深度神经网络模型水印研究进展  

作　　者：谭景轩 钟楠 郭钰生 钱振兴 张新鹏 TAN Jingxuan;ZHONG Nan;GUO Yusheng;QIAN Zhenxing;ZHANG Xinpeng(School of Computer Science,Fudan University,Shanghai 200433,China)

机构地区：[1]复旦大学计算机科学技术学院,上海200433

出　　处：《上海理工大学学报》2024年第3期225-242,共18页Journal of University of Shanghai For Science and Technology

基　　金：国家自然科学基金资助项目(U20B2051,62072114,U20A20178,U22B2047);国家重点研发计划资助项目(2023YFF0905000)。

摘　　要：随着深度神经网络在诸多领域的成功应用,以神经网络水印为代表的深度模型知识产权保护技术在近年来受到了广泛关注。对现有的深度神经网络模型水印方法进行综述,梳理了目前为了保护模型知识产权而提出的各类水印方案,按照提取水印时所具备的不同条件,将其分为白盒水印、黑盒水印和无盒水印3类方法,并对各类方法按照水印嵌入机制或适用模型对象的不同进行细分,深入分析了各类方法的主要原理、实现手段和发展趋势。然后,对模型水印的攻击方法进行了系统总结和归类,揭示了神经网络水印面对的主要威胁和安全问题。在此基础上,对各类模型水印中的经典方法进行了性能比较和分析,明确了各个方法的优势和不足,帮助研究者根据实际的应用场景选用合适的水印方法,为后续研究提供基础。最后,讨论了当前深度神经网络模型水印面临的挑战,并展望未来可能的研究方向,旨在为相关的研究提供参考。With the successful application of deep neural networks(DNN)in many fields,deep model intellectual property protection technologies represented by neural network watermarking have received widespread attention in recent years.An overview of existing DNN model watermarking methods was provided in this paper.According to the different conditions required for extracting watermarks,watermarks were classified into three categories:white-box watermarking,black-box watermarking,and box-free watermarking.Furthermore,various methods were categorized according to different watermark embedding mechanisms or applicable model objects,and an in-depth analysis was conducted on the main principles,implementation approaches,and development trends of these methods.Subsequently,a systematic summary and classification of attack methods on model watermarking were provided,revealing the main threats and security issues faced by neural network watermarking.On this basis,performance comparison and analysis were conducted on representative methods in each category of model watermarks,which clarified their advantages and disadvantages to help researchers choose appropriate watermark methods based on actual application scenarios.Finally,the challenges of current deep neural network model watermarking were discussed,and potential future research directions were envisioned to provide references for related research.

关 键 词：深度神经网络 知识产权保护 神经网络水印 白盒水印 黑盒水印 无盒水印 水印攻击 模型安全 

分 类 号：TP309.2[自动化与计算机技术—计算机系统结构]