Skip to main content
Log in

Intellectual property protection of DNN models

  • Published:
World Wide Web Aims and scope Submit manuscript

Abstract

Deep learning has been widely applied in solving many tasks, such as image recognition, speech recognition, and natural language processing. It requires a high-quality dataset, advanced expert knowledge, and enormous computation to train a large-scale Deep Neural Network (DNN) model, which makes it valuable enough to be protected as Intellectual Property (IP). Defending DNN models against IP violations such as illegal usage, replication, and reproduction is particularly important to the healthy development of deep learning techniques. Many approaches have been developed to protect the DNN model IP, such as DNN watermarking, DNN fingerprinting, DNN authentication, and inference perturbation. Given its significant importance, DNN IP protection is still in its infancy stage. In this paper, we present a comprehensive survey of the existing DNN IP protection approaches. We first summarize the deployment mode for DNN models and describe the DNN IP protection problem. Then we categorize the existing protection approaches based on their protection strategies and introduce them in detail. Finally, we compare these approaches and discuss future research topics in DNN IP protection.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Figure 1
Figure 2

Similar content being viewed by others

Explore related subjects

Discover the latest articles, news and stories from top researchers in related subjects.

References

  1. Zellers, R., Holtzman, A., Rashkin, H., Bisk, Y., Farhadi, A., Roesner, F., Choi, Y.: Defending against neural fake news. In: Wallach, H.M., Larochelle, H., Beygelzimer, A., d’Alché-Buc, F., Fox, E.B., Garnett, R. (eds.) Advances in Neural Information Processing Systems 32: Annual Conference on Neural Information Processing Systems 2019, NeurIPS 2019, Vancouver, pp. 9051–9062 (2019)

  2. Goldstein, B.F., Patil, V.C., da Cruz Ferreira, V., Nery, A.S., França, F.M.G., Kundu, S.: Preventing DNN model IP theft via hardware obfuscation. IEEE J. Emerg. Sel. Topics Circuits Syst. 11(2), 267–277 (2021)

  3. Zhou, L., Wen, H., Teodorescu, R., Du, D.H.C.: Distributing deep neural networks with containerized partitions at the edge. In: Ahmad, I., Sundararaman, S. (eds.) 2nd USENIX Workshop on Hot Topics in Edge Computing, HotEdge 2019. USENIX Association, (2019)

  4. Guo, P., Hu, B., Hu, W.: Mistify: Automating DNN model porting for on-device inference at the edge. In: Mickens, J., Teixeira, R. (eds.) 18th USENIX Symposium on Networked Systems Design and Implementation, NSDI 2021, pp. 705–719. USENIX Association, (2021)

  5. Reisinger, M., Frangoudis, P.A., Dustdar, S.: System support and mechanisms for adaptive edge-to-cloud DNN model serving. In: IEEE International Conference on Cloud Engineering, IC2E 2021, pp. 278–279. IEEE, San Francisco (2021). https://doi.org/10.1109/IC2E52221.2021.00046

  6. Kesarwani, M., Mukhoty, B., Arya, V., Mehta, S.: Model extraction warning in mlaas paradigm. In: Proceedings of the 34th Annual Computer Security Applications Conference, ACSAC 2018, pp. 371–380. ACM, (2018). https://doi.org/10.1145/3274694.3274740

  7. Hanzlik, L., Zhang, Y., Grosse, K., Salem, A., Augustin, M., Backes, M., Fritz, M.: Mlcapsule: Guarded offline deployment of machine learning as a service. In: IEEE Conference on Computer Vision and Pattern Recognition Workshops, CVPR Workshops 2021, pp. 3300–3309. Computer Vision Foundation / IEEE, (2021). https://doi.org/10.1109/CVPRW53098.2021.00368

  8. Sun, Q., Bai, C., Chen, T., Geng, H., Zhang, X., Bai, Y., Yu, B.: Fast and efficient DNN deployment via deep gaussian transfer learning. In: 2021 IEEE/CVF International Conference on Computer Vision, ICCV 2021, pp. 5360–5370. IEEE, (2021). https://doi.org/10.1109/ICCV48922.2021.00533

