ebook img

Embedding Watermarks into Deep Neural Networks PDF

0.52 MB·
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview Embedding Watermarks into Deep Neural Networks

Embedding Watermarks into Deep Neural Networks YusukeUchida YukiNagai ShigeyukiSakazawa KDDIResearch,Inc. KDDIResearch,Inc. KDDIResearch,Inc. Tokyo,Japan Tokyo,Japan Tokyo,Japan Shin’ichiSatoh NationalInstituteofInformatics 7 Tokyo,Japan 1 0 2 n Abstract beenreleasedthathelpengineersandresearcherstodevelop a J systems based on deep learning or do research with less Significantprogresshasbeenmadewithdeepneuralnet- effort. Examples of these great deep learning frameworks 5 1 worksrecently. Sharingtrainedmodelsofdeepneuralnet- areCaffe[19],Theano[3],Torch[7],Chainer[30],Tensor- works has been a very important in the rapid progress of Flow[26],andKeras[5]. ] research and development of these systems. At the same Althoughtheseframeworkshavemadeiteasytoutilize V time, it is necessary to protect the rights to shared trained deep neural networks in real applications, the training of C models.Tothisend,weproposetousedigitalwatermarking deepneuralnetworkmodelsisstilladifficulttaskbecauseit . s technologytoprotectintellectualpropertyanddetectintel- requiresalargeamountofdataandtime;severalweeksare c lectual property infringement in the use of trained models. neededtotrainaverydeepResNetwiththelatestGPUson [ First,weformulateanewproblem: embeddingwatermarks the ImageNet dataset for instance [16]. Therefore, trained 1 into deep neural networks. We also define requirements, models are sometimes provided on web sites to make it v embeddingsituations,andattacktypesonwatermarkingin easy to try a certain model or reproduce the results in re- 2 deepneuralnetworks.Second,weproposeageneralframe- searcharticleswithouttraining. Forexample, ModelZoo1 8 0 workforembeddingawatermarkinmodelparameters,us- providestrainedCaffemodelsforvarioustaskswithuseful 4 ing a parameter regularizer. Our approach does not im- utilitytools. Fine-tuningortransferlearning[28]isastrat- 0 pair the performance of networks into which a watermark egytodirectlyadaptsuchalreadytrainedmodelstoanother . 1 is placed because the watermark is embedded while train- application with minimum re-training time. Thus, sharing 0 ing the host network. Finally, we perform comprehensive trained models is very important in the rapid progress of 7 experiments to reveal the potential of watermarking deep bothresearchanddevelopmentofdeepneuralnetworksys- 1 neuralnetworksasthebasisofthisnewresearcheffort. We tems. In the future, more systematic model-sharing plat- : v show that our framework can embed a watermark during formsmayappear,byanalogywithvideosharingsites.Fur- Xi thetrainingofadeepneuralnetworkfromscratch,anddur- thermore, some digital distribution platforms for purchase ingfine-tuninganddistilling, withoutimpairingitsperfor- andsaleofthetrainedmodelsorevenartificialintelligence r a mance. Theembeddedwatermarkdoesnotdisappeareven skills (e.g. Alexa Skills2) may appear, similar to Google after fine-tuning or parameter pruning; the watermark re- Play or App Store. In these situations, it is necessary to mains complete even after 65% of parameters are pruned. protecttherightstosharedtrainedmodels. To this end, we propose to utilize digital watermarking technology,whichisusedtoidentifyownershipofthecopy- rightofdigitalcontentsuchasimages,audio,andvideos.In 1.Introduction particular,weproposeageneralframeworktoembedawa- termarkindeepneuralnetworksmodelstoprotectintellec- Deep neural networks have recently been significantly tual property and detect intellectual property infringement improved.Inparticular,deepconvolutionalneuralnetworks oftrainedmodels. Tothebestofourknowledge,thisisfirst (DCNN)suchasLeNet[25],AlexNet[23],VGGNet[28], attempt to embed a watermark in a deep neural network. GoogLeNet [29], and ResNet [16] have become de facto standards for object recognition, image classification, and 1https://github.com/BVLC/caffe/wiki/Model-Zoo retrieval. Inaddition,manydeeplearningframeworkshave 2https://www.alexaskillstore.com/ 1 Table2.Threeembeddingsituations. Fine-tuneindicateswhether Thecontributionsofthisresearcharethree-fold,asfollows: parametersareinitializedinembeddingusingalreadytrainedmod- 1. Weformulateanewproblem: embeddingwatermarks els,ornot.Labelavailabilityindicateswhetherorlabelsfortrain- ingdataareavailableinembedding. indeepneuralnetworks. Wealsodefinerequirements, Fine-tune Labelavailability embeddingsituations,andattacktypesforwatermark- Train-to-embed (cid:88) ingdeepneuralnetworks. Fine-tune-to-embed (cid:88) (cid:88) 2. We propose a general framework to embed a water- Distill-to-embed (cid:88) markinmodelparameters,usingaparameterregular- izer. Ourapproachdoesnotimpairtheperformanceof networksinwhichawatermarkisembedded. Train-to-embedisthecaseinwhichthehostnetworkis trained from scratch while embedding a watermark where 3. We perform comprehensive experiments to reveal the