Deep neural networks are playing an important role in many real-life applications. After being trained with abundant data and computing resources, a deep neural network model that provides a service is endowed with economic value. An important prerequisite for commercializing and protecting deep neural networks is the reliable identification of their genuine author. To meet this goal, watermarking schemes that embed the author's identity information into the networks have been proposed. However, current schemes can hardly meet all the necessary requirements for securely proving authorship, and most of them focus only on classification models. To explicitly meet the formal definitions of the security requirements and to increase the applicability of deep neural network watermarking schemes, we propose a new framework based on multi-task learning. By treating the watermark embedding as an extra task, most of the security requirements are explicitly formulated and met with well-designed regularizers, while the rest are guaranteed by using components from cryptography. Moreover, a decentralized verification protocol is proposed to standardize ownership verification. The experimental results show that the proposed scheme is flexible, secure, and robust, and hence a promising candidate for deep learning model protection.
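To make the "watermark embedding as an extra task" idea concrete, the following is an added illustration (not code from the paper, and not its actual framework): a tiny two-head network in pure Python whose shared hidden layer is trained on a main task plus a weighted watermark loss term acting as the regularizer. The cryptographic component is a stand-in of my own choosing: the trigger set and its labels are derived from the author's identity with HMAC-SHA256 under a secret key, and a SHA-256 commitment to that key is published ahead of any dispute so that a verifier can later reopen it and query the model. The author identity, the secret key, the toy main task (label 1 iff x0 + x1 > 0) and the acceptance threshold are all constructed for this example.

```python
import hashlib
import hmac
import math
import random


# --- Cryptographic component (assumed design, not the paper's): trigger set + commitment ---

def derive_trigger_set(author_id: bytes, secret_key: bytes, n: int = 8, dim: int = 2):
    """Derive n trigger inputs in [-1, 1]^dim and one watermark label bit each via HMAC-SHA256.
    Same (author_id, secret_key) -> same triggers; without the key the set is unpredictable."""
    triggers = []
    for i in range(n):
        digest = hmac.new(secret_key, author_id + i.to_bytes(4, "big"), hashlib.sha256).digest()
        x = [int.from_bytes(digest[2 * j:2 * j + 2], "big") / 65535.0 * 2.0 - 1.0 for j in range(dim)]
        triggers.append((x, digest[-1] & 1))
    return triggers


def commit(author_id: bytes, secret_key: bytes) -> str:
    """Hash commitment published before any dispute; opened later by revealing the key."""
    return hashlib.sha256(author_id + secret_key).hexdigest()


def _sigmoid(z: float) -> float:
    return 1.0 / (1.0 + math.exp(-z)) if z >= 0 else math.exp(z) / (1.0 + math.exp(z))


class TwoHeadMLP:
    """Shared tanh hidden layer with a main-task head and a watermark head (multi-task)."""

    def __init__(self, dim: int = 2, hidden: int = 16, seed: int = 0):
        rng = random.Random(seed)
        self.W1 = [[rng.uniform(-0.5, 0.5) for _ in range(dim)] for _ in range(hidden)]
        self.b1 = [0.0] * hidden
        self.heads = {name: {"w": [rng.uniform(-0.5, 0.5) for _ in range(hidden)], "b": 0.0}
                      for name in ("main", "wm")}

    def _hidden(self, x):
        return [math.tanh(sum(w * xi for w, xi in zip(row, x)) + b) for row, b in zip(self.W1, self.b1)]

    def predict(self, x, head: str) -> float:
        h, hd = self._hidden(x), self.heads[head]
        return _sigmoid(sum(w * hi for w, hi in zip(hd["w"], h)) + hd["b"])

    def train(self, main_data, wm_data, lam: float = 1.0, lr: float = 0.2, epochs: int = 500):
        """Full-batch gradient descent on L = BCE_main + lam * BCE_wm; the second term is the
        watermark regularizer. Returns the total loss per epoch."""
        history = []
        tasks = (("main", main_data, 1.0 / len(main_data)), ("wm", wm_data, lam / len(wm_data)))
        for _ in range(epochs):
            gW1 = [[0.0] * len(row) for row in self.W1]
            gb1 = [0.0] * len(self.b1)
            gheads = {k: {"w": [0.0] * len(v["w"]), "b": 0.0} for k, v in self.heads.items()}
            loss = 0.0
            for head, data, scale in tasks:
                hd, g = self.heads[head], gheads[head]
                for x, y in data:
                    h = self._hidden(x)
                    p = _sigmoid(sum(w * hi for w, hi in zip(hd["w"], h)) + hd["b"])
                    pc = min(max(p, 1e-7), 1.0 - 1e-7)
                    loss -= scale * (y * math.log(pc) + (1 - y) * math.log(1.0 - pc))
                    dz = scale * (p - y)  # dL/dlogit for sigmoid + binary cross-entropy
                    for j, hj in enumerate(h):
                        g["w"][j] += dz * hj
                        dpre = dz * hd["w"][j] * (1.0 - hj * hj)  # back through tanh
                        for k, xk in enumerate(x):
                            gW1[j][k] += dpre * xk
                        gb1[j] += dpre
                    g["b"] += dz
            for j, row in enumerate(self.W1):  # apply the accumulated gradients
                for k in range(len(row)):
                    row[k] -= lr * gW1[j][k]
                self.b1[j] -= lr * gb1[j]
            for name, hd in self.heads.items():
                for j in range(len(hd["w"])):
                    hd["w"][j] -= lr * gheads[name]["w"][j]
                hd["b"] -= lr * gheads[name]["b"]
            history.append(loss)
        return history


def accuracy(model, data, head: str) -> float:
    return sum((model.predict(x, head) >= 0.5) == bool(y) for x, y in data) / len(data)


def verify_ownership(model, author_id, secret_key, commitment, threshold: float = 0.9):
    """Verifier side: the revealed key must open the published commitment; then regenerate the
    triggers, query the watermark head and accept if the agreement rate reaches the threshold."""
    if commit(author_id, secret_key) != commitment:
        return False, 0.0
    triggers = derive_trigger_set(author_id, secret_key)
    rate = accuracy(model, triggers, "wm")
    return rate >= threshold, rate


def build_demo(seed: int = 0):
    """Constructed toy main task: label 1 iff x0 + x1 > 0 on 64 random points in [-1, 1]^2."""
    rng = random.Random(seed)
    main_data = [([rng.uniform(-1, 1), rng.uniform(-1, 1)], 0) for _ in range(64)]
    main_data = [(x, 1 if x[0] + x[1] > 0 else 0) for x, _ in main_data]
    author_id = b"alice@example.org"                           # assumed identity string
    secret_key = hashlib.sha256(b"demo-secret-key").digest()   # constructed key for the demo
    commitment = commit(author_id, secret_key)
    model = TwoHeadMLP(seed=seed)
    history = model.train(main_data, derive_trigger_set(author_id, secret_key))
    return model, main_data, author_id, secret_key, commitment, history


if __name__ == "__main__":
    model, main_data, aid, key, com, hist = build_demo()
    print("main-task accuracy:", accuracy(model, main_data, "main"))
    print("claim with the right key:", verify_ownership(model, aid, key, com))
    print("claim with a wrong key:  ", verify_ownership(model, aid, b"wrong", com))
```

The point of the two heads is that the watermark lives in the shared representation rather than in a separate artifact, so removing it costs main-task accuracy, and the point of the commitment is that a claimant cannot choose the trigger set after seeing the model: the key is fixed before the dispute, and anyone holding the commitment can replay the check.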