research-article

Open access

DeepMarks: A Secure Fingerprinting Framework for Digital Rights Management of Deep Learning Models

Authors:

Bita Darvish Rouhani,

Farinaz KoushanfarAuthors Info & Claims

ICMR '19: Proceedings of the 2019 on International Conference on Multimedia Retrieval

Pages 105 - 113

https://doi.org/10.1145/3323873.3325042

Published: 05 June 2019 Publication History

Abstract

Deep Neural Networks (DNNs) are revolutionizing various critical fields by providing an unprecedented leap in terms of accuracy and functionality. Due to the costly training procedure, high-performance DNNs are typically considered as the Intellectual Property (IP) of the model builder and need to be protected. While DNNs are increasingly commercialized, the pre-trained models might be illegally copied or redistributed after they are delivered to malicious users. In this paper, we introduce DeepMarks, the first end-to-end collusion-secure fingerprinting framework that enables the owner to retrieve model authorship information and identification of unique users in the context of deep learning (DL). DeepMarks consists of two main modules: (i) Designing unique fingerprints using anti-collusion codebooks for individual users; and (ii) Encoding each constructed fingerprint (FP) in the probability density function (pdf) of the weights by incorporating an FP-specific regularization loss during DNN re-training. We investigate the performance of DeepMarks on various datasets and DNN architectures. Experimental results show that the embedded FP preserves the accuracy of the host DNN and is robust against different model modifications that might be conducted by the malicious user. Furthermore, our framework is scalable and yields perfect detection rates and no false alarms when identifying the participants of FP collusion attacks under theoretical guarantee. The runtime overhead of retrieving the embedded FP from the marked DNN can be as low as 0.056%.

References

[1]

Yossi Adi, Carsten Baum, Moustapha Cisse, Benny Pinkas, and Joseph Keshet. 2018. Turning Your Weakness Into a Strength: Watermarking Deep Neural Networks by Backdooring. arXiv preprint arXiv:1802.04633 (2018).

[2]

Caffe. 2017. Model Zoo. https://github.com/BVLC/caffe/wiki/Model-Zoo .

[3]

Charles J Colbourn and Jeffrey H Dinitz. 2006. Handbook of combinatorial designs .CRC press.

Digital Library

[4]

C Fu, A Di Fulvio, SD Clarke, D Wentzloff, SA Pozzi, and HS Kim. 2018. Artificial neural network algorithms for pulse shape discrimination and recovery of piled-up pulses in organic scintillators. Annals of Nuclear Energy, Vol. 120 (2018), 410--421.

[5]

Borko Furht and Darko Kirovski. 2004. Multimedia security handbook .CRC press.

Digital Library

[6]

Song Han, Jeff Pool, John Tran, and William Dally. 2015. Learning both weights and connections for efficient neural network. In Advances in neural information processing systems. 1135--1143.

Digital Library

[7]

Frank Hartung and Martin Kutter. 1999. Multimedia watermarking techniques. Proc. IEEE, Vol. 87, 7 (1999), 1079--1107.

[8]

Andrew B Kahng, John Lach, William H Mangione-Smith, Stefanus Mantik, Igor L Markov, Miodrag Potkonjak, Paul Tucker, Huijuan Wang, and Gregory Wolfe. 2001. Constraint-based watermarking techniques for design IP protection. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, Vol. 20, 10 (2001), 1236--1252.

Digital Library

[9]

Negar Kiyavash and Pierre Moulin. 2009. Performance of orthogonal fingerprinting codes under worst-case noise. IEEE Transactions on Information Forensics and Security, Vol. 4, 3 (2009), 293--301.

Digital Library

[10]

Deepa Kundur and Kannan Karthik. 2004. Video fingerprinting and encryption principles for digital rights management. Proc. IEEE, Vol. 92, 6 (2004), 918--932.

[11]

Yann LeCun, Yoshua Bengio, and Geoffrey Hinton. 2015. Deep learning. nature, Vol. 521, 7553 (2015), 436.

[12]

Erwan Le Merrer, Patrick Perez, and Gilles Trédan. 2017. Adversarial Frontier Stitching for Remote Neural Network Watermarking. arXiv preprint arXiv:1711.01894 (2017).

[13]

Yuki Nagai, Yusuke Uchida, Shigeyuki Sakazawa, and Shin'ichi Satoh. 2018. Digital watermarking for deep neural networks. International Journal of Multimedia Information Retrieval, Vol. 7, 1 (2018), 3--16.

[14]

Gang Qu and Miodrag Potkonjak. 2007. Intellectual property protection in VLSI designs: theory and practice .Springer Science & Business Media.