labelsfortrainingdataareavailable. potentialofwatermarkingdeepneuralnetworks. Fine-tune-to-embedisthecaseinwhichawatermarkis embedded while fine-tuning. In this case, model parame- 2.ProblemFormulation tersareinitializedwithapre-trainednetwork. Thenetwork configurationneartheoutputlayermaybechangedbefore Givenamodelnetworkwithorwithouttrainedparame- fine-tuning. ters,wedefinethetaskofwatermarkembeddingastoem- Distill-to-embed is the case in which a watermark is bedT-bitvectorb ∈ {0,1}T intotheparametersofoneor embedded into a trained network without labels using the morelayersoftheneuralnetwork. Werefertoaneuralnet- distilling approach [17]. Embedding is performed in fine- workinwhichawatermarkisembeddedasahostnetwork, tuningwherethepredictionsofthetrainedmodelareused andrefertothetaskthatthehostnetworkisoriginallytrying aslabels. Inthestandarddistillframework,alargenetwork toperformastheoriginaltask. (ormultiplenetworks)isfirsttrainedandthenasmallernet- In the following, we formulate (1) requirements for an work is trained using the predicted labels of the large net- embeddedwatermarkoranembeddingmethod,(2)embed- workinordertocompressthelargenetwork. Inthispaper, dingsituations,and(3)expectedattacktypesagainstwhich weusethedistillframeworksimplytotrainanetworkwith- embeddedwatermarksshouldberobust. outlabels. Thefirsttwosituationsassumethatthecopyrightholder 2.1.Requirements of the host network is expected to embed a watermark to Table1summarizestherequirementsforaneffectivewa- the host network in training or fine-tuning. Fine-tune-to- termarkingalgorithminanimagedomain[15,8]andaneu- embedisalsousefulwhenamodelownerwantstoembed ralnetworkdomain. Whilebothdomainssharealmostthe individualwatermarkstoidentifythosetowhomthemodel same requirements, fidelity and robustness are different in hadbeendistributed. Bydoingso,individualinstancescan imageandneuralnetworkdomains. betracked. Thelastsituationassumesthatanon-copyright For fidelity in an image domain, it is essential to main- holder (e.g., a platformer) is entrusted to embed a water- taintheperceptualqualityofthehostimagewhileembed- markonbehalfofacopyrightholder. ding a watermark. However, in a neural network domain, 2.3.ExpectedAttackTypes the parameters themselves are not important. Instead, the performance of the original task is important. Therefore it RelatedtotherequirementforrobustnessinSection2.1, isessentialtomaintaintheperformanceofthetrainedhost we assume two types of attacks against which embedded network,andnottohamperthetrainingofahostnetwork. watermarks should be robust: fine-tuning and model com- Regarding robustness, as images are subject to vari- pression. These types of attack are very specific to deep ous signal processing operations, an embedded watermark neuralnetworks,whileonecaneasilyimaginemodelcom- should stay in the host image even after these operations. pression by analogy with lossy image compression in the Andthegreatestpossiblemodificationtoaneuralnetwork imagedomain. is fine-tuning or transfer learning [28]. An embedded wa- Fine-tuning or transfer learning [28] seems to be the termarkinaneuralnetworkshouldbedetectableafterfine- mostfeasibletypeofattack, becauseitreducestheburden tuningorotherpossiblemodifications. oftrainingdeepneuralnetworks. Manymodelshavebeen constructedontopofexistingstate-of-the-artmodels. Fine- 2.2.EmbeddingSituations tuningaltersthemodelparameters,andthusembeddedwa- We classify the embedding situations into three types: termarksshouldberobustagainstthisalteration. train-to-embed, fine-tune-to-embed, and distill-to-embed, Modelcompressionisveryimportantindeployingdeep assummarizedinTable2. neural networks to embedded systems or mobile devices 2 Table1.Requirementsforaneffectivewatermarkingalgorithmintheimageandneuralnetworkdomains. Imagedomain Neuralnetworksdomain Fidelity The quality of the host image should not be Theeffectivenessofthehostnetworkshould degradedbyembeddingawatermark. notbedegradedbyembeddingawatermark. Robustness The embedded watermark should be robust The embedded watermark should be robust againstcommonsignalprocessingoperations against model modifications such as fine- such as lossy compression, cropping, resiz- tuningandmodelcompression. ing,andsoon. Capacity The effective watermarking system must have the ability to embed a large amount of in- formation. Security Awatermarkshouldingeneralbesecretandshouldnotbeaccessed,read,ormodifiedby unauthorizedparties. Efficiency Thewatermarkembeddingandextractionprocessesshouldbefast. as it can significantly reduce memory requirements and/or grades the performance of the host network in the original computationalcost. Lossycompressiondistortsmodelpa- task as shown later in Section 4.2.6. Instead, we propose rameters,soweshouldexplorehowitaffectsthedetection embeddingawatermarkwhiletrainingahostnetworkfor rate. theoriginaltasksothattheexistenceofthewatermarkdoes notimpairtheperformanceofthehostnetworkinitsorig- 3.ProposedFramework inal task. To this end, we utilize a parameter regularizer, whichisanadditionaltermintheoriginalcostfunctionfor Inthissection, weproposeaframeworkforembedding theoriginaltask. ThecostfunctionE(w)witharegularizer a watermark into a host network. Although we focus on a isdefinedas: DCNN [25] as the host, our framework is essentially ap- plicabletoothernetworkssuchasstandardmultilayerper- E(w)=E (w)+λE (w), (1) 0 R ceptron (MLP), recurrent neural network (RNN), and long whereE (w)istheoriginalcostfunction,E (w)isaregu- short-termmemory(LSTM)[18]. 