Deep learning (DL) technology has been widely used for image classification in many scenarios, e.g., face recognition and suspect tracking. Such highly commercialized applications have given rise to the need for intellectual property protection of the underlying DL models. To address this, the mainstream method is to embed a unique watermark into the target model during the training process. However, existing efforts focus on detecting copyright infringement for a given model, while rarely considering the problem of traitor tracking. Moreover, the watermark embedding process can incur privacy issues for the training data in a distributed setting. In this paper, we propose SECUREMARK-DL, a novel fingerprinting framework to address the above two problems in a distributed learning environment. It embeds a unique fingerprint into the target model for each customer, which can be extracted and verified from any suspicious model once a dispute arises. In addition, it adopts a new privacy partitioning technique in the training process to protect the privacy of the training data. Extensive experiments demonstrate the robustness of SECUREMARK-DL against various attacks, and its high classification accuracy (> 95%) even if a long-bit (304-bit) fingerprint is embedded into an input image.