(47-6) 16 * << * >> * Russian * English * Content * All Issues

Copyright protection of deep image classification models
Y.D. Vybornova 1, D.I. Ulyanov 1

Samara National Research University,
443086, Samara, Russia, Moskovskoye Shosse 34

 PDF, 10 MB

DOI: 10.18287/2412-6179-CO-1302

Pages: 980-990.

Full text of article: Russian language.

Abstract:
With the growing number of tasks solved using deep learning methods, the need for protection against unauthorized distribution of the intellectual property such as pre-trained models of deep neural networks is growing. To date, one of the most common ways to protect copyright in the digital space is through embedding digital watermarks. When solving the problem of watermark embedding, an important criterion is the preservation of the model prediction accuracy after introducing the protective information. In this paper, we propose a method for embedding digital watermarks into image classification models based on adding images obtained by superimposing pseudo-holograms on images of the original dataset to the training set. A pseudo-hologram is an image synthesized on the basis of a given binary sequence by arranging pulses for bit encoding in the spectral region. Results of the experimental study show that the proposed method allows one to maintain the classification quality, while also retaining its performance regardless of the architecture of the protected neural network. The conducted series of attacks on protected models show that attempts of an attacker to completely remove the watermark will almost inevitably lead to a significant loss in the model prediction quality. The results of the experiments also include recommendations on the choice of method parameters, such as the size of the trigger and training sets, as well as the length of sequences encoded by pseudo-holograms.

Keywords:
image classification models, digital watermarking, copyright protection, pseudo-holographic images.

Citation:
Vybornova YD, Ulyanov DI. Copyright protection of deep image classification models. Computer Optics 2023; 47(6): 980-990. DOI: 10.18287/2412-6179-CO-1302.

Acknowledgements:
The work was funded under RSF (Russian Science Foundation) grant No. 21-71-00106, https://rscf.ru/en/project/21-71-00106/.

References:
  1. Uchida Y, Nagai Y, Sakazawa S, Satoh S. Embedding watermarks into deep neural networks. ICMR '17: Proc 2017 ACM on Int Conf on Multimedia Retrieval 2017: 269-277.
  2. Li Y, Wang H, Barni M. A survey of deep neural network watermarking techniques. Neurocomputing 2021; 461: 171-193.
  3. Boenisch F. A systematic review on model watermarking for neural networks. Front Big Data 2021; 4: 729663. DOI: 10.3389/fdata.2021.729663.
  4. Botta M, Cavagnino D, Esposito R. NeuNAC: A novel fragile watermarking algorithm for integrity protection of neural networks. Inf Sci 2021; 576: 228-241. DOI: 10.1016/j.ins.2021.06.073.
  5. Wang J, Wu H, Zhang X, Yao Y. Watermarking in deep neural networks via error back-propagation. J Electron Imaging 2020; 2020(4): 22.
  6. Kuribayashi M, Tanaka T, Suzuki S, Yasui T, Funabiki N. White-box watermarking scheme for fully-connected layers in fine-tuning model. Proc 2021 ACM Workshop on Information Hiding and Multimedia Security 2021: 165-170.
  7. Wang T, Kerschbaum F. RIGA: Covert and robust whitebox watermarking of deep neural networks. Proc Web Conf 2021; 2021: 993-1004.
  8. Kapusta K, Thouvenot V, Bettan O, Beguinet H, Senet H. A protocol for secure verification of watermarks embedded into machine learning models. Proc 2021 ACM Workshop on Information Hiding and Multimedia Security 2021: 171-176.
  9. Huang ZJ, Zhang YQ, Jia YR. A novel watermarking mechanism for deep learning models based on chaotic boundaries. 2021 15th Int Symp on Medical Information and Communication Technology (ISMICT) 2021: 104-109.
  10. Deeba F, Kun S, Dharejo FA, Langah H. Memon H. Digital watermarking using deep neural network. International Journal of Machine Learning and Computing 2020; 10(2): 277-282. DOI: 10.18178/ijmlc.2020.10.2.932.
  11. Jebreel NM, Domingo-Ferrer J, Sanchez D, Blanco-Justicia A. KeyNet: An asymmetric key-style framework for watermarking deep learning models. Appl Sci 2021; 11(3): 999. DOI: 10.3390/app11030999.
  12. Xu X, Li Y, Yuan C. “Identity Bracelets” for deep neural networks. IEEE Access 2020; 8: 102065-102074.
  13. Li Z, Hu C, Zhang Y, Guo S. How to prove your model belongs to you: A blind-watermark based framework to protect intellectual property of DNN. Proc 35th Annual Computer Security Applications Conf 2019: 126-137.
  14. Maung A, Kiya H. Piracy-resistant DNN watermarking by block-wise image transformation with secret key. Proc 2021 ACM Workshop on Information Hiding and Multimedia Security 2021: 159-164. DOI: 10.1145/3437880.3460398.
  15. Zhang Y-Q, Jia Y-R, Niu Q, Chen N-D. DeepTrigger: A watermarking scheme of deep learning models based on chaotic automatic data annotation. IEEE Access 2020; 8: 213296-213305.
  16. Zhong Q, Zhang L, Zhang J, Gao L, Xiang Y. Protecting IP of deep neural networks with watermarking: A new label helps. Advances in Knowledge Discovery and Data Mining 2020; 12085: 462-474.
  17. Zhu R, Zhang X, Shi M, Tang Z. Secure neural network watermarking protocol against forging attack. EURASIP J Image Video Process 2020; 2020: 37.
  18. Vybornova YD. Method for copyright protection of deep neural networks using digital watermarking. Computer Optics 2023; 47(2): 251-261. DOI: 10.18287/2412-6179-CO-1193.
  19. Vybornova YD, Sergeev VV. New method for GIS vector data protection based on the use of secondary watermark. Computer Optics 2019; 43(3): 474-483. DOI: 10.18287/2412-6179-2019-43-3-474-483.
  20. Vybornova YD, Ulyanov DI. Method for protection of deep learning models using digital watermarking. VIII Int Conf on Information Technology and Nanotechnology (ITNT)2022: 1-5.
  21. Bansal N, Deolia VK, Bansal A, Pathak P. Digital image watermarking using least significant bit technique in different bit positions. 2014 Int Conf on Computational Intelligence and Communication Networks 2014: 813-818. DOI: 10.1109/CICN.2014.174.
  22. Zebbiche K, Khelifi F, Loukhaoukha K. Robust additive watermarking in the DTCWT domain based on perceptual masking. Multimed Tools Appl 2018; 77: 21281-21304. DOI: 10.1007/s11042-017-5451-x.
  23. PyTorch. Models and pre-trained weights. 2023. Source: <https://pytorch.org/vision/stable/models.html>.
  24. The CIFAR-10 Dataset. 2023. Source: <http://www.cs.toronto.edu/~kriz/cifar.html>.

© 2009, IPSI RAS
151, Molodogvardeiskaya str., Samara, 443001, Russia; E-mail: journal@computeroptics.ru ; Tel: +7 (846) 242-41-24 (Executive secretary), +7 (846) 332-56-22 (Issuing editor), Fax: +7 (846) 332-56-20