A Traitor Tracking Method Towards Deep Learning Models in Cloud Environments

Yu Zhang, Linfeng Wei, Hailiang Li, Hexin Cai, Yingxin Wu
Copyright: © 2022 | Pages: 17
DOI: 10.4018/IJGHPC.301588

Abstract

Cloud computing can speed up the training of deep learning models. In this process, the training data and model parameters stored in the cloud are prone to theft. Model watermarking is a commonly used method of model protection, and using adversarial examples as the model watermark gives watermarked images better concealment. Inspired by the signature mechanism in cryptography, a signature-based scheme is proposed to guarantee the performance of deep learning algorithms by identifying these adversarial examples. In the adversarial example generation stage, the corresponding signature information and classification information are embedded in the noise space, so that the generated adversarial example carries implicit identity information that can be verified with the secret key. Experiments on the ImageNet dataset show that the adversarial examples generated by the authors' scheme are correctly recognized by the classifier that holds the secret key.

1. Introduction

Deep learning has gained recent success in many fields such as image recognition, speech recognition, gait recognition, and automatic driving (LeCun et al. 2015). Cloud computing speeds up the training of deep learning models but also increases the security risk. With the growth of these deep learning applications, the security of deep learning becomes more and more important. Traitor tracking for a model addresses how to determine whether the model has been stolen. The traitor of a model is a malicious user who illegally obtains the internal information of the model without authorization. Model watermarking is an effective method for traitor tracking.

However, the existing model watermarking methods have the weaknesses of being difficult to generate and of low concealment. These shortcomings can be improved by adversarial examples. On one hand, the emerging adversarial example has cast a shadow on deep networks, since an attacker can fool them by tampering with a few pixels of an image (Carlini and Wagner 2017). As shown in Figure 1, the human eye identifies the two images accurately, while the neural network does not. Numerous works have been proposed to mitigate the adverse impact of adversarial examples on deep networks.

Figure 1. Clean image and its adversarial example

On the other hand, by analyzing the attack ability of adversarial examples, the adversarial examples open the door to enhancing the security of deep networks. Compared with humans, neural networks are sensitive to the perturbation noise of adversarial examples. It is worth noting that adversarial examples which deceive one neural network may fail on another (Zhang et al. 2020). One step further, the deceptiveness of adversarial examples has practical value and can be used in the fields of copyright protection and online anti-counterfeiting.

In this work, the authors design a signature-based scheme to identify and generate adversarial examples for specific deep networks, based on both cryptography and watermarking. By verifying these adversarial examples with a specific identifier, it is possible to detect whether the model has been stolen. The key from cryptography is introduced to achieve authorization management of classifiers. The signature and encryption scheme from cryptography protects the generated adversarial examples against forgery and tampering, which can be used for online anti-counterfeiting. Apart from cryptography, the information hiding technology of watermarking is adopted to embed the needed information into the adversarial examples. Traditional embedding methods distribute the information globally across the image, whereas in this work it is embedded locally, at the edges of the adversarial example. This difference, supported by the information hiding technology of watermarking, allows the scheme to integrate almost any adversarial example generation method while retaining the attack ability of the generated examples.

Figure 2. The main framework of the scheme

Figure 2 briefly summarizes the scheme: the key participates in both the adversarial example generation process and the recognition process. The classifier with the key can verify and recognize the input image, while the classifier without the key cannot.

The adversarial examples have good concealment, so it is difficult for malicious users to detect them as a model watermark. At the same time, the generation process does not require retraining the model, so the scheme is easy to use. In actual use, if a model that the user has not authorized correctly classifies the identifiable adversarial example, there is a high probability that this model has stolen the user's model information.

Although there are some adversarial attack methods with similar functions, such as Hyun Kwon's friendly adversarial attack, such attacks need to know the information of the target model, and their generation process is more complicated. The authors' scheme simplifies the process of embedding special noise in images through cryptography, making example generation easier and faster.
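As an added illustration, not the authors' algorithm (whose embedding details are not given in this preview), the following Python sketches the idea of a key-verifiable watermark embedded locally at the image edges: the classification label is signed with an HMAC under the secret key, the tag bits are written into the least-significant bits of edge pixels, and only a holder of the key can recompute and check them. The edge detector, threshold, tag length and sample image are constructed choices; the adversarial perturbation itself is not modelled, the LSB change simply stands in for a small, local noise-space embedding.

```python
import hashlib, hmac

TAG_BYTES = 8         # constructed choice: 64-bit truncated HMAC tag
EDGE_THRESHOLD = 40   # constructed choice: neighbour difference that counts as an edge

def edge_positions(img):
    """Edge pixels in raster order; LSBs are cleared first so embedding cannot move the edges."""
    h, w = len(img), len(img[0])
    base = [[p & ~1 for p in row] for row in img]
    pos = []
    for r in range(h):
        for c in range(w):
            right = c + 1 < w and abs(base[r][c] - base[r][c + 1]) > EDGE_THRESHOLD
            down = r + 1 < h and abs(base[r][c] - base[r + 1][c]) > EDGE_THRESHOLD
            if right or down:
                pos.append((r, c))
    return pos

def signature_bits(key, label):
    """Keyed signature over the classification label, as a list of bits."""
    tag = hmac.new(key, label.encode(), hashlib.sha256).digest()[:TAG_BYTES]
    return [(b >> i) & 1 for b in tag for i in range(7, -1, -1)]

def embed_signature(img, label, key):
    """Return a copy of img whose edge-pixel LSBs carry the signature."""
    bits, pos = signature_bits(key, label), edge_positions(img)
    if len(pos) < len(bits):
        raise ValueError("not enough edge pixels to carry the signature")
    out = [row[:] for row in img]
    for (r, c), bit in zip(pos, bits):
        out[r][c] = (out[r][c] & ~1) | bit
    return out

def verify_signature(img, label, key):
    """Only a holder of the key can recompute the tag; a different key fails."""
    bits, pos = signature_bits(key, label), edge_positions(img)
    if len(pos) < len(bits):
        return False
    found = [img[r][c] & 1 for r, c in pos[:len(bits)]]
    return hmac.compare_digest(bytes(found), bytes(bits))

def constructed_image(size=64, lo=50, hi=200):
    """Constructed sample: flat background with a bright square whose border supplies the edges."""
    img = [[lo] * size for _ in range(size)]
    for r in range(size // 4, 3 * size // 4):
        for c in range(size // 4, 3 * size // 4):
            img[r][c] = hi
    return img
```

Because the edge mask is computed on LSB-cleared pixels, the verifier recovers exactly the positions the embedder used; a detector that recomputed edges on the modified pixels could drift and break verification.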
