Abstract
Deep learning has been widely applied in solving many tasks, such as image recognition, speech recognition, and natural language processing. It requires a high-quality dataset, advanced expert knowledge, and enormous computation to train a large-scale Deep Neural Network (DNN) model, which makes it valuable enough to be protected as Intellectual Property (IP). Defending DNN models against IP violations such as illegal usage, replication, and reproduction is particularly important to the healthy development of deep learning techniques. Many approaches have been developed to protect the DNN model IP, such as DNN watermarking, DNN fingerprinting, DNN authentication, and inference perturbation. Given its significant importance, DNN IP protection is still in its infancy stage. In this paper, we present a comprehensive survey of the existing DNN IP protection approaches. We first summarize the deployment mode for DNN models and describe the DNN IP protection problem. Then we categorize the existing protection approaches based on their protection strategies and introduce them in detail. Finally, we compare these approaches and discuss future research topics in DNN IP protection.
Similar content being viewed by others
Explore related subjects
Discover the latest articles, news and stories from top researchers in related subjects.References
Zellers, R., Holtzman, A., Rashkin, H., Bisk, Y., Farhadi, A., Roesner, F., Choi, Y.: Defending against neural fake news. In: Wallach, H.M., Larochelle, H., Beygelzimer, A., d’Alché-Buc, F., Fox, E.B., Garnett, R. (eds.) Advances in Neural Information Processing Systems 32: Annual Conference on Neural Information Processing Systems 2019, NeurIPS 2019, Vancouver, pp. 9051–9062 (2019)
Goldstein, B.F., Patil, V.C., da Cruz Ferreira, V., Nery, A.S., França, F.M.G., Kundu, S.: Preventing DNN model IP theft via hardware obfuscation. IEEE J. Emerg. Sel. Topics Circuits Syst. 11(2), 267–277 (2021)
Zhou, L., Wen, H., Teodorescu, R., Du, D.H.C.: Distributing deep neural networks with containerized partitions at the edge. In: Ahmad, I., Sundararaman, S. (eds.) 2nd USENIX Workshop on Hot Topics in Edge Computing, HotEdge 2019. USENIX Association, (2019)
Guo, P., Hu, B., Hu, W.: Mistify: Automating DNN model porting for on-device inference at the edge. In: Mickens, J., Teixeira, R. (eds.) 18th USENIX Symposium on Networked Systems Design and Implementation, NSDI 2021, pp. 705–719. USENIX Association, (2021)
Reisinger, M., Frangoudis, P.A., Dustdar, S.: System support and mechanisms for adaptive edge-to-cloud DNN model serving. In: IEEE International Conference on Cloud Engineering, IC2E 2021, pp. 278–279. IEEE, San Francisco (2021). https://doi.org/10.1109/IC2E52221.2021.00046
Kesarwani, M., Mukhoty, B., Arya, V., Mehta, S.: Model extraction warning in mlaas paradigm. In: Proceedings of the 34th Annual Computer Security Applications Conference, ACSAC 2018, pp. 371–380. ACM, (2018). https://doi.org/10.1145/3274694.3274740
Hanzlik, L., Zhang, Y., Grosse, K., Salem, A., Augustin, M., Backes, M., Fritz, M.: Mlcapsule: Guarded offline deployment of machine learning as a service. In: IEEE Conference on Computer Vision and Pattern Recognition Workshops, CVPR Workshops 2021, pp. 3300–3309. Computer Vision Foundation / IEEE, (2021). https://doi.org/10.1109/CVPRW53098.2021.00368
