ActiveGuard: An active intellectual property protection technique for deep neural networks by leveraging adversarial examples as users' fingerprints

Abstract: The intellectual property (IP) protection of deep neural network (DNN) models has raised many concerns in recent years. To date, most of the existing works use DNN watermarking to protect the IP of DNN models. However, DNN watermarking methods can only passively verify the copyright of the model after the DNN model has been pirated, which cannot prevent piracy in the first place. In this paper, an active DNN IP protection technique against DNN piracy, called ActiveGuard, is proposed. ActiveGuard can provide active authorisation control, users' identity management, and ownership verification for DNN models. Specifically, for the first time, ActiveGuard exploits well-crafted rare and specific adversarial examples with specific classes and confidences as users' fingerprints to distinguish authorised users from unauthorised ones. Authorised users can input their fingerprints to the DNN model for identity authentication and then obtain normal usage, while unauthorised users will obtain a very poor model performance. In addition, ActiveGuard enables the model owner to embed a watermark into the weights of the DNN model for ownership verification. Compared to the few existing active DNN IP protection works, ActiveGuard can support both users' identity identification and active authorisation control. Besides, ActiveGuard introduces lower overhead than these existing active protection works. Experimental results show that, for authorised users, the test accuracy of the LeNet-5 and Wide Residual Network (WRN) models is 99.15% and 91.46%, respectively, while for unauthorised users, the test accuracy of the LeNet-5 and WRN models is only 8.92% and 10%, respectively. Besides, each authorised user can pass the fingerprint authentication with a high success rate (up to 100%). For ownership verification, the embedded watermark can be successfully extracted, while the normal performance of the DNN models is not affected. Furthermore, it is demonstrated that ActiveGuard is robust against model fine-tuning attack, pruning attack, and three types of fingerprint forgery attacks.

Bibliographic Details
Main Authors: Mingfu Xue, Shichang Sun, Can He, Dujuan Gu, Yushu Zhang, Jian Wang, Weiqiang Liu
Author Affiliations: Mingfu Xue, Shichang Sun, Can He, Yushu Zhang and Jian Wang: College of Computer Science and Technology, Nanjing University of Aeronautics and Astronautics, Nanjing, China; Dujuan Gu: NSFOCUS Information Technology Co., Ltd, Beijing, China; Weiqiang Liu: College of Electronic and Information Engineering, Nanjing University of Aeronautics and Astronautics, Nanjing, China
Format: Article
Language: English
Published: Hindawi-IET, 2023-07-01
Series: IET Computers & Digital Techniques
ISSN: 1751-8601 (print), 1751-861X (online)
Subjects: active copyright protection; adversarial examples; authorization control; deep neural networks; users' fingerprints management
Online Access: https://doi.org/10.1049/cdt2.12056
Collection: Directory of Open Access Journals (DOAJ), record doaj.art-9354918474774f77a93cfb5cd67d7e2e