Abstract
Collecting and annotating large-scale datasets is expensive, so valuable datasets can be considered the intellectual property (IP) of the dataset creator. To date, all copyright protection methods for deep learning focus on protecting models, while there is no research on copyright protection of datasets. Protecting the intellectual property of a dataset is a brand new and very challenging topic. In this paper, we propose an authorization control method to actively protect a dataset from being used to train Deep Neural Network (DNN) models without authorization. To the best of our knowledge, this is the first work on IP protection for datasets. We generate feature space adversarial examples for clean images. Then, we use the modified Reversible Image Transformation to hide the clean images in the corresponding feature space adversarial examples, producing the protected images. For unauthorized users, a model trained directly on the protected dataset will have poor inference accuracy. For authorized users, the model can be trained on the recovered dataset and will have normal inference accuracy. Experimental results on the CIFAR-10 and TinyImageNet datasets demonstrate the effectiveness of the proposed method. The proposed method is also shown to have excellent transferability across different models. Moreover, the proposed method is robust to the adaptive attack.
Acknowledgements
This work is supported by the National Natural Science Foundation of China (No. 61602241), and CCF-NSFOCUS Kun-Peng Scientific Research Fund (No. CCF-NSFOCUS 2021012).
Ethics declarations
Conflict of Interests
The authors declare that there are no conflicts of interest regarding the publication of this paper.
Additional information
Availability of data and materials
The data used to support the findings of this study are available from the corresponding author upon reasonable request.
Publisher’s note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
About this article
Cite this article
Xue, M., Wu, Y., Zhang, Y. et al. Dataset authorization control: protect the intellectual property of dataset via reversible feature space adversarial examples. Appl Intell 53, 7298–7309 (2023). https://doi.org/10.1007/s10489-022-03926-1
DOI: https://doi.org/10.1007/s10489-022-03926-1