Sun, Q., Bai, C., Chen, T., Geng, H., Zhang, X., Bai, Y., Yu, B.: Fast and efficient DNN deployment via deep gaussian transfer learning. In: 2021 IEEE/CVF International Conference on Computer Vision, ICCV 2021, pp. 5360–5370. IEEE, (2021). https://doi.org/10.1109/ICCV48922.2021.00533
Hussain, H., Tamizharasan, P.S., Rahul, C.S.: Design possibilities and challenges of DNN models: a review on the perspective of end devices. Artif. Intell. Rev. 55(7), 5109–5167 (2022)
Xia, C., Zhao, J., Cui, H., Feng, X., Xue, J.: Dnntune: Automatic benchmarking DNN models for mobile-cloud computing. ACM Trans. Archit. Code Optim. 16(4), 49–14926 (2020)
Hinton, G.E., Salakhutdinov, R.R.: Reducing the dimensionality of data with neural networks. Science 313(5786), 504–507 (2006). https://doi.org/10.1126/science.1127647
Yosinski, J., Clune, J., Bengio, Y., Lipson, H.: How transferable are features in deep neural networks? In: Ghahramani, Z., Welling, M., Cortes, C., Lawrence, N.D., Weinberger, K.Q. (eds.) Advances in Neural Information Processing Systems 27: Annual Conference on Neural Information Processing Systems 2014, NIPS 2014, Montreal, pp. 3320–3328 (2014)
Hinton, G., Vinyals, O., Dean, J.: Distilling the knowledge in a neural network (2015). Preprint at arxiv: 1503.02531
Fang, G., Song, J., Shen, C., Wang, X., Chen, D., Song, M.: Data-Free adversarial distillation. Preprint at arxiv 1912, 11006 (2019)
Choi, Y., Choi, J.P., El-Khamy, M., Lee, J.: Data-free network quantization with adversarial knowledge distillation. In: 2020 IEEE/CVF Conference on Computer Vision and Pattern Recognition, CVPR Workshops 2020, pp. 3047–3057. Computer Vision Foundation / IEEE, (2020). https://doi.org/10.1109/CVPRW50498.2020.00363
Tramèr, F., Zhang, F., Juels, A., Reiter, M.K., Ristenpart, T.: Stealing machine learning models via prediction apis. In: Holz, T., Savage, S. (eds.) 25th USENIX Security Symposium, USENIX Security 16, pp. 601–618. USENIX Association, (2016)
Orekondy, T., Schiele, B., Fritz, M.: Knockoff nets: Stealing functionality of black-box models. In: IEEE Conference on Computer Vision and Pattern Recognition, CVPR 2019, pp. 4954–4963. Computer Vision Foundation / IEEE, (2019). https://doi.org/10.1109/CVPR.2019.00509
Yu, H., Yang, K., Zhang, T., Tsai, Y., Ho, T., Jin, Y.: Cloudleak: Large-scale deep learning models stealing through adversarial examples. In: 27th Annual Network and Distributed System Security Symposium, NDSS 2020. The Internet Society, (2020)
Kariyappa, S., Prakash, A., Qureshi, M.K.: MAZE: data-free model stealing attack using zeroth-order gradient estimation. In: IEEE Conference on Computer Vision and Pattern Recognition, CVPR 2021, pp. 13814–13823. Computer Vision Foundation / IEEE, (2021). https://doi.org/10.1109/CVPR46437.2021.01360
Sanyal, S., Addepalli, S., Babu, R.V.: Towards data-free model stealing in a hard label setting. In: 2022 IEEE/CVF Conference on Computer Vision and Pattern Recognition, CVPR 2022, pp. 13430–13439. Computer Vision Foundation / IEEE, (2022)
Rakin, A.S., Chowdhuryy, M.H.I., Yao, F., Fan, D.: Deepsteal: Advanced model extractions leveraging efficient weight stealing in memories. In: 43rd IEEE Symposium on Security and Privacy, SP 2022, pp. 1157–1174. IEEE, (2022). https://doi.org/10.1109/SP46214.2022.9833743
