Related papers: StegGuard: Fingerprinting Self-supervised Pre-trained Encoders via Secrets Embeder and Extractor

StegGuard: Fingerprinting Self-supervised Pre-trained Encoders via Secrets Embeder and Extractor

URL: http://arxiv.org/abs/2310.03380v1
Date: Thu, 5 Oct 2023 08:30:42 GMT
Title: StegGuard: Fingerprinting Self-supervised Pre-trained Encoders via Secrets Embeder and Extractor
Authors: Xingdong Ren, Tianxing Zhang, Hanzhou Wu, Xinpeng Zhang, Yinggui Wang, Guangling Sun,
Abstract summary: We propose StegGuard, a novel fingerprinting mechanism to verify the ownership of the suspect pre-trained encoder using steganography. A critical perspective in StegGuard is that the unique characteristic of the transformation from an image to an embedding, conducted by the pre-trained encoder, can be equivalently exposed. StegGuard can reliably identify across varied independent encoders, and is robust against model stealing related attacks.
Score: 20.88708866426335
License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
Abstract: In this work, we propose StegGuard, a novel fingerprinting mechanism to verify the ownership of the suspect pre-trained encoder using steganography. A critical perspective in StegGuard is that the unique characteristic of the transformation from an image to an embedding, conducted by the pre-trained encoder, can be equivalently exposed how an embeder embeds secrets into images and how an extractor extracts the secrets from encoder's embeddings with a tolerable error after the secrets are subjected to the encoder's transformation. While each independent encoder has a distinct transformation, the piracy encoder has a similar transformation to the victim. Based on these, we learn a pair of secrets embeder and extractor as the fingerprint for the victim encoder. We introduce a frequency-domain channel attention embedding block into the embeder to adaptively embed secrets into suitable frequency bands. During verification, if the secrets embedded into the query images can be extracted with an acceptable error from the suspect encoder's embeddings, the suspect encoder is determined as piracy, otherwise independent. Extensive experiments demonstrate that depending on a very limited number of query images, StegGuard can reliably identify across varied independent encoders, and is robust against model stealing related attacks including model extraction, fine-tuning, pruning, embedding noising and shuffle.

Related papers

Transferable Watermarking to Self-supervised Pre-trained Graph Encoders by Trigger Embeddings [43.067822791795095]
Graph Self-supervised Learning (GSSL) enables to pre-train foundation graph encoders. Easy-to-plug-in nature of such encoders makes them vulnerable to copyright infringement. We develop a novel watermarking framework to protect graph encoders in GSSL settings.
arXiv Detail & Related papers (2024-06-19T03:16:11Z)
Faster Diffusion: Rethinking the Role of UNet Encoder in Diffusion Models [95.47438940934413]
We conduct the first comprehensive study of the UNet encoder. We find that encoder features change gently, whereas the decoder features exhibit substantial variations across different time-steps. By benefiting from our propagation scheme, we are able to perform in parallel the decoder at certain adjacent time-steps.
arXiv Detail & Related papers (2023-12-15T08:46:43Z)
Downstream-agnostic Adversarial Examples [66.8606539786026]
AdvEncoder is first framework for generating downstream-agnostic universal adversarial examples based on pre-trained encoder. Unlike traditional adversarial example works, the pre-trained encoder only outputs feature vectors rather than classification labels. Our results show that an attacker can successfully attack downstream tasks without knowing either the pre-training dataset or the downstream dataset.
arXiv Detail & Related papers (2023-07-23T10:16:47Z)
Human-imperceptible, Machine-recognizable Images [76.01951148048603]
A major conflict is exposed relating to software engineers between better developing AI systems and distancing from the sensitive training data. This paper proposes an efficient privacy-preserving learning paradigm, where images are encrypted to become human-imperceptible, machine-recognizable'' We show that the proposed paradigm can ensure the encrypted images have become human-imperceptible while preserving machine-recognizable information.
arXiv Detail & Related papers (2023-06-06T13:41:37Z)
Hiding Images in Deep Probabilistic Models [58.23127414572098]
We describe a different computational framework to hide images in deep probabilistic models. Specifically, we use a DNN to model the probability density of cover images, and hide a secret image in one particular location of the learned distribution. We demonstrate the feasibility of our SinGAN approach in terms of extraction accuracy and model security.
arXiv Detail & Related papers (2022-10-05T13:33:25Z)
AWEncoder: Adversarial Watermarking Pre-trained Encoders in Contrastive Learning [18.90841192412555]
We introduce AWEncoder, an adversarial method for watermarking the pre-trained encoder in contrastive learning. The proposed work enjoys pretty good effectiveness and robustness on different contrastive learning algorithms and downstream tasks.
arXiv Detail & Related papers (2022-08-08T07:23:37Z)
Watermarking Pre-trained Encoders in Contrastive Learning [9.23485246108653]
The pre-trained encoders are an important intellectual property that needs to be carefully protected. It is challenging to migrate existing watermarking techniques from the classification tasks to the contrastive learning scenario. We introduce a task-agnostic loss function to effectively embed into the encoder a backdoor as the watermark.
arXiv Detail & Related papers (2022-01-20T15:14:31Z)
StolenEncoder: Stealing Pre-trained Encoders [62.02156378126672]
We propose the first attack called StolenEncoder to steal pre-trained image encoders. Our results show that the encoders stolen by StolenEncoder have similar functionality with the target encoders.
arXiv Detail & Related papers (2022-01-15T17:04:38Z)
StegaPos: Preventing Crops and Splices with Imperceptible Positional Encodings [0.0]
We present a model for distinguishing between images that are authentic copies of ones published by photographers. The model comprises an encoder that resides with the photographer and a matching decoder that is available to observers. We find that training the encoder and decoder together produces a model that imperceptibly encodes position.
arXiv Detail & Related papers (2021-04-25T23:42:29Z)
Modeling Lost Information in Lossy Image Compression [72.69327382643549]
Lossy image compression is one of the most commonly used operators for digital images. We propose a novel invertible framework called Invertible Lossy Compression (ILC) to largely mitigate the information loss problem.
arXiv Detail & Related papers (2020-06-22T04:04:56Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.