[15]

David Ross, Brian Elmenhurst, Mark Tocci, John Forbes, and Heather Wheelock Ross. 2017. Digital fingerprinting track and trace system. US Patent 9,582,714.

[16]

Bita Darvish Rouhani, Huili Chen, and Farinaz Koushanfar. 2019. DeepSigns: An End-to-End Watermarking Framework for Protecting the Ownership of Deep Neural Networks. In The 24th ACM International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS). ACM.

[17]

Jürgen Schmidhuber. 2015. Deep learning in neural networks: An overview. Neural networks, Vol. 61 (2015), 85--117.

Digital Library

[18]

Wade Trappe, Min Wu, and KJ Ray Liu. 2002. Collusion-resistant fingerprinting for multimedia. In Acoustics, Speech, and Signal Processing (ICASSP), 2002 IEEE International Conference on, Vol. 4. IEEE, IV--3309.

[19]

Wade Trappe, Min Wu, Z Jane Wang, and KJ Ray Liu. 2003. Anti-collusion fingerprinting for multimedia. IEEE Transactions on Signal Processing, Vol. 51, 4 (2003), 1069--1087.

Digital Library

[20]

Yusuke Uchida. 2017. Embedding Watermarks into Deep Neural Networks. https://github.com/yu4u/dnn-watermark .

[21]

Yusuke Uchida, Yuki Nagai, Shigeyuki Sakazawa, and Shin'ichi Satoh. 2017. Embedding watermarks into deep neural networks. In Proceedings of the 2017 ACM on International Conference on Multimedia Retrieval. ACM, 269--277.

Digital Library

[22]

Min Wu, Wade Trappe, Z Jane Wang, and KJ Ray Liu. 2004. Collusion-resistant multimedia fingerprinting: a unified framework. In Security, Steganography, and Watermarking of Multimedia Contents VI, Vol. 5306. International Society for Optics and Photonics, 748--760.

[23]

Yongsheng Yu, Hongwei Lu, Xiaosu Chen, and Zhiguang Zhang. 2010. Group-oriented anti-collusion fingerprint based on bibd code. In e-Business and Information System Security (EBISS), 2010 2nd International Conference on. IEEE, 1--5.

[24]

Sergey Zagoruyko and Nikos Komodakis. 2016. Wide residual networks. arXiv preprint arXiv:1605.07146 (2016).

[25]

Jialong Zhang, Zhongshu Gu, Jiyong Jang, Hui Wu, Marc Ph Stoecklin, Heqing Huang, and Ian Molloy. 2018. Protecting Intellectual Property of Deep Neural Networks with Watermarking. In Proceedings of the 2018 on Asia Conference on Computer and Communications Security. ACM, 159--172.

Digital Library

Cited By

Chen WXu XRen NZhu CCai J(2025)Copyright Verification and Traceability for Remote Sensing Object Detection Models via Dual Model WatermarkingRemote Sensing10.3390/rs1703048117:3(481)Online publication date: 30-Jan-2025
https://doi.org/10.3390/rs17030481
Luo HLi LLi J(2025)Digital Watermarking Technology for AI-Generated Images: A SurveyMathematics10.3390/math1304065113:4(651)Online publication date: 16-Feb-2025
https://doi.org/10.3390/math13040651
Pan XZhang MYan YZhang SYang M(2025)Matryoshka: Exploiting the Over-Parametrization of Deep Learning Models for Covert Data TransmissionIEEE Transactions on Pattern Analysis and Machine Intelligence10.1109/TPAMI.2024.343441747:2(663-678)Online publication date: Feb-2025
https://doi.org/10.1109/TPAMI.2024.3434417
Show More Cited By

Index Terms

DeepMarks: A Secure Fingerprinting Framework for Digital Rights Management of Deep Learning Models
1. Information systems
  1. Information retrieval
  2. Information systems applications
    1. Multimedia information systems
2. Security and privacy
  1. Security services
    1. Digital rights management

Recommendations

Detect and Remove Watermark in Deep Neural Networks via Generative Adversarial Networks
Information Security
Abstract
Deep neural networks (DNN) have achieved remarkable performance in various fields. However, training a DNN model from scratch requires expensive computing resources and a lot of training data, which are difficult to obtain for most individual ...
SecureNet: Proactive intellectual property protection and model security defense for DNNs based on backdoor learning
Abstract
With the widespread application of deep neural networks (DNNs), the risk of privacy breaches against DNN models is constantly on the rise, resulting in an increasing need for intellectual property (IP) protection for such models. Although neural ...
A Fingerprint Scheme for Deep Neural Network Models Based on Adversarial Samples
ICCSIE '24: Proceedings of the 2024 9th International Conference on Cyber Security and Information Engineering