Milli, S., Schmidt, L., Dragan, A.D., Hardt, M.: Model reconstruction from model explanations. In: danah boyd, Morgenstern, J.H. (eds.) Proceedings of the Conference on Fairness, Accountability, and Transparency, FAT 2019, pp. 1–9. ACM, (2019). https://doi.org/10.1145/3287560.3287562
Batina, L., Bhasin, S., Jap, D., Picek, S.: CSI NN: reverse engineering of neural network architectures through electromagnetic side channel. In: Heninger, N., Traynor, P. (eds.) 28th USENIX Security Symposium, USENIX Security 2019, pp. 515–532. USENIX Association, (2019)
Merrer, E.L., Pérez, P., Trédan, G.: Adversarial frontier stitching for remote neural network watermarking. Neural Comput. Appl. 32(13), 9233–9244 (2020)
Yang, P., Lao, Y., Li, P.: Robust watermarking for deep neural networks via bi-level optimization. In: 2021 IEEE/CVF International Conference on Computer Vision, ICCV 2021, pp. 14821–14830. IEEE, (2021). https://doi.org/10.1109/ICCV48922.2021.01457
Adi, Y., Baum, C., Cissé, M., Pinkas, B., Keshet, J.: Turning your weakness into a strength: Watermarking deep neural networks by backdooring. In: Enck, W., Felt, A.P. (eds.) 27th USENIX Security Symposium, USENIX Security 2018, pp. 1615–1631. USENIX Association, (2018)
Zhang, J., Gu, Z., Jang, J., Wu, H., Stoecklin, M.P., Huang, H., Molloy, I.M.: Protecting intellectual property of deep neural networks with watermarking. In: Kim, J., Ahn, G., Kim, S., Kim, Y., López, J., Kim, T. (eds.) Proceedings of the 2018 on Asia Conference on Computer and Communications Security, AsiaCCS 2018, pp. 159–172. ACM, (2018). https://doi.org/10.1145/3196494.3196550
Guo, J., Potkonjak, M.: Watermarking deep neural networks for embedded systems. In: Bahar, I. (ed.) Proceedings of the International Conference on Computer-Aided Design, ICCAD 2018, p. 133. ACM, (2018). https://doi.org/10.1145/3240765.3240862
Li, Z., Hu, C., Zhang, Y., Guo, S.: How to prove your model belongs to you: a blind-watermark based framework to protect intellectual property of DNN. In: Balenson, D. (ed.) Proceedings of the 35th Annual Computer Security Applications Conference, ACSAC 2019, pp. 126–137. ACM, (2019). https://doi.org/10.1145/3359789.3359801
Lukas, N., Jiang, E., Li, X., Kerschbaum, F.: Sok: How robust is image classification deep neural network watermarking? In: 43rd IEEE Symposium on Security and Privacy, SP 2022, pp. 787–804. IEEE, (2022). https://doi.org/10.1109/SP46214.2022.9833693
Shafieinejad, M., Lukas, N., Wang, J., Li, X., Kerschbaum, F.: On the robustness of backdoor-based watermarking in deep neural networks. In: Borghys, D., Bas, P., Verdoliva, L., Pevný, T., Li, B., Newman, J. (eds.) Proceedings of the 2021 ACM Workshop on Information Hiding and Multimedia Security, pp. 177–188. ACM, (2021). https://doi.org/10.1145/3437880.3460401
Guo, S., Zhang, T., Qiu, H., Zeng, Y., Xiang, T., Liu, Y.: Fine-tuning is not enough: A simple yet effective watermark removal attack for DNN models. In: Zhou, Z. (ed.) Proceedings of the Thirtieth International Joint Conference on Artificial Intelligence, IJCAI 2021, pp. 3635–3641. ijcai.org, (2021). https://doi.org/10.24963/ijcai.2021/500
Hitaj, D., Mancini, L.V.: Have You Stolen My Model? Evasion attacks against deep neural network watermarking techniques. Preprint at arxiv: 1809.00615 (2018)
