WO2020173252A1 - Method, system and terminal for protecting a deep neural network using a self-locking mechanism - Google Patents
Method, system and terminal for protecting a deep neural network using a self-locking mechanism
- Publication number
- WO2020173252A1 (PCT/CN2020/072807; CN2020072807W)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- network
- neural network
- deep neural
- digital key
- self
- Prior art date
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/04—Architecture, e.g. interconnection topology
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/08—Learning methods
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q50/00—Information and communication technology [ICT] specially adapted for implementation of business processes of specific business sectors, e.g. utilities or tourism
- G06Q50/10—Services
- G06Q50/18—Legal services
Definitions
- The embodiments of the present disclosure relate to the field of artificial intelligence, and in particular to a method, system, and terminal for using a self-locking mechanism to protect a deep neural network.
Background Art
- Deep neural network: also referred to as a neural network or simply a network, it refers to the artificial intelligence technology that achieved major breakthroughs in the early 21st century. Its basic feature is to learn intelligent processing of an input signal through multi-level feature extraction, from local to global.
- The input signal may be a one-dimensional voice signal, or a high-dimensional multimedia digital signal such as an image or a video.
- The deep learning algorithm masters the required data processing capability by adjusting and optimizing the massive parameters of the deep neural network. Different data samples and network structures determine the types of data processing a neural network can perform; different network parameter values determine how well a network performs a given type of processing.
- Neural networks take many different structural forms, such as the convolutional neural network (CNN), the recurrent neural network (RNN), and the generative adversarial network (GAN). In terms of application functions, neural networks can be used for speech recognition, natural language processing (NLP), computer vision (CV), big-data mining, and so on. As computing carriers, neural networks can run on computer central processing units (CPUs), graphics accelerators (GPUs), tensor processors (TPUs), dedicated artificial intelligence chips, cloud computing centers, mobile devices, wearable devices, smart video terminals, in-vehicle devices and other carriers, IoT devices, etc. The digital convolution operation is the core operation of all these deep neural networks.
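As a hedged illustration only (not part of the original patent text), the digital convolution operation can be sketched in plain NumPy; the function name, shapes, and valid-mode choice are illustrative assumptions:

```python
import numpy as np

def conv2d(signal: np.ndarray, kernel: np.ndarray) -> np.ndarray:
    """Valid-mode 2-D digital convolution: slide the flipped kernel over
    the input and sum the element-wise products at every position."""
    kh, kw = kernel.shape
    h, w = signal.shape
    flipped = kernel[::-1, ::-1]  # true convolution flips the kernel
    out = np.empty((h - kh + 1, w - kw + 1))
    for i in range(out.shape[0]):
        for j in range(out.shape[1]):
            out[i, j] = np.sum(signal[i:i + kh, j:j + kw] * flipped)
    return out

image = np.random.rand(8, 8)        # toy input signal
kernel = np.random.rand(3, 3)       # toy convolution kernel
print(conv2d(image, kernel).shape)  # (6, 6)
```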
- Neural network learning and training algorithm: for a given set of digital signal samples, the deep learning algorithm masters the required data processing capability by adjusting and optimizing the massive parameters of the neural network.
- The specific learning and training algorithm is related not only to the network structure (such as that of a generative adversarial network, GAN), but also to the selected optimization objective function.
- Neural network development costs usually include the following aspects. a) Hardware costs, including the computers used for computation, central processing units (CPUs) and/or graphics processing units (GPUs), etc., where the graphics processor accelerates the digital convolution operations. b) Software costs, including the cost of installing related operating systems, supporting software, and deep learning algorithms.
- c) Learning and training costs, including the cost of data collection, the cost of data labeling, the cost of developing and debugging the learning and training algorithms, the energy consumed during operation, and the time spent.
- The cost of using a neural network usually includes the following aspects. a) Hardware costs, including the computing computer, central processing unit (CPU) and/or graphics processing unit (GPU), etc., where the graphics processor accelerates the digital convolution operations.
- b) Software costs, including the cost of installing related operating systems and supporting software.
- c) Operating costs, including energy consumption during operation, time cost, etc.
- The operating cost of use alone is greatly reduced compared with the aforementioned development cost, because it does not include the cost of data collection, the cost of data labeling, or the cost of developing and debugging the learning and training algorithms; during use, the energy consumption is lower and less time is required.
- The running time in use is only seconds or even milliseconds, with no need for repeated runs. Since the usage and time costs of a neural network are several orders of magnitude lower than the corresponding development costs, the temptation of infringements such as illegal copying and illegal use is enormous, and infringers rush in. It is therefore urgent to protect the intellectual property rights of deep neural networks.
- Unprotected network: an original network without any additional digital features can realize a given data processing function through learning, but cannot prove its ownership. In the face of infringements such as illegal copying and illegal use, it has no technical means of protecting its intellectual property.
- Digital watermark: a specific digital feature (or digital fingerprint) that can be attached, through special algorithms, to digital multimedia products such as pictures and movies. Using the corresponding algorithm again, the added digital feature can be extracted from the media product and identified, thereby proving ownership of the product.
- An ideal digital watermark should be robust; that is, even if the digital product undergoes various data transformations (such as image cropping or video compression encoding and decoding), the added watermark can still be reliably extracted and identified.
- A digital watermark can be secret or public; in form, it can be invisible or visible.
- Watermarking network: a deep neural network to which a secret digital watermark has been added using digital watermarking technology. Such a watermarked network can prove its ownership, but cannot prevent the copying and illegal use of the network itself. Enforcing the rights of a watermarked network must proceed through legal means based on such proof, which is inefficient and costly.
Summary of the Invention
- At least some embodiments of the present disclosure provide a method, system, and terminal for protecting a deep neural network using a self-locking mechanism.
- The deep neural networks targeted by the embodiments of the present disclosure include all the various forms mentioned above: different input signals, different types, different network structures, different application functions, and deep neural networks on different computing carriers. Any neural network built on the same principle is covered, for example a Convolutional Neural Network (CNN), Recurrent Neural Network (RNN), or Generative Adversarial Network (GAN), regardless of its operating environment.
- CNN Convolutional Neural Network
- RNN Recurrent Neural Network
- GAN Generative Adversarial Network
- A method for using a self-locking mechanism to protect a deep neural network includes: self-locking the deep neural network in cooperation with a predetermined digital key and learning-and-training data samples, to obtain a self-locking deep neural network; if the self-locking deep neural network is used in conjunction with the predetermined digital key, first characteristic information is obtained, in which the network normally performs its predetermined function; if the self-locking deep neural network is used without the predetermined digital key, second characteristic information is obtained, in which function is missing or performance is degraded; and, in the case that the self-locking deep neural network is illegally unlocked, using the self-locking deep neural network in conjunction with the predetermined digital key obtains third characteristic information, where the third characteristic information is a statistical feature that proves ownership of the self-locking deep neural network.
- Self-locking the deep neural network includes: training and updating, according to the learning-and-training data samples (with or without labeling information), the first part of the network parameters of the deep neural network, where the first-part network parameters participate in realizing the predetermined function of the deep neural network and, together with the predetermined digital key, determine the values of the second-part network parameters; and calculating and updating the second-part network parameters during the training process according to the predetermined digital key and the values of the first-part network parameters, so as to obtain the predetermined function of the deep neural network, where the predetermined function includes at least one of the following: image classification, natural language processing.
- A deep neural network trained in this way has a strict dependence between the first-part network parameters and the predetermined digital key, and this dependence is the key to providing intellectual property protection for the self-locking deep neural network.
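As an illustrative, non-authoritative sketch of this co-training (the toy linear model, the convolution-plus-mean derivation of the second-part parameters, and the squared-error loss are all assumptions, not the patent's actual algorithm):

```python
import numpy as np

rng = np.random.default_rng(0)
key = rng.normal(size=16)        # predetermined digital key (kept secret)
W1 = rng.normal(size=(16, 4))    # first-part parameters (trainable)

def derive_W2(W1, key):
    """Second-part parameters as a deterministic function of the key and
    the first part: each W1 column acts as a kernel convolved with the key."""
    return np.array([np.convolve(key, W1[:, c], mode='valid').mean()
                     for c in range(W1.shape[1])])

X = rng.normal(size=(64, 16))        # training samples
y = X @ rng.normal(size=(16, 4))     # toy regression targets

lr = 1e-2
for step in range(200):
    W2 = derive_W2(W1, key)          # recomputed at every update
    pred = (X @ W1) * W2             # W2 acts as per-output scaling
    err = pred - y
    # simplifying assumption: W2 is treated as constant within a step
    grad_W1 = X.T @ (err * W2) / len(X)
    W1 -= lr * grad_W1
```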
- Using the self-locking deep neural network with the predetermined digital key includes: calculating and setting the second-part network parameters according to the first-part network parameters and the predetermined digital key, and using the first-part and second-part network parameters together to control the self-locking deep neural network to perform data processing operations.
- Both the first-part and the second-part network parameters are indispensable components for realizing normal network function.
- Using the self-locking deep neural network without the predetermined digital key includes: obtaining a non-predetermined digital key and the illegally copied first-part network parameters, and calculating abnormal second-part network parameters; using the illegally copied first part together with the abnormal second part then yields the second characteristic information of missing function or degraded performance.
- The infringer therefore cannot benefit from the infringement and has no motivation to infringe, thereby preventively protecting the intellectual property rights of the self-locking neural network.
- Without the predetermined digital key, the infringed (illegally copied) deep neural network cannot perform its normal functions. A sketch of both the legitimate unlocking and the wrong-key behaviour follows below.
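Continuing the training sketch above (again an assumption-laden illustration, not the patent's procedure), correct-key use and wrong-key use differ only in the key supplied:

```python
def run_network(X, W1, key):
    """Assemble the full parameter set from the first part and a key,
    then perform the data-processing operation."""
    W2 = derive_W2(W1, key)
    return (X @ W1) * W2

out_ok = run_network(X, W1, key)                    # predetermined key
out_bad = run_network(X, W1, rng.normal(size=16))   # non-predetermined key
# With the correct key the output matches the trained behaviour; a wrong
# key produces abnormal second-part parameters and a degraded function.
print(np.mean((out_ok - y) ** 2), np.mean((out_bad - y) ** 2))
```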
- Using the self-locking deep neural network in cooperation with the predetermined digital key to obtain the third characteristic information includes: in the case that the self-locking deep neural network has been illegally unlocked, removing the second-part network parameters from the illegally unlocked deep neural network; using the predetermined digital key to use and display the predetermined function of the deep neural network, obtaining a first result; using a non-predetermined digital key to use and display that the deep neural network cannot perform the predetermined function, or that its performance declines by a degree consistent with the expected amplitude, obtaining a second result; and combining the first and second results to determine that the predetermined digital key is associated with the first-part network parameters, where the association was given when the deep neural network was generated.
- the first partial network parameters and the second partial network parameters together constitute all parameters of the deep neural network.
- the first part of the network parameters, the second part of the network parameters and the predetermined digital key together constitute all the prerequisite information required to use the deep neural network and act together on the input digital signal to be processed.
- The above-mentioned first-part network parameters may be public or undisclosed;
- the above-mentioned second-part network parameters are not public, but are calculated from the first-part network parameters and the predetermined digital key when the deep neural network is used.
- In one embodiment, the whole of the first-part network parameters is combined with the predetermined digital key to jointly determine the second-part network parameters.
- In another embodiment, only a part of the first-part network parameters is combined with the predetermined digital key to jointly determine the second-part network parameters.
- the above-mentioned data samples with or without annotated information used for learning and training may be public or unpublished.
- The aforementioned digital key includes one or more sets of any pre-selected, non-public digital information.
- the predetermined digital key is only distributed to legally authorized users of the deep neural network.
- The predetermined digital key is selected by the owner of the deep neural network.
- The aforementioned digital key includes one or more sets of any pre-selected, undisclosed pictures; the predetermined digital key picture is distributed only to legally authorized users of the deep neural network.
- The above-mentioned digital key pictures include: passport photos, ID photos, signatures, fingerprint pictures, or iris pictures of the deep neural network owner, or any picture that can determine the identity of the owner.
- The aforementioned digital key pictures include: a passport picture, ID picture, signature, fingerprint picture, or iris picture of a legally authorized user (legal person) of the deep neural network, or any picture that can determine the user's identity.
- The above-mentioned digital key pictures include: any picture that can determine the identity (ID) of the legal person that owns the deep neural network, such as its corporate trademark or company logo.
- ID Identity (of a legal person)
- The above-mentioned digital key pictures include: the legal-person trademark or company logo of a legally authorized user of the deep neural network, or any picture that can determine the user's legal-person identity (ID).
- The aforementioned digital key includes one or more sets of any pre-selected, undisclosed voice signals; the digital key voice signal is distributed only to legally authorized users of the deep neural network.
- The aforementioned digital key voice signal includes any voice signal that can determine the identity of the owner of the deep neural network, such as a voiceprint recording of the owner.
- The aforementioned digital key voice signal includes a voiceprint recording of a legally authorized user (legal person) of the deep neural network, or any voice signal that can determine the user's identity.
- The aforementioned digital key includes one or more sets of any pre-selected, undisclosed digital passwords; the digital password is selected by a legally authorized user of the deep neural network.
- The above-mentioned digital key includes one or more sets of any pre-selected, undisclosed digital passwords; the digital password is generated by a legally authorized user of the deep neural network through a specific password-generation tool.
- The above-mentioned digital key includes one or more sets of any pre-selected, non-public digital passwords; the digital password is selected by the legal person that owns the deep neural network.
- The above-mentioned digital key includes one or more sets of any pre-selected, undisclosed digital passwords; the digital password is generated by the legal person that owns the deep neural network through a specific password-generation tool (a hedged sketch of one such derivation appears below).
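The patent does not specify the password-generation tool; as an assumed, illustrative stand-in only, a password can be expanded into numeric key material with a cryptographic hash:

```python
import hashlib
import numpy as np

def password_to_key(password: str, length: int = 16) -> np.ndarray:
    """Expand a chosen password into `length` floats in [0, 1) by
    counter-mode hashing; a hypothetical 'password generation tool'."""
    material = b''
    counter = 0
    while len(material) < length * 4:
        material += hashlib.sha256(password.encode() + bytes([counter])).digest()
        counter += 1
    ints = np.frombuffer(material[:length * 4], dtype=np.uint32)
    return ints.astype(np.float64) / 2**32

print(password_to_key("correct horse battery staple")[:4])
```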
- A system that uses a self-locking mechanism to protect a deep neural network includes: a first module that self-locks the deep neural network in cooperation with a predetermined digital key and learning-and-training data samples, to obtain the self-locking deep neural network; a second module for legal use of the self-locking deep neural network in cooperation with the predetermined digital key; a third module that protects the self-locking deep neural network when the predetermined digital key is not given; and a fourth module that, in conjunction with the predetermined digital key, determines the ownership of an illegally unlocked deep neural network.
- the second module, the third module, and the fourth module may physically have a common reusable sub-module, but they are implemented independently of each other in terms of functions.
- The first module is further configured to perform the following steps: training and updating the first-part network parameters of the deep neural network according to the learning-and-training data samples (with or without annotation information), where the first-part network parameters participate in realizing the predetermined function of the deep neural network and, together with the predetermined digital key, determine the values of the second-part network parameters; and calculating and updating the second-part network parameters during the training process according to the predetermined digital key and the values of the first-part network parameters, to obtain the predetermined function of the deep neural network, where the predetermined function includes at least one of the following: image classification, natural language processing.
- the second module is further configured to perform the following steps: calculate and set the value of the second part of the network parameter according to the first part of the network parameter and the predetermined digital key; A part of the network parameters and the second part of the network parameters control the self-locking deep neural network to perform data processing operations.
- The third module is further configured to perform the following steps: obtaining a non-predetermined digital key and the illegally copied first-part network parameters, and calculating abnormal second-part network parameters; and using the illegally copied first part together with the abnormal second part to obtain the second characteristic information of missing function or degraded performance.
- The fourth module is further configured to perform the following steps: in the case that the self-locking deep neural network has been illegally unlocked, removing the second-part network parameters from the illegally unlocked deep neural network; using the predetermined digital key to use and display the predetermined function of the deep neural network, obtaining a first result; using a non-predetermined digital key to use and display that the deep neural network cannot perform the predetermined function, or that its performance declines by a degree consistent with the expected amplitude, obtaining a second result; and combining the first and second results to determine that the predetermined digital key is associated with the first-part network parameters, where the association was given when the deep neural network was generated.
- A terminal that uses a self-locking mechanism to protect a deep neural network includes: a processor, a memory, a communication interface, and a communication bus.
- the processor, the memory, and the communication interface communicate with each other through the communication bus;
- The memory is configured to store at least one executable instruction, and the executable instruction causes the processor to execute the aforementioned deep neural network self-locking protection method.
- Alternatively, the memory is configured to store at least one executable instruction and the deep neural network itself, and the executable instruction causes the processor to execute the aforementioned deep neural network self-locking protection.
- A computer-readable storage medium stores digital information for protecting a deep neural network using the self-locking mechanism described above, including: a predetermined digital key for the self-locking mechanism; learning-and-training data samples for the self-locking mechanism; executable instructions for self-locking an arbitrary deep neural network in cooperation with the predetermined digital key and the learning-and-training data samples; executable instructions for legal use of the self-locking deep neural network in cooperation with the predetermined digital key; executable instructions that protect the self-locking deep neural network when the predetermined digital key is not given; and executable instructions that, in conjunction with the predetermined digital key, prove the ownership of an illegally unlocked deep neural network.
- FIG. 1 is a flow chart of the method of using a self-locking mechanism to protect a deep neural network according to an optional embodiment of the present disclosure.
- Fig. 2 is a flow chart of the steps of a method for preparing and obtaining a deep neural network with a self-locking mechanism according to an alternative embodiment of the present disclosure.
- FIG. 3 is a flow chart of the steps of a method for using a deep neural network with a self-locking mechanism according to an optional embodiment of the present disclosure.
- FIG. 4 is a flow chart of the steps of a method for protecting a deep neural network with a self-locking mechanism according to an optional embodiment of the present disclosure.
- FIG. 5 is a flow chart of the steps of a method for determining the ownership of a deep neural network suspected of infringement according to an optional embodiment of the present disclosure.
- Fig. 6 is a schematic diagram of a basic functional layer of a deep residual network implemented by a combination of a convolutional layer and a self-locking layer of the network according to one of the optional embodiments of the present disclosure.
- Fig. 7 is a flow chart of the steps of a method for preparing a digital key according to an alternative embodiment of the present disclosure.
- FIG. 8 is a flowchart of the steps of a method for preparing a specific digital key using a single picture according to an optional embodiment of the present disclosure.
- FIG. 9 is a flowchart of steps for preparing a specific digital key using several pictures according to an optional embodiment of the present disclosure.
- Fig. 10 is a flowchart of steps for preparing a specific digital key using a number of digital information according to an optional embodiment of the present disclosure.
- Fig. 11 is a histogram of statistical results during normal use and network protection according to one of the alternative embodiments of the present disclosure.
- Fig. 12 is a diagram illustrating the extent of performance degradation of illegally unlocking a network according to an alternative embodiment of the present disclosure.
- FIG. 13 is a block diagram of a system structure of an arbitrary deep neural network for intellectual property protection according to an optional embodiment of the present disclosure.
- FIG. 14 is a schematic structural diagram of a first terminal according to an optional embodiment of the present disclosure.
- FIG. 15 is a schematic structural diagram of a second terminal according to an optional embodiment of the present disclosure.
- FIG. 16 is a schematic structural diagram of a third terminal according to an optional embodiment of the present disclosure.
- FIG. 17 is a schematic structural diagram of a fourth terminal according to an optional embodiment of the present disclosure.
Detailed Description of the Embodiments
- Embodiment 1 Referring to FIG. 1, there is shown a flowchart of the method for protecting a deep neural network using a self-locking mechanism according to Embodiment 1 of the present disclosure.
- This embodiment provides a method for using a self-locking mechanism to protect a deep neural network, which includes the following steps. Step S100: according to the structure information of the target network to be locked and the self-locking performance requirements, prepare and obtain a specific digital key that meets the requirements. Step S102: according to the specific digital key, the self-locking performance requirements, the training data samples, and the basic functions of the target network, prepare and obtain a deep neural network with a self-locking function that meets the basic functional requirements.
- Step S104: according to the provided correct digital key, open the basic functions of the network, process the input data, and obtain normal data processing results.
- Step S106: according to a provided incorrect digital key, block the basic functions of the network while processing the input data, obtaining severely degraded performance or failure to realize the basic functions of the network.
- Step S108: according to the provided correct digital key, display and prove the ownership of a suspected infringing deep neural network.
- Steps S104, S106, and S108 need not follow a particular temporal or logical order, and need not all be executed.
- Embodiment 2 Referring to FIG. 2, there is shown a flowchart of the steps of a method for preparing and obtaining a deep neural network with a self-locking mechanism according to a specific digital key, in the second embodiment of the present disclosure.
- the method for preparing and obtaining a deep neural network with a self-locking mechanism according to a specific digital key includes the following steps.
- Step S1020 Train and obtain the first part of the network parameters of the deep neural network according to the data samples with or without the label information.
- Step S1022 According to the undisclosed digital key and the values of the first part of the network parameters, calculate and obtain the values of the second part of the network parameters during the training process.
- Step S1024: according to the network performance, repeatedly train and update the first-part and second-part network parameters of the deep neural network, until the network performance reaches the design requirements.
- Embodiment 3 Referring to FIG. 3, there is shown a flowchart of the steps of a method for using a deep neural network with a self-locking mechanism according to a correct digital key, in the third embodiment of the present disclosure.
- the method of using a deep neural network with a self-locking mechanism according to a specific digital key includes the following steps.
- Step S1040 Calculate and obtain the correct value of the second part of the network parameter according to the provided correct digital key and the value of the first part of the network parameter.
- Step S1042: according to the first-part network parameters of the deep neural network and the correct values of the second-part network parameters, open the basic functions of the network to process the input data, and obtain normal data processing results.
- Embodiment 4 (referring to FIG. 4, the method for protecting a deep neural network with a self-locking mechanism) includes the following steps. Step S1060: according to a provided incorrect digital key and the values of the first-part network parameters, calculate and obtain incorrect values of the second-part network parameters.
- Step S1062: according to the first-part network parameters of the deep neural network and the incorrect second-part values, the basic functions of the network are locked while processing the input data, yielding severely degraded performance or failure to realize the basic functions of the network.
- Embodiment 5 Referring to FIG. 5, there is shown a flowchart of the method for determining the ownership of a suspected infringing deep neural network according to a specific digital key, in Embodiment 5 of the present disclosure.
- The method for determining the ownership of a suspected infringing deep neural network according to a specific digital key includes the following steps. Step S1080: remove the second-part network parameters of the illegally unlocked network, replace them using the correct digital key, and use and demonstrate that the network can perform its normal functions and obtain normal data processing results. Step S1082: remove the second-part network parameters of the illegally unlocked network and replace them using an incorrect digital key.
- FIG. 12 shows the degree of performance degradation of the illegally unlocked network when specific incorrect digital keys are used, according to an embodiment of the present disclosure.
- the dark histogram on the right represents the image recognition accuracy distribution when the correct digital key is used
- the other three histograms represent the image recognition accuracy distribution when the digital key with different degrees of error is used. Compare the histogram distribution obtained by illegally unlocking the network with the histogram distribution provided by the claimant to check whether they are consistent.
- Step S1084: combining the results of S1080 and S1082 above shows that the first-part network parameters of the unlocked network work only with the correct digital key provided, which proves that ownership of the network belongs to the claimant who provided the correct key.
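A hedged sketch of this S1080-S1084 verification, continuing the toy model above (the statistical comparison and the trial count are illustrative assumptions):

```python
def prove_ownership(W1_suspect, claimed_key, X_test, y_test, rng, trials=100):
    """Discard the infringer's second-part parameters, then compare the
    error under the claimant's key against errors under random keys."""
    def mse(key):
        return np.mean((run_network(X_test, W1_suspect, key) - y_test) ** 2)
    err_claimed = mse(claimed_key)
    err_random = [mse(rng.normal(size=len(claimed_key))) for _ in range(trials)]
    # Ownership is supported when only the claimed key restores function.
    return err_claimed, float(np.mean(err_random))
```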
- In an optional embodiment, all or part of the first-part network parameters are used as convolution kernels applied to the predetermined digital key, and the digital convolution operation jointly determines the second-part network parameters.
- The second-part network parameters of the aforementioned neural network may thus be calculated according to a formula of the form W2 = W1 ⊛ K, where ⊛ denotes the digital convolution of the predetermined digital key K with the first-part parameters W1 used as kernels.
- In another optional embodiment, all or part of the first-part network parameters are used as convolution kernels applied to the predetermined digital key, and a further mathematical transformation of the digital convolution result jointly determines the second-part network parameters, i.e. W2 = T(W1 ⊛ K).
- The mathematical transformation T includes the numerical average, maximum, minimum, median, etc.: any mathematical calculation that yields a deterministic result may be used.
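A minimal sketch of these two embodiments (NumPy, with illustrative shapes; the 'same'-mode convolution and the reduction axis are assumptions):

```python
import numpy as np

def derive_second_part(W1: np.ndarray, key: np.ndarray, transform=np.mean):
    """W2 = T(W1 ⊛ K): convolve the key with each first-part kernel,
    then reduce with a deterministic transform (mean/max/min/median...)."""
    conv = np.array([np.convolve(key, W1[:, c], mode='same')
                     for c in range(W1.shape[1])])
    return transform(conv, axis=1)

rng = np.random.default_rng(1)
W1, key = rng.normal(size=(16, 4)), rng.normal(size=16)
for T in (np.mean, np.max, np.min, np.median):
    print(T.__name__, derive_second_part(W1, key, T))
```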
- the above-mentioned digital convolution operation may be implemented using a convolution layer of a neural network.
- the second part of the network parameters of the above neural network can be used to realize the self-locking layer of the neural network.
- In an optional embodiment, the input and output signal processing of the self-locking layer may be calculated according to a formula of the form y = γ ⊙ x + β, where x is the layer input, y the output, ⊙ denotes element-wise (or channel-wise) multiplication, and the scaling factor γ and bias term β are second-part network parameters derived from the digital key, consistent with the batch-normalization embodiments below.
- the convolutional layer and the self-locking layer of the network can be combined to implement more complex deep neural network functions.
- the convolutional layer and the self-locking layer of the network can be combined to implement the basic functional layer of the deep residual network.
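As a hedged illustration of such a combined basic functional layer (a dense transform standing in for the convolution layer, followed by the self-locking layer; all derivations of γ and β are assumptions):

```python
import numpy as np

def self_lock_layer(x, gamma, beta):
    """Self-locking layer: per-channel affine transform y = gamma * x + beta,
    with gamma/beta being second-part parameters derived from the key."""
    return gamma[None, :] * x + beta[None, :]

def locked_block(x, W, key):
    """Toy 'basic functional layer' (cf. FIG. 6): transform, self-lock, ReLU."""
    h = x @ W                                   # stands in for convolution
    gamma = np.array([np.convolve(key, W[:, c], mode='valid').mean()
                      for c in range(W.shape[1])])
    beta = np.array([np.convolve(key[::-1], W[:, c], mode='valid').mean()
                     for c in range(W.shape[1])])
    return np.maximum(self_lock_layer(h, gamma, beta), 0.0)

rng = np.random.default_rng(2)
x, W, key = rng.normal(size=(5, 16)), rng.normal(size=(16, 8)), rng.normal(size=16)
print(locked_block(x, W, key).shape)  # (5, 8)
```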
- the first partial network level may be a convolutional layer or a fully connected layer.
- The second portion of the network hierarchy may be a batch normalization layer.
- In combination with the network structure provided by an embodiment of the present disclosure, the parameter of the second-part network layer may be the bias term of the batch normalization layer.
- the parameter of the second partial network layer may be a scaling factor of the batch normalization layer.
- The parameters of the second-part network layer may be both the bias term and the scaling factor of the batch normalization layer.
- The second part of the network hierarchy may be an additional key transformation layer, or any network layer that implements scale conversion and bias functions.
- the parameters of the second part of the network layer may be a bias term and a scaling factor of the key transformation layer.
- The bias term and the scaling factor of the key transformation layer may operate element-wise.
- The bias term and the scaling factor of the key transformation layer may operate channel-wise.
- The bias term and the scaling factor of the key transformation layer may use a hybrid of element-wise and channel-wise operation.
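The three modes differ only in broadcasting granularity; a brief NumPy illustration (the hybrid combination shown is just one possible mix):

```python
import numpy as np

x = np.random.rand(2, 3, 4, 4)           # (batch, channels, height, width)

# channel-wise: one scale/bias per channel, broadcast over space
g_ch, b_ch = np.random.rand(3, 1, 1), np.random.rand(3, 1, 1)
y_channel = g_ch * x + b_ch

# element-wise: one scale/bias per individual activation
g_el, b_el = np.random.rand(3, 4, 4), np.random.rand(3, 4, 4)
y_element = g_el * x + b_el

# hybrid: e.g. element-wise scale combined with channel-wise bias
y_hybrid = g_el * x + b_ch
```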
- Embodiment 6 Referring to FIG. 7, there is shown a flowchart of the steps of a method for preparing a digital key according to network structure information, in Embodiment 6 of the present disclosure.
- the method for preparing a digital key according to network structure information includes the following steps.
- Step S1000: according to the structure information of the network, determine the structural size of the digital key at each level.
- Step S1002: prepare a specific digital key according to the structural size of the digital key. Different key usage requirements call for different preparation steps.
- Referring to FIG. 8, step S10020 prepares a specific digital key using a single picture according to the structural size of the digital key, as follows.
- Step S100200: select a specific picture (including, for example, a personal identification photo, a company trademark picture, or a logo).
- Step S100202: using the deep neural network without self-lock protection, normally process the selected single picture.
- Step S100204: collect the output results of the intermediate layer while processing the picture.
- Step S100206: use the selected picture and the collected intermediate-layer output results as the finally obtained digital key.
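A hedged sketch of steps S100202-S100206 (the two-layer stand-in network, the tanh nonlinearity, and the dictionary packaging are assumptions):

```python
import numpy as np

rng = np.random.default_rng(3)
# stand-in for the unlocked network: two layers, hooked at the hidden layer
W_a, W_b = rng.normal(size=(64, 32)), rng.normal(size=(32, 10))

def forward_collect(img_vec):
    """Process the picture normally and collect the intermediate-layer
    output (steps S100202-S100204)."""
    hidden = np.tanh(img_vec @ W_a)   # intermediate-layer output
    logits = hidden @ W_b
    return logits, hidden

picture = rng.random(64)              # flattened ID photo / logo (toy)
_, intermediate = forward_collect(picture)
digital_key = {"picture": picture, "intermediate": intermediate}  # S100206
```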
- Referring to FIG. 9, step S10022 prepares a specific digital key using several pictures according to the structural size of the digital key. Compared with the digital key prepared in step S10020, the digital key prepared in step S10022 can provide stronger protection.
- Step S100220: select a number of specific pictures (including, for example, several personal identification photos, company trademark pictures, or logos).
- Step S100222: using a deep neural network that is not protected by a lock, normally process the selected pictures.
- Step S100224: collect the output results of the intermediate layer while processing the pictures, each picture corresponding to one set of results.
- Referring to FIG. 10, step S10024 prepares a specific digital key using a number of pieces of digital information according to the structural size of the digital key.
- Step S100240: select a number of specific pieces of digital information (including, for example, personal voice signals, digital passwords, etc.).
- Step S100242: using a deep neural network that is not protected by a lock, normally process the selected digital information.
- Step S100244: collect the output results of the intermediate layer while processing the digital information, each type of input corresponding to one set of results.
- The digital key prepared according to step S10024 can draw on more comprehensive digital information (not limited to pictures) to prove ownership.
- Embodiment 7 Referring to FIG. 11, there is shown a histogram of statistical results when an embodiment of the present disclosure is applied to a locked picture-recognition deep neural network, under normal use and under protection.
- the horizontal axis in the figure is the image recognition accuracy rate, and the vertical axis is the histogram distribution of the results of multiple experiments.
- The vertical line with height 1.0 on the right represents the image recognition accuracy (about 92%) of the original, unlocked network on the CIFAR10 test set.
- The histogram on the right of the figure represents the distribution of image recognition accuracy when the locked network is used normally with the correct digital key, across several locking experiments. The average value is still about 92%; that is, the image recognition function of the original network is not affected by the self-locking mechanism.
- The histogram on the left of the figure represents the distribution of image recognition accuracy of the protected network when incorrect keys are provided, across several experiments. The average value is about 10%, which is equivalent to random guessing; that is, the image recognition function of the original network is completely suppressed by the self-locking mechanism.
- Embodiment 8 shows a block diagram of a system structure that uses a self-locking mechanism to protect a deep neural network according to an embodiment of the present disclosure.
- the system that uses a self-locking mechanism to protect the deep neural network in this embodiment includes the following modules.
- the module M100 is set to prepare and obtain a specific digital key that meets the requirements according to the target network structure information to be locked and the self-locking performance requirements.
- the module M102 is set to prepare and obtain a deep neural network with self-locking function that meets the basic function requirements according to a specific digital key, self-locking performance requirements, training data samples, and basic functions of the target network.
- the module M104 is set to process the input data according to the correct digital key provided, open the basic functions of the network, and obtain normal data processing results.
- the module M106 is set to block the basic functions of the network according to the incorrect digital key provided, process the input data, and obtain the result that the performance is severely degraded or the basic functions of the network cannot be realized.
- Module M108 is set to display and prove the ownership of the suspected infringing deep neural network based on the correct digital key provided.
- The modules M104, M106, and M108 need not follow a particular temporal or logical order, and therefore need not all be included in the same physical system.
- Embodiment 9 Referring to FIG. 14, there is shown a schematic structural diagram of a first terminal according to Embodiment 9 of the present disclosure.
- The first terminal T110 includes a processor T1110, a communications interface T1120, a memory T1130, and a bus T1140.
- the processor T1110, the communication interface T1120, and the memory T1130 communicate with each other through the bus T1140.
- the communication interface T1120 is set to communicate with other devices, including other clients, servers, and shared storage.
- the processor T1110 is configured to execute the program T1100, which specifically executes the relevant steps in the foregoing method embodiment.
- the processor T1110 may be a central processing unit CPU, or an application specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present disclosure.
- The processor T1110 may be a central processing unit used in cloud computing centers, mobile devices, wearable devices, smart video terminals, in-vehicle devices and other carriers, IoT devices, etc., or a logic and numerical operation unit in a specific hardware architecture such as a graphics accelerator (GPU), tensor processor (TPU), or dedicated artificial intelligence chip.
- the storage T1130 is set to store files.
- the memory T1130 may include a high-speed RAM memory, and may also include a non-volatile memory (non-volatile memory), for example, at least one disk memory.
- the memory T1130 may also be a memory array.
- the storage T1130 can also be divided into blocks, and the blocks can be combined into a virtual volume according to certain rules.
- The foregoing program may be program code including computer operation instructions. The program can specifically be used to provide a method for preparing a digital key according to the network structure information, including: determining the structural size of the digital key at each level according to the network structure information.
- In an optional embodiment, according to the structural size of the digital key, a method for preparing a specific digital key using a single picture is provided, including: selecting a specific picture (including personal identification photos, company trademark pictures, logos, etc.); using a deep neural network without self-lock protection to normally process the selected picture; collecting the intermediate-layer output results produced while processing the picture; and using the selected picture and the collected intermediate-layer outputs as the finally obtained digital key.
- In an optional embodiment, according to the structural size of the digital key, a method for preparing a specific digital key using several pictures is provided, including: selecting several specific pictures (for example, several personal identification photos, company trademark pictures, logos, etc.); using a deep neural network without self-lock protection to normally process the selected pictures; collecting the intermediate-layer output results produced while processing the pictures, with each picture corresponding to a set of results; and using the several pictures and the collected intermediate-layer outputs as the finally obtained digital key.
- Embodiment 10 shows a schematic structural diagram of a second terminal according to Embodiment 10 of the present disclosure.
- The second terminal T120 includes a processor T1210, a communications interface T1220, a memory T1230, and a bus T1240.
- the processor T1210, the communication interface T1220, and the memory T1230 communicate with each other through the bus T1240.
- the communication interface T1220 is set to communicate with other devices, including other clients, servers, and shared storage.
- the processor T1210 is configured to execute the program T1200, which specifically executes the relevant steps in the foregoing method embodiment.
- the processor T1210 may be a central processing unit CPU, or an application specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present disclosure.
- The processor T1210 may be a central processing unit used in cloud computing centers, mobile devices, wearable devices, smart video terminals, in-vehicle devices and other carriers, IoT devices, etc., or a logic and numerical operation unit in a specific hardware architecture such as a graphics accelerator (GPU), tensor processor (TPU), or dedicated artificial intelligence chip.
- the memory T1230 is set to store files.
- the memory T1230 may include a high-speed RAM memory, and may also include a non-volatile memory (non-volatile memory), for example, at least one disk memory.
- the memory T1230 can also be a memory array.
- the storage T1230 can also be divided into blocks, and the blocks can be combined into a virtual volume according to certain rules.
- the foregoing program may be program code including computer operation instructions.
- The program can specifically be used to provide, according to a specific digital key, a method for preparing and obtaining a deep neural network with a self-locking mechanism, including: training and obtaining the first-part network parameters of the deep neural network based on data samples with or without annotation information; calculating and obtaining the second-part network parameters during the training process according to the undisclosed digital key and the first-part network parameters; and, according to the network performance, repeatedly training and updating the first-part and second-part network parameters of the deep neural network until the network performance reaches the design requirements.
- Embodiment 11 Referring to FIG. 16, the third terminal T130 includes a processor T1310, a communications interface T1320, a memory T1330, and a bus T1340.
- the processor T1310, the communication interface T1320, and the memory T1330 communicate with each other through the bus T1340.
- the communication interface T1320 is set to communicate with other devices, including other clients, servers, and shared storage.
- the processor T1310 is configured to execute the program T1300, which specifically executes the relevant steps in the foregoing method embodiment.
- the processor T1310 may be a central processing unit CPU, or an application specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present disclosure.
- The processor T1310 may be a central processing unit used in cloud computing centers, mobile devices, wearable devices, smart video terminals, in-vehicle devices and other carriers, IoT devices, etc., or a logic and numerical operation unit in a specific hardware architecture such as a graphics accelerator (GPU), tensor processor (TPU), or dedicated artificial intelligence chip.
- the memory T1330 is set to store files.
- the memory T1330 may include a high-speed RAM memory, and may also include a non-volatile memory (non-volatile memory), for example, at least one disk memory.
- the memory T1330 can also be a memory array.
- the storage T1330 can also be divided into blocks, and the blocks can be combined into a virtual volume according to certain rules.
- the foregoing program may be program code including computer operation instructions.
- the program can be specifically used to:
- A method of using a deep neural network with a self-locking mechanism, including: calculating and obtaining the correct values of the second-part network parameters according to the provided correct digital key and the values of the first-part network parameters; and, according to the first-part network parameters of the deep neural network and the correct second-part values, opening the basic functions of the network to process the input data and obtain normal data processing results.
- A method for protecting a deep neural network with a self-locking mechanism, including: calculating and obtaining incorrect values of the second-part network parameters according to a provided incorrect digital key and the values of the first-part network parameters; and, according to the first-part network parameters of the deep neural network and the incorrect second-part values, locking the basic functions of the network while processing the input data, yielding severely degraded performance or failure to realize the basic functions of the network.
- Embodiment 12 shows a schematic structural diagram of a fourth terminal according to Embodiment 12 of the present disclosure.
- The fourth terminal T140 includes a processor T1410, a communications interface T1420, a memory T1430, and a bus T1440.
- the processor T1410, the communication interface T1420, and the memory T1430 communicate with each other through the bus T1440.
- the communication interface T1420 is set to communicate with other devices, including other clients, servers, and shared storage.
- the processor T1410 is configured to execute the program T1400, which specifically executes the relevant steps in the foregoing method embodiment.
- the processor T1410 may be a central processing unit CPU, or an application specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present disclosure.
- The processor T1410 may be a central processing unit used in cloud computing centers, mobile devices, wearable devices, smart video terminals, in-vehicle devices and other carriers, IoT devices, etc., or a logic and numerical operation unit in a specific hardware architecture such as a graphics accelerator (GPU), tensor processor (TPU), or dedicated artificial intelligence chip.
- the memory T1430 is set to store files.
- the memory T1430 may include a high-speed RAM memory, and may also include a non-volatile memory (non-volatile memory), for example, at least one disk memory.
- the memory T1430 can also be a memory array.
- the storage T1430 can also be divided into blocks, and the blocks can be combined into a virtual volume according to certain rules.
- the foregoing program may be program code including computer operation instructions.
- A method for determining the ownership of a suspected infringing deep neural network based on a specific digital key, including: in an optional embodiment, removing the second-part network parameters of the illegally unlocked network and replacing them using the correct digital key, then using and showing that the network can perform its normal functions and obtain normal data processing results; in an optional embodiment, removing the second-part network parameters of the illegally unlocked network and replacing them using an incorrect digital key, then using and showing that the network cannot perform its normal functions and only yields severely degraded performance or fails to realize the basic functions of the network,
- with the degree of degradation consistent with expectations; and combining the above results to show that the first-part network parameters of the unlocked network work only with the correct digital key provided, which proves that ownership of the network belongs to the party providing the correct key.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910158611.1A CN109919303B (zh) | 2019-02-28 | 2019-02-28 | Intellectual property protection method, system and terminal for a deep neural network |
CN201910158611.1 | 2019-02-28 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2020173252A1 true WO2020173252A1 (zh) | 2020-09-03 |
Family
ID=66963044
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2020/072807 WO2020173252A1 (zh) | 2019-02-28 | 2020-01-17 | Method, system and terminal for protecting a deep neural network using a self-locking mechanism |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN109919303B (zh) |
WO (1) | WO2020173252A1 (zh) |
Families Citing this family (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109919303B (zh) * | 2019-02-28 | 2023-09-19 | 笵成科技南京有限公司 | Intellectual property protection method, system and terminal for a deep neural network |
CN110610082A (zh) * | 2019-09-04 | 2019-12-24 | 笵成科技南京有限公司 | DNN-based system and method for passports to resist blurring attacks |
CN112750064A (zh) | 2019-10-29 | 2021-05-04 | 阿里巴巴集团控股有限公司 | Watermark information embedding method and device |
CN111581671B (zh) * | 2020-05-11 | 2021-05-25 | 笵成科技南京有限公司 | Digital passport protection method combining a deep neural network with blockchain |
CN112395635B (zh) * | 2021-01-18 | 2021-05-04 | 北京灵汐科技有限公司 | Image processing, key generation, and training methods and devices, and computer-readable medium |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108629193A (zh) * | 2018-04-26 | 2018-10-09 | 成都大象分形智能科技有限公司 | Encryption protection system and method for artificial neural network models |
US20180341848A1 (en) * | 2016-01-06 | 2018-11-29 | International Business Machines Corporation | Personalized eeg-based encryptor |
CN108985448A (zh) * | 2018-06-06 | 2018-12-11 | 北京大学 | Standard framework structure for neural network representation |
CN109002883A (zh) * | 2018-07-04 | 2018-12-14 | 中国科学院计算技术研究所 | Convolutional neural network model computing device and computing method |
CN109919303A (zh) * | 2019-02-28 | 2019-06-21 | 范力欣 | Intellectual property protection method, system and terminal for a deep neural network |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108038544B (zh) * | 2017-12-04 | 2020-11-13 | 华南师范大学 | Neural network deep learning method and system based on big data and deep learning |
US10726858B2 (en) * | 2018-06-22 | 2020-07-28 | Intel Corporation | Neural network for speech denoising trained with deep feature losses |
- 2019-02-28: CN application CN201910158611.1A (publication CN109919303B), status Active
- 2020-01-17: WO application PCT/CN2020/072807 (publication WO2020173252A1), status Application Filing
Also Published As
Publication number | Publication date |
---|---|
CN109919303A (zh) | 2019-06-21 |
CN109919303B (zh) | 2023-09-19 |
Legal Events
Date | Code | Title | Description
---|---|---|---
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 20762295; Country of ref document: EP; Kind code of ref document: A1
| NENP | Non-entry into the national phase | Ref country code: DE
| 32PN | Ep: public notification in the ep bulletin as address of the addressee cannot be established | Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 180322)
| 122 | Ep: pct application non-entry in european phase | Ref document number: 20762295; Country of ref document: EP; Kind code of ref document: A1