The current illegal model misuse such as deep neural network model theft, derivation, resale or redistribution seriously violates the legal ownership of model owners. In order to ensure the security and fair development of artificial intelligence ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences

ICMR '19: Proceedings of the 2019 on International Conference on Multimedia Retrieval

June 2019

427 pages

ISBN:9781450367653

DOI:10.1145/3323873

General Chairs:
Abdulmotaleb El Saddik
University of Ottawa, Canada
,
Alberto Del Bimbo
University of Florence, Italy
,
Zhongfei Zhang
Binghamton University, State University of New York, USA
,
Program Chairs:
Alexander Hauptmann
Carnegie Mellon University, USA
,
K. Selcuk Candan
Arizona State University, USA
,
Marco Bertini
University of Florence, Italy
,
Lexing Xie
Australia National University, Australia
,
Xiao-Yong Wei
Sichuan University, China

Copyright © 2019 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGMM: ACM Special Interest Group on Multimedia

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 05 June 2019

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

ICMR '19

Sponsor:

SIGMM

ICMR '19: International Conference on Multimedia Retrieval

June 10 - 13, 2019

Ottawa ON, Canada

Acceptance Rates

Overall Acceptance Rate 254 of 830 submissions, 31%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

122
Total Citations
View Citations
1,963
Total Downloads

Downloads (Last 12 months)542
Downloads (Last 6 weeks)71

Reflects downloads up to 03 Mar 2025

Other Metrics

View Author Metrics

Citations

Cited By

Chen WXu XRen NZhu CCai J(2025)Copyright Verification and Traceability for Remote Sensing Object Detection Models via Dual Model WatermarkingRemote Sensing10.3390/rs1703048117:3(481)Online publication date: 30-Jan-2025
https://doi.org/10.3390/rs17030481
Luo HLi LLi J(2025)Digital Watermarking Technology for AI-Generated Images: A SurveyMathematics10.3390/math1304065113:4(651)Online publication date: 16-Feb-2025
https://doi.org/10.3390/math13040651
Pan XZhang MYan YZhang SYang M(2025)Matryoshka: Exploiting the Over-Parametrization of Deep Learning Models for Covert Data TransmissionIEEE Transactions on Pattern Analysis and Machine Intelligence10.1109/TPAMI.2024.343441747:2(663-678)Online publication date: Feb-2025
https://doi.org/10.1109/TPAMI.2024.3434417
Liu JZhang RSzyller SRen KAsokan NBalzarotti DXu W(2024)False claims against model ownership resolutionProceedings of the 33rd USENIX Conference on Security Symposium10.5555/3698900.3699285(6885-6902)Online publication date: 14-Aug-2024
https://dl.acm.org/doi/10.5555/3698900.3699285
Pegoraro ASegna CKumari KSadeghi ABalzarotti DXu W(2024)DeepEclipseProceedings of the 33rd USENIX Conference on Security Symposium10.5555/3698900.3699196(5287-5304)Online publication date: 14-Aug-2024
https://dl.acm.org/doi/10.5555/3698900.3699196
Zhang RHussain SNeekhara PKoushanfar FBalzarotti DXu W(2024)REMARK-LLMProceedings of the 33rd USENIX Conference on Security Symposium10.5555/3698900.3699002(1813-1830)Online publication date: 14-Aug-2024
https://dl.acm.org/doi/10.5555/3698900.3699002
An BDing MRabbani TAgrawal AXu YDeng CZhu SMohamed AWen YGoldstein THuang FSalakhutdinov RKolter ZHeller KWeller AOliver NScarlett JBerkenkamp F(2024)WAVESProceedings of the 41st International Conference on Machine Learning10.5555/3692070.3692129(1456-1492)Online publication date: 21-Jul-2024
https://dl.acm.org/doi/10.5555/3692070.3692129
Pattnayak PDas TMohanty APatnaik S(2024)Artificial Intelligence in Intellectual Property Protection: Application of Deep Learning ModelEAI Endorsed Transactions on Internet of Things10.4108/eetiot.538810Online publication date: 12-Mar-2024
https://doi.org/10.4108/eetiot.5388
Zhou LRen XQian CSun G(2024)TraceGuard: Fine-Tuning Pre-Trained Model by Using Stego Images to Trace Its UserMathematics10.3390/math1221333312:21(3333)Online publication date: 24-Oct-2024
https://doi.org/10.3390/math12213333
Carra ADurmuskaya DGiulio BFalaschetti LTurchetti CPau D(2024)Watermarking Tiny MLCommons Image Applications Without Extra Deployability CostsElectronics10.3390/electronics1323464413:23(4644)Online publication date: 25-Nov-2024
https://doi.org/10.3390/electronics13234644
Show More Cited By

View Options

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Figures

Tables

Media

View Table of Conten