0 R larizationtermthatimposesacertainrestrictiononparam- 3.1.EmbeddingTargets eters w, and λ is an adjustable parameter. A regularizer is usually used to prevent the parameters from growing too In this paper, a watermark is assumed to be embedded large. L regularization (or weight decay [24]), L regu- into one of the convolutional layers in a host DCNN3. Let 2 1 larization, and their combination are often used to reduce (S,S), D, and L respectively denote the size of the con- over-fittingofparametersforcomplexneuralnetworks. For volutionfilter,thedepthofinputtotheconvolutionallayer, instance,E (w)=||w||2intheL regularization. R 2 2 andthenumberoffiltersintheconvolutionallayer. Thepa- Incontrasttothesestandardregularizers,ourregularizer rametersofthisconvolutionallayerarecharacterizedbythe imposesparameterw tohaveacertainstatisticalbias, asa tensor W ∈ RS×S×D×L. The bias term is ignored here. watermark in a training process. We refer to this regular- LetusthinkofembeddingaT-bitvectorb ∈ {0,1}T into izer as an embedding regularizer. Before defining the em- W. ThetensorW isasetofLconvolutionalfiltersandthe beddingregularizer,weexplainhowtoextractawatermark orderofthefiltersdoesnotaffecttheoutputofthenetwork fromw. Givena(mean)parametervectorw ∈ RM andan iftheparametersofthesubsequentlayersareappropriately embedding parameter X ∈ RT×M, the watermark extrac- re-ordered. In order to remove this arbitrariness in the or- tion is simply done by projecting w using X, followed by deroffilters, wecalculatethemeanofW overLfiltersas thresholding at 0. More precisely, the j-th bit is extracted W = 1 (cid:80) W . Lettingw ∈RM (M =S×S×D) ijk L l ijkl as: denoteaflattenedversionofW,ourobjectiveisnowtoem- b =s(Σ X w ), (2) j i ji i bedT-bitvectorbintow. wheres(x)isastepfunction: 3.2.EmbeddingRegularizer (cid:40) 1 x≥0 s(x)= (3) It is possible to embed a watermark in a host network 0 else. by directly modifying w of a trained network, as is usu- allydoneintheimagedomain. However,thisapproachde- This process can be considered to be a binary classifica- tionproblemwithasingle-layerperceptron(withoutbias)4. 3Fully-connected layers can also be used but we focus on convolu- tionallayershere, becausefully-connectedlayersareoftendiscardedin 4Although this single-layer perceptron can be deepened into multi- fine-tuning. layerperceptron,wefocusonthesimplestoneinthispaper. 3 Table3.Structureofthehostnetwork. Therefore, it is straightforward to define the loss function Group Outputsize Buildingblock #w E (w)fortheembeddingregularizerbyusingbinarycross R conv1 32×32 [3×3,16] N/A entropy: (cid:20) (cid:21) 3×3,16×k conv2 32×32 ×N 144×k 3×3,16×k (cid:88)T (cid:20)3×3,32×k(cid:21) ER(w)=− (bjlog(yj)+(1−bj)log(1−yj)), (4) conv3 16×16 ×N 288×k 3×3,32×k j=1 (cid:20) (cid:21) 3×3,64×k conv4 8×8 ×N 576×k 3×3,64×k wherey =σ(Σ X w )andσ(·)isthesigmoidfunction: j i ji i 1×1 avg-pool,fc,soft-max N/A 1 σ(x)= . (5) 1+exp(−x) 4.Experiments We call this loss function an embedding loss function. It may be confusing that an embedding loss function is used Inthissection,wedemonstratethatourembeddingreg- toupdatew,notX,inourframework.Inastandardpercep- ularizercanembedawatermarkwithoutimpairingtheper- tron,wisaninputandXisaparametertobelearned.Inour formanceofthehostnetwork,andtheembeddedwatermark case,w isanembeddingtargetandX isafixedparameter. isrobustagainstvarioustypesofattack. ThedesignofX isdiscussedinthefollowingsection. This approach does not impair the performance of the host network in the original task as confirmed in exper- 4.1.EvaluationSettings iments, because deep neural networks are typically over- parameterized. Itiswell-knownthatdeepneuralnetworks Datasets. For experiments, we used the well-known have many local minima, and that all local minima are CIFAR-10 and Caltech-101 datasets. The CIFAR-10 likelytohaveanerrorveryclosetothatoftheglobalmin- dataset[22]consistsof60,00032×32colorimagesin10 imum [9, 6]. Therefore, the embedding regularizer only classes, with 6,000 images per class. These images were needstoguidemodelparameterstooneofanumberofgood separated into 50,000 training images and 10,000 test im- localminimasothatthefinalmodelparametershaveanar- ages. TheCaltech-101dataset[10]includespicturesofob- bitrarywatermark. jects belonging to 101 categories; it contains about 40 to 800imagespercategory. Thesizeofeachimageisroughly 3.3.RegularizerParameters 300×200 pixelsbutwe resizedthemin32×32 forfine- tuning. For each category, we used 30 images for training In this section we discuss the design of the