Ownership Verification Protocols for Deep Neural Network Watermarks

Li, Fangqi; Wang, Shilin

doi:10.1007/978-981-19-7554-7_2

Fangqi Li⁴ &
Shilin Wang⁴

274 Accesses
2 Citations

Abstract

To protect deep neural networks as intellectual properties, it is necessary to accurately identify their author or registered owner. Numerous techniques, spearheaded by the watermark, have been proposed to establish the connection between a deep neural network and its owner; however, it is until that such connection is provably unambiguous and unforgeable that it can be leveraged for copyright protection. The ownership proof is feasible only after multiple parties, including the owner, the adversary, and the third party to whom the owner wants to present a proof operate under deliberate protocols. The design of these ownership verification protocols requires more careful insight into the knowledge and privacy concerns of participants, during which process several extra security risks emerge. This chapter briefly reviews ordinary security requirements in deep neural network watermarking schemes, formulates several additional requirements regarding ownership proof under elementary protocols, and puts forward the necessity of analyzing and regulating the ownership verification procedure.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Chapter: USD 29.95; Price excludes VAT (USA)

eBook: USD 129.00; Price excludes VAT (USA)

Softcover Book: USD 169.99; Price excludes VAT (USA)

Hardcover Book: USD 169.99; Price excludes VAT (USA)