Wang, T., Kerschbaum, F.: Attacks on digital watermarks for deep neural networks. In: IEEE International Conference on Acoustics, Speech and Signal Processing, ICASSP 2019, pp. 2622–2626. IEEE, (2019). https://doi.org/10.1109/ICASSP.2019.8682202
Chen, J., Wang, J., Peng, T., Sun, Y., Cheng, P., Ji, S., Ma, X., Li, B., Song, D.: Copy, right? a testing framework for copyright protection of deep learning models. In: 43rd IEEE Symposium on Security and Privacy, SP 2022, pp. 824–841. IEEE, (2022). https://doi.org/10.1109/SP46214.2022.9833747
Goodfellow, I., Bengio, Y., Courville, A.: Deep Learning. MIT Press, (2016)
Devlin, J., Chang, M., Lee, K., Toutanova, K.: BERT: pre-training of deep bidirectional transformers for language understanding. In: Burstein, J., Doran, C., Solorio, T. (eds.) Proceedings of the 2019 Conference of the North American Chapter of the Association for Computational Linguistics: Human Language Technologies, NAACL-HLT 2019, pp. 4171–4186. Association for Computational Linguistics, (2019). https://doi.org/10.18653/v1/n19-1423
Cheng, Y., Wang, D., Zhou, P., Zhang, T.: A survey of model compression and acceleration for deep neural networks. Preprint at arxiv: 1710.09282 (2017)
Choudhary, T., Mishra, V.K., Goswami, A., Sarangapani, J.: A comprehensive survey on model compression and acceleration. Artif. Intell. Rev. 53(7), 5113–5155 (2020)
LeCun, Y., Denker, J.S., Solla, S.A.: Optimal brain damage. In: Touretzky, D.S. (ed.) Advances in Neural Information Processing Systems 2, NIPS 1989, pp. 598–605. Morgan Kaufmann, (1989)
Han, S., Pool, J., Tran, J., Dally, W.J.: Learning both weights and connections for efficient neural network. In: Cortes, C., Lawrence, N.D., Lee, D.D., Sugiyama, M., Garnett, R. (eds.) Advances in Neural Information Processing Systems 28: Annual Conference on Neural Information Processing Systems 2015, NIPS 2015, Montreal, pp. 1135–1143 (2015)
Li, H., Kadav, A., Durdanovic, I., Samet, H., Graf, H.P.: Pruning filters for efficient convnets. In: 5th International Conference on Learning Representations, ICLR 2017. OpenReview.net, (2017)
Polino, A., Pascanu, R., Alistarh, D.: Model compression via distillation and quantization. In: 6th International Conference on Learning Representations, ICLR 2018. OpenReview.net, (2018)
Rigamonti, R., Sironi, A., Lepetit, V., Fua, P.: Learning separable filters. In: 2013 IEEE Conference on Computer Vision and Pattern Recognition, CVPR 2013, pp. 2754–2761. IEEE Computer Society, (2013). https://doi.org/10.1109/CVPR.2013.355
Jagielski, M., Carlini, N., Berthelot, D., Kurakin, A., Papernot, N.: High accuracy and high fidelity extraction of neural networks. In: Capkun, S., Roesner, F. (eds.) 29th USENIX Security Symposium, USENIX Security 2020, pp. 1345–1362. USENIX Association, (2020)
Gong, X., Wang, Q., Chen, Y., Yang, W., Jiang, X.: Model extraction attacks and defenses on cloud-based machine learning models. IEEE Commun. Mag. 58(12), 83–89 (2020)
Li, Y., Wang, H., Barni, M.: A survey of deep neural network watermarking techniques. Neurocomputing 461, 171–193 (2021)
Uchida, Y., Nagai, Y., Sakazawa, S., Satoh, S.: Embedding watermarks into deep neural networks. In: Ionescu, B., Sebe, N., Feng, J., Larson, M.A., Lienhart, R., Snoek, C. (eds.) Proceedings of the 2017 ACM on International Conference on Multimedia Retrieval, ICMR 2017, pp. 269–277. ACM, (2017). https://doi.org/10.1145/3078971.3078974