embed- andatmost40oftheremainingimagesfortesting. ding parameter X, which can be considered as a secret Host network and training settings. We used the key [15] in detecting and embedding watermarks. While wide residual network [33] as the host network. The wide X ∈ RT×M can be an arbitrary matrix, it will affect the residual network is an efficient variant of the residual net- performanceofanembeddedwatermarkbecauseitisused work[16]. Table3showsthestructureofthewideresidual in both embedding and extraction of watermarks. In this network with a depth parameter N and a width parameter paper, we consider three types of X: Xdirect, Xdiff, and k. In all our experiments, we set N = 1 and k = 4, and Xrandom. usedSGDwithNesterovmomentumandcross-entropyloss Xdirect isconstructedsothatoneelementineachrowof in training. The initial learning rate was set at 0.1, weight Xdirect is ’1’ and the others are ’0’. In this case, the j-th decay to 5.0×10−4, momentum to 0.9 and minibatch size bit b is directly embedded in a certain parameter w s.t. j ˆi to 64. The learning rate was dropped by a factor of 0.2 at Xdirect =1. jˆi 60, 120 and 160 epochs, and we trained for a total of 200 Xdiff iscreatedsothateachrowhasone’1’elementand epochs,followingthesettingsusedin[33]. one ’-1’ element, and the others are ’0’. Using Xdiff, the We embedded a watermark into one of the following j-thbitb isembeddedintothedifferencebetweenw and j i+ convolution layers: the second convolution layer in the w whereXdiff =1andXdiff =−1. i− ji+ ji− conv 2, conv 3, andconv 4groups. Inthefollowing, we Each element of Xrandom is independently drawn from mentionthelocationofthehostlayerbysimplydescribing the standard normal distribution N(0,1). Using Xrandom, theconv2,conv3,orconv4group. InTable3,thenum- each bit is embedded into all instances of the parameter w ber M of parameter w is also shown for these layers. The withrandomweights. Thesethreetypesofembeddingpa- parameter λ in Eq. (1) is set to 0.01. As a watermark, we rametersarecomparedinexperiments. embeddedb=1∈{0,1}T inthefollowingexperiments. 4 WecanseethatthetesterrorsofNotembeddedandran- 0.9 101 dom are almost the same while those of direct and diff Not embedded are slightly larger. The embedding loss E (w) of ran- 0.8 Embedded (direct) R Embedded (diff) dom is extremely low compared with those of direct and 0.7 Embedded (random) diff. These results indicate that the random approach can 0.6 100 effectively embed a watermark without impairing the per- Test error00..45 Training loss formanceintheoriginaltask. 0.3 10-1 4.2.2 DetectingWatermarks 0.2 Figure 2 shows the histogram of the embedded watermark 0.1 σ(Σ X w ) (before thresholding) with and without wa- i ji i 0.00 50 100 150 20010-2 termarks where (a) direct, (b) diff, and (c) random pa- rameters are used in embedding and detection. If we bi- Figure1.TrainingcurvesforthehostnetworkonCIFAR-10asa narize σ(Σ X w ) at a threshold of 0.5, all watermarks i ji i functionofepochs.Solidlinesdenotetesterror(y-axisontheleft) are correctly detected because ∀j, σ(Σ X w ) ≥ 0.5 i ji i anddashedlinesdenotetraininglossE(w)(y-axisontheright). (⇔ Σ X w ≥ 0) for all embedded cases. Please note i ji i thatweembeddedb=1∈{0,1}T asawatermarkasmen- Table4.Testerror(%)andembeddinglossE (w)withandwith- R tioned before. Although random watermarks will be de- outembedding. Testerror E (w) tectedforthenon-embeddedcases, itcanbeeasilyjudged R Notembedded 8.04 N/A thatthewatermarkisnotembeddedbecausethedistribution direct 8.21 1.24×10−1 of σ(ΣiXjiwi) is quite different from those for embedded diff 8.37 6.20×10−2 cases. random 7.97 4.76×10−4 4.2.3 DistributionofModelParameters 4.2.EmbeddingResults We explore how trained model parameters are affected by First,weconfirmthatawatermarkwassuccessfullyem- theembeddedwatermarks. Figure3showsthedistribution beddedinthehostnetworkbytheproposedembeddingreg- of model parameters W (not w) with and without water- ularizer.Wetrainedthehostnetworkfromscratch(train-to- marks. These parameters are taken only from the layer in embed)ontheCIFAR-10datasetwithandwithoutembed- whichawatermarkwasembedded. NotethatW isthepa- dingawatermark. Intheembeddingcase,a256-bitwater- rameter before taking the mean over filters, and thus the mark(T =256)wasembeddedintotheconv2group. numberofparametersis3×3×64×64. Wecanseethat directanddiffsignificantlyalterthedistributionofparam- 4.2.1 TestErrorandTrainingLoss eters while random does not. In direct, many parameters Figure 1 shows the training curves for the host network in becamelargeandapeakappearsnear2sothattheirmean CIFAR-10asafunctionofepochs. Not embeddedisthe overfiltersbecomesalargepositivevaluetoreducetheem- case that the host network is trained without the embed- beddingloss. Indiff,mostparameterswerepushedinboth ding regularizer. Embedded (direct), Embedded (diff), positive and negative directions so that the differences be- and Embedded (random) respectively represent training tweentheseparametersbecamelarge. Inrandom,awater- curves