  9. Hussain, H., Tamizharasan, P.S., Rahul, C.S.: Design possibilities and challenges of DNN models: a review on the perspective of end devices. Artif. Intell. Rev. 55(7), 5109–5167 (2022)

    Article  Google Scholar 

  10. Xia, C., Zhao, J., Cui, H., Feng, X., Xue, J.: Dnntune: Automatic benchmarking DNN models for mobile-cloud computing. ACM Trans. Archit. Code Optim. 16(4), 49–14926 (2020)

    Google Scholar 

  11. Hinton, G.E., Salakhutdinov, R.R.: Reducing the dimensionality of data with neural networks. Science 313(5786), 504–507 (2006). https://doi.org/10.1126/science.1127647

    Article  MathSciNet  MATH  Google Scholar 

  12. Yosinski, J., Clune, J., Bengio, Y., Lipson, H.: How transferable are features in deep neural networks? In: Ghahramani, Z., Welling, M., Cortes, C., Lawrence, N.D., Weinberger, K.Q. (eds.) Advances in Neural Information Processing Systems 27: Annual Conference on Neural Information Processing Systems 2014, NIPS 2014, Montreal, pp. 3320–3328 (2014)

  13. Hinton, G., Vinyals, O., Dean, J.: Distilling the knowledge in a neural network (2015). Preprint at arxiv: 1503.02531

  14. Fang, G., Song, J., Shen, C., Wang, X., Chen, D., Song, M.: Data-Free adversarial distillation. Preprint at arxiv 1912, 11006 (2019)

  15. Choi, Y., Choi, J.P., El-Khamy, M., Lee, J.: Data-free network quantization with adversarial knowledge distillation. In: 2020 IEEE/CVF Conference on Computer Vision and Pattern Recognition, CVPR Workshops 2020, pp. 3047–3057. Computer Vision Foundation / IEEE, (2020). https://doi.org/10.1109/CVPRW50498.2020.00363

  16. Tramèr, F., Zhang, F., Juels, A., Reiter, M.K., Ristenpart, T.: Stealing machine learning models via prediction apis. In: Holz, T., Savage, S. (eds.) 25th USENIX Security Symposium, USENIX Security 16, pp. 601–618. USENIX Association, (2016)

  17. Orekondy, T., Schiele, B., Fritz, M.: Knockoff nets: Stealing functionality of black-box models. In: IEEE Conference on Computer Vision and Pattern Recognition, CVPR 2019, pp. 4954–4963. Computer Vision Foundation / IEEE, (2019). https://doi.org/10.1109/CVPR.2019.00509

  18. Yu, H., Yang, K., Zhang, T., Tsai, Y., Ho, T., Jin, Y.: Cloudleak: Large-scale deep learning models stealing through adversarial examples. In: 27th Annual Network and Distributed System Security Symposium, NDSS 2020. The Internet Society, (2020)

  19. Kariyappa, S., Prakash, A., Qureshi, M.K.: MAZE: data-free model stealing attack using zeroth-order gradient estimation. In: IEEE Conference on Computer Vision and Pattern Recognition, CVPR 2021, pp. 13814–13823. Computer Vision Foundation / IEEE, (2021). https://doi.org/10.1109/CVPR46437.2021.01360

  20. Sanyal, S., Addepalli, S., Babu, R.V.: Towards data-free model stealing in a hard label setting. In: 2022 IEEE/CVF Conference on Computer Vision and Pattern Recognition, CVPR 2022, pp. 13430–13439. Computer Vision Foundation / IEEE, (2022)

  21. Rakin, A.S., Chowdhuryy, M.H.I., Yao, F., Fan, D.: Deepsteal: Advanced model extractions leveraging efficient weight stealing in memories. In: 43rd IEEE Symposium on Security and Privacy, SP 2022, pp. 1157–1174. IEEE, (2022). https://doi.org/10.1109/SP46214.2022.9833743

  22. Milli, S., Schmidt, L., Dragan, A.D., Hardt, M.: Model reconstruction from model explanations. In: danah boyd, Morgenstern, J.H. (eds.) Proceedings of the Conference on Fairness, Accountability, and Transparency, FAT 2019, pp. 1–9. ACM, (2019). https://doi.org/10.1145/3287560.3287562

