Black box deep learning model copyright protection method based on adversarial sample fingerprints
A technology against samples and deep learning, which is applied in the field of privacy and deep learning model security, can solve problems such as watermark removal, watermark failure, and model damage, and achieve the effects of low calculation consumption, improved accuracy, and good robustness
Pending Publication Date: 2022-03-29
ZHEJIANG UNIV
View PDF0 Cites 1 Cited by
- Summary
- Abstract
- Description
- Claims
- Application Information
AI Technical Summary
Problems solved by technology
However, the current watermarking technology has two key flaws: 1) Watermark embedding needs to be involved in the normal training process, resulting in damage to the model performance; 2) Overfitting embedded watermarks are easily cleared by attackers, resulting in watermark failure
Method used
the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
View moreImage
Smart Image Click on the blue labels to locate them in the text.
Smart ImageViewing Examples
Examples
Experimental program
Comparison scheme
Effect test
Embodiment Construction
[0038] The present invention will be further described below in conjunction with accompanying drawing.
[0039] The basic structure of the embodiment of the present invention is as figure 1 , given the original model (Victim Model) and a part of the training data set, this method can automatically select seeds and generate adversarial sample fingerprint sets (Fingerprints), and calculate the indicators of the suspicious model (Suspect Model) and the original model based on the output of the last layer of the model The degree of difference gives the final judgment on whether the suspicious model has stolen behavior. All steps are implemented in the form of function API, based on Python language and Tensorflow deep learning framework. Including the following four main function interfaces:
[0040] 1.seedSelection method: select high-priority seeds based on the original model and training set.
[0041]2. fingerprintGeneration method: Generate a set of adversarial sample finger...
the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More PUM
Login to View More Abstract
The invention discloses a black box deep learning model copyright protection method based on an adversarial sample fingerprint, and the method comprises the steps: designing a deep learning model difference degree measurement index, achieving an efficient seed selection strategy and an adversarial sample fingerprint generation method, and carrying out the similarity measurement of a suspicious model on the basis (only needing the output of the last layer of the model, and finally, judging whether the suspicious model has an infringement behavior or not. According to the method, the fingerprint set can be automatically generated for the original model based on the public attribute (robustness) of the deep learning model, and the method is effective in various model stealing scenes; the method is not limited by the data field and the model structure, and has good universality and expansibility. Compared with a traditional model watermark embedding method, the method does not need to intervene in a training process of the deep learning model, avoids a tedious and time-consuming parameter adjustment process and accuracy loss caused by watermark embedding, and enables copyright verification and protection of the deep learning model to become simple and efficient.
Description
technical field [0001] The invention relates to the security and privacy fields of deep learning models, in particular to a copyright protection method for black-box deep learning models based on adversarial sample fingerprints. Background technique [0002] Deep learning has achieved great success in solving many practical problems, such as image recognition, speech recognition, natural language processing, etc. However, training deep learning models is not easy and usually requires a lot of resources, including large datasets, expensive computing resources, and expert knowledge. Furthermore, the cost of training a high-performance model grows rapidly with task complexity and model capacity. For example, training a BERT model on the Wikipedia and book corpus (15GB) costs about $1.6 million. This gives malicious adversaries (model thieves) an incentive to steal the models and cover their tracks, resulting in model copyright infringement and possible financial loss. It tur...
Claims
the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More Application Information
Patent Timeline
Login to View More Patent Type & Authority Applications(China)
IPC IPC(8): G06F21/16
CPCG06F21/16
Inventor 王竟亦陈伽洛彭汀兰孙有程程鹏马兴军
Owner ZHEJIANG UNIV