Verifying Integrity of Deep Ensemble Models by Lossless Black-box Watermarking with Sensitive Samples

by Lina Lin, et al.

With the widespread use of deep neural networks (DNNs) in many areas, more and more studies focus on protecting DNN models from intellectual property (IP) infringement. Many existing methods apply digital watermarking to protect DNN models. Most of them either embed a watermark directly into the network's internal structure or parameters, or insert a zero-bit watermark by fine-tuning the model to be protected on a set of so-called trigger samples. Although these methods work well, they were designed for individual DNN models and cannot be applied directly to deep ensemble models (DEMs), which combine multiple sub-models to make the final decision. This motivates us to propose a novel black-box watermarking method for DEMs that can be used to verify the integrity of a DEM. In the proposed method, a number of sensitive samples are carefully selected by mimicking real-world attacks on DEMs and analyzing the prediction results of the sub-models of the non-attacked DEM and of the attacked DEM on a carefully crafted dataset. By analyzing the prediction results of the target DEM on these sensitive samples, we can verify the integrity of the target DEM. Unlike many previous methods, the proposed method does not modify the original DEM to be protected, so it is lossless. Experimental results show that the integrity of a DEM can be reliably verified even if only one sub-model was attacked, which gives the method good potential in practice.
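The following is an added example illustrating the workflow the abstract describes (mimic single-sub-model attacks, pick candidate inputs whose ensemble prediction flips between the clean and the attacked DEM, then verify a target DEM purely from its black-box predictions on those inputs without modifying it). It is not the paper's code: the ensemble is a toy soft-voting average of three hand-picked linear sub-models, the candidate set is a fixed 2-D grid, and the three "attacks" (weight pruning, weight quantization, a constant nudge standing in for fine-tuning drift) are assumptions chosen so the example runs offline; the paper's sub-model analysis and selection criteria are not reproduced.

```python
import math
from dataclasses import dataclass
from itertools import product
from typing import Callable, Dict, List, Tuple

Sample = Tuple[float, float]


@dataclass
class SubModel:
    """Toy sub-model: sigmoid(w . x + b). A constructed stand-in for a DNN."""
    w: List[float]
    b: float

    def score(self, x: Sample) -> float:
        z = sum(wi * xi for wi, xi in zip(self.w, x)) + self.b
        return 1.0 / (1.0 + math.exp(-z))

    def copy(self) -> "SubModel":
        return SubModel(list(self.w), self.b)


class DEM:
    """Deep ensemble model: soft vote (mean of sub-model scores), label 1 if mean >= 0.5."""

    def __init__(self, sub_models: List[SubModel]):
        self.sub_models = sub_models

    def sub_scores(self, x: Sample) -> List[float]:
        return [m.score(x) for m in self.sub_models]

    def predict(self, x: Sample) -> int:
        return int(sum(self.sub_scores(x)) / len(self.sub_models) >= 0.5)

    def with_sub_model(self, idx: int, m: SubModel) -> "DEM":
        """Return a new DEM in which only sub-model idx is replaced (one sub-model attacked)."""
        ms = [s.copy() for s in self.sub_models]
        ms[idx] = m
        return DEM(ms)


# Mimicked single-sub-model attacks (assumed, simplified stand-ins).
def prune_smallest_weight(m: SubModel) -> SubModel:
    out = m.copy()
    k = min(range(len(out.w)), key=lambda i: abs(out.w[i]))
    out.w[k] = 0.0
    return out


def quantize(m: SubModel, step: float = 0.25) -> SubModel:
    out = m.copy()
    out.w = [round(v / step) * step for v in out.w]
    out.b = round(out.b / step) * step
    return out


def nudge(m: SubModel, delta: float = 0.05) -> SubModel:
    out = m.copy()
    out.w = [v + delta for v in out.w]
    out.b += delta
    return out


MIMICKED_ATTACKS: Dict[str, Callable[[SubModel], SubModel]] = {
    "prune": prune_smallest_weight,
    "quantize": quantize,
    "nudge": nudge,
}

# Constructed clean DEM (weights chosen by hand for the example).
CLEAN_DEM = DEM([
    SubModel([1.0, -0.5], 0.1),
    SubModel([0.8, 0.9], -0.3),
    SubModel([-0.4, 1.2], 0.2),
])


def candidate_grid(lo: float = -2.0, hi: float = 2.0, step: float = 0.25) -> List[Sample]:
    """Crafted candidate dataset: a regular grid over the input space."""
    n = int(round((hi - lo) / step)) + 1
    vals = [lo + i * step for i in range(n)]
    return [(a, b) for a, b in product(vals, vals)]


def select_sensitive_samples(dem: DEM, candidates: List[Sample],
                             attacks=MIMICKED_ATTACKS):
    """Keep every candidate whose ensemble label flips when any single sub-model
    is hit by any mimicked attack. Returns (samples, reference labels, reasons),
    where reasons maps a sample to the (sub-model index, attack name) pairs that flipped it."""
    reasons: Dict[Sample, List[Tuple[int, str]]] = {}
    for idx in range(len(dem.sub_models)):
        for name, atk in attacks.items():
            attacked = dem.with_sub_model(idx, atk(dem.sub_models[idx]))
            for x in candidates:
                if dem.predict(x) != attacked.predict(x):
                    reasons.setdefault(x, []).append((idx, name))
    samples = sorted(reasons)
    reference = [dem.predict(x) for x in samples]  # recorded once, from the clean DEM
    return samples, reference, reasons


def verify_integrity(target: DEM, samples: List[Sample], reference: List[int]):
    """Black-box check: only target.predict() is queried; the DEM itself is untouched."""
    mismatches = [x for x, y in zip(samples, reference) if target.predict(x) != y]
    return len(mismatches) == 0, mismatches


if __name__ == "__main__":
    samples, ref, why = select_sensitive_samples(CLEAN_DEM, candidate_grid())
    print(f"{len(samples)} sensitive samples selected")
    print("clean DEM passes:", verify_integrity(CLEAN_DEM, samples, ref)[0])
    tampered = CLEAN_DEM.with_sub_model(0, prune_smallest_weight(CLEAN_DEM.sub_models[0]))
    ok, bad = verify_integrity(tampered, samples, ref)
    print("pruned sub-model 0 passes:", ok, "| first mismatch:", bad[:1])
```

Two things the toy makes visible: the reference labels are computed from the clean DEM and stored by the verifier, so nothing is embedded in the model (the lossless property), and detection only reaches attacks that resemble the mimicked ones, so the attack set used during selection is the security-relevant knob.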
