Open Access Proceedings Article (DOI)

Embedding Watermarks into Deep Neural Networks

TLDR
This work proposes to use digital watermarking technology to protect intellectual property and detect intellectual property infringement in the use of trained models, and proposes a general framework for embedding a watermark in model parameters, using a parameter regularizer.
Abstract
Significant progress has been made with deep neural networks recently. Sharing trained models of deep neural networks has been very important in the rapid progress of research and development of these systems. At the same time, it is necessary to protect the rights to shared trained models. To this end, we propose to use digital watermarking technology to protect intellectual property and detect intellectual property infringement in the use of trained models. First, we formulate a new problem: embedding watermarks into deep neural networks. Second, we propose a general framework for embedding a watermark in model parameters, using a parameter regularizer. Our approach does not impair the performance of networks into which a watermark is placed because the watermark is embedded while training the host network. Finally, we perform comprehensive experiments to reveal the potential of watermarking deep neural networks as the basis of this new research effort. We show that our framework can embed a watermark during the training of a deep neural network from scratch, and during fine-tuning and distilling, without impairing its performance. The embedded watermark does not disappear even after fine-tuning or parameter pruning; the watermark remains complete even after 65% of parameters are pruned.
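As an added example (not the authors' code), the regularizer-based embedding the abstract describes, in NumPy: a bit vector b is embedded into the mean filter of a constructed weight bank through a secret projection key X by adding a binary cross-entropy regularizer E_R to a toy task loss; the watermark is later extracted by thresholding the same projection, and the final check repeats the abstract's 65% magnitude-pruning test. The exact form of E_R (sigmoid of a random projection), the mean-filter embedding site, the toy task loss and all constants are this example's assumptions, not taken from the page.

```python
import numpy as np

def sigmoid(z):
    return 1.0 / (1.0 + np.exp(-z))

def watermark_regularizer(w, X, b):
    """E_R(w): binary cross-entropy between sigmoid(X w) and the bit vector b,
    where X is the secret embedding key (assumed form). Returns (loss, dE_R/dw)."""
    y = np.clip(sigmoid(X @ w), 1e-12, 1.0 - 1e-12)
    loss = -np.mean(b * np.log(y) + (1.0 - b) * np.log(1.0 - y))
    return loss, X.T @ (y - b) / len(b)

def train_with_watermark(W0, X, b, steps=3000, lr=0.004, lam=1000.0):
    """Toy stand-in for host-network training: ||W - W0||^2 plays the task loss
    and keeps the F filters near their unwatermarked values, while
    lam * E_R(mean filter) embeds the bits. Plain gradient descent on W (F x M)."""
    W = W0.copy()
    F = W.shape[0]
    for _ in range(steps):
        _, g_reg = watermark_regularizer(W.mean(axis=0), X, b)
        W -= lr * (2.0 * (W - W0) + lam * g_reg / F)  # d(mean W)/dW = 1/F
    return W

def extract_watermark(W, X):
    """Detection: bit j is 1 where the key projects the mean filter to a positive value."""
    return (X @ W.mean(axis=0) > 0).astype(float)

def prune(W, fraction):
    """Magnitude pruning: zero the `fraction` of entries of W with the smallest |w|."""
    thresh = np.quantile(np.abs(W), fraction)
    return np.where(np.abs(W) < thresh, 0.0, W)

def bit_error_rate(W, X, b):
    return float(np.mean(extract_watermark(W, X) != b))

def demo(seed=0, n_filters=64, filter_size=1024, n_bits=64, prune_frac=0.65):
    """Constructed inputs: random filter bank W0, random key X, random bits b."""
    rng = np.random.default_rng(seed)
    W0 = rng.normal(0.0, 0.1, (n_filters, filter_size))
    X = rng.normal(0.0, 1.0, (n_bits, filter_size))
    b = rng.integers(0, 2, n_bits).astype(float)
    W = train_with_watermark(W0, X, b)
    return {
        "ber_unwatermarked": bit_error_rate(W0, X, b),
        "ber_watermarked": bit_error_rate(W, X, b),
        "ber_after_pruning": bit_error_rate(prune(W, prune_frac), X, b),
        "rms_weight_change": float(np.sqrt(np.mean((W - W0) ** 2))),
    }
```

Extraction needs only the key X and the weights, so an owner can verify a suspected copy without its training data; an unrelated model gives a bit error rate near 0.5, the watermarked one gives 0 both before and after 65% pruning.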


Citations
Book Chapter (DOI)

HiDDeN: Hiding Data With Deep Networks

TL;DR: This work finds that neural networks can learn to use invisible perturbations to encode a rich amount of useful information, and demonstrates that adversarial training improves the visual quality of encoded images.
Proceedings Article (DOI)

Protecting Intellectual Property of Deep Neural Networks with Watermarking

TL;DR: By extending the intrinsic generalization and memorization capabilities of deep neural networks, the models learn specially crafted watermarks at training time and produce pre-specified predictions when they observe the watermark patterns at inference; this paper thereby generalizes the "digital watermarking" concept from multimedia ownership verification to deep neural network (DNN) models.
Proceedings Article (DOI)

Attributing Fake Images to GANs: Learning and Analyzing GAN Fingerprints

TL;DR: The first study of learning GAN fingerprints towards image attribution and using them to classify an image as real or GAN-generated is presented, showing that GANs carry distinct model fingerprints and leave stable fingerprints in their generated images, which support image attribution.
Proceedings Article

Neural Trojans

TL;DR: This work shows that embedding hidden malicious functionality, i.e. neural Trojans, into the neural IP is an effective attack and provides three mitigation techniques: input anomaly detection, re-training, and input preprocessing.
Proceedings Article

High Accuracy and High Fidelity Extraction of Neural Networks

TL;DR: This work expands on prior work to develop the first practical functionally-equivalent extraction attack for direct extraction of a model's weights, and demonstrates the practicality of model extraction attacks against production-grade systems.
References
Proceedings Article (DOI)

Deep Residual Learning for Image Recognition

TL;DR: In this article, the authors proposed a residual learning framework to ease the training of networks that are substantially deeper than those used previously, which won first place on the ILSVRC 2015 classification task.
Proceedings Article

ImageNet Classification with Deep Convolutional Neural Networks

TL;DR: The authors train a deep convolutional neural network (DCNN) consisting of five convolutional layers, some of which are followed by max-pooling layers, and three fully-connected layers with a final 1000-way softmax, achieving state-of-the-art performance.
Journal Article (DOI)

Long short-term memory

TL;DR: A novel, efficient, gradient based method called long short-term memory (LSTM) is introduced, which can learn to bridge minimal time lags in excess of 1000 discrete-time steps by enforcing constant error flow through constant error carousels within special units.
Proceedings Article

Very Deep Convolutional Networks for Large-Scale Image Recognition

TL;DR: In this paper, the authors investigated the effect of the convolutional network depth on its accuracy in the large-scale image recognition setting and showed that a significant improvement on the prior-art configurations can be achieved by pushing the depth to 16-19 layers.
Journal Article (DOI)

Gradient-based learning applied to document recognition

TL;DR: In this article, a graph transformer network (GTN) is proposed for handwritten character recognition, which can be used to synthesize a complex decision surface that can classify high-dimensional patterns, such as handwritten characters.