with embedding regularizers whose parameters are mark is diffused over all parameters with random weights Xdirect, Xdiff, and Xrandom. We can see that the training andthusdoesnotsignificantlyalterthedistribution. Thisis loss E(w) with a watermark becomes larger than the not- oneofthedesirablepropertiesofwatermarkingrelatedthe embeddedcaseiftheparametersXdirect andXdiff areused. securityrequirement;onemaybeawareoftheexistenceof Thislargetraininglossisdominatedbytheembeddingloss theembeddedwatermarksforthedirectanddiffcases. E (w),whichindicatesthatitisdifficulttoembedawater- The results so far indicated that the random approach R markdirectlyintoaparameterorevenintothedifferenceof seemedtobethebestchoiceamongthethree,withlowem- twoparameters. Ontheotherhand,thetraininglossofEm- beddingloss,lowtesterrorintheoriginaltask,andnotal- bedded(random)isveryclosetothatofNotembedded. teringtheparameterdistribution. Therefore, inthefollow- Table4showsthebesttesterrorsandembeddinglosses ingexperiments,weusedtherandomapproachinembed- E (w) of the host networks with and without embedding. dingwatermarkswithoutexplicitlyindicatingit. R 5 250 300 300 Not embedded Not embedded Not embedded Embedded (direct) Embedded (diff) Embedded (random) 250 250 200 200 200 Frequency110500 Frequency150 Frequency150 100 100 50 50 50 00.0 0.2 0.4 0.6 0.8 1.0 00.0 0.2 0.4 0.6 0.8 1.0 00.0 0.2 0.4 0.6 0.8 1.0 (a)direct (b)diff (c)random Figure2.Histogramoftheembeddedwatermarkσ(Σ X w )(beforethresholding)withandwithoutwatermarks. i ji i 6000 6000 3000 4000 value value value value 5000 5000 2500 3500 3000 4000 4000 2000 2500 Frequency23000000 Frequency23000000 Frequency11050000 Frequency12500000 1000 1000 1000 500 500 0 −6 −4 −2 0 2 4 6 0 −6 −4 −2 0 2 4 6 0 −6 −4 −2 0 2 4 6 0 −6 −4 −2 0 2 4 6 (a)Notembedded (b)direct (c)diff (d)random Figure3.DistributionofmodelparametersW withandwithoutwatermarks. on the same CIFAR-10 dataset with embedding and with- 0.9 101 outembedding(forcomparison). Inthesecondexperiment, Not embedded 1st thehostnetworkistrainedontheCaltech-101dataset,and 0.8 Not embedded 2nd Embedded then fine-tuned on the CIFAR-10 dataset with and without 0.7 embedding. 0.6 100 Table5(a)showstheresultofthefirstexperiment. Not Test error00..45 Training loss ebtremadinbdiienndggd.weNditoh1otsuettcmoebrmreebdsepddoedniddnsg2tnoadnthdceoEfirmrresstbpteroadnidndeisndgtocwotihrterheossupetcoeonmndds- 0.3 10-1 tothesecondtrainingwithembedding. Figure4showsthe 0.2 trainingcurvesofthesefine-tunings5. WecanseethatEm- beddedachievedalmostthesametesterrorasNotembed- 0.1 ded2ndandaverylowE (w). R 0.0 10-2 0 50 100 150 200 250 300 350 400 Table 5 (b) shows the results of the second experiment. Not embedded 2nd corresponds to the second training Figure 4. Training curves for fine-tuning the host network. The withoutembeddingandEmbeddedcorrespondstothesec- firstandsecondhalvesofepochscorrespondtothefirstandsec- ond training with embedding. The test error and training ondtraining. Solidlinesdenotetesterror(y-axisontheleft)and lossofthefirsttrainingarenotshownbecausetheyarenot dashedlinesdenotetrainingloss(y-axisontheright). compatible between these two different training datasets. From these results, it was also confirmed that Embedded 4.2.4 Fine-tune-to-embedandDistill-to-embed achievedalmostthesametesterrorasNotembedded2nd and very low E (w). Thus, we can say that the proposed R In the above experiments, a watermark was embedded by methodiseffectiveeveninthefine-tune-to-embedsituation training the host network from scratch (train-to-embed). (inthesameanddifferentdomains). Here, we evaluated the other two situations introduced in Finally, embedding a watermark in the distill-to-embed Section 2.2: fine-tune-to-embed and distill-to-embed. For fine-tune-to-embed, two experiments were performed. In 5Notethatthelearningratewasalsoinitializedto0.1atthebeginning the first experiment, the host network was trained on the ofthesecondtraining,whilethelearningratewasreducedto8.0×10−4) CIFAR-10datasetwithoutembedding, andthenfine-tuned attheendofthefirsttraining. 6 Table5.Testerror(%)andembeddinglossE (w)withandwith- Table6.Testerror(%)andembeddinglossE (w)forthecombi- R R outembeddinginfine-tuninganddistilling. nationsofembeddedgroupsandsizesofembeddedbits. (a)Fine-tune-to-embed(CIFAR-10→CIFAR-10) (a)Testerror(%) Testerror E (w) Embeddedbits Embeddedgroup R Notembedded1st 8.04 N/A conv2 conv3 conv4 Notembedded2nd 7.66 N/A 256 7.97 7.98 7.92 Embedded 7.70 4.93×10−4 512 8.47 8.22 7.84 (b)Fine-tune-to-embed(Caltech-101→CIFAR-10) 1,024 8.43 8.12 7.84 Testerror E (w) 2,048 8.17 8.93 7.75 R Notembedded2nd 7.93 N/A (b)Embeddingloss Embedded 7.94 4.83×10−4 Embeddedbits Embeddedgroup (c)Distill-to-embed(CIFAR-10→CIFAR-10) conv2 conv3 conv4 Testerror ER(w) 256 4.76×10−4 7.20×10−4 1.10×10−2 Notembedded1st 8.04 N/A 512 8.11×10−4 8.18×10−4 1.25×10−2 Notembedded2nd 7.86 N/A 1,024 6.74×10−2 1.53×10−3 1.53×10−2 Embedded 7.75 5.01×10−4 2,048 5.35×10−1 3.70×10−2 3.06×10−2 