Chen, H., Rouhani, B.D., Fu, C., Zhao, J., Koushanfar, F.: Deepmarks: A secure fingerprinting framework for digital rights management of deep learning models. In: El-Saddik, A., Bimbo, A.D., Zhang, Z., Hauptmann, A.G., Candan, K.S., Bertini, M., Xie, L., Wei, X. (eds.) Proceedings of the 2019 on International Conference on Multimedia Retrieval, ICMR 2019, pp. 105–113. ACM, (2019). https://doi.org/10.1145/3323873.3325042
Wang, T., Kerschbaum, F.: RIGA: covert and robust white-box watermarking of deep neural networks. In: Leskovec, J., Grobelnik, M., Najork, M., Tang, J., Zia, L. (eds.) Proceedings of the Web Conference 2021, WWW 2021, pp. 993–1004. ACM / IW3C2, (2021). https://doi.org/10.1145/3442381.3450000
Liu, H., Weng, Z., Zhu, Y.: Watermarking deep neural networks with greedy residuals. In: Meila, M., Zhang, T. (eds.) Proceedings of the 38th International Conference on Machine Learning, ICML 2021. Proceedings of Machine Learning Research, vol. 139, pp. 6978–6988. PMLR, (2021)
Rouhani, B.D., Chen, H., Koushanfar, F.: Deepsigns: An end-to-end watermarking framework for ownership protection of deep neural networks. In: Bahar, I., Herlihy, M., Witchel, E., Lebeck, A.R. (eds.) Proceedings of the Twenty-Fourth International Conference on Architectural Support for Programming Languages and Operating Systems, ASPLOS 2019, pp. 485–497. ACM, (2019). https://doi.org/10.1145/3297858.3304051
Namba, R., Sakuma, J.: Robust watermarking of neural network with exponential weighting. In: Galbraith, S.D., Russello, G., Susilo, W., Gollmann, D., Kirda, E., Liang, Z. (eds.) Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security, AsiaCCS 2019, pp. 228–240. ACM, (2019). https://doi.org/10.1145/3321705.3329808
Jia, H., Choquette-Choo, C.A., Chandrasekaran, V., Papernot, N.: Entangled watermarks as a defense against model extraction. In: Bailey, M., Greenstadt, R. (eds.) 30th USENIX Security Symposium, USENIX Security 2021, pp. 1937–1954. USENIX Association, (2021)
Szyller, S., Atli, B.G., Marchal, S., Asokan, N.: DAWN: dynamic adversarial watermarking of neural networks. In: Shen, H.T., Zhuang, Y., Smith, J.R., Yang, Y., Cesar, P., Metze, F., Prabhakaran, B. (eds.) Proceedings of the 29th ACM International Conference on Multimedia, MM 2021, pp. 4417–4425. ACM, (2021). https://doi.org/10.1145/3474085.3475591
Goodfellow, I.J., Shlens, J., Szegedy, C.: Explaining and harnessing adversarial examples. In: Bengio, Y., LeCun, Y. (eds.) 3rd International Conference on Learning Representations, ICLR 2015, San Diego (2015)
Kurakin, A., Goodfellow, I.J., Bengio, S.: Adversarial examples in the physical world. In: 5th International Conference on Learning Representations, ICLR 2017. OpenReview.net, (2017)
Ilyas, A., Santurkar, S., Tsipras, D., Engstrom, L., Tran, B., Madry, A.: Adversarial examples are not bugs, they are features. In: Wallach, H.M., Larochelle, H., Beygelzimer, A., d’Alché-Buc, F., Fox, E.B., Garnett, R. (eds.) Advances in Neural Information Processing Systems 32: Annual Conference on Neural Information Processing Systems 2019, NeurIPS 2019, Vancouver, pp. 125–136 (2019)
Gu, T., Dolan-Gavitt, B., Garg, S.: BadNets: Identifying vulnerabilities in the machine learning model supply chain. Preprint at https://arxiv.org/abs/1708.06733 (2017)
