基于水印神经网络的可溯源DNN模型保护方法  

作　　者：刘雅蕾 和红杰[2] 陈帆[1] 刘卓华 LIU Yalei;HE Hongjie;CHEN Fan;LIU Zhuohua(School of Computing and Artificial Intelligence,Southwest Jiaotong University,Chengdu 611756,Sichuan,China;School of Information Science and Technology,Southwest Jiaotong University,Chengdu 611756,Sichuan,China)

机构地区：[1]西南交通大学计算机与人工智能学院,四川成都611756 [2]西南交通大学信息科学与技术学院,四川成都611756

出　　处：《应用科学学报》2023年第2期183-196,共14页Journal of Applied Sciences

基　　金：国家自然科学基金(No.U1936113,No.61872303)资助。

摘　　要：针对深度神经网络(deep neural networks,DNN)模型安全与版权认证的问题,提出了一种多用户溯源的水印神经网络模型,通过密钥驱动生成水印图像,将其不可见地嵌入待保护目标模型的输出图像中,实现DNN模型的知识产权保护和版权追踪。在待保护的DNN模型中添加一种编解码器网络实现水印的嵌入,并使用双流篡改检测网络作为判别器,解决了模型的输出图像中可能出现的水印残留问题,提升了水印嵌入过程的不可感知性,减少了对DNN模型性能的影响,增强了安全性。此外,通过本文设计的双阶段训练法针对不同用户分发不同的含水印模型,当发生版权纠纷时,使用另一个残差网络可以从输出图像中提取水印图像。实验证明,本方法分发含水印的模型效率较高,并且即使对多个用户分发了嵌入相似水印图像的DNN模型,水印神经网络依然可以成功对模型进行溯源。This paper proposes a multi-user traceability watermarking neural network approach to model security and copyright certification for deep neural networks(DNN).The watermark is generated by the key driver and embedded invisibly in the output images of the DNN model,hence realizing the intellectual property protection and copyright tracking of DNN model.A codec network is added to the DNN model to embed the watermark,and a two-stream tamper detection network is used as the discriminator.Thus,the problem of residual watermark in the output images of the model is solved,which,reduces the impact on the performance of DNN model and enhances the security.In addition,a two-stage training method is proposed in this paper to distribute different watermarked models to different users.When copyright disputes occur,another residual network can be used to extract the watermark image from the output image.Experiments show that the proposed method is efficient in distributing watermarked models,and is able to trace the source of DNN models embedded with similar watermarked images for multiple users.

关 键 词：深度神经网络 数字水印 版权保护 水印神经网络 图像隐写 

分 类 号：P391[天文地球—地球物理学]