基于隐形后门水印的开源数据集版权保护

计算机工程与科学 ›› 2024, Vol. 46 ›› Issue (06): 1013-1021.

• 计算机网络与信息安全 • 上一篇下一篇

基于隐形后门水印的开源数据集版权保护

黄智慧,肖祥立,张玉书,薛明富

(南京航空航天大学计算机科学与技术学院，江苏南京 211106)

收稿日期:2023-10-26 修回日期:2023-12-01 接受日期:2024-06-25 出版日期:2024-06-25 发布日期:2024-06-17
基金资助:
国家自然科学基金(62072237)；江苏省研究生科研与实践创新计划（KYCX24_0610）

Copyright protection of open-sourced datasets based on invisible backdoor watermarking

HUANG Zhi-hui,XIAO Xiang-li,ZHANG Yu-shu,XUE Ming-fu

(College of Computer Science and Technology,Nanjing University of Aeronautics and Astronautics,Nanjing 211106，China)

Received:2023-10-26 Revised:2023-12-01 Accepted:2024-06-25 Online:2024-06-25 Published:2024-06-17

摘要/Abstract

摘要： 针对图像分类领域开源数据集的版权保护问题，提出了一种基于后门水印的可溯源方法IBWOD，其能够保证水印在具有较强隐蔽性的同时保持良好的可用性和有效性。首先，利用一个编码器-解码器网络将后门水印嵌入到所选取的部分样本中，生成水印样本。接着，修改这些水印样本的标签为指定标签，然后将水印样本与未修改的样本合并为水印数据集。使用该水印数据集训练的模型会留下特定后门，即从后门水印到指定标签的一种映射关系。最后，提出了一种相应的模型验证算法，基于这种特殊的映射关系来验证一个可疑模型是否使用了水印数据集。实验结果表明，IBWOD能够很好地验证模型是否使用了水印数据集，并具有较强的隐蔽性。

关键词: 开源数据集, 版权保护, 后门水印, 机器学习；图像分类

Abstract: To address the copyright protection issue in the field of image classification datasets, a traceable method based on invisible backdoor watermarking, named IBWOD, is proposed. This method ensures the watermark’s strong concealment while maintaining good usability and effectiveness. Firstly, an encoder-decoder network is used to embed the backdoor watermark into selected samples, generating watermark samples. Secondly, the labels of these watermark samples are modified to specified labels, and then the watermark samples are merged with unmodified samples to form a watermark dataset. Models trained using this watermark dataset will leave a specific backdoor, i.e., a mapping relationship from the backdoor watermark to the specified labels. Finally, a corresponding model verification algorithm is proposed, based on this special mapping relationship, to verify if a suspicious model has used the watermark dataset. Experimental results demonstrate that IBWOD can effectively verify whether a model has used the watermark dataset and possesses strong concealment.

Key words: open-sourced dataset, copyright protection, backdoor watermarking, machine learning, image classification

黄智慧, 肖祥立, 张玉书, 薛明富. 基于隐形后门水印的开源数据集版权保护[J]. 计算机工程与科学, 2024, 46(06): 1013-1021.

HUANG Zhi-hui, XIAO Xiang-li, ZHANG Yu-shu, XUE Ming-fu. Copyright protection of open-sourced datasets based on invisible backdoor watermarking[J]. Computer Engineering & Science, 2024, 46(06): 1013-1021.

