research-article

Reversible Watermarking in Deep Convolutional Neural Networks for Integrity Authentication

Authors:

Nenghai YuAuthors Info & Claims

MM '20: Proceedings of the 28th ACM International Conference on Multimedia

Pages 2273 - 2280

https://doi.org/10.1145/3394171.3413729

Published: 12 October 2020 Publication History

Abstract

Deep convolutional neural networks have made outstanding contributions in many fields such as computer vision in the past few years and many researchers published well-trained network for downloading. But recent studies have shown serious concerns about integrity due to model-reuse attacks and backdoor attacks. In order to protect these open-source networks, many algorithms have been proposed such as watermarking. However, these existing algorithms modify the contents of the network permanently and are not suitable for integrity authentication. In this paper, we propose a reversible watermarking algorithm for integrity authentication. Specifically, we present the reversible watermarking problem of deep convolutional neural networks and utilize the pruning theory of model compression technology to construct a host sequence used for embedding watermarking information by histogram shift. As shown in the experiments, the influence of embedding reversible watermarking on the classification performance is less than ±0.5% and the parameters of the model can be fully recovered after extracting the watermarking. At the same time, the integrity of the model can be verified by applying the reversible watermarking: if the model is modified illegally, the authentication information generated by original model will be absolutely different from the extracted watermarking information.

Supplementary Material

MP4 File (3394171.3413729.mp4)

In our presentation, we introduce the necessity of model reversible watermarking, and briefly explain the frameworks of embedding watermark and integrity authentication. Some experimental results are also shown in the video.

Download
39.49 MB

References

[1]

Yossi Adi, Carsten Baum, Moustapha Cisse, Benny Pinkas, and Joseph Keshet. 2018. Turning your weakness into a strength: Watermarking deep neural networks by backdooring. In 27th $$USENIX$$ Security Symposium ($$USENIX$$ Security 18). 1615--1631.

[2]

Arantxa Casanova, Guillem Cucurull, Michal Drozdzal, Adriana Romero, and Yoshua Bengio. 2018. On the iterative refinement of densely connected representation levels for semantic segmentation. In Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition Workshops. 978--987.

[3]

Bryant Chen, Wilka Carvalho, Nathalie Baracaldo, Heiko Ludwig, Benjamin Edwards, Taesung Lee, Ian Molloy, and Biplav Srivastava. 2018. Detecting backdoor attacks on deep neural networks by activation clustering. arXiv preprint arXiv:1811.03728 (2018).

[4]

Tianyu Gu, Brendan Dolan-Gavitt, and Siddharth Garg. 2017. Badnets: Identifying vulnerabilities in the machine learning model supply chain. arXiv preprint arXiv:1708.06733 (2017).

[5]

Kaiming He, Xiangyu Zhang, Shaoqing Ren, and Jian Sun. 2016. Deep residual learning for image recognition. In Proceedings of the IEEE conference on computer vision and pattern recognition. 770--778.

[6]

Gao Huang, Zhuang Liu, Laurens Van Der Maaten, and Kilian Q Weinberger. 2017. Densely connected convolutional networks. In Proceedings of the IEEE conference on computer vision and pattern recognition. 4700--4708.

[7]

Yujie Ji, Xinyang Zhang, Shouling Ji, Xiapu Luo, and Ting Wang. 2018. Model-reuse attacks on deep learning systems. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. ACM, 349--363.

Digital Library

[8]

Alex Krizhevsky, Ilya Sutskever, and Geoffrey E Hinton. 2012. Imagenet classification with deep convolutional neural networks. In Advances in neural information processing systems. 1097--1105.

[9]

Bo Li, Wei Wu, Qiang Wang, Fangyi Zhang, Junliang Xing, and Junjie Yan. 2019. Siamrpn: Evolution of siamese visual tracking with very deep networks. In Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition. 4282--4291.

[10]

Kang Liu, Brendan Dolan-Gavitt, and Siddharth Garg. 2018. Fine-pruning: Defending against backdooring attacks on deep neural networks. In International Symposium on Research in Attacks, Intrusions, and Defenses. Springer, 273--294.

[11]

Jian-Hao Luo and Jianxin Wu. 2017. An entropy-based pruning method for cnn compression. arXiv preprint arXiv:1706.05791 (2017).

[12]

Zhicheng Ni, Yun-Qing Shi, Nirwan Ansari, and Wei Su. 2006. Reversible data hiding. IEEE Transactions on circuits and systems for video technology, Vol. 16, 3 (2006), 354--362.

Digital Library

[13]

Bita Darvish Rouhani, Huili Chen, and Farinaz Koushanfar. 2018. Deepsigns: A generic watermarking framework for ip protection of deep learning models. arXiv preprint arXiv:1804.00750 (2018).

[14]

Vasiliy Sachnev, Hyoung Joong Kim, Jeho Nam, Sundaram Suresh, and Yun Qing Shi. 2009. Reversible watermarking algorithm using sorting and prediction. IEEE Transactions on Circuits and Systems for Video Technology, Vol. 19, 7 (2009), 989--999.