  23. Batina, L., Bhasin, S., Jap, D., Picek, S.: CSI NN: reverse engineering of neural network architectures through electromagnetic side channel. In: Heninger, N., Traynor, P. (eds.) 28th USENIX Security Symposium, USENIX Security 2019, pp. 515–532. USENIX Association, (2019)

  24. Merrer, E.L., Pérez, P., Trédan, G.: Adversarial frontier stitching for remote neural network watermarking. Neural Comput. Appl. 32(13), 9233–9244 (2020)

    Article  Google Scholar 

  25. Yang, P., Lao, Y., Li, P.: Robust watermarking for deep neural networks via bi-level optimization. In: 2021 IEEE/CVF International Conference on Computer Vision, ICCV 2021, pp. 14821–14830. IEEE, (2021). https://doi.org/10.1109/ICCV48922.2021.01457

  26. Adi, Y., Baum, C., Cissé, M., Pinkas, B., Keshet, J.: Turning your weakness into a strength: Watermarking deep neural networks by backdooring. In: Enck, W., Felt, A.P. (eds.) 27th USENIX Security Symposium, USENIX Security 2018, pp. 1615–1631. USENIX Association, (2018)

  27. Zhang, J., Gu, Z., Jang, J., Wu, H., Stoecklin, M.P., Huang, H., Molloy, I.M.: Protecting intellectual property of deep neural networks with watermarking. In: Kim, J., Ahn, G., Kim, S., Kim, Y., López, J., Kim, T. (eds.) Proceedings of the 2018 on Asia Conference on Computer and Communications Security, AsiaCCS 2018, pp. 159–172. ACM, (2018). https://doi.org/10.1145/3196494.3196550

  28. Guo, J., Potkonjak, M.: Watermarking deep neural networks for embedded systems. In: Bahar, I. (ed.) Proceedings of the International Conference on Computer-Aided Design, ICCAD 2018, p. 133. ACM, (2018). https://doi.org/10.1145/3240765.3240862

  29. Li, Z., Hu, C., Zhang, Y., Guo, S.: How to prove your model belongs to you: a blind-watermark based framework to protect intellectual property of DNN. In: Balenson, D. (ed.) Proceedings of the 35th Annual Computer Security Applications Conference, ACSAC 2019, pp. 126–137. ACM, (2019). https://doi.org/10.1145/3359789.3359801

  30. Lukas, N., Jiang, E., Li, X., Kerschbaum, F.: Sok: How robust is image classification deep neural network watermarking? In: 43rd IEEE Symposium on Security and Privacy, SP 2022, pp. 787–804. IEEE, (2022). https://doi.org/10.1109/SP46214.2022.9833693

  31. Shafieinejad, M., Lukas, N., Wang, J., Li, X., Kerschbaum, F.: On the robustness of backdoor-based watermarking in deep neural networks. In: Borghys, D., Bas, P., Verdoliva, L., Pevný, T., Li, B., Newman, J. (eds.) Proceedings of the 2021 ACM Workshop on Information Hiding and Multimedia Security, pp. 177–188. ACM, (2021). https://doi.org/10.1145/3437880.3460401

  32. Guo, S., Zhang, T., Qiu, H., Zeng, Y., Xiang, T., Liu, Y.: Fine-tuning is not enough: A simple yet effective watermark removal attack for DNN models. In: Zhou, Z. (ed.) Proceedings of the Thirtieth International Joint Conference on Artificial Intelligence, IJCAI 2021, pp. 3635–3641. ijcai.org, (2021). https://doi.org/10.24963/ijcai.2021/500

  33. Hitaj, D., Mancini, L.V.: Have You Stolen My Model? Evasion attacks against deep neural network watermarking techniques. Preprint at arxiv: 1809.00615 (2018)

  34. Wang, T., Kerschbaum, F.: Attacks on digital watermarks for deep neural networks. In: IEEE International Conference on Acoustics, Speech and Signal Processing, ICASSP 2019, pp. 2622–2626. IEEE, (2019). https://doi.org/10.1109/ICASSP.2019.8682202