参考文献［29］

［1］	Young T,Hazarika D,Poria S,et al.Recent trends in deep learning based natural language processing［J］.IEEE Computational Intelligence Magazine,2018,13(3):55-75.
［2］	陈海涵,吴国栋,李景霞,等.基于注意力机制的深度学习推荐研究进展［J］.计算机工程与科学,2021,43(2):370-380.
	Chen Hai-han,Wu Guo-dong,Li Jing-xia,et al.Research advances on deep learning recommendation based on attention mechanism［J］.Computer Engineering & Science,2021,43(2):370-380.
［3］	Hassaballah M,Awad A I.Deep learning in computer vision:Principles and applications［M］.Boca Raton:CRC Press,2020.
［4］	赵宝康,李晋文,杨帆,等.一种基于深度学习的遥感图像目标检测算法［J］.计算机工程与科学,2019,41(12):2166-2172.
	Zhao Bao-kang,Li Jin-wen,Yang Fan,et al.A deep learning based object detection algorithm for remote sensing images［J］.Computer Engineering & Science,2019,41(12):2166-2172.
［5］	Zhang J,Gu Z,Jang J,et al.Protecting intellectual property of deep neural networks with watermarking［C］∥Proc of the 2018 Asia Conference on Computer and Communications Security,2018:159-172.
［6］	Cao X,Jia J,Gong N.IPGuard:Protecting intellectual property of deep neural networks via fingerprinting the classification boundary［C］∥Proc of the 2021 Asia Conference on Computer and Communications Security,2021:14-25.
［7］	Xue M,Zhang Y,Wang J,et al.Intellectual property protection for deep learning models:Taxonomy,methods,attacks,and evaluations ［J］.IEEE Transactions on Artificial Intelligence,2021,3(6):908-923.
［8］	Wong C,Li J,Fu W,et al.(α,k)-Anonymity:An enhanced k-anonymity model for privacy-preserving data publishing［C］∥Proc of the 12th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining,2006:754-759.
［9］	Sei Y,Okumura H,Takenouchi T,et al.Anonymization of sensitive quasi-identifiers for l-diversity and t-closeness［J］.IEEE Transactions on Dependable and Secure Computing,2019,16(4):580-593.
［10］	Chen L,Lee W,Chang C,et al.Blockchain based searchable encryption for electronic health record sharing［J］.Future Generation Computer Systems,2019,95(1):420-429.
［11］	Li J,Yu Q,Zhang Y.Hierarchical attribute based encryption with continuous leakage-resilience［J］.Information Sciences,2019,484:113-134.
［12］	佘晓萌,杜洋,马文静,等.基于像素预测和块标记的图像密文可逆信息隐藏［J］.计算机研究与发展,2022,59(9):2089-2100.
	She Xiao-meng,Du Yang,Ma Wen-jing,et al.Reversible data hiding in encrypted images based on pixel prediction and block labeling［J］.Journal of Computer Research and Deve- lopment,2022,59(9):2089-2100.
［13］	Hoang M D.Dataset watermarking［D］.Helsinki:Aalto University,2021.
［14］	项世军,罗欣荣,石书协.一种同态加密域图像可逆水印算法［J］.计算机学报,2016,39(3):571-581.
	Xiang Shi-jun,Luo Xin-rong,Shi Shu-xie.A novel reversible image watermarking algorithm in homomorphic encrypted domain［J］.Chinese Journal of Computers,2016,39(3):571-581.
［15］	Li Y,Zhang Z,Bai J,et al.Open-sourced dataset protection via backdoor watermarking［J］.arXiv:2010.05821,2020.
［16］	Gu T,Liu K,Dolan-Gavitt B,et al.BadNets:Evaluating backdooring attacks on deep neural networks［J］.IEEE Access,2019,7:47230-47244.
［17］	Chen X,Liu C,Li B,et al.Targeted backdoor attacks on deep learning systems using data poisoning［J］.arXiv:1712.05526,2017.
［18］	Li Y,Li Y,Wu B,et al.Invisible backdoor attack with sample- specific triggers［J］.arXiv:2012.03816,2021.
［19］	Liu G,Xu T,Ma X,et al.Your model trains on my data? Protecting intellectual property of training data via membership fingerprint authentication［J］.IEEE Transactions on Information Forensics and Security,2022,17(1):1024-1037.
［20］	Li Y,Liu P,Jiang Y,et al.Visual privacy protection via mapping distortion［C］∥Proc of 2021 IEEE International Conference on Acoustics,Speech and Signal Processing,2021:3740-3744.
［21］	Chen K,Zeng X,Ying Q,et al.Invertible image dataset protection［J］.arXiv:2112.14420,2021.
［22］	Zhao M,Wang B,Wang W,et al.Guided erasable adversarial attack (GEAA) towards shared data protection［J］.IEEE Transactions on Information Forensics and Security,2022,17(1):2468-2482.
［23］	冯乐,朱仁杰,吴汉舟,等.神经网络水印综述［J］.应用科学学报,2021,39(6):881-892.
	Feng Le,Zhu Ren-jie,Wu Han-zhou,et al.Survey of neural network watermarking［J］.Journal of Applied Sciences,2021,39(6):881-892.
［24］	Zhang J,Chen D,Liao J,et al.Model watermarking for image processing networks［C］∥Proc of the 34th AAAI Conference on Artificial Intelligence,2020:12805-12812.
［25］	Renneberger O, Fischer P,Brox T.U-Net:Convolutional networks for biomedical image segmentation［C］∥Proc of the 18th International Conference on Medical Image Computing and Computer-Assisted Intervention,2015:234-241.
［26］	Fan Q,Yang J,Hua G,et al.A generic deep architecture for single image reflection removal and image smoothing［C］∥Proc of 2017 IEEE International Conference on Computer Vision,2017:3238-3247.
［27］	Isola P, Zhu J,Zhou T,et al.Image-to-image translation with conditional adversarial networks［C］∥Proc of 2016 IEEE Conference on Computer Vision and Pattern Recognition,2016:1125-1134.
［28］	Deng J,Dong W,Socher R,et al.ImageNet:A large-scale hier- archical image database［C］∥Proc of 2009 IEEE Conference on Computer Vision and Pattern Recognition,2009:248-255.
［29］	Everingham M, van Gool L,Williams C K I,et al.The PASCAL visual object classes (VOC) challenge［J］.International Journal of Computer Vision,2010,88(2):303-338.

