WO2021042665A1 - Dnn-based method for protecting passport against fuzzy attack - Google Patents


Info

Publication number
WO2021042665A1
Authority
WO
WIPO (PCT)
Prior art keywords
passport
dnn
layer
signature
dnn model
Application number
PCT/CN2020/072809
Other languages
French (fr)
Chinese (zh)
Inventor
范力欣
范力颖
Original Assignee
笵成科技南京有限公司
Application filed by 笵成科技南京有限公司
Publication of WO2021042665A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G06N3/045 Combinations of networks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods

Definitions

  • the present disclosure relates to the field of passport security, and specifically to a method based on Deep Neural Networks (DNN) for passports to resist ambiguity attacks.
  • DNN: Deep Neural Networks
  • the watermark embedding methods used by related technologies in the field of machine learning can generally be divided into the following two types:
  • Method 1: feature-based methods, which embed the specified watermark into the network weights by adding additional optimization target constraints;
  • Method 2: trigger-set-based methods, which rely on adversarial training samples with specific labels, that is, a backdoor trigger set.
  • At least some of the embodiments of the present disclosure provide a method for passports to resist ambiguity attacks based on DNN.
  • with a genuine passport the performance remains unchanged; once a modified or forged passport is used, the network performance is severely degraded. The method is robust against removal attacks while also being able to resist ambiguity attacks.
  • the technical solutions adopted in the present disclosure are as follows:
  • a method based on DNN for passports to resist fuzzing attacks including a DNN model.
  • the ownership verification scheme of the DNN model includes an embedding process E, a fidelity evaluation process F, a signature verification process V, and a reversible process I.
  • the processing steps are as follows :
  • the embedding process E is a DNN learning process, which takes training data D as input, the training data includes trigger set data T or signature s, and optimizes the model N by minimizing the given loss function L;
  • Fidelity evaluation process F = {False, True}, used to evaluate whether the performance difference is less than the threshold, that is, (M - M_t) ≤ ε, where M is the DNN performance tested on a set of test data D, M_t is the target performance, ε is the threshold, and F is the fidelity evaluation result;
  • the feature-based and trigger-set-based methods use the combined loss function as follows:
  • λ_t, λ_r are the weights of the related hyperparameters
  • f(W, X_) is the prediction function that takes X_r or X_t as input and outputs the prediction value
  • L_c is the cross-entropy loss function between the prediction value and the target label y_r or y_T.
  • the DNN model based on the watermarking method of the trigger set also embeds a private passport and a trigger set, but does not distribute it.
  • the trigger set is a set of trigger images, and the ownership of a suspicious DNN model is detected and declared by remotely calling its service API: ownership is first declared in black-box mode, and then declared again through passport verification in white-box mode.
  • the trigger set images alternately minimize the original task loss and reduce the joint loss function containing the passport constraints.
  • the original task loss does not include the passport layer, and the GroupNormalisation algorithm is used.
  • the passport is a passport generated after random shuffling.
  • the specific method is: send a set of N selected images into a training DNN model with the same structure, and collect the N corresponding feature maps in each layer; among the N options, only one per layer is randomly selected as the passport. In particular, for a set of N basic images and a DNN model with L layers, a total of N^L possible passport combinations can be generated.
  • the DNN model based on the watermarking method of the trigger set uses the following steps to add the trainable noise component to the randomly selected basic image:
  • the DNN structure is pre-determined by the optimization model N, and after the DNN weights W are learned, the trigger set T or signature s is embedded in the model; the signature verification process V first calls the DNN prediction process with the trigger set samples T_x as input, and then checks whether the prediction function f generates the designated labels T_y with a false detection rate below the threshold.
  • the DNN model further includes a passport layer and a convolution layer.
  • the scale factor γ and the offset β of the passport layer depend on the convolution kernel W_p and the designated passport layer P.
  • the formula is as follows:
  • * represents the convolution operation
  • l is the layer index
  • X_p is the input of the passport layer
  • X_c is the input of the convolution layer
  • O() is the corresponding linear transformation output
  • P_γ^l and P_β^l are the passport layers from which the scale factor γ and the bias term β are derived, respectively;
  • each convolution layer is composed of several convolution units, the parameters of each convolution unit are optimized through the backpropagation algorithm, and the different features of the ambiguity attack are extracted by the convolution operation.
  • for a DNN model trained with the passport layer s_e = {P_γ^l, P_β^l}_l, the prediction performance M depends on the digital passport provided when the network is used, namely:
  • in the irreversible scheme, the fidelity evaluation result F depends on the presented signature s or trigger set T. If a forged passport s_t ≠ s_e is presented, the performance M deteriorates sharply and the performance difference exceeds the threshold ε_f.
  • the signature is an embedded binary signature.
  • the following symbol loss constraints are added to the combined loss function to force the scale factor to adopt a specified positive or negative sign:
  • B = {b_1, ..., b_C} ∈ {-1, 1}^C consists of the specified binary bits for the C convolution kernels
  • γ_0 is a positive control parameter, 0.1 by default, which encourages the scale factor value to exceed γ_0.
  • the parameters of the DNN model are divided into the public convolution layer parameters W and the hidden passport layer scale factor γ and bias term β.
  • W: the parameters of the DNN model
  • the deep neural networks targeted by the embodiments of the present disclosure include all the various forms mentioned above: different input signals, different types, different network structures, different application functions, and deep neural networks on different computing carriers, i.e. any neural network with the same principle, regardless of its operating environment.
  • neural networks can run on computer central processing units (CPU), graphics accelerators (GPU), tensor processors (TPU), dedicated artificial intelligence chips, cloud computing centers, mobile devices, wearable devices, smart video terminals, in-vehicle equipment and other vehicles, IoT devices, and other equipment.
  • the DNN-based method for passports to resist ambiguity attacks can be applied to the above-mentioned terminal devices to generate passports that resist ambiguity attacks.
  • the terminal equipment includes an embedding module, a fidelity evaluation module, a signature verification module, a reversible module, and a passport generation module.
  • the embedding module inputs training data D, including trigger set data T or signature s, and optimizes the model N by minimizing a given loss function L;
  • the fidelity evaluation module F evaluates whether the performance difference is less than a threshold, that is, (M - M_t) ≤ ε, where M is the DNN performance tested on a set of test data D, M_t is the target performance, ε is the threshold, and F is the fidelity evaluation result;
  • the signature verification module V checks whether the predetermined signature s or trigger set data T is successfully verified for the given neural network N;
  • a DNN verification scheme V of the reversible module for which a reversible process exists is defined as a reversible scheme; otherwise it is defined as an irreversible scheme;
  • the passport generation module sends a set of N selected images into the training DNN model with the same structure, and collects the N corresponding feature maps in each layer; among the N options, only one per layer is randomly selected as the passport.
  • a total of N^L possible passport combinations can be generated.
  • the DNN model embeds a private passport and trigger set but does not distribute them, and alternately minimizes the original task loss and reduces the joint loss function containing the passport constraints; the original task loss (such as CIFAR10 classification) does not include the passport layer.
  • Figure 1 is a structural diagram of the disclosed digital passport layer
  • Figure 2 is a diagram showing the performance of the DNN model of different passports of the present disclosure
  • Figure 3 is a diagram of an ownership verification scheme embedded with a private passport and trigger set but not distributed;
  • Figure 4 is a performance diagram of the disclosed CIFAR10 classification against attacks
  • Figure 5 is a diagram showing the performance of the disclosed CIFAR100 classification against attacks
  • Figure 6 is a performance diagram of the defensive power of the present disclosure
  • Figure 7 is a diagram of the passport and the trained DNN model distributed together with the ownership verification scheme
  • Figure 8 is a diagram of the ownership verification scheme in which the private passport is embedded in the DNN model but not distributed;
  • 1 is a fake passport
  • 2 is a passport obtained by reverse engineering
  • 3 is a valid passport
  • 4 is the original network DNN
  • 5 is Signature
  • 6 is CIFAR10
  • 7 is CIFAR100
  • 8 is fake1
  • 9 is fake2
  • 10 is valid
  • 11 is orig.
  • the overall technical idea of the present disclosure is to reveal the existence and effectiveness of the ambiguity attack.
  • the purpose of this attack is to question and shake the uniqueness of model ownership verification by forging the watermark of the DNN model. Furthermore, even without the original training data set, it is possible to forge the watermark at small computational cost through reverse engineering and thus carry out the ambiguity attack.
  • a DNN-based method for passports to resist ambiguity attacks is provided: with a genuine passport the performance remains unchanged, while once a modified or forged passport is used the network performance is severely degraded.
  • the method is robust against the removal attack and at the same time can resist the ambiguity attack.
  • this DNN-based method for passports to resist ambiguity attacks includes a DNN model.
  • Trans.L1 denotes the network trained on CIFAR10 with its weights fine-tuned on CIFAR100 (top row);
  • Trans.L2 denotes fine-tuning on Caltech-101 (bottom row).
  • the accuracy of the transfer task is outside the brackets, and that of the original task is inside the brackets.
  • WMDet. denotes the detection accuracy of the watermark, where the accuracy outside the brackets corresponds to after fine-tuning, and the accuracy inside the brackets corresponds to before fine-tuning.
  • Figure 1 depicts the architecture of the digital passport layer used in the ResNet layer. This is an example of the ResNet layer, including two convolutional layers and two passport layers.
  • P^l = {P_γ^l, P_β^l} is a digital passport.
  • F = Avg(W_p^l * P_{γ,β}^l) is the passport function for calculating the hidden parameters (i.e. γ and β), as given in formula (2).
  • Figure 2 shows the performance of the DNN model with different passports, comparing the CIFAR10 classification accuracy (in %) of the original network DNN 4, the DNN with a valid passport 3, the DNN with a fake passport 1, and the DNN with a passport 2 obtained by reverse engineering.
  • when a wrong passport is supplied, the corresponding scale factor γ and bias term β are calculated from that wrong passport and the network performance deteriorates significantly.
  • the DNN model provided with a valid passport 3 shows almost the same accuracy as the original network DNN 4, while the same DNN model using the fake passport 1 only achieves a classification rate of about 10%.
  • the key to the passport layer is to ensure the dependency between the scale factor, the bias term, and the network weights.
  • the weight distribution of the convolutional layer is the same as that of the original DNN without a passport layer;
  • c_γ^l and c_β^l are the constant values to which the parameters γ^l and β^l converge, and the scale factor can only take a positive or negative value away from zero.
  • the defense against ambiguity attacks shows the performance of the DNN with valid passports and with two different types of fake passports, namely the random attack fake1 (8) and the ambiguity attack fake2 (9).
  • the network performance differs greatly depending on the authenticity of the passport: the DNN model provided with a valid passport shows almost the same accuracy as the original DNN model.
  • for fake2 (9), it is assumed that the attacker has obtained the original training data set and attempts to reverse-infer the scale factor and bias terms by freezing the trained DNN weights.
  • AlexNet can only reach 84% at most, and ResNet can only reach 70% at most.
  • the attack success rate for AlexNet and ResNet is about 1%; for fake2 (9), the attack success rate is 44% for AlexNet and 35% for ResNet.
  • the threshold ε_f in Definition 1 can be set to 3% and 20% for AlexNet and ResNet, respectively. This fidelity evaluation process can effectively resist any potential ambiguity attack.
  • a large number of experimental studies have shown that it is impossible for adversaries to maintain the performance of the original DNN model using fake passports, regardless of whether the fake passports are randomly generated or reverse-inferred using the original training data set. This passport-dependent performance plays an indispensable role in the design of secure ownership verification schemes.
  • Equation 1: the combined loss function
  • Equation 5: the sign loss
  • Network ownership is automatically verified by the distributed passport. This ownership verification is robust to fine-tuning and pruning of the DNN weights.
  • ambiguity attacks cannot successfully forge a set of passports and signatures that maintains the network performance.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • General Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Artificial Intelligence (AREA)
  • Computational Linguistics (AREA)
  • Health & Medical Sciences (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Computer Security & Cryptography (AREA)
  • Biomedical Technology (AREA)
  • Biophysics (AREA)
  • Mathematical Physics (AREA)
  • Data Mining & Analysis (AREA)
  • Evolutionary Computation (AREA)
  • General Health & Medical Sciences (AREA)
  • Molecular Biology (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • Credit Cards Or The Like (AREA)
  • Editing Of Facsimile Originals (AREA)

Abstract

The present invention provides a DNN-based method for protecting a passport against the ambiguity (fuzzy) attack. The method comprises a DNN model, whose ownership verification scheme comprises an embedding process, a fidelity evaluation process, a signature verification process, and a reversible process. During ownership verification, a private passport and a trigger set are embedded but not distributed, which comprises: embedding the passport and embedding a group of trigger images; detecting and declaring the ownership of a suspicious DNN model by remotely calling a service API; first declaring the ownership in a black-box mode, and then declaring the ownership of the trigger set images again in a white-box mode by means of passport verification, alternately minimizing the original task loss and reducing a joint loss function containing passport constraints. The network performance changes significantly, over a range from 3% to 80%, for AlexNet and ResNet trained on the classification tasks CIFAR10 and CIFAR100. The similarity between the accuracy of a DNN model provided with a valid passport and the accuracy of the original network exceeds 90%, whereas the same DNN model using a fake passport achieves a classification accuracy of only about 10%.

Description

A method based on DNN for passports to resist ambiguity attacks
Technical field
The present disclosure relates to the field of passport security, and specifically to a method based on Deep Neural Networks (DNN) for passports to resist ambiguity attacks.
Background technique
At present, the watermark embedding methods used by related technologies in the field of machine learning can generally be divided into the following two types:
Method 1: Feature-based methods, which embed the specified watermark into the network weights by adding an additional optimization target constraint term;
Method 2: Trigger-set-based methods, which rely on adversarial training samples with specific labels, that is, a backdoor trigger set.
The watermarks embedded by the above two schemes have both been successfully shown to be robust against removal attacks, which mainly consist of modifications to the network weights such as fine-tuning or pruning.
Summary of the invention
At least some embodiments of the present disclosure provide a DNN-based method for passports to resist ambiguity attacks: with a genuine passport the performance remains unchanged, whereas once a modified or forged passport is used the network performance degrades severely; the method is robust against removal attacks while at the same time resisting ambiguity attacks. The technical solution adopted in the present disclosure is as follows:
A DNN-based method for passports to resist ambiguity attacks, including a DNN model. The ownership verification scheme of the DNN model includes an embedding process E, a fidelity evaluation process F, a signature verification process V, and a reversible process I. The processing steps are as follows:
S11: The embedding process E is a DNN learning process that takes training data D as input, where the training data includes trigger set data T or a signature s, and optimizes the model N by minimizing a given loss function L;
S12: The fidelity evaluation process F = {False, True} is used to evaluate whether the performance difference is less than a threshold, that is, (M - M_t) ≤ ε, where M is the DNN performance tested on a set of test data D, M_t is the target performance, ε is the threshold, and F is the fidelity evaluation result;
S13: The signature verification process V = {False, True} is used to check whether the predetermined signature s or trigger set data T is successfully verified for the given neural network N;
S14: When the following conditions are met, a reversible process I(N) = N' exists and a successful ambiguity attack A_a results:
a) For a given DNN model, a new set of trigger set data T' and/or signature s' is inferred through reverse engineering;
b) The forged T', s' can be successfully verified against the given DNN weights W, that is, V = True;
c) The fidelity evaluation result F is still True;
S15: A DNN verification scheme V for which a reversible process exists is defined as a reversible scheme V_l; otherwise it is defined as an irreversible scheme
Figure PCTCN2020072809-appb-000001
Optionally, the feature-based and trigger-set-based methods use the combined loss function as follows:
Figure PCTCN2020072809-appb-000002
where λ_t, λ_r are the weights of the related hyperparameters, f(W, X_) is the prediction function that takes X_r or X_t as input and outputs the prediction value, and L_c is the cross-entropy loss function between the prediction value and the target label y_r or y_T. The signature s = {P, B} consists of a passport P and a signature string B, and the constraint term is R = L_c(σ(W, P), B), or R = MSE(B - PW), where MSE is the mean squared error function.
Optionally, the DNN model of the trigger-set-based watermarking method also embeds a private passport and a trigger set but does not distribute them. The trigger set is a set of trigger images, and the ownership of a suspicious DNN model is detected and declared by remotely calling its service API: ownership is first declared in black-box mode, and then declared again through passport verification in white-box mode. The trigger set images alternately minimize the original task loss and reduce the joint loss function containing the passport constraint term; the original task loss does not include the passport layer, and the GroupNormalisation algorithm is used.
Optionally, the passport is a passport generated after random shuffling. The specific method is: send a set of N selected images into a training DNN model with the same structure, and collect the N corresponding feature maps in each layer; among the N options, only one per layer is randomly selected as the passport. Specifically, for a set of N basic images and a DNN model with L layers, a total of N^L possible passport combinations can be generated.
Optionally, the DNN model of the trigger-set-based watermarking method uses the following steps to add a trainable noise component to randomly selected basic images:
S31: Randomly select a set of N basic images T_b;
S32: Generate a random noise pattern T_n of the same size as the trainable parameter;
S33: Use the sum X_T = T_b + ηT_n as the trigger set image, where η = 0.04 so that the noise component is invisible;
S34: Randomly assign trigger set labels y_T;
S35: Minimize the cross-entropy loss L_c with respect to the trainable parameter T_n.
Optionally, the DNN architecture is pre-determined by the optimization model N, and after the DNN weights W are learned, the trigger set T or signature s is embedded in the model; the signature verification process V first calls the DNN prediction process with the trigger set samples T_x as input, and then checks whether the prediction function f generates the designated labels T_y with a false detection rate below the threshold.
Optionally, the DNN model further includes passport layers and convolution layers. The scale factor γ and offset β of a passport layer depend on the convolution kernel W_p and the designated passport P, as given by the following formulas:
Figure PCTCN2020072809-appb-000003
Figure PCTCN2020072809-appb-000004
where * denotes the convolution operation, l is the layer index, X_p is the input of the passport layer and X_c is the input of the convolution layer; O() is the corresponding linear-transformation output, and P_γ^l and P_β^l are the passports from which the scale factor γ and the bias term β are derived, respectively. Each convolution layer consists of several convolution units whose parameters are optimised by the back-propagation algorithm, and the different features relevant to an ambiguity attack are extracted through the convolution operation.
Optionally, for a DNN model trained with passport layers s_e = {P_γ^l, P_β^l}_l, the prediction performance M depends on the digital passport presented when the network is used, i.e.:
Figure PCTCN2020072809-appb-000005
If the genuine digital passport cannot be provided, s_t ≠ s_e, the network's performance deteriorates markedly.
Optionally, in an irreversible scheme
Figure PCTCN2020072809-appb-000006
the fidelity evaluation result F depends on the presented signature s or trigger set T. If a forged passport s_t ≠ s_e is presented, the performance M deteriorates sharply and the performance difference exceeds the threshold, i.e.
Figure PCTCN2020072809-appb-000007
where ε_f is the threshold.
Optionally, the signature is an embedded binary signature. During learning of the DNN weights, the following sign-loss constraint term is added to the combined loss function to force the scale factors to take the designated positive or negative signs:
Figure PCTCN2020072809-appb-000008
where B = {b_1, ···, b_C} ∈ {−1, 1}^C consists of the designated binary bits for the C convolution kernels, and γ_0 is a positive control parameter, 0.1 by default, which encourages the magnitude of the scale factors to exceed γ_0.
Optionally, the parameters of the DNN model are divided into the public convolution-layer parameters W and the hidden passport-layer scale factors γ and bias terms β. After the passport information has been embedded into the weights W and learning has completed, the following constraints are enforced: Avg(W_p^l * P_γ^l) = c_γ^l and Avg(W_p^l * P_β^l) = c_β^l; the distribution of the convolution-layer weights is the same as that of the original DNN without passport layers; c_γ^l and c_β^l are the constant values to which the parameters γ^l and β^l converge, and the scale factors may only take positive or negative values away from zero.
The deep neural networks addressed by the embodiments of the present disclosure include all of the forms mentioned above: deep neural networks with different input signals, of different types, with different network structures, with different application functions and on different computing carriers, as well as any neural network that is the same in principle, regardless of its operating environment. Optionally, the neural network may run on a computer central processing unit (CPU), graphics processing unit (GPU), tensor processing unit (TPU) or dedicated artificial-intelligence chip, and in devices such as cloud computing centres, mobile devices, wearable devices, smart video terminals, in-vehicle equipment and other vehicles, and Internet of Things (IoT) devices.
Optionally, the DNN-based method for passports resisting ambiguity attacks can be applied to the above terminal devices to generate passports that resist ambiguity attacks. The terminal device includes an embedding module, a fidelity evaluation module, a signature verification module, a reversibility module and a passport generation module.
Optionally, the embedding module takes training data D as input, including trigger-set data T or signature s, and optimises the model N by minimising a given loss function L;
Optionally, the fidelity evaluation module F evaluates whether the performance difference is below the threshold, i.e. (M − M_t) ≤ ε, where M is the DNN performance measured on a set of test data D, M_t is the target performance, ε is the threshold and F is the fidelity evaluation result;
Optionally, the signature verification module V checks whether the predetermined signature s or trigger-set data T is successfully verified for the given neural network N;
Optionally, the reversibility module I(N) = N' exists when the following conditions are met, and gives rise to a successful ambiguity attack A_a:
d) for the given DNN model, a new set of trigger-set data T' and/or signature s' is inferred by reverse engineering;
e) the forged T', s' are successfully verified against the given DNN weights W, i.e. V = True;
f) the fidelity evaluation result F is still True;
Optionally, a DNN verification scheme V for which such a reversibility module exists is defined as a reversible scheme; otherwise it is defined as an irreversible scheme;
Optionally, the passport generation module feeds a set of N selected images into a trained DNN model with the same structure and collects the N corresponding feature maps at each layer; among the N options, only one per layer is randomly selected as the passport. Thus, for a set of N base images and a DNN model with L layers, a total of N^L possible passport combinations can be generated.
From the above technical solutions it can be seen that the beneficial effects of the present disclosure are as follows: with a genuine passport the performance remains unchanged, whereas once a modified or forged passport is used the network performance degrades severely; the scheme is robust to removal attacks while at the same time resisting ambiguity attacks. The DNN model embeds a private passport and trigger set but does not distribute them, and alternately minimises the original task loss (for example CIFAR10 classification, which does not include the passport layer) and the joint loss function containing the passport constraint terms.
Description of the drawings
Figure 1 is an architecture diagram of the digital passport layer of the present disclosure;
Figure 2 shows the performance of the DNN model of the present disclosure with different passports;
Figure 3 is a diagram of the ownership verification scheme in which a private passport and trigger set are embedded but not distributed;
Figure 4 shows the performance of the present disclosure against attacks for CIFAR10 classification;
Figure 5 shows the performance of the present disclosure against attacks for CIFAR100 classification;
Figure 6 shows the defensive performance of the present disclosure;
Figure 7 is a diagram of the ownership verification scheme in which the passport is distributed together with the trained DNN model;
Figure 8 is a diagram of the ownership verification scheme in which a private passport is embedded in the DNN model but not distributed.
Reference numerals: 1 denotes a fake passport, 2 a passport obtained by reverse engineering, 3 a valid passport, 4 the original DNN, 5 Signature, 6 CIFAR10, 7 CIFAR100, 8 fake1, 9 fake2, 10 valid and 11 orig.
Detailed description
The overall technical concept of the present disclosure is to reveal the existence and effectiveness of ambiguity attacks, whose purpose is to question and undermine the uniqueness of model ownership verification by forging the watermark of a DNN model. Furthermore, even without the original training data set, a watermark can be forged by reverse engineering at a small computational cost in order to mount an ambiguity attack.
In one embodiment of the present disclosure, a DNN-based method for passports resisting ambiguity attacks is provided: with a genuine passport the performance remains unchanged, whereas once a modified or forged passport is used the network performance degrades severely; the method is robust to removal attacks while at the same time resisting ambiguity attacks.
The DNN-based method for passports resisting ambiguity attacks includes a DNN model whose ownership verification scheme comprises an embedding process E, a fidelity evaluation process F, a signature verification process V and a reversibility process I. The processing steps are as follows:
S11: the embedding process E is the DNN learning process, which takes training data D as input, including trigger-set data T or signature s, and optimises the model N by minimising a given loss function L;
S12: the fidelity evaluation process F = {False, True} evaluates whether the performance difference is below the threshold, i.e. (M − M_t) ≤ ε, where M is the DNN performance measured on a set of test data D, M_t is the target performance, ε is the threshold and F is the fidelity evaluation result;
S13: the signature verification process V = {False, True} checks whether the predetermined signature s or trigger-set data T is successfully verified for the given neural network N;
S14: when the following conditions are met, a reversibility process I(N) = N' exists and gives rise to a successful ambiguity attack A_a:
a) for the given DNN model, a new set of trigger-set data T' and/or signature s' is inferred by reverse engineering;
b) the forged T', s' are successfully verified against the given DNN weights W, i.e. V = True;
c) the fidelity evaluation result F is still True;
S15: a DNN verification scheme V for which a reversibility process exists is defined as a reversible scheme V_l; otherwise it is defined as an irreversible scheme
Figure PCTCN2020072809-appb-000009
Optionally, the feature-based and trigger-set-based methods use the following combined loss function:
Figure PCTCN2020072809-appb-000010
where λ_t and λ_r are the weights of the respective hyperparameter terms, f(W, X_·) is the prediction function that takes X_r or X_T as input and outputs the predicted values, and L_c is the cross-entropy loss between the predicted values and the target labels y_r or y_T. The signature s = {P, B} consists of the passport P and the signature string B; the constraint term is R = L_c(σ(W, P), B) or R = MSE(B − PW), where MSE is the mean squared error function.
Table 1 below shows the effect of the combined loss function used by the feature-based and trigger-set-based watermarking methods:
Table 1
Figure PCTCN2020072809-appb-000011
Table 1 gives the accuracy of watermark detection before and after fine-tuning for a transfer-learning task. Trans.L1 denotes a network trained on CIFAR10 and fine-tuned on CIFAR100 (top row); Trans.L2 denotes fine-tuning on Caltech-101 (bottom row). Values outside the brackets are the accuracy on the transfer task and values inside the brackets the accuracy on the original task. WMDet. denotes the watermark detection accuracy, where the values outside the brackets correspond to after fine-tuning and those inside the brackets to before fine-tuning.
For a DNN model performing a classification task, the network performance M = L_c obtained with the test data set D_t = {X_T, y_T} is independent of the embedded signature s or trigger set T; it is precisely this independence that makes all existing watermark-based methods reversible.
As shown in Figure 3, the DNN model of the trigger-set-based watermarking method also embeds a private passport and a trigger set but does not distribute them. The trigger set is a set of trigger images, and ownership of a suspicious DNN model is probed and claimed by remotely calling its service API: ownership is first claimed in black-box mode, and then claimed again through passport verification in white-box mode. Training with the trigger-set images alternately minimises the original task loss and the joint loss function containing the passport constraint terms; the original task loss does not include the passport layer, and the GroupNormalisation algorithm is used.
The above passport is generated by random shuffling. In an optional embodiment, a set of N selected images is fed into a trained DNN model with the same structure, and the N corresponding feature maps are collected at each layer; among the N options, only one per layer is randomly selected as the passport. Thus, for a set of N base images and a DNN model with L layers, a total of N^L possible passport combinations can be generated.
The DNN model of the trigger-set-based watermarking method adds a trainable noise component to randomly selected base images using the following steps:
S31: randomly select a set of N base images T_b;
S32: generate a random noise pattern T_n of the same size as the trainable parameters;
S33: use the sum X_T = T_b + η·T_n as the trigger-set image, where η = 0.04 so that the noise component is invisible;
S34: randomly assign the trigger-set labels y_T;
S35: minimise the cross-entropy loss L_c with respect to the trainable parameter T_n.
The DNN architecture is predetermined by the model N to be optimised, and after the DNN weights W have been learned, the trigger set T or signature s is embedded in the model. The signature verification process V first calls the DNN prediction process with the trigger-set samples T_x as input, and then checks whether the prediction function f produces the designated labels T_y with a false detection rate below the threshold.
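Steps S31 to S35 and the verification process V above, together with the fidelity test F of S12, as an added pure-Python example that is not part of the patent text: a constructed three-class linear predictor stands in for the trained DNN f(W, ·), the base images and trigger labels are constructed values, and the learning rate, step count and 5% verification threshold are assumptions.

```python
import math
import random

# Constructed stand-in for the trained predictor f(W, x): 3 classes over 3-pixel "images".
# A real DNN would sit here; only the frozen weights W matter for steps S32-S35.
W_TRAINED = [[1.0, 0.2, 0.0],
             [0.0, 1.0, 0.2],
             [0.2, 0.0, 1.0]]
# S31: constructed set of N = 4 base images T_b.  S34: constructed trigger labels y_T
# (the page assigns them at random; fixed here so the run is reproducible).
BASE_IMAGES = [[0.9, 0.2, 0.1], [0.1, 0.8, 0.3], [0.2, 0.1, 0.9], [0.6, 0.5, 0.4]]
TRIGGER_LABELS = [2, 0, 1, 2]
ETA = 0.04  # the page's eta: keeps the noise component invisible in X_T = T_b + eta*T_n


def predict(W, x):
    """f(W, x): linear logits followed by softmax; returns the class probability vector."""
    z = [sum(w * v for w, v in zip(row, x)) for row in W]
    m = max(z)
    e = [math.exp(v - m) for v in z]
    s = sum(e)
    return [v / s for v in e]


def argmax(p):
    return max(range(len(p)), key=p.__getitem__)


def cross_entropy(p, y):
    """L_c between the predicted distribution p and the target label y."""
    return -math.log(max(p[y], 1e-12))


def build_trigger_set(W, T_b, y_T, eta=ETA, steps=500, lr=200.0, seed=0):
    """S32-S35: draw a random noise pattern T_n of the same size as the images, form
    X_T = T_b + eta*T_n and minimise L_c(f(W, X_T), y_T) with respect to T_n only.
    W stays frozen; lr and steps are assumed values, not taken from the page."""
    rng = random.Random(seed)
    T_n = [[rng.uniform(-1.0, 1.0) for _ in img] for img in T_b]           # S32
    for _ in range(steps):
        for n, (base, y) in enumerate(zip(T_b, y_T)):
            x = [b + eta * t for b, t in zip(base, T_n[n])]                 # S33
            p = predict(W, x)
            d_logits = [pk - (1.0 if k == y else 0.0) for k, pk in enumerate(p)]
            d_x = [sum(W[k][i] * d_logits[k] for k in range(len(W))) for i in range(len(x))]
            # chain rule: dL_c/dT_n = eta * dL_c/dX_T; gradient step on T_n only   # S35
            T_n[n] = [t - lr * eta * g for t, g in zip(T_n[n], d_x)]
    X_T = [[b + eta * t for b, t in zip(base, noise)] for base, noise in zip(T_b, T_n)]
    return X_T, T_n


def false_detection_rate(W, X, y):
    """Fraction of trigger samples for which f does not return the designated label."""
    misses = sum(argmax(predict(W, x)) != label for x, label in zip(X, y))
    return misses / len(X)


def verify_trigger_set(W, X_T, y_T, threshold=0.05):
    """Signature verification V: True when the false detection rate does not exceed
    the threshold (the page leaves the value open; 5% is assumed here)."""
    return false_detection_rate(W, X_T, y_T) <= threshold


def mean_loss(W, X, y):
    """Performance M = L_c averaged over a data set, as used by the fidelity test."""
    return sum(cross_entropy(predict(W, x), label) for x, label in zip(X, y)) / len(X)


def fidelity(M, M_t, eps):
    """Fidelity evaluation F: True when the performance gap (M - M_t) <= eps."""
    return (M - M_t) <= eps


if __name__ == "__main__":
    print("before embedding, false detection rate:",
          false_detection_rate(W_TRAINED, BASE_IMAGES, TRIGGER_LABELS))
    X_T, T_n = build_trigger_set(W_TRAINED, BASE_IMAGES, TRIGGER_LABELS)
    print("after S35, false detection rate:",
          false_detection_rate(W_TRAINED, X_T, TRIGGER_LABELS))
    print("V =", verify_trigger_set(W_TRAINED, X_T, TRIGGER_LABELS))
    # M is computed from W on test data and never looks at X_T: this is the
    # independence the page names as the reason trigger-set schemes are reversible.
    M = mean_loss(W_TRAINED, BASE_IMAGES, [0, 1, 2, 0])
    print("F =", fidelity(M, M, eps=0.01))
```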
The DNN model further includes passport layers and convolution layers. The scale factor γ and offset β of a passport layer depend on the convolution kernel W_p and the designated passport P, as given by the following formulas:
Figure PCTCN2020072809-appb-000012
Figure PCTCN2020072809-appb-000013
where * denotes the convolution operation, l is the layer index, X_p is the input of the passport layer and X_c is the input of the convolution layer; O() is the corresponding linear-transformation output, and P_γ^l and P_β^l are the passports from which the scale factor γ and the bias term β are derived, respectively. Each convolution layer consists of several convolution units whose parameters are optimised by the back-propagation algorithm, and the different features relevant to an ambiguity attack are extracted through the convolution operation.
Figure 1 depicts the architecture of the digital passport layer used in a ResNet layer; the example ResNet layer contains two convolution layers and two passport layers. P^l = {P_γ^l, P_β^l} is the digital passport. F = Avg(W_p^l * P_{γ,β}^l) is the passport function that computes the hidden parameters (i.e. γ and β), as already given in formula (2).
Figure 2 shows the performance of the DNN model with different passports, comparing the distributions of CIFAR10 classification accuracy (in %, on the x-axis) of the original network DNN 4, the DNN with the valid passport 3, the DNN with the fake passport 1 and the DNN with the passport 2 obtained by reverse engineering.
For a DNN model trained with passport layers s_e = {P_γ^l, P_β^l}_l, the prediction performance M depends on the digital passport presented when the network is used, as follows:
Figure PCTCN2020072809-appb-000014
If the genuine digital passport cannot be provided, s_t ≠ s_e, the network's performance deteriorates markedly, because the corresponding scale factor γ and bias term β are computed from the wrong passport. For example, as shown in Figure 2, the DNN model presented with the valid passport 3 shows almost the same accuracy as the original network DNN 4, whereas the same DNN model using the fake passport 1 achieves a classification rate of only about 10%. The key property of the passport layer is that it guarantees the dependency between the scale factors, the bias terms and the network weights.
In an irreversible scheme
Figure PCTCN2020072809-appb-000015
the fidelity evaluation result F depends on the presented signature s or trigger-set data T. If a forged passport s_t ≠ s_e is presented, the performance M deteriorates sharply and the performance difference exceeds the threshold, i.e.
Figure PCTCN2020072809-appb-000016
where ε_f is the threshold.
The signature is an embedded binary signature. During learning of the DNN weights, the following sign-loss constraint term is added to the combined loss function to force the scale factors to take the designated positive or negative signs:
Figure PCTCN2020072809-appb-000017
where B = {b_1, ···, b_C} ∈ {−1, 1}^C consists of the designated binary bits for the C convolution kernels, and γ_0 is a positive control parameter, 0.1 by default, which encourages the magnitude of the scale factors to exceed γ_0.
The parameters of the DNN model are divided into the public convolution-layer parameters W and the hidden passport-layer scale factors γ and bias terms β. After the passport information has been embedded into the weights W and learning has completed, the following constraints are enforced: Avg(W_p^l * P_γ^l) = c_γ^l and Avg(W_p^l * P_β^l) = c_β^l; the distribution of the convolution-layer weights is the same as that of the original DNN without passport layers; c_γ^l and c_β^l are the constant values to which the parameters γ^l and β^l converge, and the scale factors may only take positive or negative values away from zero.
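The passport-layer computation described above (γ and β derived as Avg(W_p * P) from the presented passport, the output O(X_c), and the sign-based binary signature B with γ_0 = 0.1), as an added pure-Python example that is not part of the patent; the kernels, passports, layer input and signature are constructed toy values, and the hinge form of the sign loss is an assumption, since the page gives γ_0 but not the loss formula itself.

```python
# Constructed toy values: C = 2 convolution kernels W_p (2x2), a 3x3 genuine passport
# pair (P_gamma, P_beta), a 3x3 layer input X_c and the embedded sign signature B.
KERNELS = [[[1, 0], [0, 1]],
           [[0, -1], [-1, 0]]]
P_GAMMA = [[1, 2, 3], [4, 5, 6], [7, 8, 9]]
P_BETA = [[0, 1, 0], [1, 0, 1], [0, 1, 0]]
X_C = [[1, 1, 1], [1, 1, 1], [1, 1, 1]]
SIGNATURE = [1, -1]  # B in {-1, 1}^C: designated sign of each kernel's scale factor


def conv2d_valid(kernel, img):
    """The page's '*': 2-D cross-correlation of one kernel over one single-channel map
    with 'valid' padding, so the output shrinks by the kernel size minus one."""
    kh, kw = len(kernel), len(kernel[0])
    h, w = len(img), len(img[0])
    return [[sum(kernel[a][b] * img[i + a][j + b] for a in range(kh) for b in range(kw))
             for j in range(w - kw + 1)]
            for i in range(h - kh + 1)]


def avg(mat):
    return sum(sum(row) for row in mat) / (len(mat) * len(mat[0]))


def passport_params(kernels, P_gamma, P_beta):
    """Hidden passport-layer parameters: gamma_c = Avg(W_p^c * P_gamma) and
    beta_c = Avg(W_p^c * P_beta). After training they equal the constants
    c_gamma, c_beta only when the genuine passport is presented."""
    gammas = [avg(conv2d_valid(W, P_gamma)) for W in kernels]
    betas = [avg(conv2d_valid(W, P_beta)) for W in kernels]
    return gammas, betas


def passport_layer(kernels, X_c, P_gamma, P_beta):
    """O_c(X_c) = gamma_c * (W_p^c * X_c) + beta_c for every channel c, with gamma and
    beta derived from whatever passport is presented at inference time."""
    gammas, betas = passport_params(kernels, P_gamma, P_beta)
    return [[[g * v + b for v in row] for row in conv2d_valid(W, X_c)]
            for W, g, b in zip(kernels, gammas, betas)]


def sign_loss(gammas, B, gamma0=0.1):
    """Assumed hinge form of the sign-loss constraint: zero once every gamma_c carries
    the designated sign b_c with magnitude at least gamma0 (page gives gamma0 = 0.1 only)."""
    return sum(max(gamma0 - b * g, 0.0) for g, b in zip(gammas, B))


def verify_signature(kernels, P_gamma, P_beta, B):
    """Signature verification V: declared only if every sign(gamma_c) matches b_c exactly."""
    gammas, _ = passport_params(kernels, P_gamma, P_beta)
    return all(g * b > 0 for g, b in zip(gammas, B))


def negate(img):
    """Constructed forged passport: the genuine one with every pixel negated,
    which flips the sign of every derived gamma_c."""
    return [[-v for v in row] for row in img]


FAKE_P_GAMMA = negate(P_GAMMA)

if __name__ == "__main__":
    g, b = passport_params(KERNELS, P_GAMMA, P_BETA)
    print("genuine gamma, beta:", g, b)  # [10.0, -10.0] [1.0, -1.0]
    print("genuine output:", passport_layer(KERNELS, X_C, P_GAMMA, P_BETA))
    print("V(genuine) =", verify_signature(KERNELS, P_GAMMA, P_BETA, SIGNATURE))
    print("sign loss (genuine):", sign_loss(g, SIGNATURE))
    fg, fb = passport_params(KERNELS, FAKE_P_GAMMA, P_BETA)
    print("forged gamma:", fg, "output:", passport_layer(KERNELS, X_C, FAKE_P_GAMMA, P_BETA))
    print("V(forged) =", verify_signature(KERNELS, FAKE_P_GAMMA, P_BETA, SIGNATURE))
    print("sign loss (forged):", sign_loss(fg, SIGNATURE))
```

The same weights W_p produce different γ, β and therefore a different layer output for the forged passport, which is the dependency the page relies on.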
Next, we test the robustness against fine-tuning, pruning and various ambiguity attacks experimentally.
Robustness against fine-tuning: Table 2 below shows the performance (%) of the passport networks and their robustness to fine-tuning, where BN = batch normalisation and GN = group normalisation (left: trained on CIFAR10 and transferred to the CIFAR100/Caltech-101 tasks; right: trained on CIFAR100 and transferred to CIFAR10/Caltech-101).
In this experiment, for each DNN model we embed the designated scale-factor signs and repeat the training five times. For all three ownership verification schemes, the passport signatures are detected with a 100% detection rate. As Table 2 shows, even after the network has been fine-tuned for other classification tasks (for example from CIFAR10 to Caltech-101), the embedded passport still maintains a 100% detection rate. Note that a passport signature is only declared as detected when all of its binary bits match exactly. We attribute this superior robustness to the unique control property of the scale factors: if a scale factor decreases towards zero, the channel output is almost zero, its gradient vanishes and loses momentum, so it cannot continue to move towards the opposite value and therefore cannot change sign. Empirically, no counterexample to this explanation has been observed, as Table 2 shows:
Table 2
Figure PCTCN2020072809-appb-000018
Robustness against pruning: Figures 4 and 5 show the DNN performance and the passport signature detection rate as a function of the proportion of pruned weights. In this experiment, the resistance of the passport-embedded model to attack is tested when a certain proportion of the DNN weights are pruned; this weight-pruning strategy has been used for network compression. For CIFAR10 classification, the passport signature detection accuracy remains close to 100% while the pruning percentage stays around 60%, and even when 90% of the DNN weights are pruned the detection rate still reaches 70%. We attribute this robustness against modification attacks to the superior persistence of features embedded in the signs of the scale factors.
Defence against ambiguity attacks: Figure 6 shows the DNN performance with a valid passport and with two different types of fake passport, namely the random attack fake1 (reference numeral 8) and the ambiguity attack fake2 (reference numeral 9). For AlexNet and ResNet trained on the CIFAR10 classification task, the network performance varies widely and depends on the authenticity of the passport: the DNN model presented with a valid passport shows almost the same accuracy as the original DNN model, while the same DNN model with a fake passport (fake1, the random attack, in this case) achieves a classification rate of only about 10%, which is merely equivalent to random guessing. In the fake2 case it is assumed that the attacker has obtained the original training data set and attempts to infer the scale factors and bias terms in reverse by freezing the trained DNN weights. As Figure 6 shows, AlexNet reaches at most 84% and ResNet at most 70%. In the CIFAR100 classification task, for the fake1 case the attack success rate against AlexNet and ResNet is about 1%; for fake2 the attack success rate is 44% for AlexNet and 35% for ResNet. Based on these experimental studies, the threshold ε_f in Definition 1 can be set to 3% for AlexNet and 20% for ResNet, and this fidelity evaluation process effectively defends against any potential ambiguity attack.
In short, extensive experimental studies show that an adversary cannot maintain the performance of the original DNN model with fake passports, whether the fake passports are randomly generated or inferred in reverse using the original training data set. This passport-dependent performance plays an indispensable role in designing a secure ownership verification scheme.
In addition, we also studied two further ownership verification methods: scheme V2, in which the passport is distributed together with the trained DNN model, and scheme V3, in which a private passport is embedded in the DNN model but not distributed.
First, as shown in Figure 7, when the passport is distributed together with the trained DNN model, the learning process aims to minimise the combined loss function (formula 1) with λ_t = 0, because trigger-set images are not used in this scheme, and the sign loss (formula 5) is added as a constraint term. The trained DNN model is distributed together with the passport to legitimate users, who use the given passport as the passport-layer input when running network prediction. Network ownership is verified automatically by the distributed passport. This ownership verification is robust to fine-tuning and pruning of the DNN weights; moreover, an ambiguity attack cannot successfully forge a set of passports and signatures that maintains network performance. The disadvantage of this scheme is that the passport must be used at prediction time, which incurs an additional computational cost of about 10%; we present the experimental results in Table 5 of Appendix E. In addition, distributing passports to end users interferes with the user experience and imposes the additional responsibility of keeping the digital passports secret.
Next, as shown in Figure 8, we consider embedding a private passport in the DNN model without distributing it. This learning process aims to achieve two goals simultaneously: the first is to minimise the original task loss (for example CIFAR10 classification), which does not include the passport layer; the second is to minimise the joint loss function containing the passport constraint terms (formula 1). Algorithmically, this multi-task learning is realised by alternately minimising the two objectives. The successfully trained DNN model is then distributed to end users, who can run network prediction without needing a passport; note that this is feasible because the passport layers are not included in the distributed network. Ownership verification is carried out only at the request of law enforcement, by adding the passport layers to the network in question and demonstrating the embedded sign signature together with undegraded network performance.
Compared with scheme V2, this scheme is easy for end users to use, since no passport is needed and no additional computational cost is incurred. At the same time, ownership verification is effective against both removal attacks and ambiguity attacks. Its disadvantage, however, is that access to the DNN weights is required and the passport layers must be attached for ownership verification, i.e. the disadvantage of the white-box protection mode.
The deep neural networks addressed by the embodiments of the present disclosure include all of the forms mentioned above: deep neural networks with different input signals, of different types, with different network structures, with different application functions and on different computing carriers, as well as any neural network that is the same in principle, regardless of its operating environment. Optionally, the neural network may run on a computer central processing unit (CPU), graphics processing unit (GPU), tensor processing unit (TPU) or dedicated artificial-intelligence chip, and in devices such as cloud computing centres, mobile devices, wearable devices, smart video terminals, in-vehicle equipment and other vehicles, and Internet of Things (IoT) devices.
可选的,该基于DNN用于护照抵御模糊攻击的方法可应用于上述终端设备,生成抵御模糊攻击的护照,该终端设备包括:嵌入模块、保真度评估模块、签名验证模块、可逆模块、护照生成模块。Optionally, the DNN-based method for passports to resist obfuscation attacks can be applied to the above-mentioned terminal devices to generate passports resisting obscuration attacks. The terminal devices include: an embedded module, a fidelity evaluation module, a signature verification module, a reversible module, Passport generation module.
The embedding module takes training data D as input, which includes trigger set data T or a signature s, and optimizes the model N by minimizing a given loss function L. The fidelity evaluation module F evaluates whether the performance difference is below a threshold, i.e. (M - M_t) ≤ ε, where M is the performance of the DNN tested on a set of test data D, M_t is the target performance, ε is the threshold and F is the fidelity evaluation result. The signature verification module V checks whether the predetermined signature s or trigger set data T is successfully verified for a given neural network N. The reversible module I(N) = N' exists when the following conditions are satisfied, and it results in a successful ambiguity attack A_a:
d) for the given DNN model, a new set of trigger set data T' and/or a signature s' is inferred by reverse engineering;
e) the forged T', s' verify successfully against the given DNN weights W, i.e. V = True;
f) the fidelity evaluation result F is still True;
The DNN verification scheme V of the reversible module is then defined as a reversible scheme V_l; otherwise it is defined as an irreversible scheme
Figure PCTCN2020072809-appb-000019
The passport generation module feeds a set of N selected images into a trained DNN model with the same structure and collects the N corresponding feature maps at each layer; among the N options, only one per layer is randomly chosen as the passport. Specifically, for a set of N base images and a DNN model with L layers, a total of N^L possible passport combinations can be generated.
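As an added illustration (not the patent's own code and not the applicant's implementation), the following pure-Python toy walks through the modules described above and in claims 1, 9, 10 and 12: an embedding step that drives the passport-derived scale factors to the signs of a binary signature, the signature verification V, the fidelity evaluation F, and the reversibility check. Assumptions: the passport layer's Avg(W_p * P_γ) convolution is simplified to the mean of an element-wise product per channel; the sign loss is taken to be a hinge of the form max(γ_0 - b_c γ_c, 0), because the patent's formula sits in an unrendered figure; the fidelity test is applied to the absolute difference |M - M_t|; and the test set, kernel sizes, ε and the forged passport are all constructed here.

```python
import random

# Added example, not the patent's code. Simplification (assumption): each channel c has a
# kernel W[c] and a passport P[c] of the same length, and the scale factor is
# gamma_c = mean(W[c] * P[c]) instead of the patent's Avg(W_p * P_gamma) convolution.

GAMMA0 = 0.1    # positive control parameter, default 0.1 per claim 10
EPSILON = 0.05  # fidelity threshold epsilon (constructed value)


def scale_factors(W, P):
    """gamma_c = Avg(W_c * P_c) for every channel c (element-wise simplification)."""
    return [sum(w * p for w, p in zip(Wc, Pc)) / len(Wc) for Wc, Pc in zip(W, P)]


def sign_loss(gammas, B, gamma0=GAMMA0):
    """Assumed hinge form of the sign loss: channel c is penalised unless b_c * gamma_c >= gamma0."""
    return sum(max(gamma0 - b * g, 0.0) for g, b in zip(gammas, B))


def embed_signature(W, P, B, lr=1.0, steps=500, gamma0=GAMMA0):
    """Embedding process: gradient descent on the sign loss with respect to the kernels.
    While the hinge for channel c is active, d(loss)/dW_c = -b_c * P_c / n, so the
    descent step adds lr * b_c * P_c / n; channels that already satisfy the margin are left alone."""
    W = [list(Wc) for Wc in W]
    for _ in range(steps):
        for c, (g, b) in enumerate(zip(scale_factors(W, P), B)):
            if b * g < gamma0:
                n = len(W[c])
                W[c] = [w + lr * b * p / n for w, p in zip(W[c], P[c])]
    return W


def verify_signature(W, P, B):
    """Signature verification V: every scale factor must carry the sign of its signature bit."""
    return all((g > 0) == (b > 0) for g, b in zip(scale_factors(W, P), B))


def predict(W, P, x):
    """Toy inference: the passport-derived scale factors weight the channel activations x."""
    s = sum(g * xc for g, xc in zip(scale_factors(W, P), x))
    return 1 if s > 0 else -1


def performance(W, P, test_set):
    """M: accuracy over a test set of (activations, label) pairs."""
    return sum(predict(W, P, x) == y for x, y in test_set) / len(test_set)


def fidelity(W, P, test_set, M_target, eps=EPSILON):
    """Fidelity evaluation F, read as |M - M_t| <= epsilon (assumption about the sign convention)."""
    return abs(performance(W, P, test_set) - M_target) <= eps


def ownership_verified(W, P, B, test_set, M_target):
    """The scheme accepts a claim only when signature verification and fidelity both pass."""
    return verify_signature(W, P, B) and fidelity(W, P, test_set, M_target)


def demo(seed=7, channels=8, kernel=4, n_test=200):
    """Genuine passport versus a forged one (constructed scenario)."""
    rng = random.Random(seed)
    W0 = [[rng.uniform(-0.1, 0.1) for _ in range(kernel)] for _ in range(channels)]
    P = [[rng.uniform(-1.0, 1.0) for _ in range(kernel)] for _ in range(channels)]  # genuine passport
    B = [rng.choice((-1, 1)) for _ in range(channels)]                               # signature bits
    W = embed_signature(W0, P, B)
    # Constructed test set: labels are what the genuine network predicts, so M_t = 1.0.
    xs = [[rng.gauss(0.0, 1.0) for _ in range(channels)] for _ in range(n_test)]
    test = [(x, predict(W, P, x)) for x in xs]
    M_t = performance(W, P, test)
    # Forged passport s_t != s_e: the negated genuine passport flips every scale factor.
    P_forged = [[-p for p in Pc] for Pc in P]
    # Condition d): the bits a forger would claim are simply the signs the forged passport yields.
    B_forged = [1 if g > 0 else -1 for g in scale_factors(W, P_forged)]
    return {
        "genuine_signature": verify_signature(W, P, B),
        "genuine_fidelity": fidelity(W, P, test, M_t),
        "forged_signature_with_its_own_bits": verify_signature(W, P_forged, B_forged),
        "forged_performance": performance(W, P_forged, test),
        "forged_fidelity": fidelity(W, P_forged, test, M_t),
        "forged_ownership": ownership_verified(W, P_forged, B_forged, test, M_t),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The forged passport passes signature verification for the bits it happens to produce (condition e) is met for the reverse-engineered s'), which is exactly why the scheme pairs V with the fidelity test: with the wrong passport every scale factor changes sign, the toy network's accuracy collapses, condition f) fails, and the claim is rejected, so the scheme is irreversible for this forgery.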

Claims (14)

  1. A method based on a deep neural network (DNN) for passports to resist ambiguity attacks, comprising a DNN model and a passport, wherein the ownership verification scheme of the DNN model comprises an embedding process, a fidelity evaluation process, a signature verification process and a reversible process, the method comprising:
    the embedding process is a DNN learning process that takes training data as input, the training data comprising trigger set data or a signature, and optimizes the model by minimizing a given loss function;
    the fidelity evaluation process uses the following formula to evaluate whether the performance difference is below a threshold and obtains a fidelity evaluation result:
    (M - M_t) ≤ ε,
    where M is the DNN performance tested on a set of test data, M_t is the target performance and ε is the threshold;
    the signature verification process is used to check whether the predetermined signature or trigger set data is successfully verified for a given neural network N;
    a reversible process exists, resulting in a successful ambiguity attack, when the following conditions are met: for the given DNN model, a new set of trigger set data and/or a signature is inferred by reverse engineering; the forged new set of trigger set data and/or signature verifies successfully against the given DNN weights W, so that the signature verification result is true; and the fidelity evaluation result F is still True;
    a DNN verification scheme in which a reversible process exists is defined as a reversible scheme; otherwise it is defined as an irreversible scheme.
  2. The method according to claim 1, wherein the feature-based and trigger-set-based methods adopt the following combined loss function:
    L = L_c(f(W, X_r), y_r) + λ_t L_c(f(W, X_T), y_T) + λ_r R(W, s),  (1)
    where λ_t and λ_r are the weights of the respective hyperparameters, f(W, X_) is the prediction function that takes X_r or X_T as input and outputs a prediction, L_c is the cross-entropy loss between the prediction and the target label y_r or y_T, the signature s = {P, B} consists of a passport P and a signature string B, and the constraint term is R = L_c(σ(W, P), B) or R = MSE(B - PW), where MSE is the mean squared error function.
  3. The method according to claim 1, wherein the DNN model of the trigger-set-based watermarking method also embeds a private passport and a trigger set but does not distribute them; the trigger set is a set of trigger images used to probe and claim ownership of a suspect DNN model through remote calls to its service API; ownership is first claimed in black-box mode and then claimed again in white-box mode through passport verification; with the trigger set images, the original task loss and the joint loss function containing the passport constraint term are minimized alternately, where the original task loss excludes the passport layer, and the GroupNormalisation algorithm is used.
  4. The method according to claim 1, wherein the passport is generated by random shuffling, the method comprising: feeding a set of N selected images into a trained DNN model with the same structure and collecting the N corresponding feature maps at each layer; among the N options, only one per layer is randomly chosen as the passport, whereby for a set of N base images and a DNN model with L layers a total of N^L possible passport combinations are generated.
  5. The method according to claim 1, wherein the DNN model of the trigger-set-based watermarking method adds a trainable noise component to randomly selected base images using the following steps:
    randomly select a set of N base images T_b;
    generate a random noise pattern T_n of the same size as a trainable parameter;
    use the sum X_T = T_b + η T_n as the trigger set images, where η = 0.04 so that the noise component is invisible;
    randomly assign trigger set labels y_T;
    minimize the cross-entropy loss L_c with respect to the trainable parameter T_n.
  6. The method according to claim 1, wherein the DNN architecture is predetermined by the optimization model, and after the DNN weights have been learned the trigger set data or signature is embedded in the model; the signature verification process first invokes the DNN prediction process with the trigger set samples as input, and then checks whether the prediction function produces the specified labels with a false detection rate below the threshold.
  7. The method according to claim 1, wherein the DNN model further comprises a passport layer and convolutional layers, the passport layer embeds a digital signature, and the scale factor γ and offset β of the passport layer depend on the convolution kernel W_p and the specified passport P, as given by the following formulas:
    Figure PCTCN2020072809-appb-100001
    Figure PCTCN2020072809-appb-100002
    where * denotes the convolution operation, l is the layer index, X_p is the input of the passport layer, X_c is the input of the convolutional layer, O() is the corresponding linear transformation output, and P_γ^l and P_β^l are the passports from which the scale factor γ and the bias term β are derived, respectively; each convolutional layer consists of several convolution units whose parameters are optimized by the backpropagation algorithm, and the convolution operation extracts the different features of an ambiguity attack.
  8. The method according to claim 6, wherein for a DNN model trained with passport layers s_e = {P_γ^l, P_β^l}_l, the prediction performance M depends on the digital passport presented when the network is used, as given by the following formula:
    Figure PCTCN2020072809-appb-100003
    If the genuine digital passport is not presented, i.e. s_t ≠ s_e, network performance deteriorates significantly.
  9. The method according to claim 1, wherein in an irreversible scheme the fidelity evaluation result depends on the presented signature or trigger set data; if a forged passport s_t ≠ s_e is presented, the performance M deteriorates sharply and the performance difference exceeds the threshold.
  10. The method according to claim 1, wherein the signature is an embedded binary signature, and during learning of the DNN weights the following sign loss constraint term is added to the combined loss function to force the scale factors to take the specified positive or negative signs:
    Figure PCTCN2020072809-appb-100004
    where B = {b_1, ..., b_C} ∈ {-1, 1}^C consists of the specified binary bits for the C convolution kernels, and γ_0 is a positive control parameter, by default 0.1, that encourages the scale factors to take values larger than γ_0.
  11. The method according to claim 1, wherein the parameters of the DNN model are divided into the public convolutional layer parameters W and the scale factor γ and bias term β of the hidden passport layer; after the passport information has been embedded into the weights W and learning is complete, the following constraints are enforced: Avg(W_p^l * P_γ^l) = c_γ^l, Avg(W_p^l * P_β^l) = c_β^l; the distribution of the convolutional layer weights is the same as that of the original DNN without passport layers; c_γ^l and c_β^l are the constant values to which the parameters γ^l and β^l converge, and the scale factors can only take positive or negative values away from zero.
  12. The method according to claim 1, wherein the method is applied to a terminal device, the terminal device comprising an embedding module, a fidelity evaluation module, a signature verification module, a reversible module and a passport generation module;
    the embedding module takes training data as input, comprising trigger set data or a signature, and optimizes the model by minimizing a given loss function;
    the fidelity evaluation module uses the following formula to evaluate whether the performance difference is below a threshold and obtains a fidelity evaluation result:
    (M - M_t) ≤ ε,
    where M is the DNN performance tested on a set of test data D, M_t is the target performance and ε is the threshold;
    the signature verification module checks whether the predetermined signature or trigger set data is successfully verified for a given neural network;
    the reversible module exists when the following conditions are satisfied, resulting in a successful ambiguity attack: for the given DNN model, a new set of trigger set data and/or a signature is inferred by reverse engineering; the forged new set of trigger set data and/or signature verifies successfully against the given DNN weights, so that the signature verification result is true; and the fidelity evaluation result is still true;
    the DNN verification scheme of the reversible module is defined as a reversible scheme; otherwise it is defined as an irreversible scheme;
    the passport generation module feeds a set of N selected images into a trained DNN model with the same structure and collects the N corresponding feature maps at each layer; among the N options, only one per layer is randomly chosen as the passport, whereby for a set of N base images and a DNN model with L layers a total of N^L possible passport combinations are generated.
  13. The method according to claim 1, wherein the deep neural networks targeted by the DNN model include deep neural networks with different input signals, of different types, with different network structures, with different application functions and on different computing carriers, as well as any neural network working on the same principle.
  14. The method according to claim 1, wherein the method runs on computer central processing units, graphics processing units, tensor processing units, dedicated artificial intelligence chips, cloud computing centers, mobile devices, wearable devices, smart video terminals, in-vehicle equipment and other vehicles, and Internet of Things devices.
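The trigger-set side of the scheme (claims 4, 5 and 6, and the black-box mode of claim 3), as an added pure-Python example that is not code from the patent or its applicant. The "images" are flat lists of 16 floats in [0, 1], the memorising model and the unrelated model are constructed stand-ins for a DNN that learned the trigger set and for one that never saw it, the label space, false-detection threshold and random seed are constructed values, and the last step of claim 5 (training T_n against the cross-entropy loss) is not simulated because it needs a real network.

```python
import random

NUM_CLASSES = 10   # constructed: a CIFAR10-sized label space
ETA = 0.04         # noise weight eta from claim 5
PIXELS = 16        # constructed: tiny 4x4 images, flattened


def make_trigger_set(base_images, rng, eta=ETA, num_classes=NUM_CLASSES):
    """Claim 5, steps 1-4: for each base image T_b draw a noise pattern T_n of the same
    size, form X_T = T_b + eta * T_n and assign a random label y_T.
    Returns the trigger images, the noise patterns (the trainable part) and the labels."""
    trigger_images, noise_patterns, labels = [], [], []
    for img in base_images:
        noise = [rng.uniform(-1.0, 1.0) for _ in img]                     # T_n
        trigger_images.append([p + eta * n for p, n in zip(img, noise)])  # X_T
        noise_patterns.append(noise)
        labels.append(rng.randrange(num_classes))                         # y_T
    return trigger_images, noise_patterns, labels


def max_perturbation(base_images, trigger_images):
    """Largest per-pixel change the noise introduced; bounded by eta because |T_n| <= 1."""
    return max(abs(t - b)
               for base, trig in zip(base_images, trigger_images)
               for b, t in zip(base, trig))


def black_box_verify(predict_fn, trigger_images, labels, max_error_rate=0.1):
    """Claim 6 in black-box mode: query only the suspect model's prediction function with
    the trigger samples, and accept ownership when the false detection rate (share of
    trigger images that do not yield their assigned label) is below the threshold."""
    misses = sum(predict_fn(x) != y for x, y in zip(trigger_images, labels))
    error_rate = misses / len(labels)
    return error_rate, error_rate < max_error_rate


def passport_combinations(n_images, n_layers):
    """Claim 4: choosing one of N feature maps per layer yields N**L possible passports."""
    return n_images ** n_layers


def shuffle_passport(feature_maps, rng):
    """Claim 4: feature_maps[layer][i] is the feature map of base image i at that layer;
    pick one image index per layer at random and return the chosen indices and maps."""
    choice = [rng.randrange(len(layer_maps)) for layer_maps in feature_maps]
    return choice, [feature_maps[l][i] for l, i in enumerate(choice)]


class MemorisingModel:
    """Constructed stand-in for the DNN that learned the trigger set (not a real network):
    answers with the label of the closest memorised trigger image."""

    def __init__(self, trigger_images, labels):
        self.memory = list(zip(trigger_images, labels))

    def __call__(self, x):
        closest = min(self.memory, key=lambda m: sum((a - b) ** 2 for a, b in zip(m[0], x)))
        return closest[1]


def unrelated_model(x):
    """Constructed stand-in for a model that never saw the trigger set: labels by pixel mass."""
    return int(sum(x) * 10) % NUM_CLASSES


def demo(seed=3, n_images=20):
    rng = random.Random(seed)
    base = [[rng.random() for _ in range(PIXELS)] for _ in range(n_images)]  # T_b
    trig, _noise, labels = make_trigger_set(base, rng)
    watermarked = MemorisingModel(trig, labels)
    # Constructed feature maps: 3 layers, one map (here just a label string) per base image.
    maps = [[f"layer{l}_img{i}" for i in range(5)] for l in range(3)]
    choice, _passport = shuffle_passport(maps, rng)
    return {
        "max_perturbation": max_perturbation(base, trig),
        "genuine": black_box_verify(watermarked, trig, labels),
        "unrelated": black_box_verify(unrelated_model, trig, labels),
        "passports_for_5_images_3_layers": passport_combinations(5, 3),
        "chosen_indices_per_layer": choice,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The verifier never needs weights or the passport in this mode, only the prediction API, which is why claim 3 uses it as the first, cheaper ownership claim; the white-box passport check is the second, stronger step for a suspect model that fails or evades it.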
PCT/CN2020/072809 2019-09-04 2020-01-17 Dnn-based method for protecting passport against fuzzy attack WO2021042665A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910832529.2 2019-09-04
CN201910832529.2A CN110610082A (en) 2019-09-04 2019-09-04 DNN-based system and method for passport to resist fuzzy attack

Publications (1)

Publication Number Publication Date
WO2021042665A1 true WO2021042665A1 (en) 2021-03-11
