TY - GEN
T1 - High-Quality Triggers Based Fragile Watermarking for Optical Character Recognition Model
AU - Yin, Yujie
AU - Yin, Heng
AU - Yin, Zhaoxia
AU - Lyu, Wanli
AU - Wei, Sha
N1 - Publisher Copyright:
© 2023 IEEE.
PY - 2023
Y1 - 2023
N2 - Deep neural networks have demonstrated exceptional performance in numerous domains, yet they also face significant security issues. To safeguard the integrity of deep neural networks and prevent unauthorized parameter manipulation, researchers have proposed fragile model watermarking techniques. However, current methods concentrate on image classification models and are not suitable for text image recognition models. Consequently, this paper proposes a remote black-box integrity authentication method for text image recognition models. Specifically, we embed a trigger set into the model to be protected as its watermark. This trigger set is carefully constructed by adding tiny noise to meticulously selected training set samples, with each trigger set sample labeled using a model-specific sentence. Utilizing the principle of information entropy theory, we employ an optimal approach to fine-tuning the model, aiming to ensure that the outputs of the trigger set exhibit a pronounced sensitivity to variations within the model. Experiments indicate that with the structural similarity between the trigger set samples and the original samples exceeding 0.9, the embedded watermark has a negligible impact on model performance. The minimum decrease in accuracy on the test set is less than 0.5%. Moreover, even after undergoing modifications limited to fine-tuning only the last two layers and altering a mere one ten-thousandth of the parameters, the model watermarking is effective in identifying such changes.
UR - https://www.scopus.com/pages/publications/85180005916
U2 - 10.1109/APSIPAASC58517.2023.10317513
DO - 10.1109/APSIPAASC58517.2023.10317513
M3 - Conference contribution
AN - SCOPUS:85180005916
T3 - 2023 Asia Pacific Signal and Information Processing Association Annual Summit and Conference, APSIPA ASC 2023
SP - 468
EP - 475
BT - 2023 Asia Pacific Signal and Information Processing Association Annual Summit and Conference, APSIPA ASC 2023
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 2023 Asia Pacific Signal and Information Processing Association Annual Summit and Conference, APSIPA ASC 2023
Y2 - 31 October 2023 through 3 November 2023
ER -