Liu, Y., Ma, S., Aafer, Y., Lee, W., Zhai, J., Wang, W., Zhang, X.: Trojaning attack on neural networks. In: 25th Annual Network and Distributed System Security Symposium, NDSS 2018. The Internet Society, (2018)
Jia, H., Yaghini, M., Choquette-Choo, C.A., Dullerud, N., Thudi, A., Chandrasekaran, V., Papernot, N.: Proof-of-learning: Definitions and practice. In: 42nd IEEE Symposium on Security and Privacy, SP 2021, pp. 1039–1056. IEEE, (2021). https://doi.org/10.1109/SP40001.2021.00106
Cao, X., Jia, J., Gong, N.Z.: Ipguard: Protecting intellectual property of deep neural networks via fingerprinting the classification boundary. In: Cao, J., Au, M.H., Lin, Z., Yung, M. (eds.) Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security, AsiaCCS 2021, pp. 14–25. ACM, (2021). https://doi.org/10.1145/3433210.3437526
Lukas, N., Zhang, Y., Kerschbaum, F.: Deep neural network fingerprinting by conferrable adversarial examples. In: 9th International Conference on Learning Representations, ICLR 2021. OpenReview.net, (2021)
Peng, Z., Li, S., Chen, G., Zhang, C., Zhu, H., Xue, M.: Fingerprinting deep neural networks globally via universal adversarial perturbations. In: 2022 IEEE/CVF Conference on Computer Vision and Pattern Recognition, CVPR 2022, pp. 13430–13439. Computer Vision Foundation / IEEE, (2022)
Li, Y., Zhang, Z., Liu, B., Yang, Z., Liu, Y.: Modeldiff: Testing-based DNN similarity comparison for model reuse detection. In: Cadar, C., Zhang, X. (eds.) Proceedings of the 30th ACM SIGSOFT International Symposium on Software Testing and Analysis, ISSTA 2021, pp. 139–151. ACM, (2021). https://doi.org/10.1145/3460319.3464816
Maini, P., Yaghini, M., Papernot, N.: Dataset inference: Ownership resolution in machine learning. In: 9th International Conference on Learning Representations, ICLR 2021. OpenReview.net, (2021)
Chen, H., Fu, C., Rouhani, B.D., Zhao, J., Koushanfar, F.: Deepattest: An end-to-end attestation framework for deep neural networks. In: Manne, S.B., Hunter, H.C., Altman, E.R. (eds.) Proceedings of the 46th International Symposium on Computer Architecture, ISCA 2019, pp. 487–498. ACM, (2019). https://doi.org/10.1145/3307650.3322251
Chakraborty, A., Mondal, A., Srivastava, A.: Hardware-assisted intellectual property protection of deep learning models. In: 57th ACM/IEEE Design Automation Conference, DAC 2020, pp. 1–6. IEEE, (2020). https://doi.org/10.1109/DAC18072.2020.9218651
Fan, L., Ng, K.W., Chan, C.S.: Rethinking deep neural network ownership verification: embedding passports to defeat ambiguity attacks. In: Wallach, H.M., Larochelle, H., Beygelzimer, A., d’Alché-Buc, F., Fox, E.B., Garnett, R. (eds.) Advances in Neural Information Processing Systems 32: Annual Conference on Neural Information Processing Systems 2019, NeurIPS 2019, Vancouver, pp. 4716–4725 (2019)
Zhang, J., Chen, D., Liao, J., Zhang, W., Hua, G., Yu, N.: Passport-aware normalization for deep model protection. In: Larochelle, H., Ranzato, M., Hadsell, R., Balcan, M., Lin, H. (eds.) Advances in Neural Information Processing Systems 33: Annual Conference on Neural Information Processing Systems 2020, NeurIPS 2020 (2020)
Lin, N., Chen, X., Lu, H., Li, X.: Chaotic weights: A novel approach to protect intellectual property of deep neural networks. IEEE Trans. Comput. Aided Des. Integr. Circuits Syst. 40(7), 1327–1339 (2021)
