Authors: 袁程胜, 郭强, 付章杰 [1,2] (YUAN Chengsheng; GUO Qiang; FU Zhangjie) (School of Computer Science, Nanjing University of Information Science and Technology, Nanjing 210044, China; Engineering Research Center of Digital Forensics, Ministry of Education, Nanjing University of Information Science and Technology, Nanjing 210044, China)
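Affiliations: [1] School of Computer Science, School of Software, and School of Cyberspace Security, Nanjing University of Information Science and Technology, Nanjing, Jiangsu 210044; [2] Engineering Research Center of Digital Forensics, Ministry of Education, Nanjing University of Information Science and Technology, Nanjing, Jiangsu 210044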
Source: Journal on Communications (《通信学报》), 2022, No. 9, pp. 181-193 (13 pages)
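Funding: National Natural Science Foundation of China (No.62102189); Natural Science Foundation of Jiangsu Province (No.BK20200807, No.BK20200039); Research Program Fund of the National University of Defense Technology (No.JS21-4); Public Welfare Science and Technology Industry Fund of the Zhejiang Provincial Department of Science and Technology (No.LGF21F020006).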
Abstract: A copyright protection algorithm based on differential privacy for the deep fake fingerprint detection model (DFFDM) was proposed, realizing active copyright protection and passive copyright verification of the DFFDM without weakening the performance of the original task. In the original task training, noise was added to introduce randomness, and the expected stability of the differential privacy algorithm was used to make classification decisions to reduce the sensitivity to noise. In passive verification, FGSM was used to generate adversarial samples, the decision boundary was fine-tuned to establish a backdoor, and the backdoor mapping was used as an implanted watermark to realize passive verification. To solve the copyright confusion caused by multiple backdoors, a watermark verification framework was designed, which timestamped the trigger backdoors and identified the copyright with the help of time order. In active protection, to provide users with hierarchical services, the key neurons in the task were frozen by a probabilistic selection strategy, and access rights were designed to realize the thawing of neurons, so as to obtain the right to use the original task. Experimental results show that the backdoor verification is still effective under different model performance, and the embedded backdoor shows a certain robustness to model modification. In addition, the proposed algorithm can resist not only the collusion attack in which the attacker recruits legitimate users, but also the fine-tuning and compression attacks launched through model modification.
Keywords: copyright protection; adversarial samples; differential privacy; model watermarking; fake fingerprint detection
Classification number: TP391 [Automation and Computer Technology: Computer Application Technology]