  35. Chen, J., Wang, J., Peng, T., Sun, Y., Cheng, P., Ji, S., Ma, X., Li, B., Song, D.: Copy, right? a testing framework for copyright protection of deep learning models. In: 43rd IEEE Symposium on Security and Privacy, SP 2022, pp. 824–841. IEEE, (2022). https://doi.org/10.1109/SP46214.2022.9833747

  36. Goodfellow, I., Bengio, Y., Courville, A.: Deep Learning. MIT Press, (2016)

  37. Devlin, J., Chang, M., Lee, K., Toutanova, K.: BERT: pre-training of deep bidirectional transformers for language understanding. In: Burstein, J., Doran, C., Solorio, T. (eds.) Proceedings of the 2019 Conference of the North American Chapter of the Association for Computational Linguistics: Human Language Technologies, NAACL-HLT 2019, pp. 4171–4186. Association for Computational Linguistics, (2019). https://doi.org/10.18653/v1/n19-1423

  38. Cheng, Y., Wang, D., Zhou, P., Zhang, T.: A survey of model compression and acceleration for deep neural networks. Preprint at arxiv: 1710.09282 (2017)

  39. Choudhary, T., Mishra, V.K., Goswami, A., Sarangapani, J.: A comprehensive survey on model compression and acceleration. Artif. Intell. Rev. 53(7), 5113–5155 (2020)

    Article  Google Scholar 

  40. LeCun, Y., Denker, J.S., Solla, S.A.: Optimal brain damage. In: Touretzky, D.S. (ed.) Advances in Neural Information Processing Systems 2, NIPS 1989, pp. 598–605. Morgan Kaufmann, (1989)

  41. Han, S., Pool, J., Tran, J., Dally, W.J.: Learning both weights and connections for efficient neural network. In: Cortes, C., Lawrence, N.D., Lee, D.D., Sugiyama, M., Garnett, R. (eds.) Advances in Neural Information Processing Systems 28: Annual Conference on Neural Information Processing Systems 2015, NIPS 2015, Montreal, pp. 1135–1143 (2015)

  42. Li, H., Kadav, A., Durdanovic, I., Samet, H., Graf, H.P.: Pruning filters for efficient convnets. In: 5th International Conference on Learning Representations, ICLR 2017. OpenReview.net, (2017)

  43. Polino, A., Pascanu, R., Alistarh, D.: Model compression via distillation and quantization. In: 6th International Conference on Learning Representations, ICLR 2018. OpenReview.net, (2018)

  44. Rigamonti, R., Sironi, A., Lepetit, V., Fua, P.: Learning separable filters. In: 2013 IEEE Conference on Computer Vision and Pattern Recognition, CVPR 2013, pp. 2754–2761. IEEE Computer Society, (2013). https://doi.org/10.1109/CVPR.2013.355

  45. Jagielski, M., Carlini, N., Berthelot, D., Kurakin, A., Papernot, N.: High accuracy and high fidelity extraction of neural networks. In: Capkun, S., Roesner, F. (eds.) 29th USENIX Security Symposium, USENIX Security 2020, pp. 1345–1362. USENIX Association, (2020)

  46. Gong, X., Wang, Q., Chen, Y., Yang, W., Jiang, X.: Model extraction attacks and defenses on cloud-based machine learning models. IEEE Commun. Mag. 58(12), 83–89 (2020)

    Article  Google Scholar 

  47. Li, Y., Wang, H., Barni, M.: A survey of deep neural network watermarking techniques. Neurocomputing 461, 171–193 (2021)

    Article  Google Scholar 

  48. Uchida, Y., Nagai, Y., Sakazawa, S., Satoh, S.: Embedding watermarks into deep neural networks. In: Ionescu, B., Sebe, N., Feng, J., Larson, M.A., Lienhart, R., Snoek, C. (eds.) Proceedings of the 2017 ACM on International Conference on Multimedia Retrieval, ICMR 2017, pp. 269–277. ACM, (2017). https://doi.org/10.1145/3078971.3078974