Xue, M., Sun, S., He, C., Zhang, Y., Wang, J., Liu, W.: ActiveGuard: An active DNN IP protection technique via adversarial examples. Preprint at arxiv: 2103.01527 (2021)
Lee, T., Edwards, B., Molloy, I.M., Su, D.: Defending against neural network model stealing attacks using deceptive perturbations. In: 2019 IEEE Security and Privacy Workshops, SP Workshops 2019, pp. 43–49. IEEE, (2019). https://doi.org/10.1109/SPW.2019.00020
Orekondy, T., Schiele, B., Fritz, M.: Prediction poisoning: Towards defenses against DNN model stealing attacks. In: 8th International Conference on Learning Representations, ICLR 2020. OpenReview.net, (2020)
Juuti, M., Szyller, S., Marchal, S., Asokan, N.: PRADA: protecting against DNN model stealing attacks. In: IEEE European Symposium on Security and Privacy, EuroS &P 2019, pp. 512–527. IEEE, (2019). https://doi.org/10.1109/EuroSP.2019.00044
Kariyappa, S., Qureshi, M.K.: Defending against model stealing attacks with adaptive misinformation. In: 2020 IEEE/CVF Conference on Computer Vision and Pattern Recognition, CVPR 2020, pp. 767–775. Computer Vision Foundation / IEEE, (2020). https://doi.org/10.1109/CVPR42600.2020.00085
Regazzoni, F., Palmieri, P., Smailbegovic, F., Cammarota, R., Polian, I.: Protecting artificial intelligence ips: a survey of watermarking and fingerprinting for machine learning. CAAI Transactions on Intelligence Technology 6(2), 180–191 (2021)
Barni, M., Pérez-González, F., Tondi, B.: DNN watermarking: Four challenges and a funeral. In: Borghys, D., Bas, P., Verdoliva, L., Pevný, T., Li, B., Newman, J. (eds.) Proceedings of the 2021 ACM Workshop on Information Hiding and Multimedia Security, pp. 189–196. ACM, (2021). https://doi.org/10.1145/3437880.3460399
Xue, M., Wang, J., Liu, W.: Dnn intellectual property protection: Taxonomy, attacks and evaluations. In: Chen, Y., Zhirnov, V.V., Sasan, A., Savidis, I. (eds.) Proceedings of the 2021 on Great Lakes Symposium on VLSI, GLSVLSI 2021, pp. 455–460. ACM, (2021). https://doi.org/10.1145/3453688.3461752
Nagai, Y., Uchida, Y., Sakazawa, S., Satoh, S.: Digital watermarking for deep neural networks. Int. J. Multim. Inf. Retr. 7(1), 3–16 (2018)
Chen, X., Wang, W., Bender, C., Ding, Y., Jia, R., Li, B., Song, D.: REFIT: A unified watermark removal framework for deep learning systems with limited data. In: Cao, J., Au, M.H., Lin, Z., Yung, M. (eds.) Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security, ASIA CCS 2021, pp. 321–335. ACM, (2021). https://doi.org/10.1145/3433210.3453079
Kornblith, S., Norouzi, M., Lee, H., Hinton, G.E.: Similarity of neural network representations revisited. In: Chaudhuri, K., Salakhutdinov, R. (eds.) Proceedings of the 36th International Conference on Machine Learning, ICML 2019. Proceedings of Machine Learning Research, vol. 97, pp. 3519–3529. PMLR, (2019)
Salakhutdinov, R., Hinton, G.E.: Learning a nonlinear embedding by preserving class neighbourhood structure. In: Meila, M., Shen, X. (eds.) Proceedings of the Eleventh International Conference on Artificial Intelligence and Statistics, AISTATS 2007. JMLR Proceedings, vol. 2, pp. 412–419. JMLR.org, (2007)
Breier, J., Hou, X., Jap, D., Ma, L., Bhasin, S., Liu, Y.: Practical fault attack on deep neural networks. In: Lie, D., Mannan, M., Backes, M., Wang, X. (eds.) Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, CCS 2018, pp. 2204–2206. ACM, (2018). https://doi.org/10.1145/3243734.3278519
