Fragile Neural Network Watermarking with Trigger Image Set

Renjie Zhu; Ping Wei; Sheng Li; Zhaoxia Yin; Xinpeng Zhang; Zhenxing Qian

doi:10.1007/978-3-030-82136-4_23

Fragile Neural Network Watermarking with Trigger Image Set

Renjie Zhu
, Ping Wei
, Sheng Li
, Zhaoxia Yin
, Xinpeng Zhang^*
, Zhenxing Qian

^*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

28 Scopus citations

Abstract

Recent studies show that deep neural networks are vulnerable to data poisoning and backdoor attacks, both of which involve malicious fine tuning of deep models. In this paper, we first propose a black-box based fragile neural network watermarking method for the detection of malicious fine tuning. The watermarking process can be divided into three steps. Firstly, a set of trigger images is constructed based on a user-specific secret key. Then, a well trained DNN model is fine-tuned to classify the normal images in training set and trigger images in trigger set simultaneously in a two-stage alternate training manner. Fragile watermark is embedded by this means while keeping model’s original classification ability. The watermarked model is sensitive to malicious fine tuning and will produce unstable classification results of the trigger images. At last, the integrity of the network model can be verified by analyzing the output of watermarked model with the trigger image set as input. The experiments on three benchmark datasets demonstrate that our proposed watermarking method is effective in detecting malicious fine tuning.

Original language	English
Title of host publication	Knowledge Science, Engineering and Management - 14th International Conference, KSEM 2021, Proceedings
Editors	Han Qiu, Cheng Zhang, Zongming Fei, Meikang Qiu, Sun-Yuan Kung
Publisher	Springer Science and Business Media Deutschland GmbH
Pages	280-293
Number of pages	14
ISBN (Print)	9783030821357
DOIs	https://doi.org/10.1007/978-3-030-82136-4_23
State	Published - 2021
Externally published	Yes
Event	14th International Conference on Knowledge Science, Engineering and Management, KSEM 2021 - Tokyo, Japan Duration: 14 Aug 2021 → 16 Aug 2021

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	12815 LNAI
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	14th International Conference on Knowledge Science, Engineering and Management, KSEM 2021
Country/Territory	Japan
City	Tokyo
Period	14/08/21 → 16/08/21

Keywords

Backdoor defense
Data poisoning
Fragile watermarking
Malicious tuning detection
Model integrity protection
Neural network

Access to Document

10.1007/978-3-030-82136-4_23

Cite this

Zhu, R., Wei, P., Li, S., Yin, Z., Zhang, X., & Qian, Z. (2021). Fragile Neural Network Watermarking with Trigger Image Set. In H. Qiu, C. Zhang, Z. Fei, M. Qiu, & S.-Y. Kung (Eds.), Knowledge Science, Engineering and Management - 14th International Conference, KSEM 2021, Proceedings (pp. 280-293). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 12815 LNAI). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-030-82136-4_23

Zhu, Renjie ; Wei, Ping ; Li, Sheng et al. / Fragile Neural Network Watermarking with Trigger Image Set. Knowledge Science, Engineering and Management - 14th International Conference, KSEM 2021, Proceedings. editor / Han Qiu ; Cheng Zhang ; Zongming Fei ; Meikang Qiu ; Sun-Yuan Kung. Springer Science and Business Media Deutschland GmbH, 2021. pp. 280-293 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{a705d0ac5c32407db9fbdafb5ba0de10,

title = "Fragile Neural Network Watermarking with Trigger Image Set",

abstract = "Recent studies show that deep neural networks are vulnerable to data poisoning and backdoor attacks, both of which involve malicious fine tuning of deep models. In this paper, we first propose a black-box based fragile neural network watermarking method for the detection of malicious fine tuning. The watermarking process can be divided into three steps. Firstly, a set of trigger images is constructed based on a user-specific secret key. Then, a well trained DNN model is fine-tuned to classify the normal images in training set and trigger images in trigger set simultaneously in a two-stage alternate training manner. Fragile watermark is embedded by this means while keeping model{\textquoteright}s original classification ability. The watermarked model is sensitive to malicious fine tuning and will produce unstable classification results of the trigger images. At last, the integrity of the network model can be verified by analyzing the output of watermarked model with the trigger image set as input. The experiments on three benchmark datasets demonstrate that our proposed watermarking method is effective in detecting malicious fine tuning.",

keywords = "Backdoor defense, Data poisoning, Fragile watermarking, Malicious tuning detection, Model integrity protection, Neural network",

author = "Renjie Zhu and Ping Wei and Sheng Li and Zhaoxia Yin and Xinpeng Zhang and Zhenxing Qian",

note = "Publisher Copyright: {\textcopyright} 2021, Springer Nature Switzerland AG.; 14th International Conference on Knowledge Science, Engineering and Management, KSEM 2021 ; Conference date: 14-08-2021 Through 16-08-2021",