  49. Chen, H., Rouhani, B.D., Fu, C., Zhao, J., Koushanfar, F.: Deepmarks: A secure fingerprinting framework for digital rights management of deep learning models. In: El-Saddik, A., Bimbo, A.D., Zhang, Z., Hauptmann, A.G., Candan, K.S., Bertini, M., Xie, L., Wei, X. (eds.) Proceedings of the 2019 on International Conference on Multimedia Retrieval, ICMR 2019, pp. 105–113. ACM, (2019). https://doi.org/10.1145/3323873.3325042

  50. Wang, T., Kerschbaum, F.: RIGA: covert and robust white-box watermarking of deep neural networks. In: Leskovec, J., Grobelnik, M., Najork, M., Tang, J., Zia, L. (eds.) Proceedings of the Web Conference 2021, WWW 2021, pp. 993–1004. ACM / IW3C2, (2021). https://doi.org/10.1145/3442381.3450000

  51. Liu, H., Weng, Z., Zhu, Y.: Watermarking deep neural networks with greedy residuals. In: Meila, M., Zhang, T. (eds.) Proceedings of the 38th International Conference on Machine Learning, ICML 2021. Proceedings of Machine Learning Research, vol. 139, pp. 6978–6988. PMLR, (2021)

  52. Rouhani, B.D., Chen, H., Koushanfar, F.: Deepsigns: An end-to-end watermarking framework for ownership protection of deep neural networks. In: Bahar, I., Herlihy, M., Witchel, E., Lebeck, A.R. (eds.) Proceedings of the Twenty-Fourth International Conference on Architectural Support for Programming Languages and Operating Systems, ASPLOS 2019, pp. 485–497. ACM, (2019). https://doi.org/10.1145/3297858.3304051

  53. Namba, R., Sakuma, J.: Robust watermarking of neural network with exponential weighting. In: Galbraith, S.D., Russello, G., Susilo, W., Gollmann, D., Kirda, E., Liang, Z. (eds.) Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security, AsiaCCS 2019, pp. 228–240. ACM, (2019). https://doi.org/10.1145/3321705.3329808

  54. Jia, H., Choquette-Choo, C.A., Chandrasekaran, V., Papernot, N.: Entangled watermarks as a defense against model extraction. In: Bailey, M., Greenstadt, R. (eds.) 30th USENIX Security Symposium, USENIX Security 2021, pp. 1937–1954. USENIX Association, (2021)

  55. Szyller, S., Atli, B.G., Marchal, S., Asokan, N.: DAWN: dynamic adversarial watermarking of neural networks. In: Shen, H.T., Zhuang, Y., Smith, J.R., Yang, Y., Cesar, P., Metze, F., Prabhakaran, B. (eds.) Proceedings of the 29th ACM International Conference on Multimedia, MM 2021, pp. 4417–4425. ACM, (2021). https://doi.org/10.1145/3474085.3475591

  56. Goodfellow, I.J., Shlens, J., Szegedy, C.: Explaining and harnessing adversarial examples. In: Bengio, Y., LeCun, Y. (eds.) 3rd International Conference on Learning Representations, ICLR 2015, San Diego (2015)

  57. Kurakin, A., Goodfellow, I.J., Bengio, S.: Adversarial examples in the physical world. In: 5th International Conference on Learning Representations, ICLR 2017. OpenReview.net, (2017)

  58. Ilyas, A., Santurkar, S., Tsipras, D., Engstrom, L., Tran, B., Madry, A.: Adversarial examples are not bugs, they are features. In: Wallach, H.M., Larochelle, H., Beygelzimer, A., d’Alché-Buc, F., Fox, E.B., Garnett, R. (eds.) Advances in Neural Information Processing Systems 32: Annual Conference on Neural Information Processing Systems 2019, NeurIPS 2019, Vancouver, pp. 125–136 (2019)

  59. Gu, T., Dolan-Gavitt, B., Garg, S.: BadNets: Identifying vulnerabilities in the machine learning model supply chain. Preprint at https://arxiv.org/abs/1708.06733 (2017)

