HufuNet: Embedding the Left Piece as Watermark and Keeping the Right Piece for Ownership Verification in Deep Neural Networks

• URL: http://arxiv.org/abs/2103.13628v1
• Date: Thu, 25 Mar 2021 06:55:22 GMT
• Title: HufuNet: Embedding the Left Piece as Watermark and Keeping the Right Piece for Ownership Verification in Deep Neural Networks
• Authors: Peizhuo Lv, Pan Li, Shengzhi Zhang, Kai Chen, Ruigang Liang, Yue Zhao, Yingjiu Li
• Abstract summary: We propose a novel solution for watermarking deep neural networks (DNNs) HufuNet is highly robust against model fine-tuning/pruning, kernels cutoff/supplement, functionality-equivalent attack, and fraudulent ownership claims.
• Score: 16.388046449021466
• License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
• Abstract: Due to the wide use of highly-valuable and large-scale deep neural networks (DNNs), it becomes crucial to protect the intellectual property of DNNs so that the ownership of disputed or stolen DNNs can be verified. Most existing solutions embed backdoors in DNN model training such that DNN ownership can be verified by triggering distinguishable model behaviors with a set of secret inputs. However, such solutions are vulnerable to model fine-tuning and pruning. They also suffer from fraudulent ownership claim as attackers can discover adversarial samples and use them as secret inputs to trigger distinguishable behaviors from stolen models. To address these problems, we propose a novel DNN watermarking solution, named HufuNet, for protecting the ownership of DNN models. We evaluate HufuNet rigorously on four benchmark datasets with five popular DNN models, including convolutional neural network (CNN) and recurrent neural network (RNN). The experiments demonstrate HufuNet is highly robust against model fine-tuning/pruning, kernels cutoff/supplement, functionality-equivalent attack, and fraudulent ownership claims, thus highly promising to protect large-scale DNN models in the real-world.

Related papers

• Harnessing Neuron Stability to Improve DNN Verification [42.65507402735545]
  We present VeriStable, a novel extension of recently proposed DPLL-based constraint DNN verification approach. We evaluate the effectiveness of VeriStable across a range of challenging benchmarks including fully-connected feed networks (FNNs), convolutional neural networks (CNNs) and residual networks (ResNets) Preliminary results show that VeriStable is competitive and outperforms state-of-the-art verification tools, including $alpha$-$beta$-CROWN and MN-BaB, the first and second performers of the VNN-COMP, respectively.
  arXiv  Detail & Related papers  (2024-01-19T23:48:04Z)
• Model Copyright Protection in Buyer-seller Environment [35.2914055333853]
  We propose a novel copyright protection scheme for a deep neural network (DNN) using an input-sensitive neural network (ISNN) During the training phase, we add a specific perturbation to the clean images and mark them as legal inputs, while the other inputs are treated as illegal input. Experimental results demonstrate that the proposed scheme is effective, valid, and secure.
  arXiv  Detail & Related papers  (2023-12-05T07:15:10Z)
• ELEGANT: Certified Defense on the Fairness of Graph Neural Networks [94.10433608311604]
  Graph Neural Networks (GNNs) have emerged as a prominent graph learning model in various graph-based tasks. malicious attackers could easily corrupt the fairness level of their predictions by adding perturbations to the input graph data. We propose a principled framework named ELEGANT to study a novel problem of certifiable defense on the fairness level of GNNs.
  arXiv  Detail & Related papers  (2023-11-05T20:29:40Z)
• Robust and Lossless Fingerprinting of Deep Neural Networks via Pooled Membership Inference [17.881686153284267]
  Deep neural networks (DNNs) have already achieved great success in a lot of application areas and brought profound changes to our society. How to protect the intellectual property (IP) of DNNs against infringement is one of the most important yet very challenging topics. This paper proposes a novel technique called emphpooled membership inference (PMI) so as to protect the IP of the DNN models.
  arXiv  Detail & Related papers  (2022-09-09T04:06:29Z)
• A Comprehensive Survey on Trustworthy Graph Neural Networks: Privacy, Robustness, Fairness, and Explainability [59.80140875337769]
  Graph Neural Networks (GNNs) have made rapid developments in the recent years. GNNs can leak private information, are vulnerable to adversarial attacks, can inherit and magnify societal bias from training data. This paper gives a comprehensive survey of GNNs in the computational aspects of privacy, robustness, fairness, and explainability.
  arXiv  Detail & Related papers  (2022-04-18T21:41:07Z)
• Toward Robust Spiking Neural Network Against Adversarial Perturbation [22.56553160359798]
  spiking neural networks (SNNs) are deployed increasingly in real-world efficiency critical applications. Researchers have already demonstrated an SNN can be attacked with adversarial examples. To the best of our knowledge, this is the first analysis on robust training of SNNs.
  arXiv  Detail & Related papers  (2022-04-12T21:26:49Z)
• Robustness of Bayesian Neural Networks to White-Box Adversarial Attacks [55.531896312724555]
  Bayesian Networks (BNNs) are robust and adept at handling adversarial attacks by incorporating randomness. We create our BNN model, called BNN-DenseNet, by fusing Bayesian inference (i.e., variational Bayes) to the DenseNet architecture. An adversarially-trained BNN outperforms its non-Bayesian, adversarially-trained counterpart in most experiments.
  arXiv  Detail & Related papers  (2021-11-16T16:14:44Z)
• Deep Serial Number: Computational Watermarking for DNN Intellectual Property Protection [53.40245698216239]
  DSN (Deep Serial Number) is a watermarking algorithm designed specifically for deep neural networks (DNNs) Inspired by serial numbers in safeguarding conventional software IP, we propose the first implementation of serial number embedding within DNNs.
  arXiv  Detail & Related papers  (2020-11-17T21:42:40Z)
• Spiking Neural Networks with Single-Spike Temporal-Coded Neurons for Network Intrusion Detection [6.980076213134383]
  Spiking neural network (SNN) is interesting due to its strong bio-plausibility and high energy efficiency. However, its performance is falling far behind conventional deep neural networks (DNNs)
  arXiv  Detail & Related papers  (2020-10-15T14:46:18Z)
• Enhancing Graph Neural Network-based Fraud Detectors against Camouflaged Fraudsters [78.53851936180348]
  We introduce two types of camouflages based on recent empirical studies, i.e., the feature camouflage and the relation camouflage. Existing GNNs have not addressed these two camouflages, which results in their poor performance in fraud detection problems. We propose a new model named CAmouflage-REsistant GNN (CARE-GNN) to enhance the GNN aggregation process with three unique modules against camouflages.
  arXiv  Detail & Related papers  (2020-08-19T22:33:12Z)
• Noise-Response Analysis of Deep Neural Networks Quantifies Robustness and Fingerprints Structural Malware [48.7072217216104]
  Deep neural networks (DNNs) have structural malware' (i.e., compromised weights and activation pathways) It is generally difficult to detect backdoors, and existing detection methods are computationally expensive and require extensive resources (e.g., access to the training data) Here, we propose a rapid feature-generation technique that quantifies the robustness of a DNN, fingerprints' its nonlinearity, and allows us to detect backdoors (if present) Our empirical results demonstrate that we can accurately detect backdoors with high confidence orders-of-magnitude faster than existing approaches (seconds versus
  arXiv  Detail & Related papers  (2020-07-31T23:52:58Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.