Protecting the intellectual property rights of DNN models is of primary importance prior to their deployment. So far, the proposed methods either necessitate changes to internal model parameters or to the machine learning pipeline, or they fail to meet both the security and robustness requirements. This paper proposes a lightweight, robust, and secure black-box DNN watermarking protocol that takes advantage of cryptographic one-way functions as well as the injection of in-task key image-label pairs during the training process. These pairs are later used to prove DNN model ownership during testing. The main feature is that the value of the proof and its security are measurable. Extensive experiments watermarking image classification models on various datasets, as well as exposing them to a variety of attacks, show that the protocol provides protection while maintaining an adequate level of security and robustness.
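The abstract describes three ingredients: key image-label pairs tied to the owner through a cryptographic one-way function, black-box verification by querying the suspect model on those keys, and a proof whose value is measurable. The following added example (not the paper's protocol or code) shows one way those ingredients fit together. It assumes SHA-256 as the one-way function, a hash commitment published before deployment, a binomial tail probability as the "measurable" strength of the proof, and constructed stand-in models (dictionaries behind a callable) in place of a real DNN; the names and parameters are illustrative.

```python
"""Toy black-box DNN watermark verification built on a one-way function.

Added illustration, not the paper's protocol: key image-label pairs are
derived from an owner secret with SHA-256, the owner publishes a commitment
to the secret before deployment, and ownership is later proven by querying
the suspect model on the key images and measuring how unlikely the observed
agreement would be for an unrelated model.
"""
import hashlib
import math
from typing import Callable, List, Tuple

Image = bytes                    # constructed stand-in for a key image (32 "pixels")
Model = Callable[[Image], int]   # black-box access only: image in, class label out


def commit(secret: bytes) -> str:
    """One-way commitment the owner publishes (or timestamps) before deployment."""
    return hashlib.sha256(b"commit|" + secret).hexdigest()


def derive_key_pairs(secret: bytes, n: int, num_classes: int) -> List[Tuple[Image, int]]:
    """Derive n key image-label pairs from the secret with a one-way function.

    Whoever holds the secret can regenerate the same pairs; the pairs and the
    model's behaviour on them reveal nothing about the secret itself.
    """
    pairs = []
    for i in range(n):
        tag = secret + b"|" + str(i).encode()
        image = hashlib.sha256(b"img|" + tag).digest()
        label = int.from_bytes(hashlib.sha256(b"lbl|" + tag).digest(), "big") % num_classes
        pairs.append((image, label))
    return pairs


def binomial_tail(n: int, m: int, q: float) -> float:
    """P[Binomial(n, q) >= m]: chance that an unrelated model matches >= m of n keys."""
    return sum(math.comb(n, k) * q ** k * (1 - q) ** (n - k) for k in range(m, n + 1))


def verify_ownership(model: Model, secret: bytes, commitment: str,
                     n: int, num_classes: int) -> Tuple[int, float]:
    """Return (matches, p_value); the p-value is the measurable value of the proof."""
    if commit(secret) != commitment:
        raise ValueError("secret does not open the published commitment")
    pairs = derive_key_pairs(secret, n, num_classes)
    matches = sum(1 for image, label in pairs if model(image) == label)
    return matches, binomial_tail(n, matches, 1.0 / num_classes)


# --- constructed stand-ins for models (no real DNN involved) ----------------

def unrelated_model(num_classes: int) -> Model:
    """A model that never saw the key pairs: its label depends only on the image."""
    return lambda image: hashlib.sha256(b"other|" + image).digest()[0] % num_classes


def watermarked_model(pairs: List[Tuple[Image, int]], num_classes: int,
                      retain: int = 10, retain_every: int = 10) -> Model:
    """A model that memorised the key pairs during training.

    Only `retain` of every `retain_every` keys survive (simulating partial
    forgetting after fine-tuning); the rest fall back to unrelated behaviour.
    """
    memory = {img: lbl for i, (img, lbl) in enumerate(pairs) if i % retain_every < retain}
    fallback = unrelated_model(num_classes)
    return lambda image: memory[image] if image in memory else fallback(image)


def demo(n: int = 64, num_classes: int = 10) -> dict:
    """Run the protocol against an intact, a partially forgotten and an unrelated model."""
    secret = b"owner-secret-demo"          # constructed owner secret
    commitment = commit(secret)            # published before deployment
    pairs = derive_key_pairs(secret, n, num_classes)
    return {
        "intact": verify_ownership(watermarked_model(pairs, num_classes), secret, commitment, n, num_classes),
        "forgot_30pct": verify_ownership(watermarked_model(pairs, num_classes, retain=7), secret, commitment, n, num_classes),
        "unrelated": verify_ownership(unrelated_model(num_classes), secret, commitment, n, num_classes),
    }


if __name__ == "__main__":
    for name, (matches, p_value) in demo().items():
        print(f"{name:12s} matches={matches:2d}/64  p-value={p_value:.3g}")
```

The commitment step is what makes the proof binding: an adversary who later claims a model cannot retroactively choose a secret that happens to fit its behaviour, because the commitment was fixed beforehand. The p-value makes the proof's value explicit: a model that answers all 64 keys correctly with 10 classes has a chance agreement probability of 10^-64, while a model that forgot a third of the keys after fine-tuning still yields a vanishingly small p-value, which is the kind of robustness margin a verifier can set a threshold on.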