Abstract
With the rapid development of deep learning technology, more and more researchers have paid attention to protecting the intellectual property rights of deep neural network (DNN) models. So far, various methods have been proposed to construct black-box watermarking for copyright protection based on trigger sets. Since existing black-box watermarking methods are backdoor-based, the watermark embedding process inevitably distorts the decision boundary of the DNN model, which degrades the model's performance. To compensate for this shortcoming, we propose a novel scheme for constructing black-box watermarks based on Singular Value Decomposition (SVD). We use the Mersenne-Twister algorithm to select an appropriate number of image samples from the training dataset as watermark key samples, which strengthens the relevance of the watermark embedding process to the original classification task and extends the perceptual domain of the DNN model. Subsequently, the SVD algorithm extracts the primary feature information of the watermark key samples, thereby constructing more stable and covert watermark samples. Next, unlike most existing DNN watermarking schemes, the classification label of each watermark sample is set to the classification label of its corresponding watermark key sample. This effectively reduces the distortion of the DNN model's decision boundary caused by watermark embedding. As such, the proposed scheme has a low impact on the performance of the DNN model and is highly robust. We have validated the proposed watermarking scheme on two benchmark datasets. The experimental results show that our scheme meets the functional requirements of watermarking without affecting the test accuracy of the DNN model. Moreover, the proposed watermark is robust to common watermarking attacks.
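The trigger-set construction outlined in the abstract can be sketched as follows. This is an added example, not the authors' code: the rank-k truncation, the function names, the secret seed and the constructed random dataset are all assumptions made for illustration.

```python
import random
import numpy as np

def select_key_indices(n_samples, n_keys, secret_seed):
    """Pick watermark key samples with a seeded Mersenne Twister.
    Python's random.Random is an MT19937 generator, so the owner can
    regenerate the same selection later from the secret seed alone."""
    rng = random.Random(secret_seed)
    return sorted(rng.sample(range(n_samples), n_keys))

def svd_watermark(image, rank):
    """Rebuild a 2-D image from its `rank` largest singular components
    (assumed here to stand for the 'primary feature information')."""
    u, s, vt = np.linalg.svd(image, full_matrices=False)
    approx = (u[:, :rank] * s[:rank]) @ vt[:rank, :]
    return np.clip(approx, 0.0, 1.0)  # keep a valid pixel range

def retained_energy(image, rank):
    """Fraction of squared singular-value energy kept by the truncation."""
    s = np.linalg.svd(image, compute_uv=False)
    return float((s[:rank] ** 2).sum() / (s ** 2).sum())

def build_trigger_set(images, labels, n_keys, rank, secret_seed):
    """Return (key indices, watermark images, watermark labels)."""
    idx = select_key_indices(len(images), n_keys, secret_seed)
    wm_images = np.stack([svd_watermark(images[i], rank) for i in idx])
    # Each watermark sample inherits the label of its key sample instead of
    # a new or random label, which is the point the abstract makes about
    # limiting decision-boundary distortion.
    wm_labels = labels[idx]
    return idx, wm_images, wm_labels

def make_constructed_dataset(n=200, size=28, seed=0):
    """Constructed stand-in for a grayscale training set, values in [0, 1]."""
    g = np.random.default_rng(seed)
    return g.random((n, size, size)), g.integers(0, 10, size=n)

if __name__ == "__main__":
    images, labels = make_constructed_dataset()
    idx, wm_x, wm_y = build_trigger_set(images, labels, n_keys=10, rank=5,
                                        secret_seed=2022)
    print("key indices:", idx)
    print("trigger set:", wm_x.shape, "labels:", wm_y.tolist())
    print("energy kept by first key:", retained_energy(images[idx[0]], 5))
```

The watermark samples and their inherited labels would be added to the training data; ownership is later claimed by regenerating the set from the seed and querying the suspect model with it.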
Copyright information
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Lv, H., Shen, S., Lin, H., Yuan, Y., Duan, D. (2022). SVD Mark: A Novel Black-Box Watermarking for Protecting Intellectual Property of Deep Neural Network Model. In: Sun, X., Zhang, X., Xia, Z., Bertino, E. (eds) Advances in Artificial Intelligence and Security. ICAIS 2022. Communications in Computer and Information Science, vol 1588. Springer, Cham. https://doi.org/10.1007/978-3-031-06764-8_31
DOI: https://doi.org/10.1007/978-3-031-06764-8_31
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-06763-1
Online ISBN: 978-3-031-06764-8
eBook Packages: Computer Science, Computer Science (R0)