Hong, S., Frigo, P., Kaya, Y., Giuffrida, C., Dumitras, T.: Terminal brain damage: Exposing the graceless degradation in deep neural networks under hardware fault attacks. In: Heninger, N., Traynor, P. (eds.) 28th USENIX Security Symposium, USENIX Security 2019, pp. 497–514. USENIX Association, (2019)
Zhang, R., Liu, J., Ding, Y., Wang, Z., Wu, Q., Ren, K.: Adversarial examples for proof-of-learning. In: 43rd IEEE Symposium on Security and Privacy, SP 2022, pp. 1408–1422. IEEE, (2022). https://doi.org/10.1109/SP46214.2022.9833596
Moosavi-Dezfooli, S., Fawzi, A., Fawzi, O., Frossard, P.: Universal adversarial perturbations. In: 2017 IEEE Conference on Computer Vision and Pattern Recognition, CVPR 2017, pp. 86–94. IEEE Computer Society, (2017). https://doi.org/10.1109/CVPR.2017.17
Cai, Y., Chen, X., Tian, L., Wang, Y., Yang, H.: Enabling secure in-memory neural network computing by sparse fast gradient encryption. In: Pan, D.Z. (ed.) Proceedings of the International Conference on Computer-Aided Design, ICCAD 2019, pp. 1–8. ACM, (2019). https://doi.org/10.1109/ICCAD45719.2019.8942041
Peterson, G.: Arnold’s cat map. Math linear algebra 45, 1–7 (1997)
Papernot, N., McDaniel, P.D., Goodfellow, I.J., Jha, S., Celik, Z.B., Swami, A.: Practical black-box attacks against machine learning. In: Karri, R., Sinanoglu, O., Sadeghi, A., Yi, X. (eds.) Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security, AsiaCCS 2017, pp. 506–519. ACM, (2017). https://doi.org/10.1145/3052973.3053009
Quan, Y., Teng, H., Chen, Y., Ji, H.: Watermarking deep neural networks in image processing. IEEE Trans. Neural Networks Learn. Syst. 32(5), 1852–1865 (2021)
Ong, D.S., Chan, C.S., Ng, K.W., Fan, L., Yang, Q.: Protecting intellectual property of generative adversarial networks from ambiguity attacks. In: IEEE Conference on Computer Vision and Pattern Recognition, CVPR 2021, pp. 3630–3639. Computer Vision Foundation / IEEE, (2021). https://doi.org/10.1109/CVPR46437.2021.00363
Zhao, X., Wu, H., Zhang, X.: Watermarking graph neural networks by random graphs. In: Varol, A., Karabatak, M., Varol, I. (eds.) 9th International Symposium on Digital Forensics and Security, ISDFS 2021, pp. 1–6. IEEE, (2021). https://doi.org/10.1109/ISDFS52919.2021.9486352
Xu, J., Picek, S.: Watermarking Graph Neural Networks based on Backdoor Attacks. Preprint at arxiv: 2110.11024 (2021)
Funding
HK RGC RIF (Research Impact Fund) Ref. No.: R1012-21.
Author information
Authors and Affiliations
Contributions
Sen Peng proposed the design of the work and wrote the main manuscript. Jie Xu and Zizhuo Chen surveyed parts of the methods and prepared the comparison. Yufei Chen, Cong Wang, and Xiaohua Jia provided critical revisions to the manuscript. All authors provided critical feedback and reviewed the manuscript.
Corresponding author
Ethics declarations
Conflicts of interest
The authors have no relevant financial or non-financial interests to disclose.
Rights and permissions
Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.
About this article
Cite this article
Peng, S., Chen, Y., Xu, J. et al. Intellectual property protection of DNN models. World Wide Web 26, 1877–1911 (2023). https://doi.org/10.1007/s11280-022-01113-3
Received:
Revised:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s11280-022-01113-3