1. School of Computer Science, School of Software, and School of Cyberspace Security, Nanjing University of Information Science and Technology, Nanjing 210044, Jiangsu, China
2. Engineering Research Center of Digital Forensics, Ministry of Education, Nanjing University of Information Science and Technology, Nanjing 210044, Jiangsu, China
Yuan Chengsheng (1989– ), male, born in Jining, Shandong; associate professor and master's supervisor at Nanjing University of Information Science and Technology; main research interests: information hiding, multimedia forensics and AI security.
Guo Qiang (1997– ), male, born in Nanjing, Jiangsu; master's student at Nanjing University of Information Science and Technology; main research interests: information security and deep learning.
Fu Zhangjie (1983– ), male, born in Nanyang, Henan; professor and doctoral supervisor at Nanjing University of Information Science and Technology; main research interests: blockchain security, digital forensics and artificial intelligence security.
Online publication date: 2022-09
Print publication date: 2022-09-25
Citation: Chengsheng YUAN, Qiang GUO, Zhangjie FU. Copyright protection algorithm based on differential privacy deep fake fingerprint detection model [J]. Journal on Communications, 2022, 43(9): 181-193. DOI: 10.11959/j.issn.1000-436x.2022184.
A copyright protection algorithm based on differential privacy for the deep fake fingerprint detection model (DFFDM) is proposed. It realizes both active copyright protection and passive copyright verification of the DFFDM without weakening the performance of the original task. During training of the original task, noise is added to introduce randomness, and the expected stability of the differential privacy algorithm is used for classification decisions so as to reduce the model's sensitivity to that noise. In passive verification, FGSM is used to generate adversarial samples, the decision boundary is fine-tuned to establish a backdoor, and the backdoor mapping is used as the implanted watermark. To resolve the copyright confusion caused by multiple backdoors, a watermark verification framework is designed that timestamps the trigger backdoors and identifies the copyright by their time order. In active protection, to provide users with hierarchical services, the key neurons of the task are frozen by a probabilistic selection strategy, and access rights are designed to unfreeze those neurons and thereby grant the right to use the original task. Experimental results show that backdoor verification remains effective under different levels of model performance, and that the embedded backdoor is robust to model modification. Moreover, the proposed algorithm resists not only collusion attacks in which an attacker turns legitimate users, but also the fine-tuning and compression attacks mounted through model modification.