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

Adi, Y., Baum, C., Cisse, M., Pinkas, B., Keshet, J.: Turning your weakness into a strength: Watermarking deep neural networks by backdooring. In: 27th {USENIX} Security Symposium ({USENIX} Security 18), pp. 1615–1631 (2018)
Google Scholar
Chen, J., Wang, J., Peng, T., Sun, Y., Cheng, P., Ji, S., Ma, X., Li, B., Song, D.: Copy, right? a testing framework for copyright protection of deep learning models. In: 2022 IEEE Security and Privacy, pp. 1–6
Google Scholar
Darvish Rouhani, B., Chen, H., Koushanfar, F.: DeepSigns: An end-to-end watermarking framework for ownership protection of deep neural networks. In: Proceedings of the Twenty-Fourth International Conference on Architectural Support for Programming Languages and Operating Systems, pp. 485–497 (2019)
Google Scholar
Fan, L., Ng, K.W., Chan, C.S., Yang, Q.: DeepIP: Deep neural network intellectual property protection with passports. IEEE Trans. Pattern Analy. Mach. Intell. 1, 1–1 (2021)
Google Scholar
Guo, S., Zhang, T., Qiu, H., Zeng, Y., Xiang, T., Liu, Y.: Fine-tuning is not enough: A simple yet effective watermark removal attack for DNN models. In: ICML (2020)
Google Scholar
Jia, H., Choquette-Choo, C.A., Chandrasekaran, V., Papernot, N.: Entangled watermarks as a defense against model extraction. In: 30th USENIX Security Symposium (USENIX Security 21), pp. 1937–1954. USENIX Association, Berkeley (2021)
Google Scholar
Li, Z., Hu, C., Zhang, Y., Guo, S.: How to prove your model belongs to you: a blind-watermark based framework to protect intellectual property of DNN. In: Proceedings of ACSAC, pp. 126–137 (2019)
Google Scholar
Li, T., Sahu, A.K., Talwalkar, A., Smith, V.: Federated learning: Challenges, methods, and future directions. IEEE Signal Process. Mag. 37(3), 50–60 (2020)
Article Google Scholar
Li, F.Q., Wang, S.L., Liew, A.W.-C.: Regulating ownership verification for deep neural networks: Scenarios, protocols, and prospects. In: IJCAI Workshop (2021)
Google Scholar
Li, F., Yang, L., Wang, S., Liew, A. W.-C.: Leveraging multi-task learning for unambiguous and flexible deep neural network watermarking. In: AAAI SafeAI Workshop (2021)
Google Scholar
Li, F.-Q., Wang, S.-L., Zhu, Y.: Fostering the robustness of white-box deep neural network watermarks by neuron alignment. In: 2022 IEEE ICASSP, pp. 1–6 (2022)
Google Scholar
Li, F.Q., Wang, S., Liew, A.W.-C.: Watermarking protocol for deep neural network ownership regulation in federated learning. In: 2022 IEEE International Conference on Multimedia Expo Workshops (ICMEW), pp. 1–5 (2022)
Google Scholar
Liu, K., Dolan-Gavitt, B., Garg, S.: Fine-pruning: Defending against backdooring attacks on deep neural networks. In: International Symposium on Research in Attacks, Intrusions, and Defenses, pp. 273–294. Springer, Berlin (2018)
Google Scholar
Liu, Y., Lee, W.C., Tao, G., Ma, S., Aafer, Y., Zhang, X.: ABS: Scanning neural networks for back-doors by artificial brain stimulation. In: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, pp. 1265–1282 (2019)
Google Scholar
Namba, R., Sakuma, J.: Robust watermarking of neural network with exponential weighting. In: Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security, pp. 228–240 (2019)
Google Scholar
Uchida, Y., Nagai, Y., Sakazawa, S., Satoh, S.: Embedding watermarks into deep neural networks. In: Proceedings of the 2017 ACM on International Conference on Multimedia Retrieval, pp. 269–277 (2017)
Google Scholar
Wang, T., Kerschbaum, F.: RIGA: Covert and robust white-box watermarking of deep neural networks. In: Proceedings of the Web Conference 2021, pp. 993–1004 (2021)
Google Scholar
Wang, B., Yao, Y., Shan, S., Li, H., Viswanath, B., Zheng, H., Zhao, B.Y.: Neural cleanse: Identifying and mitigating backdoor attacks in neural networks. In: 2019 IEEE Symposium on Security and Privacy (SP), pp. 707–723. IEEE, Piscataway (2019)
Google Scholar
Xue, M., Zhang, Y., Wang, J., Liu, W.: Intellectual property protection for deep learning models: Taxonomy, methods, attacks, and evaluations. IEEE Trans. Artif. Intell. 3(6) 908–923 (2021)
Article Google Scholar
Yang, Q., Liu, Y., Chen, T., Tong, Y.: Federated machine learning: concept and applications. ACM Trans. Intell. Syst. Technol. 10(2), 1–19 (2019)
Article Google Scholar
Zhang, J., Gu, Z., Jang, J., Wu, H., Stoecklin, M.P., Huang, H., Molloy, I.: Protecting intellectual property of deep neural networks with watermarking. In: Proceedings of the 2018 on Asia Conference on Computer and Communications Security, pp. 159–172 (2018)
Google Scholar
Zhao, J., Hu, Q., Liu, G., Ma, X., Chen, F., Hassan, M.M.: AFA: adversarial fingerprinting authentication for deep neural networks. Comput. Commun. 150, 488–497 (2020)
Article Google Scholar
Zhu, R., Zhang, X., Shi, M., Tang, Z.: Secure neural network watermarking protocol against forging attack. EURASIP J. Image Video Process. 2020(1), 1–12 (2020)
Article Google Scholar

Download references

Author information

Authors and Affiliations

Shanghai Jiao Tong University, Shanghai, China
Fangqi Li & Shilin Wang

Authors

Fangqi Li
View author publications
You can also search for this author in PubMed Google Scholar
Shilin Wang
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Fangqi Li .

Editor information

Editors and Affiliations

AI Lab, WeBank, Shenzhen, China
Lixin Fan
Department of Artificial Intelligence, Universiti Malaya, Kuala Lumpur, Malaysia
Chee Seng Chan
Department of CS and Engineering, Hong Kong University of Science and Tech, Hong Kong, China
Qiang Yang

Rights and permissions

Reprints and permissions

Copyright information

About this chapter

Cite this chapter

Li, F., Wang, S. (2023). Ownership Verification Protocols for Deep Neural Network Watermarks. In: Fan, L., Chan, C.S., Yang, Q. (eds) Digital Watermarking for Machine Learning Model. Springer, Singapore. https://doi.org/10.1007/978-981-19-7554-7_2

Download citation

DOI: https://doi.org/10.1007/978-981-19-7554-7_2
Published: 28 November 2022
Publisher Name: Springer, Singapore
Print ISBN: 978-981-19-7553-0
Online ISBN: 978-981-19-7554-7
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics