Digital Watermarking for Machine Learning Model: Techniques, Protocols and Applications


Machine Learning (ML) models, especially large pretrained Deep Learning (DL) models, are of high economic value and must be properly protected with regard to intellectual property rights (IPR). Model watermarking methods embed watermarks into the target model so that, in the event it is stolen, the model's owner can extract the pre-defined watermarks to assert ownership. Model watermarking methods adopt frequently used techniques such as backdoor training, multi-task learning and decision boundary analysis to generate secret conditions that constitute model watermarks or fingerprints known only to model owners. These methods have little or no effect on model performance, which makes them applicable to a wide variety of contexts. In terms of robustness, embedded watermarks must remain reliably detectable against varying adversarial attacks that attempt to remove them. The efficacy of model watermarking methods is showcased in diverse applications including image classification, image generation, image captioning, Natural Language Processing (NLP) and Reinforcement Learning. This book covers the motivations, fundamentals, techniques and protocols for protecting ML models using watermarking. Furthermore, it showcases cutting-edge work in, for example, model watermarking, signature and passport embedding, and their use cases in distributed Federated Learning settings.

Author(s): Lixin Fan, Chee Seng Chan, Qiang Yang
Publisher: Springer
Year: 2023

Language: English
Pages: 233

Preface
Contents
Contributors
About the Editors
Acronyms
Mathematical Notation
Fundamentals
Machine Learning
Model Watermarking
Part I Preliminary
1 Introduction
1.1 Why Digital Watermarking for Machine Learning Models?
1.2 How Digital Watermarking Is Used for Machine Learning Models?
1.2.1 Techniques
1.2.2 Protocols
1.2.3 Applications
1.3 Related Work
1.3.1 White-Box Watermarks
1.3.2 Black-Box Watermarks
1.3.3 Neural Network Fingerprints
1.4 About This Book
References
2 Ownership Verification Protocols for Deep Neural Network Watermarks
2.1 Introduction
2.2 Security Formulation
2.2.1 Functionality Preserving
2.2.2 Accuracy and Unambiguity
2.2.3 Persistency
2.2.4 Other Security Requirements
2.3 The Ownership Verification Protocol for DNN
2.3.1 The Boycotting Attack and the Corresponding Security
2.3.2 The Overwriting Attack and the Corresponding Security
2.3.3 Evidence Exposure and the Corresponding Security
2.3.4 A Logic Perspective of the OV Protocol
2.3.5 Remarks on Advanced Protocols
2.4 Conclusion
References
Part II Techniques
3 Model Watermarking for Deep Neural Networks of Image Recovery
3.1 Introduction
3.2 Related Works
3.2.1 White-Box Model Watermarking
3.2.2 Black-Box Model Watermarking
3.3 Problem Formulation
3.3.1 Notations and Definitions
3.3.2 Principles for Watermarking Image Recovery DNNs
3.3.3 Model-Oriented Attacks to Model Watermarking
3.4 Proposed Method
3.4.1 Main Idea and Framework
3.4.2 Trigger Key Generation
3.4.3 Watermark Generation
3.4.4 Watermark Embedding
3.4.5 Watermark Verification
3.4.6 Auxiliary Copyright Visualizer
3.5 Conclusion
References
4 The Robust and Harmless Model Watermarking
4.1 Introduction
4.2 Related Work
4.2.1 Model Stealing
4.2.2 Defenses Against Model Stealing
4.3 Revisiting Existing Model Ownership Verification
4.3.1 The Limitation of Dataset Inference
4.3.2 The Limitation of Backdoor-Based Watermarking
4.4 The Proposed Method Under Centralized Training
4.4.1 Threat Model and Method Pipeline
4.4.2 Model Watermarking with Embedded External Features
4.4.3 Training Ownership Meta-Classifier
4.4.4 Model Ownership Verification with Hypothesis Test
4.5 The Proposed Method Under Federated Learning
4.5.1 Problem Formulation and Threat Model
4.5.2 The Proposed Method
4.6 Experiments
4.6.1 Experimental Settings
4.6.2 Main Results Under Centralized Training
4.6.3 Main Results Under Federated Learning
4.6.4 The Effects of Key Hyper-Parameters
4.6.5 Ablation Study
4.7 Conclusion
References
5 Protecting Intellectual Property of Machine Learning Models via Fingerprinting the Classification Boundary
5.1 Introduction
5.2 Related Works
5.2.1 Watermarking for IP Protection
5.2.2 Classification Boundary
5.3 Problem Formulation
5.3.1 Threat Model
5.3.2 Fingerprinting a Target Model
5.3.3 Design Goals
5.3.4 Measuring the Robustness–Uniqueness Trade-off
5.4 Design of IPGuard
5.4.1 Overview
5.4.2 Finding Fingerprinting Data Points as an Optimization Problem
5.4.3 Initialization and Label Selection
5.5 Discussion
5.5.1 Connection with Adversarial Examples
5.5.2 Robustness Against Knowledge Distillation
5.5.3 Attacker-Side Detection of Fingerprinting Data Points
5.6 Conclusion and Future Work
References
6 Protecting Image Processing Networks via Model Watermarking
6.1 Introduction
6.2 Preliminaries
6.2.1 Threat Model
6.2.2 Problem Formulation
6.3 Proposed Method
6.3.1 Motivation
6.3.2 Traditional Watermarking Algorithm
6.3.3 Deep Invisible Watermarking
6.3.3.1 Network Structures
6.3.3.2 Loss Functions
6.3.3.3 Ownership Verification
6.3.3.4 Flexible Extensions
6.4 Experiments
6.4.1 Experiment Settings
6.4.2 Fidelity and Capacity
6.4.3 Robustness to Model Extraction Attack
6.4.4 Ablation Study
6.4.5 Extensions
6.5 Discussion
6.6 Conclusion
References
7 Watermarks for Deep Reinforcement Learning
7.1 Introduction
7.2 Background
7.2.1 Markov Decision Process
7.2.2 Reinforcement Learning
7.2.3 Deep Reinforcement Learning
7.3 Related Work
7.3.1 Watermarks for Supervised Deep Learning Models
7.3.2 Watermarks for Deep Reinforcement Learning Models
7.4 Problem Formulation
7.4.1 Threat Model
7.4.2 Temporal Watermarks for Deep Reinforcement Learning
7.5 Proposed Method
7.5.1 Watermark Candidate Generation
7.5.2 Watermark Embedding
7.5.3 Ownership Verification
7.6 Discussion
7.7 Conclusion
References
8 Ownership Protection for Image Captioning Models
8.1 Introduction
8.2 Related Works
8.2.1 Image Captioning
8.2.2 Digital Watermarking in DNN Models
8.3 Problem Formulation
8.3.1 Image Captioning Model
8.3.2 Proof of Proposition 2
8.3.3 IP Protection on Image Captioning Model
8.4 Proposed Method
8.4.1 Secret Key Generation Process
8.4.2 Embedding Process
8.4.3 Verification Process
8.5 Experiment Settings
8.5.1 Metrics and Dataset
8.5.2 Configurations
8.5.3 Methods for Comparison
8.6 Discussion and Limitations
8.6.1 Comparison with Current Digital Watermarking Framework
8.6.2 Fidelity Evaluation
8.6.3 Resilience Against Ambiguity Attacks
8.6.4 Robustness Against Removal Attacks
8.6.5 Limitations
8.7 Conclusion
References
9 Protecting Recurrent Neural Network by Embedding Keys
9.1 Introduction
9.2 Related Works
9.3 Problem Formulation
9.3.1 Problem Statement
9.3.2 Protection Framework Design
9.3.3 Contributions
9.3.4 Protocols for Model Watermarking and Ownership Verification
9.4 Proposed Method
9.4.1 Key Gates
9.4.2 Methods to Generate Key
9.4.3 Sign of Key Outputs as Signature
9.4.4 Ownership Verification with Keys
9.5 Experiments
9.5.1 Learning Tasks
9.5.2 Hyperparameters
9.6 Discussion
9.6.1 Fidelity
9.6.2 Robustness Against Removal Attacks
9.6.3 Resilience Against Ambiguity Attacks
9.6.4 Secrecy
9.6.5 Time Complexity
9.6.6 Key Gate Activation
9.7 Conclusion
References
Part III Applications
10 FedIPR: Ownership Verification for Federated Deep Neural Network Models
10.1 Introduction
10.2 Related Works
10.2.1 Secure Federated Learning
10.2.2 DNN Watermarking Methods
10.3 Preliminaries
10.3.1 Secure Horizontal Federated Learning
10.3.2 Freeriders in Federated Learning
10.3.3 DNN Watermarking Methods
10.4 Proposed Method
10.4.1 Definition of FedDNN Ownership Verification with Watermarks
10.4.2 Challenge A: Capacity of Multiple Watermarks in FedDNN
10.4.3 Challenge B: Watermarking Robustness in SFL
10.5 Implementation Details
10.5.1 Watermark Embedding and Verification
10.5.1.1 Watermarking Design for CNN
10.5.1.2 Watermarking Design for Transformer-Based Networks
10.6 Experimental Results
10.6.1 Fidelity
10.6.2 Watermark Detection Rate
10.6.3 Watermarks Defeat Freerider Attacks
10.6.4 Robustness Under Federated Learning Strategies
10.6.4.1 Robustness Against Differential Privacy
10.6.4.2 Robustness Against Client Selection
10.7 Conclusion
References
11 Model Auditing for Data Intellectual Property
11.1 Introduction
11.2 Related Works
11.2.1 Membership Inference (MI)
11.2.2 Model Decision Boundary
11.3 Problem Formulations
11.3.1 Properties for Model Auditing
11.3.2 Model Auditing Under Different Settings
11.4 Investigation of Existing Model Auditing Methods
11.4.1 Distance Approximation to Decision Boundary
11.4.2 Data Ownership Resolution
11.4.3 Threat Model for Model Auditing
11.4.3.1 Removal Attack
11.4.3.2 Ambiguity Attack
11.5 Experimental Results
11.5.1 Main Results
11.5.2 Partial Data Usage
11.5.3 Different Adversarial Setting
11.5.3.1 Data Ambiguity Attack
11.5.3.2 Model Removal Attack
11.6 Conclusion
References