Table7.Losses,testerror,andbiterrorrate(BER)afterembed- dingawatermarkwithdifferentλ. situation was evaluated. The host network is first trained λ 1||w−w ||2 E (w) Testerror BER on the CIFAR-10 dataset without embedding. Then, the 2 0 2 R 0 0.000 1.066 8.04 0.531 trainednetworkwasfurtherfine-tunedonthesameCIFAR- 1 0.184 0.609 8.52 0.324 10 dataset with and without embedding. In this second 10 1.652 0.171 10.57 0.000 training, the training labels of the CIFAR-10 dataset were 100 7.989 0.029 13.00 0.000 not used. Instead, the predicted values of the trained net- workwereusedassofttargets[17].Inotherwords,nolabel was used in the second training. Table 5 (c) shows the re- 4.2.6 EmbeddingwithoutTraining sultsforthedistill-to-embedsituation. Notembedded1st correspondstothefirsttrainingandEmbedded(Not em- AsmentionedinSection3.2, itispossibletoembedawa- bedded 2nd)correspondstotheseconddistillingtraining termarktoahostnetworkbydirectlymodifyingthetrained withembedding(withoutembedding).Itwasfoundthatthe parameterw0asusuallydoneinimagedomain.Herewetry proposedmethodalsoachievedlowtesterrorandE (w)in todothisbyminimizingthefollowinglossfunctioninstead R thedistill-to-embedsituation. ofEq.(1): E(w)= 1||w−w ||2+λE (w), (6) 2 0 2 R 4.2.5 CapacityofWatermark. wheretheembeddinglossE (w)isminimizedwhilemin- R imizing the difference between the modified parameter w Inthissection, thecapacityoftheembeddedwatermarkis andtheoriginalparameterw . Table7summarizestheem- 0 explored by embedding different sizes of watermarks into beddingresultsafterEq.(6)againstthehostnetworktrained differentgroupsinthetrain-to-embedmanner. Pleasenote ontheCIFAR-10dataset. Wecanseethatembeddingfails that the number of parameters w of conv 2, conv 3, and forλ≤1asbiterrorrate(BER)islargerthanzerowhilethe conv4groupswere576,1152,and2304,respectively. Ta- testerroroftheoriginaltaskbecomestoolargeforλ > 1. ble 6 shows test error (%) and embedding loss E (w) for Thus,itisnoteffectivetodirectlyembedawatermarkwith- R combinations of different embedded blocks and different outconsideringtheoriginaltask. numberofembeddedbits.Wecanseethatembeddedlossor 4.3.RobustnessofEmbeddedWatermarks testerrorbecomeshighifthenumberofembeddedbitsbe- comeslargerthanthenumberofparametersw (e.g. 2,048 Inthissection,therobustnessofaproposedwatermarkis bits in conv 3) because the embedding problem becomes evaluatedforthethreeattacktypesexplainedinSection2.3: overdeterminedinsuchcases. Thus,thenumberofembed- fine-tuningandmodelcompression. ded bits should be smaller than the number of parameters w, which is a limitation of the embedding method using a 4.3.1 RobustnessagainstFine-tuning single-layer perceptron. This limitation would be resolved byusingamulti-layerperceptronintheembeddingregular- Fine-tuning or transfer learning [28] seems to be the most izer. likelytypeof(unintentional)attackbecauseitisfrequently 7 Table 8. Embedding loss before fine-tuning (ER(w)) and after 2 group while training the host network on the CIFAR-10 fine-tuning(E(cid:48) (w)),andthebesttesterror(%)afterfine-tuning. R dataset. Weremovedα%ofthe3×3×64×64parameters E (w) E(cid:48) (w) Testerror R R of the embedded layer and calculated embedding loss and CIFAR-10→CIFAR-10 4.76×10−4 8.66×10−4 7.69 bit error rate. Figure 5 (a) shows embedding loss E (w) Caltech-101→CIFAR-10 5.96×10−3 1.56×10−2 7.88 R asafunctionofpruningrateα. Ascending(Descending) representsembeddinglosswhenthetopα%parametersare cut-offaccordingtotheirabsolutevaluesinascending(de- performed on trained models to apply them to other but scending)order.Randomrepresentsembeddinglosswhere similar tasks with less effort than training a network from α%ofparametersarerandomlyremoved. Ascendingcor- scratchortoavoidover-fittingwhensufficienttrainingdata responds to parameter pruning and the others were evalu- isnotavailable. atedforcomparison. Wecanseethattheembeddinglossof In this experiment, two trainings we performed; in the AscendingincreasesmoreslowlythanthoseofDescend- first training, a 256-bit watermark was embedded in the ingandRandomasαincreases.Itisreasonablethatmodel conv 2 group in the train-to-embed manner, and then the parameters with small absolute values have less impact on host network was further fine-tuned in the second training a detected watermark because the watermark is extracted without embedding, to determine whether the watermark fromthedotproductofthemodelparameterwandthecon- embedded in the first training stayed in the host network stantembeddingparameter(weight)X. ornot,evenafterthesecondtraining(fine-tuning). Figure5(b)showsthebiterrorrateasafunctionofprun- Table 8 shows the embedding loss before fine-tuning (E (w))andafterfine-tuning(E(cid:48) (w)),andthebesttester- ingrateα. Surprisingly,thebiterrorratewasstillzeroafter R R removing65%oftheparametersand2/256evenafter80% rorafterfine-tuning. Weevaluatedfine-tuninginthesame of the parameters were pruned (Ascending). We can say domain(CIFAR-10→CIFAR-10)andindifferentdomains that the embedded watermark is sufficiently robust against (Caltech-101→CIFAR-10).Wecanseethat,inbothcases, parameter pruning because, in [13], the resulting pruning the embedding loss was slightly increased by fine-tuning rateofconvolutionallayersrangedfromto16%to65%for but was still low. In addition, the bit error rate of the de- theAlexNet[23],andfrom42%to78%forVGGNet[28]. tectedwatermarkwasequaltozeroinbothcases. Therea- Furthermore,thisdegreeofbiterrorcanbeeasilycorrected son why the embedding loss in fine-tuning in the different byanerrorcorrectioncode(e.g. theBCHcode). Figure6 domains is higher than that in the same domain is that the showsthehistogramofthedetectedwatermarkσ(Σ X w ) Caltech-101 dataset is significantly more difficult than the i ji i afterpruningforα = 0.8and0.95. Forα = 0.95,thehis- CIFAR-10datasetinoursettings;allimagesintheCaltech- 101datasetwereresizedto32×326forcompatibilitywith togramofthedetectedwatermarkisalsoshownforthehost networkintowhichnowatermarkisembedded. Wecansee theCIFAR-10dataset. thatmanyofσ(Σ X w )arestillclosetoonefortheem- i ji i beddedcase,whichmightbeusedasaconfidencescorein 4.3.2 RobustnessagainstModelCompression judging the existence of a watermark (zero-bit watermark- Itissometimesdifficulttodeploydeepneuralnetworksto ing). embeddedsystemsormobiledevicesbecausetheyareboth 5.ConclusionsandFutureWork computationally intensive and memory intensive. In order tosolvethisproblem,themodelparametersareoftencom- In this paper, we have proposed a general framework pressed[14,12,13]. Thecompressionofmodelparameters forembeddingawatermarkindeepneuralnetworkmodels canintentionallyorunintentionallyactasanattackagainst to protect the rights to the trained models. First, we for- watermarks. In this section, we evaluate the robustness of mulated a new problem: embedding watermarks into deep our watermarks against model compression, in particular, neuralnetworks. Wealsodefinedrequirements,embedding against parameter pruning [14]. In parameter pruning, pa- situations, and attack types for watermarking deep neural rameterswhoseabsolutevaluesareverysmallarecut-offto networks. Second, we proposed a general framework for zero.In[13],quantizationofweightsandtheHuffmancod- embedding a watermark in model parameters using a pa- ingofquantizedvaluesarefurtherapplied. Becausequanti- rameterregularizer. Ourapproachdoesnotimpairtheper- zationhaslessimpactthanparameterpruningandtheHuff- formance of networks into which a watermark is embed- mancodingislosslesscompression,wefocusonparameter ded. Finally, we performed comprehensive experiments to pruning. reveal the potential of watermarking deep neural networks In order to evaluate the robustness against parameter asthebasisofthisnewproblem.Weshowedthatourframe- pruning, we embedded a 256-bit watermark in the conv workcouldembedawatermarkwithoutimpairingtheper- 6This size is extremely small compared with their original sizes formanceofadeepneuralnetwork. Theembeddedwater- (roughly300×200). markdidnotdisappearevenafterfine-tuningorparameter 8 100 250 Not embedded α=0.95 Embedded α=0.8 Embedded α=0.95 200 10-1 mbedding loss10-2 Frequency110500 E 10-3 Ascending 50 Descending Random 10-4 0 0.0 0.2 0.4 0.6 0.8 1.0 0.0 0.2 0.4 0.6 0.8 1.0 Pruning rate (a)Embeddingloss. Figure6.Histogramofthedetectedwatermarkσ(ΣiXjiwi)after pruning. 0.5 Ascending Descending into a new one so that its network function can be com- 0.4 Random pletely preserved for further training. This network mor- phismcanconstituteasevereattackagainstourwatermark becauseitmaybeimpossibletodetecttheembeddedwater- e0.3 or rat markifthetopologyofthehostnetworkisseverelymodi- err fied.Welefttheinvestigationhowtheembeddedwatermark Bit 0.2 isaffectedbythisnetworkmorphismforfuturework. Steganalysis. Steganalysis [27, 21] is a method for de- 0.1 tectingthepresenceofsecretlyhiddendata(e.g. steganog- raphyorwatermarks)indigitalmediafilessuchasimages, video,audio,and,inourcase,deepneuralnetworks.Water- 0.0 0.0 0.2 0.4 0.6 0.8 1.0 marksideallyarerobustagainststeganalysis. While,inthis Pruning rate paper, we confirmed that embedding watermarks does not (b)Biterrorrate. significantly change the distribution of model parameters, Figure5.Embeddinglossandbiterrorrateafterpruningasafunc- more exploration is needed to evaluate robustness against tionofpruningrate. steganalysis. Conversely,developingeffectivesteganalysis againstwatermarksfordeepneuralnetworkscanbeanin- pruning; the entire watermark remained even after 65% of terestingresearchtopic. theparameterswerepruned. Fingerprinting. Digital fingerprinting is an alternative to the watermarking approach for persistent identification 5.1.FutureWork of images [2], video [20, 31], and audio clips [1, 11]. In Although we have obtained first insight into the new this paper, we focused on one of these two important ap- problem of embedding a watermark in deep neural net- proaches. Robustfingerprintingofdeepneuralnetworksis works,manythingsremainasfuturework. anotherandcomplementarydirectiontoprotectdeepneural Compression as embedding. Compressing deep