Digital Library

[15]

Mark Sandler, Andrew Howard, Menglong Zhu, Andrey Zhmoginov, and Liang-Chieh Chen. 2018. Mobilenetv2: Inverted residuals and linear bottlenecks. In Proceedings of the IEEE conference on computer vision and pattern recognition. 4510--4520.

[16]

Yun Qing Shi, Xiaolong Li, Xinpeng Zhang, Haotian Wu, and Bin Ma. 2016. Reversible Data Hiding: Advances in the Past Two Decades. IEEE Access, Vol. 4 (2016), 1--1.

[17]

Karen Simonyan and Andrew Zisserman. 2014. Very deep convolutional networks for large-scale image recognition. arXiv preprint arXiv:1409.1556 (2014).

[18]

Congzheng Song, Thomas Ristenpart, and Vitaly Shmatikov. 2017. Machine Learning Models that Remember Too Much. In the 2017 ACM SIGSAC Conference.

Digital Library

[19]

Jun Tian. 2003. Reversible data embedding using a difference expansion. IEEE transactions on circuits and systems for video technology, Vol. 13, 8 (2003), 890--896.

[20]

Yusuke Uchida, Yuki Nagai, Shigeyuki Sakazawa, and Shin'ichi Satoh. 2017. Embedding watermarks into deep neural networks. In Proceedings of the 2017 ACM on International Conference on Multimedia Retrieval. ACM, 269--277.

Digital Library

[21]

Bolun Wang, Yuanshun Yao, Shawn Shan, Huiying Li, Bimal Viswanath, Haitao Zheng, and Ben Y Zhao. 2019. Neural cleanse: Identifying and mitigating backdoor attacks in neural networks. Neural Cleanse: Identifying and Mitigating Backdoor Attacks in Neural Networks (2019), 0.

[22]

FM Willems and T Kalker. 2003. Capacity bounds and code constructions for reversible data-hiding. IS&T/SPIE Proceedings, Security and Watermarking of Multimedia 19 Contents V, Vol. 5020 (2003).

[23]

Jie Zhang, Dongdong Chen, Jing Liao, Han Fang, Weiming Zhang, Wenbo Zhou, Hao Cui, and Nenghai Yu. 2020. Model Watermarking for Image Processing Networks. In AAAI. 12805--12812.

[24]

Jialong Zhang, Zhongshu Gu, Jiyong Jang, Hui Wu, Marc Ph Stoecklin, Heqing Huang, and Ian Molloy. 2018. Protecting intellectual property of deep neural networks with watermarking. In Proceedings of the 2018 on Asia Conference on Computer and Communications Security. ACM, 159--172.

Digital Library

[25]

Weiming Zhang, Biao Chen, and Nenghai Yu. 2012. Improving various reversible data hiding schemes via optimal codes for binary covers. IEEE transactions on image processing, Vol. 21, 6 (2012), 2991--3003.

Cited By

Guo BPing PHuo J(2025)CRDH: Compatible Reversible Data Hiding With High Capacity and GeneralizationIEEE Transactions on Circuits and Systems for Video Technology10.1109/TCSVT.2024.346544535:1(874-887)Online publication date: Jan-2025
https://doi.org/10.1109/TCSVT.2024.3465445
Pegoraro ASegna CKumari KSadeghi ABalzarotti DXu W(2024)DeepEclipseProceedings of the 33rd USENIX Conference on Security Symposium10.5555/3698900.3699196(5287-5304)Online publication date: 14-Aug-2024
https://dl.acm.org/doi/10.5555/3698900.3699196
Pattnayak PDas TMohanty APatnaik S(2024)Artificial Intelligence in Intellectual Property Protection: Application of Deep Learning ModelEAI Endorsed Transactions on Internet of Things10.4108/eetiot.538810Online publication date: 12-Mar-2024
https://doi.org/10.4108/eetiot.5388
Show More Cited By

Index Terms

Reversible Watermarking in Deep Convolutional Neural Networks for Integrity Authentication
1. Security and privacy
  1. Security services
    1. Authentication

Recommendations

Reversible watermarking of 2D-vector data
MM&Sec '04: Proceedings of the 2004 workshop on Multimedia and security

This paper presents a reversible watermarking scheme for the 2D-vector data (point coordinates) which are popularly used in geographical information related applications. This reversible watermarking scheme exploits the high correlation among points in ...
A Semi-Fragile Reversible Watermarking for 2D CAD Engineering Graphics with Accurate Tampering Localization

A semi-fragile reversible watermarking algorithm for 2D CAD engineering graphics with accurate tampering localization is proposed. Firstly, all vertices in the 2D CAD engineering graphics are extracted and partitioned into groups. After that, the ...
Wavelet-based reversible watermarking system for integrity control and authentication in tele-ophthalmological applications

In numerous applications, such as in the areas of law enforcement and medical imaging systems, together with perceptual transparency, it is required to reverse the modified media back to the original without any deformation, after the secret data are ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences

MM '20: Proceedings of the 28th ACM International Conference on Multimedia

October 2020

4889 pages

ISBN:9781450379885

DOI:10.1145/3394171

General Chairs:
Chang Wen Chen
Chinese University of Hong Kong, Shenzhen, China
,
Rita Cucchiara
UNIMORE, Italy
,
Xian-Sheng Hua
Alibaba Group, China
,
Program Chairs:
Guo-Jun Qi
Futurewei Technologies, USA
,
Elisa Ricci
UNITN & Fondazione Bruno Kessler, Italy
,
Zhengyou Zhang
Tencent, China
,
Roger Zimmermann
National University of Singapore, Singapore

Copyright © 2020 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGMM: ACM Special Interest Group on Multimedia

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 12 October 2020

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

National Key Research and Development Program of China
Exploration Fund Project of University of Science and Technology of China
Natural Science Foundation of China

Conference

MM '20

Sponsor:

SIGMM

MM '20: The 28th ACM International Conference on Multimedia

October 12 - 16, 2020

WA, Seattle, USA

Acceptance Rates

Overall Acceptance Rate 2,145 of 8,556 submissions, 25%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

33
Total Citations
View Citations
549
Total Downloads

Downloads (Last 12 months)87
Downloads (Last 6 weeks)8

Reflects downloads up to 03 Mar 2025

Other Metrics

View Author Metrics

Citations

Cited By

Guo BPing PHuo J(2025)CRDH: Compatible Reversible Data Hiding With High Capacity and GeneralizationIEEE Transactions on Circuits and Systems for Video Technology10.1109/TCSVT.2024.346544535:1(874-887)Online publication date: Jan-2025
https://doi.org/10.1109/TCSVT.2024.3465445
Pegoraro ASegna CKumari KSadeghi ABalzarotti DXu W(2024)DeepEclipseProceedings of the 33rd USENIX Conference on Security Symposium10.5555/3698900.3699196(5287-5304)Online publication date: 14-Aug-2024
https://dl.acm.org/doi/10.5555/3698900.3699196
Pattnayak PDas TMohanty APatnaik S(2024)Artificial Intelligence in Intellectual Property Protection: Application of Deep Learning ModelEAI Endorsed Transactions on Internet of Things10.4108/eetiot.538810Online publication date: 12-Mar-2024
https://doi.org/10.4108/eetiot.5388
Liu WZhong SGurrin CKongkachandra RSchoeffmann KDang-Nguyen DRossetto LSatoh SZhou L(2024)MarginFinger: Controlling Generated Fingerprint Distance to Classification boundary Using Conditional GANsProceedings of the 2024 International Conference on Multimedia Retrieval10.1145/3652583.3658058(129-136)Online publication date: 30-May-2024
https://dl.acm.org/doi/10.1145/3652583.3658058
Zhang COu BPeng FZhao YLi K(2024)A Survey on Reversible Data Hiding for Uncompressed ImagesACM Computing Surveys10.1145/364510556:7(1-33)Online publication date: 9-Apr-2024
https://dl.acm.org/doi/10.1145/3645105
Zhu ZZhou HHu HJiang QQian ZZhang X(2024)Hide and Recognize Your Privacy ImageIEEE Transactions on Network Science and Engineering10.1109/TNSE.2024.345610311:6(6130-6142)Online publication date: Nov-2024
https://doi.org/10.1109/TNSE.2024.3456103
Lederer IMayer RRauber A(2024)Identifying Appropriate Intellectual Property Protection Mechanisms for Machine Learning Models: A Systematization of Watermarking, Fingerprinting, Model Access, and AttacksIEEE Transactions on Neural Networks and Learning Systems10.1109/TNNLS.2023.327013535:10(13082-13100)Online publication date: Oct-2024
https://doi.org/10.1109/TNNLS.2023.3270135
Hua GTeoh AXiang YJiang H(2024)Unambiguous and High-Fidelity Backdoor Watermarking for Deep Neural NetworksIEEE Transactions on Neural Networks and Learning Systems10.1109/TNNLS.2023.325021035:8(11204-11217)Online publication date: Aug-2024
https://doi.org/10.1109/TNNLS.2023.3250210
Yang FCheng HLyu SWen JChen H(2024)Lattice-Aided Extraction of Spread-Spectrum Hidden DataIEEE Transactions on Information Forensics and Security10.1109/TIFS.2024.340294819(5684-5695)Online publication date: 2024
https://doi.org/10.1109/TIFS.2024.3402948
Yuan ZZhang XWang ZYin Z(2024)Semi-Fragile Neural Network Watermarking Based on Adversarial ExamplesIEEE Transactions on Emerging Topics in Computational Intelligence10.1109/TETCI.2024.33723738:4(2775-2790)Online publication date: Aug-2024
https://doi.org/10.1109/TETCI.2024.3372373
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Figures

Tables

Media

View Table of Conten