  60. Liu, Y., Ma, S., Aafer, Y., Lee, W., Zhai, J., Wang, W., Zhang, X.: Trojaning attack on neural networks. In: 25th Annual Network and Distributed System Security Symposium, NDSS 2018. The Internet Society, (2018)

  61. Jia, H., Yaghini, M., Choquette-Choo, C.A., Dullerud, N., Thudi, A., Chandrasekaran, V., Papernot, N.: Proof-of-learning: Definitions and practice. In: 42nd IEEE Symposium on Security and Privacy, SP 2021, pp. 1039–1056. IEEE, (2021). https://doi.org/10.1109/SP40001.2021.00106

  62. Cao, X., Jia, J., Gong, N.Z.: Ipguard: Protecting intellectual property of deep neural networks via fingerprinting the classification boundary. In: Cao, J., Au, M.H., Lin, Z., Yung, M. (eds.) Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security, AsiaCCS 2021, pp. 14–25. ACM, (2021). https://doi.org/10.1145/3433210.3437526

  63. Lukas, N., Zhang, Y., Kerschbaum, F.: Deep neural network fingerprinting by conferrable adversarial examples. In: 9th International Conference on Learning Representations, ICLR 2021. OpenReview.net, (2021)

  64. Peng, Z., Li, S., Chen, G., Zhang, C., Zhu, H., Xue, M.: Fingerprinting deep neural networks globally via universal adversarial perturbations. In: 2022 IEEE/CVF Conference on Computer Vision and Pattern Recognition, CVPR 2022, pp. 13430–13439. Computer Vision Foundation / IEEE, (2022)

  65. Li, Y., Zhang, Z., Liu, B., Yang, Z., Liu, Y.: Modeldiff: Testing-based DNN similarity comparison for model reuse detection. In: Cadar, C., Zhang, X. (eds.) Proceedings of the 30th ACM SIGSOFT International Symposium on Software Testing and Analysis, ISSTA 2021, pp. 139–151. ACM, (2021). https://doi.org/10.1145/3460319.3464816

  66. Maini, P., Yaghini, M., Papernot, N.: Dataset inference: Ownership resolution in machine learning. In: 9th International Conference on Learning Representations, ICLR 2021. OpenReview.net, (2021)

  67. Chen, H., Fu, C., Rouhani, B.D., Zhao, J., Koushanfar, F.: Deepattest: An end-to-end attestation framework for deep neural networks. In: Manne, S.B., Hunter, H.C., Altman, E.R. (eds.) Proceedings of the 46th International Symposium on Computer Architecture, ISCA 2019, pp. 487–498. ACM, (2019). https://doi.org/10.1145/3307650.3322251

  68. Chakraborty, A., Mondal, A., Srivastava, A.: Hardware-assisted intellectual property protection of deep learning models. In: 57th ACM/IEEE Design Automation Conference, DAC 2020, pp. 1–6. IEEE, (2020). https://doi.org/10.1109/DAC18072.2020.9218651

  69. Fan, L., Ng, K.W., Chan, C.S.: Rethinking deep neural network ownership verification: embedding passports to defeat ambiguity attacks. In: Wallach, H.M., Larochelle, H., Beygelzimer, A., d’Alché-Buc, F., Fox, E.B., Garnett, R. (eds.) Advances in Neural Information Processing Systems 32: Annual Conference on Neural Information Processing Systems 2019, NeurIPS 2019, Vancouver, pp. 4716–4725 (2019)

  70. Zhang, J., Chen, D., Liao, J., Zhang, W., Hua, G., Yu, N.: Passport-aware normalization for deep model protection. In: Larochelle, H., Ranzato, M., Hadsell, R., Balcan, M., Lin, H. (eds.) Advances in Neural Information Processing Systems 33: Annual Conference on Neural Information Processing Systems 2020, NeurIPS 2020 (2020)

  71. Lin, N., Chen, X., Lu, H., Li, X.: Chaotic weights: A novel approach to protect intellectual property of deep neural networks. IEEE Trans. Comput. Aided Des. Integr. Circuits Syst. 40(7), 1327–1339 (2021)

