- Rethinking Deep Neural Network Ownership Verification: Embedding Passports to Defeat Ambiguity Attacks
(Released on September 16, 2019)
Updated on September 25, 2022
- Fix bugs
- Added training and attack bash scripts (see
training.sh
andattacking.sh
) - Added flipping attack (see
flip_attack.py
) - Added ImageNet experiment
- Our framework on GAN IP protection is accepted in CVPR 2021, see here.
- Our framework on RNN IP protection is accepted in AACL IJCNLP 2022, see here.
- Our framework on Multi-modal IP protection is accepted in Pattern Recognition 2022, see here.
With the rapid development of deep neural networks (DNN), there emerges an urgent need to protect the trained DNN models from being illegally copied, redistributed, or abused without respecting the intellectual properties of legitimate owners. This work proposes novel passport-based DNN ownership verification schemes which are both robust to network modifications and resilient to ambiguity attacks. The gist of embedding digital passports is to design and train DNN models in a way such that, the DNN model performance of an original task will be significantly deteriorated due to forged passports (see Figure 1). In other words genuine passports are not only verified by looking for predefined signatures, but also reasserted by the unyielding DNN model performances.
Figure 1: Example of ResNet performance on CIFAR10 when (left) Random Attack and (right) Ambiguity Attack
For compability issue, please run the code using python 3.6
and pytorch 1.2
. Also, please see requirements.txt
or Dockerfile
to check out the environment.
If you wish to use a real image as the passport, please ensure that you have a pre-trained model before training the passport layer.
To see more arguments, please run the script with --help
.
The example below is running on default arguments.
Skip --train-passport
as follow:
python train_v1.py
Run --train-passport
as follow:
python train_v1.py --train-passport --pretrained-path path/to/pretrained.pth
Skip --train-private
, it is true by default.
python train_v23.py --pretrained-path path/to/pretrained.pth
Run --train-backdoor
as follow:
python train_v23.py --train-backdoor --pretrained-path path/to/pretrained.pth
Most of the datasets will be automatically downloaded except the trigger set
data.
To download the default trigger set
data, kindly refer to https://github.com/adiyoss/WatermarkNN
Also, please refer to dataset.py
to understand how the data are loaded.
passport_attack_1.py
, passport_attack_2.py
, and passport_attack_3.py
are the scripts to run fake attack 1, 2 and 3 respectively, as mentioned in our paper.
Please refer to --help
on how to setup the arguments.
All passport configs are stored in passport_configs/
To set a passport layer for Alexnet or ResNet18, simply changing false
to true
or a string
.
If string
is deployed as the signature, please make sure that the length of the string is less than the number of channels in the specific layer.
For example, a layer with 256 channels, so the maximum will be 256-bit === 32 ascii characters are allowed. If the signature is less than 32 characters, the remaining bits will be set randomly.
The example below is AlexNet with the last 3 layers as the passport layer, i.e we embed random signature into the 4th and 5th layer and embed this is my signature
into the last layer (6th).
{
"0": false,
"2": false,
"4": true,
"5": true,
"6": "this is my signature"
}
For passport in our experiments, we randomly choose 20 images from the test data. Passports in the intermediate layer will be the activation map of 20 images computed from pretrained model.
If you find this work useful for your research, please cite
@article{Deepipr,
title={DeepIPR: Deep Neural Network Ownership Verification with Passports},
author={Fan, Lixin and Ng, Kam Woh and Chan, Chee Seng and Qiang, Yang},
journal={IEEE Transactions on Pattern Analysis and Machine Intelligence},
year={2022},
volume={44},
number={10},
pages={6122-6139},
doi = {10.1109/TPAMI.2021.3088846}
}
Suggestions and opinions on this work (both positive and negative) are greatly welcomed. Please contact the authors by sending an email to
lixinfan at webank.com
or kamwoh at gmail.com
or cs.chan at um.edu.my
.
The project is open source under BSD-3 license (see the LICENSE
file).
©2019 Webank and Universiti Malaya.