[1]	吴瑕, 郑洪英, 肖迪. 一种基于认证文件的双方验证模型水印方案[J]. 计算机工程与科学, 2024, 46(04): 647-656.
[2]	陈子豪，李强，甘俊，张超，黎祖睿. VC Chain:联盟式音视频版权区块链系统[J]. 计算机工程与科学, 2019, 41(11): 1939-1948.
[3]	吴洁明，王帅. 基于DCI的数字作品版权保护研究和设计[J]. J4, 2015, 37(08): 1486-1491.
[4]	高博1，李彦2. 一种基于硬件特征和动态许可证的服务器端软件授权认证模型[J]. J4, 2013, 35(2): 56-61.
[5]	张晓强1，王蒙蒙2，朱贵良2. 图像水印算法研究新进展[J]. J4, 2012, 34(4): 17-22.
[6]	翦环1,陈志刚1,邓小鸿2，邓晓衡1,漆华妹1. 一种彩色图像无损鲁棒数字水印算法[J]. J4, 2012, 34(11): 21-27.
[7]	袁占亭张秋余陈宁. 数字水印及多媒体信息安全[J]. J4, 2005, 27(7): 49-51.
[8]	陈晓苏胡蕾肖道举. 一个基于PKI和数字水印的数字版权保护框架模型[J]. J4, 2005, 27(6): 12-14.
[9]	陈晓苏卢炜刘立刚肖道举. 一种基于数字水印和数字签名的消费者权益保护协议[J]. J4, 2005, 27(1): 3-5.
[10]	杭中文张志浩. 视频水印技术研究[J]. J4, 2004, 26(9): 44-47.
[11]	曹巨明曹伯燕. 一种基于可逆小波变换的盲数字水印算法[J]. J4, 2004, 26(8): 53-55.
[12]	黄静霞许慰玲沈民奋. 基于独立分量分析的数字水印技术[J]. J4, 2004, 26(11): 42-46.
[13]	刘春和陆哲明等. 照片的公有水印防伪算法[J]. J4, 2002, 24(4): 50-53.

基于隐形后门水印的开源数据集版权保护

Copyright protection of open-sourced datasets based on invisible backdoor watermarking

PDF

可视化

摘要/Abstract

引用本文

使用本文

参考文献［29］

相关文章 13

编辑推荐

Metrics

本文评价

基于隐形后门水印的开源数据集版权保护

Copyright protection of open-sourced datasets based on invisible backdoor watermarking

PDF

可视化

摘要/Abstract

引用本文

使用本文

参考文献 ［29］

相关文章 13

编辑推荐

Metrics

本文评价

参考文献［29］