DOI: 10.1145/3323873.3325042
research-article
Open access

DeepMarks: A Secure Fingerprinting Framework for Digital Rights Management of Deep Learning Models

Published: 05 June 2019

Abstract

Deep Neural Networks (DNNs) are revolutionizing various critical fields by providing an unprecedented leap in terms of accuracy and functionality. Due to the costly training procedure, high-performance DNNs are typically considered as the Intellectual Property (IP) of the model builder and need to be protected. While DNNs are increasingly commercialized, the pre-trained models might be illegally copied or redistributed after they are delivered to malicious users. In this paper, we introduce DeepMarks, the first end-to-end collusion-secure fingerprinting framework that enables the owner to retrieve model authorship information and identification of unique users in the context of deep learning (DL). DeepMarks consists of two main modules: (i) Designing unique fingerprints using anti-collusion codebooks for individual users; and (ii) Encoding each constructed fingerprint (FP) in the probability density function (pdf) of the weights by incorporating an FP-specific regularization loss during DNN re-training. We investigate the performance of DeepMarks on various datasets and DNN architectures. Experimental results show that the embedded FP preserves the accuracy of the host DNN and is robust against different model modifications that might be conducted by the malicious user. Furthermore, our framework is scalable and yields perfect detection rates and no false alarms when identifying the participants of FP collusion attacks under theoretical guarantee. The runtime overhead of retrieving the embedded FP from the marked DNN can be as low as 0.056%.
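
The collusion-tracing idea behind module (i), as an added example that is not taken from the paper or this page: it uses a textbook AND anti-collusion code built from a (7,3,1) balanced incomplete block design. The block design, the averaging attack model, the 0.5 threshold and all function names are assumptions made for illustration.

```python
from itertools import combinations

# Constructed example: the seven blocks of a (7,3,1) BIBD (Fano plane),
# points 0..6. User j is assigned block j. Assumed design, not from the page.
BLOCKS = [(0, 1, 2), (0, 3, 4), (0, 5, 6), (1, 3, 5),
          (1, 4, 6), (2, 3, 6), (2, 4, 5)]
V = 7  # code length = number of points in the design

def codebook():
    """AND-ACC code vectors: bit i of user j is 0 iff point i is in block j."""
    return [[0 if i in blk else 1 for i in range(V)] for blk in BLOCKS]

def collude_by_averaging(users, book):
    """Assumed attack model: colluders average their antipodal (+1/-1) marks."""
    sigs = [[1.0 if b else -1.0 for b in book[u]] for u in users]
    return [sum(col) / len(sigs) for col in zip(*sigs)]

def extract_code(signal, threshold=0.5):
    """A bit survives as 1 only if every colluder carried a 1 (logical AND)."""
    return [1 if s > threshold else 0 for s in signal]

def accuse(extracted, book):
    """Accuse user j iff j's code has a 1 wherever the extracted code has a 1."""
    return [j for j, code in enumerate(book)
            if all(c >= e for c, e in zip(code, extracted))]

def trace(users):
    """Run the full pipeline: collude, extract the code, name the suspects."""
    book = codebook()
    return accuse(extract_code(collude_by_averaging(users, book)), book)

def guarantee_holds(max_colluders=2):
    """Exhaustively check exact tracing for every coalition up to k-1 = 2."""
    return all(trace(list(c)) == list(c)
               for n in range(1, max_colluders + 1)
               for c in combinations(range(len(BLOCKS)), n))

if __name__ == "__main__":
    print(trace([1, 4]))        # two colluders: traced exactly
    print(guarantee_holds())    # every coalition of size <= 2 is traced exactly
    print(trace([0, 1, 2]))     # three colluders exceed this design's limit
```

With three colluders the extracted code can collapse to all zeros and every user is accused, which is why the design parameters bound the coalition size the codebook can resolve.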



Published In

ICMR '19: Proceedings of the 2019 on International Conference on Multimedia Retrieval
June 2019
427 pages
ISBN: 9781450367653
DOI: 10.1145/3323873

Publisher

Association for Computing Machinery
New York, NY, United States

Author Tags

1. deep neural networks
2. digital fingerprinting
3. digital right management
4. intellectual property protection

Qualifiers

• Research-article

Conference

ICMR '19

Acceptance Rates

Overall Acceptance Rate 254 of 830 submissions, 31%
