DeepTaster: Adversarial Perturbation-Based Fingerprinting to Identify Proprietary Dataset Use in Deep Neural Networks (2211.13535v2)

Published 24 Nov 2022 in cs.CR and cs.LG

Abstract: Training deep neural networks (DNNs) requires large datasets and powerful computing resources, which has led some owners to restrict redistribution without permission. Watermarking techniques that embed confidential data into DNNs have been used to protect ownership, but these can degrade model performance and are vulnerable to watermark removal attacks. Recently, DeepJudge was introduced as an alternative approach that measures the similarity between a suspect and a victim model. While DeepJudge shows promise in addressing the shortcomings of watermarking, it primarily addresses situations where the suspect model copies the victim's architecture. In this study, we introduce DeepTaster, a novel DNN fingerprinting technique, to address scenarios where a victim's data is unlawfully used to build a suspect model. DeepTaster can effectively identify such DNN model theft attacks, even when the suspect model's architecture deviates from the victim's. To accomplish this, DeepTaster generates adversarial images with perturbations, transforms them into the Fourier frequency domain, and uses these transformed images to identify the dataset used to build a suspect model. The underlying premise is that adversarial images capture the unique characteristics of DNNs built with a specific dataset. To demonstrate the effectiveness of DeepTaster, we assessed its detection accuracy on three datasets (CIFAR10, MNIST, and Tiny-ImageNet) across three model architectures (ResNet18, VGG16, and DenseNet161). We conducted experiments under various attack scenarios, including transfer learning, pruning, fine-tuning, and data augmentation. Specifically, in the Multi-Architecture Attack scenario, DeepTaster identified all the stolen cases across all datasets, while DeepJudge failed to detect any of them.
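The abstract describes the pipeline only at a high level: craft an adversarial perturbation against a model, move it into the Fourier domain, and use the resulting spectrum as a fingerprint of the data the model was built from. The toy below is an added illustration of that idea and is not code from the DeepTaster paper or its authors. It trains tiny logistic-regression "models" on two constructed 4x4 datasets (one whose class signal is low-frequency, one high-frequency), takes an FGSM-style sign-of-gradient perturbation, computes a naive 2-D DFT magnitude spectrum, averages over a probe set, and compares fingerprints by cosine similarity. Every name here (`make_dataset`, `train_logistic`, `fingerprint`, `is_suspect`, `run_demo`), the perturbation budget of 0.1 and the 0.9 decision threshold are assumptions of this sketch, not values from the paper. Because the models are linear, the sign-of-gradient pattern does not depend on the input image; in a deep network it does, which is why the probe-set averaging is kept even though it is a no-op here.

```python
"""Added toy sketch of a perturbation-then-Fourier fingerprint (not the DeepTaster code)."""
import cmath
import math
import random

SIDE = 4         # constructed 4x4 grayscale "images", row-major lists of 16 floats
EPS = 0.1        # assumed perturbation budget for the sign-of-gradient step
THRESHOLD = 0.9  # assumed cosine-similarity cut-off for flagging a suspect


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def logit(weights, bias, image):
    return sum(w * x for w, x in zip(weights, image)) + bias


def make_dataset(kind, n, rng):
    """Constructed data. 'lowfreq': class 1 = left half bright, class 0 = right half.
    'highfreq': class 1 = even columns bright, class 0 = odd columns. Uniform noise added."""
    images, labels = [], []
    for i in range(n):
        label = i % 2
        pixels = []
        for r in range(SIDE):
            for c in range(SIDE):
                if kind == "lowfreq":
                    bright = (c < SIDE // 2) == (label == 1)
                else:
                    bright = (c % 2 == 0) == (label == 1)
                pixels.append((1.0 if bright else 0.0) + rng.uniform(-0.2, 0.2))
        images.append(pixels)
        labels.append(label)
    return images, labels


def train_logistic(images, labels, lr=0.1, epochs=200):
    """Batch gradient descent on binary cross-entropy from a zero initialisation."""
    n_px, m = len(images[0]), len(images)
    w, b = [0.0] * n_px, 0.0
    for _ in range(epochs):
        gw, gb = [0.0] * n_px, 0.0
        for x, y in zip(images, labels):
            err = sigmoid(logit(w, b, x)) - y  # d loss / d logit
            for i in range(n_px):
                gw[i] += err * x[i]
            gb += err
        w = [wi - lr * gi / m for wi, gi in zip(w, gw)]
        b -= lr * gb / m
    return w, b


def fgsm_perturbation(weights, bias, image, label, eps=EPS):
    """One FGSM step: eps * sign(d loss / d x). For a logistic model the gradient is
    (sigmoid(z) - y) * w, so the sign pattern is input-independent; in a deep network
    it varies per image, which is why fingerprint() averages over a probe set."""
    err = sigmoid(logit(weights, bias, image)) - label
    return [eps * ((g > 0) - (g < 0)) for g in (err * w for w in weights)]


def dft2_magnitude(signal, side=SIDE):
    """Naive 2-D DFT magnitude spectrum of a side x side image, bins in (u, v) order."""
    mags = []
    for u in range(side):
        for v in range(side):
            acc = 0j
            for r in range(side):
                for c in range(side):
                    acc += signal[r * side + c] * cmath.exp(-2j * math.pi * (u * r + v * c) / side)
            mags.append(abs(acc))
    return mags


def fingerprint(weights, bias, probes, probe_labels):
    """Model fingerprint: mean spectrum of its adversarial perturbations over a probe set."""
    spectra = [dft2_magnitude(fgsm_perturbation(weights, bias, x, y))
               for x, y in zip(probes, probe_labels)]
    return [sum(s[i] for s in spectra) / len(spectra) for i in range(len(spectra[0]))]


def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    na, nb = math.sqrt(sum(x * x for x in a)), math.sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0


def is_suspect(fp_victim, fp_suspect, threshold=THRESHOLD):
    """Flag the suspect when its fingerprint is close enough to the victim's."""
    return cosine(fp_victim, fp_suspect) >= threshold


def run_demo():
    """Victim trained on 'lowfreq'; one suspect on a fresh sample of the same data,
    one on 'highfreq'. Returns both similarity scores against the victim."""
    rng_v, rng_s, rng_o, rng_p = (random.Random(seed) for seed in (1, 2, 3, 4))
    victim = train_logistic(*make_dataset("lowfreq", 40, rng_v))
    same_data = train_logistic(*make_dataset("lowfreq", 40, rng_s))
    other_data = train_logistic(*make_dataset("highfreq", 40, rng_o))
    probes, probe_labels = make_dataset("lowfreq", 8, rng_p)
    fp_v = fingerprint(*victim, probes, probe_labels)
    return {
        "same_dataset": cosine(fp_v, fingerprint(*same_data, probes, probe_labels)),
        "other_dataset": cosine(fp_v, fingerprint(*other_data, probes, probe_labels)),
    }


if __name__ == "__main__":
    print(run_demo())
```

The two constructed datasets were chosen so that the learned weight signs are a low-frequency pattern (`+ + - -` per row) in one case and the Nyquist pattern (`+ - + -`) in the other, so their spectra have disjoint support and the cosine similarity separates them cleanly. On real images and deep networks the spectra overlap, which is why the paper evaluates detection accuracy under transfer learning, pruning, fine-tuning and data augmentation rather than relying on a fixed threshold.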

Authors (7)
  1. Seonhye Park (3 papers)
  2. Alsharif Abuadbba (48 papers)
  3. Shuo Wang (382 papers)
  4. Kristen Moore (36 papers)
  5. Yansong Gao (72 papers)
  6. Hyoungshick Kim (32 papers)
  7. Surya Nepal (115 papers)
Citations (1)