year = "2021",

doi = "10.1007/978-3-030-82136-4\_23",

language = "英语",

isbn = "9783030821357",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Science and Business Media Deutschland GmbH",

pages = "280--293",

editor = "Han Qiu and Cheng Zhang and Zongming Fei and Meikang Qiu and Sun-Yuan Kung",

booktitle = "Knowledge Science, Engineering and Management - 14th International Conference, KSEM 2021, Proceedings",

address = "德国",

}

Zhu, R, Wei, P, Li, S, Yin, Z, Zhang, X & Qian, Z 2021, Fragile Neural Network Watermarking with Trigger Image Set. in H Qiu, C Zhang, Z Fei, M Qiu & S-Y Kung (eds), Knowledge Science, Engineering and Management - 14th International Conference, KSEM 2021, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 12815 LNAI, Springer Science and Business Media Deutschland GmbH, pp. 280-293, 14th International Conference on Knowledge Science, Engineering and Management, KSEM 2021, Tokyo, Japan, 14/08/21. https://doi.org/10.1007/978-3-030-82136-4_23

Fragile Neural Network Watermarking with Trigger Image Set. / Zhu, Renjie; Wei, Ping; Li, Sheng et al.
Knowledge Science, Engineering and Management - 14th International Conference, KSEM 2021, Proceedings. ed. / Han Qiu; Cheng Zhang; Zongming Fei; Meikang Qiu; Sun-Yuan Kung. Springer Science and Business Media Deutschland GmbH, 2021. p. 280-293 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 12815 LNAI).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Fragile Neural Network Watermarking with Trigger Image Set

AU - Zhu, Renjie

AU - Wei, Ping

AU - Li, Sheng

AU - Yin, Zhaoxia

AU - Zhang, Xinpeng

AU - Qian, Zhenxing

PY - 2021

Y1 - 2021

N2 - Recent studies show that deep neural networks are vulnerable to data poisoning and backdoor attacks, both of which involve malicious fine tuning of deep models. In this paper, we first propose a black-box based fragile neural network watermarking method for the detection of malicious fine tuning. The watermarking process can be divided into three steps. Firstly, a set of trigger images is constructed based on a user-specific secret key. Then, a well trained DNN model is fine-tuned to classify the normal images in training set and trigger images in trigger set simultaneously in a two-stage alternate training manner. Fragile watermark is embedded by this means while keeping model’s original classification ability. The watermarked model is sensitive to malicious fine tuning and will produce unstable classification results of the trigger images. At last, the integrity of the network model can be verified by analyzing the output of watermarked model with the trigger image set as input. The experiments on three benchmark datasets demonstrate that our proposed watermarking method is effective in detecting malicious fine tuning.

AB - Recent studies show that deep neural networks are vulnerable to data poisoning and backdoor attacks, both of which involve malicious fine tuning of deep models. In this paper, we first propose a black-box based fragile neural network watermarking method for the detection of malicious fine tuning. The watermarking process can be divided into three steps. Firstly, a set of trigger images is constructed based on a user-specific secret key. Then, a well trained DNN model is fine-tuned to classify the normal images in training set and trigger images in trigger set simultaneously in a two-stage alternate training manner. Fragile watermark is embedded by this means while keeping model’s original classification ability. The watermarked model is sensitive to malicious fine tuning and will produce unstable classification results of the trigger images. At last, the integrity of the network model can be verified by analyzing the output of watermarked model with the trigger image set as input. The experiments on three benchmark datasets demonstrate that our proposed watermarking method is effective in detecting malicious fine tuning.

KW - Backdoor defense

KW - Data poisoning

KW - Fragile watermarking

KW - Malicious tuning detection

KW - Model integrity protection

KW - Neural network

UR - https://www.scopus.com/pages/publications/85113761376

U2 - 10.1007/978-3-030-82136-4_23

DO - 10.1007/978-3-030-82136-4_23

M3 - 会议稿件

AN - SCOPUS:85113761376

SN - 9783030821357

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 280

EP - 293

BT - Knowledge Science, Engineering and Management - 14th International Conference, KSEM 2021, Proceedings

A2 - Qiu, Han

A2 - Zhang, Cheng

A2 - Fei, Zongming

A2 - Qiu, Meikang

A2 - Kung, Sun-Yuan

PB - Springer Science and Business Media Deutschland GmbH

T2 - 14th International Conference on Knowledge Science, Engineering and Management, KSEM 2021

Y2 - 14 August 2021 through 16 August 2021

ER -

Zhu R, Wei P, Li S, Yin Z, Zhang X, Qian Z. Fragile Neural Network Watermarking with Trigger Image Set. In Qiu H, Zhang C, Fei Z, Qiu M, Kung SY, editors, Knowledge Science, Engineering and Management - 14th International Conference, KSEM 2021, Proceedings. Springer Science and Business Media Deutschland GmbH. 2021. p. 280-293. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-030-82136-4_23

Fragile Neural Network Watermarking with Trigger Image Set

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this