基于可逆水印的神经网络模型完整性验证算法  

作　　者：杨奥松 王雷 曹仰杰[1] 庄岩[1] 李颉[1,3] 任红军 YANG Ao-song;WANG Lei;CAO Yang-jie;ZHUANG Yan;LI Jie;REN Hong-jun(School of Cyber Science and Engineering,Zhengzhou University,Zhengzhou 450001,China;HanWei Research Development Institute,HanWei Electronics Group Corporation,Zhengzhou 450001,China;Department of Computer Science and Engineering,Shanghai Jiao Tong University,Shanghai 200030,China)

机构地区：[1]郑州大学网络空间安全学院,河南郑州450001 [2]汉威科技集团股份有限公司汉威研究院,河南郑州450001 [3]上海交通大学计算机系,上海200030

出　　处：《计算机工程与设计》2024年第2期383-389,共7页Computer Engineering and Design

基　　金：国家自然科学基金面上基金项目(61972092);郑州市协同创新重大专项基金项目(20XTZX06013)。

摘　　要：针对深度神经网络模型易遭受完整性破坏问题,提出一种基于可逆水印和模型压缩剪枝理论的快速神经网络模型完整性验证算法Fast-MIV(model integrity verification)。基于模型压缩剪枝理论探究模型的冗余性,筛选对模型原始任务影响较小、且可被替代的权重参数进行预处理构建待嵌入参数序列;采用差值扩展可逆水印算法,在神经网络卷积层上嵌入对模型篡改敏感的神经网络水印,达到完整性验证的目的。基于ImageNet数据集,对VGG19、DenseNet-121、ResNet-50和Inception-v3等模型的实验验证结果表明,Fast-MIV在不影响模型原始分类任务精度的前提下,能够快速验证模型的完整性并报告模型的受损程度,可以应对数据中毒攻击和结构性破坏。To address the problem that deep neural network models are vulnerable to integrity damage,a Fast-MIV(model integrity verification)algorithm was proposed for the neural network model integrity verification based on reversible watermarking and model compression pruning theory.The redundancy of the model was explored based on model pruning compression theory.Weight parameters of the model that showed little impact on model’s original tasks were preprocessed to construct the parameter sequence to be embedded.The difference extended reversible watermarking algorithm was used to embed the neural network watermark,which was sensitive to model tampering,on the neural network convolution layer to achieve integrity verification.Comprehensive experiments were conducted based on the typical ImageNet data benchmarks of VGG19,DenseNet-121,ResNet-50 and Inception-v3.The results show that Fast-MIV quickly verifies the integrity of the model and the damage degree of the model without affecting the accuracy of the original classification task of the model,and it can respond to data poisoning attack and structural damage.

关 键 词：完整性验证 可逆水印 剪枝 差值扩展 数据中毒攻击 神经网络 预训练 

分 类 号：TP183[自动化与计算机技术—控制理论与控制工程]