neu- networkmodels. ral networks is a very important and active research topic. While we confirmed that our watermark is very robust References againstparameterpruninginthispaper,awatermarkmight [1] X.Anguera,A.Garzon,andT.Adamek.Mask:Robustlocal beembeddedinconjunctionwithcompressingmodels. For featuresforaudiofingerprinting. InProc.ofICME,2012. example, in [13], after parameter pruning, the network is [2] J.Barr, B.Bradley, andB.T.Hannigan. Usingdigitalwa- re-trainedtolearnthefinalweightsfortheremainingsparse termarkswithimagesignaturestomitigatethethreatofthe parameters. Ourembeddingregularizercanbeusedinthis copyattack. InProc.ofICASSP,pages69–72,2003. re-trainingtoembedawatermark. [3] J.Bergstra,O.Breuleux,F.Bastien,P.Lamblin,R.Pascanu, Networkmorphism. In[4,32], asystematicstudyhas G. Desjardins, J. Turian, D. Warde-Farley, and Y. Bengio. been done on how to morph a well-trained neural network Theano:aCPUandGPUmathexpressioncompiler.InProc. 9 ofthePythonforScientificComputingConference(SciPy), [23] A. Krizhevsky, I. Sutskever, and G. E. Hinton. Imagenet 2010. classification with deep convolutional neural networks. In [4] T.Chen,I.Goodfellow,andJ.Shlens.Net2net:Accelerating Proc.ofNIPS,2012. learningviaknowledgetransfer. InProc.ofICLR,2016. [24] A.KroghandJ.A.Hertz. Asimpleweightdecaycanim- [5] F.Chollet. Keras. GitHubrepository,2015. provegeneralization. InProc.ofNIPS,1992. [6] A. Choromanska, M. Henaff, M. Mathieu, G. Arous, and [25] Y. Lecun, L. Bottou, Y. Bengio, and P. Haffner. Gradient- Y.LeCun.Thelosssurfacesofmultilayernetworks.InProc. based learning applied to document recognition. Proceed- ofAISTATS,2015. ingsoftheIEEE,86(11):2278–2324,1998. [7] R. Collobert, K. Kavukcuoglu, and C. Farabet. Torch7: A [26] M.Abadi,etal. Tensorflow: Large-scalemachinelearning matlab-like environment for machine learning. In Proc. of on heterogeneous distributed systems. arXiv:1603.04467, NIPSWorkshoponBigLearn,2011. 2016. [8] I.Cox,M.Miller,J.Bloom,J.Fridrich,andT.Kalker. Dig- [27] L.Shaohui,Y.Hongxun,andG.Wen.Neuralnetworkbased ital Watermarking and Steganography. Morgan Kaufmann steganalysisinstillimages. InProc.ofICME,2003. PublishersInc.,2edition,2008. [28] K. Simonyan and A. Zisserman. Very deep convolutional networksforlarge-scaleimagerecognition.InProc.ofICLR, [9] Y. Dauphin, R. Pascanu, C. Gulcehre, K. Cho, S. Ganguli, 2015. and Y. Bengio. Identifying and attacking the saddle point problem in high-dimensional non-convex optimization. In [29] C. Szegedy, W. Liu, Y. Jia, P. Sermanet, S. Reed, Proc.ofNIPS,2014. D.Anguelov, D.Erhan, V.Vanhoucke, andA.Rabinovich. Goingdeeperwithconvolutions. InProc.ofCVPR,2015. [10] L. Fei-Fei, R. Fergus, and P. Perona. Learning generative visual models from few training examples: an incremen- [30] S. Tokui, K. Oono, S. Hido, and J. Clayton. Chainer: a tal bayesian approach tested on 101 object categories. In next-generation open source framework for deep learning. Proc. of CVPR Workshop on Generative-Model Based Vi- In Proc. of NIPS Workshop on Machine Learning Systems, sion,2004. 2015. [31] Y.Uchida,M.Agrawal,andS.Sakazawa.Accuratecontent- [11] J.HaitsmaandT.Kalker. Ahighlyrobustaudiofingerprint- ingsystem. InProc.ofISMIR,pages107–115,2002. based video copy detection with efficient feature indexing. InProc.ofICMR,2011. [12] S.Han,X.Liu,H.Mao,J.Pu,A.Pedram,M.A.Horowitz, [32] T. Wei, C. Wang, Y. Rui, and C. W. Chen. Network mor- and W. J. Dally. Eie: Efficient inference engine on com- phism. InProc.ofICML,2016. presseddeepneuralnetwork. InProc.ofISCA,2016. [33] S.ZagoruykoandN.Komodakis. Wideresidualnetworks. [13] S.Han,H.Mao,andW.J.Dally. Deepcompression: Com- InProc.ofECCV,2016. pressingdeepneuralnetworkswithpruning,trainedquanti- zationandhuffmancoding. InProc.ofICLR,2016. [14] S. Han, J. Pool, J. Tran, and W. J. Dally. Learning both weights and connections for efficient neural networks. In Proc.ofNIPS,2015. [15] F.HartungandM.Kutter. Multimediawatermarkingtech- niques. ProceedingsoftheIEEE,87(7):1079–1107,1999. [16] K.He,X.Zhang,S.Ren,andJ.Sun. Deepresiduallearning forimagerecognition. InProc.ofCVPR,2016. [17] G.Hinton,O.Vinyals,andJ.Dean.Distillingtheknowledge in a neural network. In Proc. of NIPS Workshop on Deep LearningandRepresentationLearning,2014. [18] S.HochreiterandJ.Schmidhuber.Longshort-termmemory. NeuralComputation,9(8):1735–1780,1997. [19] Y.Jia,E.Shelhamer,J.Donahue,S.Karayev,J.Long,R.Gir- shick,S.Guadarrama,andT.Darrell. Caffe: Convolutional architecture for fast feature embedding. In Proc. of MM, 2014. [20] A. Joly, C. Frelicot, and O. Buisson. Content-based video copy detection in large databases: a local fingerprints sta- tisticalsimilaritysearchapproach. InProc.ofICIP,pages 505–508,2005. [21] J.Kodovsky,J.Fridrich,andV.Holub. Ensembleclassifiers forsteganalysisofdigitalmedia.IEEETrans.onInformation ForensicsandSecurity,7(2):432–444,2012. [22] A. Krizhevsky. Learning multiple layers of features from tinyimages. TechReport,2009. 10

See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.