T and outputs a prediction, and L_c is the cross-entropy loss between the prediction and the target label y_r or y_T. The signature s = {P, B} consists of a passport P and a signature string B, and the constraint term is R = L_c(σ(W, P), B) or R = MSE(B − PW), where MSE is the mean square error function.
3. The system and method of claim 1 for a DNN-based passport against fuzzy attacks, wherein: the DNN model of the trigger set based watermarking method is also embedded with a private passport and the trigger set, but these are not distributed, where the trigger set is a group of trigger images and the ownership of a suspicious DNN model is detected and declared through a remotely called service API; ownership is first declared in black-box mode with the trigger set images, and then declared again by passport validation in white-box mode, alternately minimizing the original task loss, excluding the passport layers, and the joint loss function containing the passport constraint terms, employing the GroupNormalisation algorithm.
4. The system and method of claim 1 for a DNN-based passport against fuzzy attacks, wherein: the passport is generated after random shuffling, by the following specific method: feeding a set of N selected maps into a training DNN model of the same structure and collecting the N corresponding feature maps at each layer; of the N options, only one per layer is randomly selected to be the passport. In particular, for a set of N base images and a DNN model with L layers, N^L possible passport combinations can be generated.
5. The system and method of claim 1 for a DNN-based passport against fuzzy attacks, wherein: based on the DNN model of the trigger set watermarking method, a trainable noise component is added to the randomly selected base image using the following steps:
S31, randomly select a set of N base images T_b;
S32, generate a random noise pattern T_n of the same size as a trainable parameter;
S33, use the sum X_T = T_b + η T_n as the trigger set image, where η = 0.04 keeps the noise component invisible;
S34, randomly assign the trigger set labels y_T;
S35, minimize the cross-entropy loss L_c with respect to the trainable parameter T_n.
6. The system and method of claim 1 for a DNN-based passport against fuzzy attacks, wherein: the DNN framework is predetermined by the optimization model N, and after the DNN weights W are learned the trigger set T or signature s is embedded into the model; the signature verification process V first calls the DNN prediction process with the trigger set samples T_x as input, then checks whether the prediction function f generates the specified labels T_y with an error detection rate below the threshold.
7. The system and method of claim 1 for a DNN-based passport against fuzzy attacks, wherein: the DNN model further comprises a passport layer and convolutional layers, where the passport layer is embedded with the digital signature, and the scale factor γ and the offset β of the passport layer depend on the convolution kernel W_p and on the specified passport P, as follows:
where * denotes the convolution operation, l is the layer index, X_p is the input to the passport layer, X_c is the input to the convolutional layer, O() is the corresponding linear transform output, and P_γ^l and P_β^l are the passport layers from which the scale factor γ and the offset term β are derived, respectively; each convolutional layer is composed of a plurality of convolution units, the parameters of each convolution unit are obtained by optimization through the back-propagation algorithm, and different features of the fuzzy attack are extracted through the convolution operation.
8. The system and method of claim 6 for a DNN-based passport against fuzzy attacks, wherein: with the passport layers s_e = {P_γ^l, P_β^l}_l, the predicted performance M of the trained DNN model depends on the digital passport provided when the network is used, namely:
if the true digital passport is not presented, i.e. s_t ≠ s_e, the network's operating performance deteriorates significantly.
9. The system and method of claim 1 for a DNN-based passport against fuzzy attacks, wherein: in a non-reversible scheme the fidelity evaluation result F depends on the presented signature s or trigger set T; if the passport is forged, s_t ≠ s_e, the performance M deteriorates sharply and the performance difference is greater than a threshold value ε_f.
10. The system and method of claim 1 for a DNN-based passport against fuzzy attacks, wherein: the signature is an embedded binary signature, and the following sign loss constraint terms are added to the combined loss function in the learning process of the DNN weight to force the scale factor to take a specified positive or negative sign:
where B = {b_1, …, b_C} ∈ {−1, 1}^C consists of the given binary bits for the C convolution kernels, and γ_0 is a positive control parameter, 0.1 by default, that drives the magnitude of the scale factor above γ_0.
11. The system and method of claim 1 for a DNN-based passport against fuzzy attacks, wherein: the parameters of the DNN model are divided into the public convolutional layer parameters W and the scale factor γ and offset term β of the hidden passport layer, and after passport information has been embedded into the weights W and learning is complete, the following constraints hold: Avg(W_p^l * P_γ^l) = c_γ^l, Avg(W_p^l * P_β^l) = c_β^l; the distribution of the convolutional layer weights is the same as that of the original DNN without the passport layer; c_γ^l and c_β^l are the constant values to which the parameters γ^l and β^l converge, and the scale factor can only take positive or negative values away from zero.
12. The system and method of claim 1 for a DNN-based passport against fuzzy attacks, wherein: the system comprises an embedding module, a fidelity evaluation module, a signature verification module, a reversible module and a passport generation module;
the embedding module inputs training data D, including trigger set data T or signatures s, and optimizes the model N by minimizing a given loss function L;
the fidelity evaluation module F evaluates whether the performance difference is less than a threshold, i.e. (M − M_t) < ε, where M is the DNN performance tested on a set of test data D, M_t is the target performance, ε is the threshold and F is the fidelity assessment result;
said signature verification module V checks whether a predetermined signature or trigger set s, T is successfully verified for a given neural network N;
the reversible module I(N) = N' exists when the following conditions are satisfied, and causes a successful fuzzy attack A_a:
d) For a given DNN model, a new set of trigger sets T 'and/or signatures s' is deduced by reverse engineering;
e) forged T', s' can be successfully verified against the given DNN weights W, i.e. V = True;
f) the fidelity evaluation result F is still True;
the DNN verification scheme V with a reversible module is defined as a reversible scheme V_I; otherwise it is defined as an irreversible scheme.
The passport generation module feeds a set of N selected images into a training DNN model of the same structure and collects the N corresponding feature images at each layer; of the N options, only one per layer is randomly selected to be the passport. In particular, for a set of N base images and a DNN model with L layers, N^L possible passport combinations can be generated.
13. The system and method of claim 1 for a DNN-based passport against fuzzy attacks, wherein: the deep neural network targeted by the DNN model includes different input signals, different types, different network structures, different application functions, deep neural networks on different operation carriers, and any neural network that is the same in principle.
14. The system and method of claim 1 for a DNN-based passport against fuzzy attacks, wherein: the system and the method for defending the passport against the fuzzy attack based on the DNN can be operated in a computer central processing unit, a graphic accelerator, a tensor processor, a special artificial intelligence chip, a cloud computing center, mobile equipment, wearable equipment, an intelligent video terminal, vehicle-mounted equipment, other vehicles and equipment of the Internet of things.
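The combined loss of equation (1) in claim 2, with the MSE constraint term R = MSE(B − PW) and the sign loss constraint of claim 10 on the scale factors, as an added example that is not the patent's or the applicant's code. The page does not reproduce the sign loss equation (equation 5), so the hinge form Σ_i max(γ_0 − b_i γ_i, 0) used here is an assumption chosen to match the description: it is zero exactly when every γ_i has the sign b_i and magnitude at least γ_0. The classifier f(W, X) = XW, the passport P and all sample data are constructed stand-ins.

```python
"""Combined loss of equation (1) with the passport constraint terms
(added example, not the patent's code).

Implements claim 2,
  L = L_c(f(W,X_r),y_r) + lambda_t L_c(f(W,X_T),y_T) + lambda_r R(W,s),  R = MSE(B - PW),
and claim 10's sign loss on the scale factors gamma.
Assumptions not on the page: f is a linear softmax classifier f(W,X) = XW, and the
sign loss takes the hinge form sum_i max(gamma_0 - b_i * gamma_i, 0), which forces
sign(gamma_i) = b_i with |gamma_i| >= gamma_0 as the claim requires.
"""
import numpy as np


def cross_entropy(logits, labels):
    """L_c: mean cross-entropy between softmax(logits) and integer labels."""
    z = logits - logits.max(axis=1, keepdims=True)
    log_probs = z - np.log(np.exp(z).sum(axis=1, keepdims=True))
    return -log_probs[np.arange(len(labels)), labels].mean()


def linear_model(W, X):
    """f(W, X): a linear classifier standing in for the DNN (assumption)."""
    return X @ W


def mse_constraint(B, P, W):
    """R(W, s) = MSE(B - P W) for the signature s = {P, B} (claim 2)."""
    return np.mean((B - P @ W) ** 2)


def sign_loss(gamma, B, gamma0=0.1):
    """Assumed hinge form: zero once every b_i * gamma_i >= gamma_0."""
    return np.maximum(gamma0 - B * gamma, 0.0).sum()


def combined_loss(W, Xr, yr, XT, yT, R, lam_t, lam_r, f=linear_model):
    """Equation (1). lam_t = 0 drops the trigger-set term (description, FIG. 7)."""
    task = cross_entropy(f(W, Xr), yr)
    trigger = cross_entropy(f(W, XT), yT) if lam_t else 0.0
    return task + lam_t * trigger + lam_r * R


def enforce_signs(gamma, B, gamma0=0.1, lr=0.05, steps=100):
    """Subgradient descent on the sign loss: each active term moves gamma_i by lr*b_i."""
    gamma = gamma.astype(float).copy()
    for _ in range(steps):
        active = (B * gamma) < gamma0
        if not active.any():
            break
        gamma += lr * B * active
    return gamma


def demo(seed=0):
    """Constructed sample data: 6 clean examples, 4 trigger examples, 3 classes."""
    rng = np.random.default_rng(seed)
    d, C = 5, 3
    W = rng.standard_normal((d, C))
    Xr, yr = rng.standard_normal((6, d)), rng.integers(0, C, 6)
    XT, yT = rng.standard_normal((4, d)), rng.integers(0, C, 4)
    P = rng.standard_normal((2, d))            # constructed passport, projects W to 2 x C
    B_mse = np.sign(P @ W)                     # target bits for the MSE constraint
    R = mse_constraint(B_mse, P, W)
    L_no_trigger = combined_loss(W, Xr, yr, XT, yT, R, lam_t=0.0, lam_r=0.1)
    L_with_trigger = combined_loss(W, Xr, yr, XT, yT, R, lam_t=0.5, lam_r=0.1)
    B = np.array([1, -1, 1, -1, 1, 1, -1, -1])  # binary signature for 8 kernels
    g_init = rng.uniform(-0.5, 0.5, size=8)      # scale factors before the constraint
    g_final = enforce_signs(g_init, B)
    return {"loss_no_trigger": L_no_trigger, "loss_with_trigger": L_with_trigger,
            "sign_loss_before": sign_loss(g_init, B),
            "sign_loss_after": sign_loss(g_final, B),
            "signs_match": bool(np.all(np.sign(g_final) == B))}


if __name__ == "__main__":
    print(demo())
```

With λ_t = 0 the trigger-set term disappears, which is the setting the description gives for the distributed-passport scheme of FIG. 7; `enforce_signs` shows why the sign loss is a useful constraint: once it reaches zero, every scale factor carries its assigned sign with magnitude at least γ_0, so the signature bits can be read straight off the signs of γ.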
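Steps S31 to S35 of claim 5, the trigger set X_T = T_b + η T_n with η = 0.04 and random labels y_T, together with the prediction check of claim 6, as an added example that is not the patent's or the applicant's code. It assumes a fixed linear softmax classifier over flattened images in place of the DNN (so the gradient of L_c with respect to T_n has a closed form), and the base images, labels and weights are constructed random arrays.

```python
"""Trigger-set construction of claim 5 and its verification (claim 6)
(added example, not the patent's code).

S31 pick N base images T_b; S32 a trainable noise pattern T_n; S33 X_T = T_b + eta*T_n
with eta = 0.04; S34 random labels y_T; S35 minimise L_c with respect to T_n.
Assumptions not on the page: f(W, X) is a fixed linear softmax classifier over
flattened images, and all inputs are constructed random arrays.
"""
import numpy as np

ETA = 0.04  # claim 5, S33


def softmax(logits):
    z = logits - logits.max(axis=1, keepdims=True)
    e = np.exp(z)
    return e / e.sum(axis=1, keepdims=True)


def make_trigger_set(base_images, noise, eta=ETA):
    """S33: X_T = T_b + eta * T_n, flattened to one row per image."""
    n = len(base_images)
    return (base_images + eta * noise).reshape(n, -1)


def fit_noise(W, base_images, y_T, steps=1000, lr=50.0, eta=ETA, seed=0):
    """S32 + S35: start from random T_n and descend L_c with respect to T_n only.
    dL/dX_T = (softmax(X_T W) - onehot(y_T)) W^T / n and dX_T/dT_n = eta."""
    rng = np.random.default_rng(seed)
    noise = rng.standard_normal(base_images.shape)
    n, C = len(base_images), W.shape[1]
    onehot = np.eye(C)[y_T]
    for _ in range(steps):
        X_T = make_trigger_set(base_images, noise, eta)
        grad_logits = (softmax(X_T @ W) - onehot) / n
        grad_noise = eta * (grad_logits @ W.T).reshape(base_images.shape)
        noise -= lr * grad_noise
    return noise


def verify_trigger_set(W, X_T, y_T, max_error_rate=0.1):
    """Claim 6: feed the trigger samples to the predictor and require the
    specified labels back with an error rate below the threshold."""
    pred = np.argmax(X_T @ W, axis=1)
    error_rate = np.mean(pred != y_T)
    return bool(error_rate < max_error_rate), float(error_rate)


def demo(n=8, shape=(4, 4), C=3, seed=1):
    """Constructed data: 8 base images of 4x4 pixels, 3 classes, a fixed model W."""
    rng = np.random.default_rng(seed)
    T_b = rng.random((n,) + shape)                      # S31, constructed base images
    y_T = rng.integers(0, C, n)                         # S34, random labels
    W = rng.standard_normal((shape[0] * shape[1], C))   # constructed stand-in model
    before = verify_trigger_set(W, make_trigger_set(T_b, np.zeros_like(T_b)), y_T)
    T_n = fit_noise(W, T_b, y_T)
    after = verify_trigger_set(W, make_trigger_set(T_b, T_n), y_T)
    return {"before": before, "after": after,
            "noise_amplitude": float(np.abs(ETA * T_n).max())}


if __name__ == "__main__":
    print(demo())
```

Because the model here is frozen, the noise pattern alone has to move every trigger image across a decision boundary and therefore grows larger than it would in the joint training the claims describe, where the DNN weights are optimized at the same time; the reported `noise_amplitude` makes that visible. The verification step is the black-box check of claim 6: only the prediction API is needed, no access to W.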
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910832529.2A CN110610082A (en) | 2019-09-04 | 2019-09-04 | DNN-based system and method for passport to resist fuzzy attack |
PCT/CN2020/072809 WO2021042665A1 (en) | 2019-09-04 | 2020-01-17 | Dnn-based method for protecting passport against fuzzy attack |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910832529.2A CN110610082A (en) | 2019-09-04 | 2019-09-04 | DNN-based system and method for passport to resist fuzzy attack |
Publications (1)
Publication Number | Publication Date |
---|---|
CN110610082A true CN110610082A (en) | 2019-12-24 |
Family
ID=68892263
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910832529.2A Pending CN110610082A (en) | 2019-09-04 | 2019-09-04 | DNN-based system and method for passport to resist fuzzy attack |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN110610082A (en) |
WO (1) | WO2021042665A1 (en) |
Families Citing this family (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113283520B (en) * | 2021-06-03 | 2024-02-13 | 浙江工业大学 | Feature enhancement-based depth model privacy protection method and device for membership inference attack |
CN114254275B (en) * | 2021-11-16 | 2024-05-28 | 浙江大学 | Black box deep learning model copyright protection method based on antagonism sample fingerprint |
CN114254274B (en) * | 2021-11-16 | 2024-05-31 | 浙江大学 | White-box deep learning model copyright protection method based on neuron output |
CN114638356B (en) * | 2022-02-25 | 2024-06-28 | 武汉大学 | Static weight guided deep neural network back door detection method and system |
CN116308986B (en) * | 2023-05-24 | 2023-08-04 | 齐鲁工业大学(山东省科学院) | Hidden watermark attack algorithm based on wavelet transformation and attention mechanism |
CN117473469B (en) * | 2023-12-28 | 2024-05-10 | 广东佛山联创工程研究生院 | Model watermark embedding method and device, electronic equipment and storage medium |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JPH10171993A (en) * | 1996-12-10 | 1998-06-26 | Oki Electric Ind Co Ltd | Authenticity discriminating device for medium |
CN105825243A (en) * | 2015-01-07 | 2016-08-03 | 阿里巴巴集团控股有限公司 | Method and device for certificate image detection |
CN108304858A (en) * | 2017-12-28 | 2018-07-20 | 中国银联股份有限公司 | Fight specimen discerning model generating method, verification method and its system |
CN108537206A (en) * | 2018-04-23 | 2018-09-14 | 济南浪潮高新科技投资发展有限公司 | A kind of face verification method based on convolutional neural networks |
CN109165674A (en) * | 2018-07-19 | 2019-01-08 | 南京富士通南大软件技术有限公司 | A kind of certificate photo classification method based on multi-tag depth convolutional network |
CN109190524A (en) * | 2018-08-17 | 2019-01-11 | 南通大学 | A kind of human motion recognition method based on generation confrontation network |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10657259B2 (en) * | 2017-11-01 | 2020-05-19 | International Business Machines Corporation | Protecting cognitive systems from gradient based attacks through the use of deceiving gradients |
CN109919303B (en) * | 2019-02-28 | 2023-09-19 | 笵成科技南京有限公司 | Intellectual property protection method, system and terminal for deep neural network |
CN110084002A (en) * | 2019-04-23 | 2019-08-02 | 清华大学 | Deep neural network attack method, device, medium and calculating equipment |
CN110610082A (en) * | 2019-09-04 | 2019-12-24 | 笵成科技南京有限公司 | DNN-based system and method for passport to resist fuzzy attack |
2019
- 2019-09-04 CN CN201910832529.2A patent/CN110610082A/en active Pending
2020
- 2020-01-17 WO PCT/CN2020/072809 patent/WO2021042665A1/en active Application Filing
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2021042665A1 (en) * | 2019-09-04 | 2021-03-11 | 笵成科技南京有限公司 | Dnn-based method for protecting passport against fuzzy attack |
CN111260059A (en) * | 2020-01-23 | 2020-06-09 | 复旦大学 | Back door attack method of video analysis neural network model |
CN111260059B (en) * | 2020-01-23 | 2023-06-02 | 复旦大学 | Back door attack method of video analysis neural network model |
CN111581671A (en) * | 2020-05-11 | 2020-08-25 | 笵成科技南京有限公司 | Digital passport protection method combining deep neural network and block chain |
CN112364310A (en) * | 2020-11-16 | 2021-02-12 | 山西三友和智慧信息技术股份有限公司 | Data set protection and verification method based on backdoor attack |
CN113518062A (en) * | 2020-12-08 | 2021-10-19 | 腾讯科技(深圳)有限公司 | Attack detection method and device and computer equipment |
CN116128700A (en) * | 2023-03-29 | 2023-05-16 | 中国工程物理研究院计算机应用研究所 | Model watermark implantation and verification method and system based on image inherent characteristics |
CN116128700B (en) * | 2023-03-29 | 2023-09-12 | 中国工程物理研究院计算机应用研究所 | Model watermark implantation and verification method and system based on image inherent characteristics |
CN116152032A (en) * | 2023-04-23 | 2023-05-23 | 中国信息通信研究院 | Method and device for generating green product digital passport based on industrial Internet |
Also Published As
Publication number | Publication date |
---|---|
WO2021042665A1 (en) | 2021-03-11 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||