  72. Xue, M., Sun, S., He, C., Zhang, Y., Wang, J., Liu, W.: ActiveGuard: An active DNN IP protection technique via adversarial examples. Preprint at arxiv: 2103.01527 (2021)

  73. Lee, T., Edwards, B., Molloy, I.M., Su, D.: Defending against neural network model stealing attacks using deceptive perturbations. In: 2019 IEEE Security and Privacy Workshops, SP Workshops 2019, pp. 43–49. IEEE, (2019). https://doi.org/10.1109/SPW.2019.00020

  74. Orekondy, T., Schiele, B., Fritz, M.: Prediction poisoning: Towards defenses against DNN model stealing attacks. In: 8th International Conference on Learning Representations, ICLR 2020. OpenReview.net, (2020)

  75. Juuti, M., Szyller, S., Marchal, S., Asokan, N.: PRADA: protecting against DNN model stealing attacks. In: IEEE European Symposium on Security and Privacy, EuroS &P 2019, pp. 512–527. IEEE, (2019). https://doi.org/10.1109/EuroSP.2019.00044

  76. Kariyappa, S., Qureshi, M.K.: Defending against model stealing attacks with adaptive misinformation. In: 2020 IEEE/CVF Conference on Computer Vision and Pattern Recognition, CVPR 2020, pp. 767–775. Computer Vision Foundation / IEEE, (2020). https://doi.org/10.1109/CVPR42600.2020.00085

  77. Regazzoni, F., Palmieri, P., Smailbegovic, F., Cammarota, R., Polian, I.: Protecting artificial intelligence ips: a survey of watermarking and fingerprinting for machine learning. CAAI Transactions on Intelligence Technology 6(2), 180–191 (2021)

    Article  Google Scholar 

  78. Barni, M., Pérez-González, F., Tondi, B.: DNN watermarking: Four challenges and a funeral. In: Borghys, D., Bas, P., Verdoliva, L., Pevný, T., Li, B., Newman, J. (eds.) Proceedings of the 2021 ACM Workshop on Information Hiding and Multimedia Security, pp. 189–196. ACM, (2021). https://doi.org/10.1145/3437880.3460399

  79. Xue, M., Wang, J., Liu, W.: Dnn intellectual property protection: Taxonomy, attacks and evaluations. In: Chen, Y., Zhirnov, V.V., Sasan, A., Savidis, I. (eds.) Proceedings of the 2021 on Great Lakes Symposium on VLSI, GLSVLSI 2021, pp. 455–460. ACM, (2021). https://doi.org/10.1145/3453688.3461752

  80. Nagai, Y., Uchida, Y., Sakazawa, S., Satoh, S.: Digital watermarking for deep neural networks. Int. J. Multim. Inf. Retr. 7(1), 3–16 (2018)

    Article  Google Scholar 

  81. Chen, X., Wang, W., Bender, C., Ding, Y., Jia, R., Li, B., Song, D.: REFIT: A unified watermark removal framework for deep learning systems with limited data. In: Cao, J., Au, M.H., Lin, Z., Yung, M. (eds.) Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security, ASIA CCS 2021, pp. 321–335. ACM, (2021). https://doi.org/10.1145/3433210.3453079

  82. Kornblith, S., Norouzi, M., Lee, H., Hinton, G.E.: Similarity of neural network representations revisited. In: Chaudhuri, K., Salakhutdinov, R. (eds.) Proceedings of the 36th International Conference on Machine Learning, ICML 2019. Proceedings of Machine Learning Research, vol. 97, pp. 3519–3529. PMLR, (2019)

  83. Salakhutdinov, R., Hinton, G.E.: Learning a nonlinear embedding by preserving class neighbourhood structure. In: Meila, M., Shen, X. (eds.) Proceedings of the Eleventh International Conference on Artificial Intelligence and Statistics, AISTATS 2007. JMLR Proceedings, vol. 2, pp. 412–419. JMLR.org, (2007)

  84. Breier, J., Hou, X., Jap, D., Ma, L., Bhasin, S., Liu, Y.: Practical fault attack on deep neural networks. In: Lie, D., Mannan, M., Backes, M., Wang, X. (eds.) Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, CCS 2018, pp. 2204–2206. ACM, (2018). https://doi.org/10.1145/3243734.3278519

  85. Hong, S., Frigo, P., Kaya, Y., Giuffrida, C., Dumitras, T.: Terminal brain damage: Exposing the graceless degradation in deep neural networks under hardware fault attacks. In: Heninger, N., Traynor, P. (eds.) 28th USENIX Security Symposium, USENIX Security 2019, pp. 497–514. USENIX Association, (2019)

  86. Zhang, R., Liu, J., Ding, Y., Wang, Z., Wu, Q., Ren, K.: Adversarial examples for proof-of-learning. In: 43rd IEEE Symposium on Security and Privacy, SP 2022, pp. 1408–1422. IEEE, (2022). https://doi.org/10.1109/SP46214.2022.9833596

  87. Moosavi-Dezfooli, S., Fawzi, A., Fawzi, O., Frossard, P.: Universal adversarial perturbations. In: 2017 IEEE Conference on Computer Vision and Pattern Recognition, CVPR 2017, pp. 86–94. IEEE Computer Society, (2017). https://doi.org/10.1109/CVPR.2017.17

  88. Cai, Y., Chen, X., Tian, L., Wang, Y., Yang, H.: Enabling secure in-memory neural network computing by sparse fast gradient encryption. In: Pan, D.Z. (ed.) Proceedings of the International Conference on Computer-Aided Design, ICCAD 2019, pp. 1–8. ACM, (2019). https://doi.org/10.1109/ICCAD45719.2019.8942041

  89. Peterson, G.: Arnold’s cat map. Math linear algebra 45, 1–7 (1997)

    Google Scholar 

  90. Papernot, N., McDaniel, P.D., Goodfellow, I.J., Jha, S., Celik, Z.B., Swami, A.: Practical black-box attacks against machine learning. In: Karri, R., Sinanoglu, O., Sadeghi, A., Yi, X. (eds.) Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security, AsiaCCS 2017, pp. 506–519. ACM, (2017). https://doi.org/10.1145/3052973.3053009

  91. Quan, Y., Teng, H., Chen, Y., Ji, H.: Watermarking deep neural networks in image processing. IEEE Trans. Neural Networks Learn. Syst. 32(5), 1852–1865 (2021)

    Article  Google Scholar 

  92. Ong, D.S., Chan, C.S., Ng, K.W., Fan, L., Yang, Q.: Protecting intellectual property of generative adversarial networks from ambiguity attacks. In: IEEE Conference on Computer Vision and Pattern Recognition, CVPR 2021, pp. 3630–3639. Computer Vision Foundation / IEEE, (2021). https://doi.org/10.1109/CVPR46437.2021.00363

  93. Zhao, X., Wu, H., Zhang, X.: Watermarking graph neural networks by random graphs. In: Varol, A., Karabatak, M., Varol, I. (eds.) 9th International Symposium on Digital Forensics and Security, ISDFS 2021, pp. 1–6. IEEE, (2021). https://doi.org/10.1109/ISDFS52919.2021.9486352

  94. Xu, J., Picek, S.: Watermarking Graph Neural Networks based on Backdoor Attacks. Preprint at arxiv: 2110.11024 (2021)

Download references

Funding

HK RGC RIF (Research Impact Fund) Ref. No.: R1012-21.

Author information

Authors and Affiliations

Authors

Contributions

Sen Peng proposed the design of the work and wrote the main manuscript. Jie Xu and Zizhuo Chen surveyed parts of the methods and prepared the comparison. Yufei Chen, Cong Wang, and Xiaohua Jia provided critical revisions to the manuscript. All authors provided critical feedback and reviewed the manuscript.

Corresponding author

Correspondence to Xiaohua Jia.

Ethics declarations

Conflicts of interest

The authors have no relevant financial or non-financial interests to disclose.

Rights and permissions

Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Peng, S., Chen, Y., Xu, J. et al. Intellectual property protection of DNN models. World Wide Web 26, 1877–1911 (2023). https://doi.org/10.1007/s11280-022-01113-3

Download citation

  • Received:

  • Revised:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s11280-022-01113-3

Keywords

Navigation