基于图像增强的模型防窃取研究  

作　　者：武于新 陈伟[1] 杨文馨 张怡婷[1] 范渊 Wu Yuxin;Chen Wei;Yang Wenxin;Zhang Yiting;Fan Yuan(School of Computer Science,Nanjing University of Posts and Telecommunications,Nanjing 210023;DBAPP Security Co.,Ltd.,Hangzhou 310051)

机构地区：[1]南京邮电大学计算机学院,南京210023 [2]杭州安恒信息技术股份有限公司,杭州310051

出　　处：《信息安全研究》2025年第3期214-220,共7页Journal of Information Security Research

基　　金：江苏省重点研发计划项目(BE2022065-5);国家重点研发计划项目(2019YFB2101704);江苏省网络与信息安全重点实验室项目(BM2003201)。

摘　　要：卷积神经网络(convolutional neural network,CNN)模型被广泛应用于图像分类任务,并取得较好的成果,但是这些模型也会成为被窃取的对象.针对现有防窃取措施中高度依赖算法的检测准确性和事后知识产权验证的问题,提出了一种新型的避免图像分类任务中的CNN模型被窃取的方法,利用图像增强技术提高私有模型的泛化能力.然后使用宽松的可疑行为检测规则检测查询行为,对于可疑的查询图像使用增强图像技术进行处理,再将处理后的图像输入到增强模型中进行预测.最后输出模型的预测类别置信度组成的向量,实现了输入输出不对等,这个过程中将阻止可疑用户获得其输入图像对应的模型预测信息,以达到模型防窃取的目的.使用3种常见的图像数据集和4种卷积神经网络结构进行实验,发现该方法可以实现模型防窃取的目的,并且保证私有模型可以正常完成其分类任务.Convolutional neural network(CNN)models have been widely used in image classification tasks and have achieved good results,but these models can also become objects of stealing.This paper proposes a novel method to avoid the stealing of CNN models in image classification tasks,addressing the issues of high dependence on algorithm detection accuracy and post intellectual property verification in existing anti-stealing measures.It utilizes image data augmentation technology to improve the robustness and generalization ability of private models,and then uses loose suspicious behavior detection rules to detect image query behavior.Suspicious query images are processed using enhanced image technology,and the processed images are input into the enhanced model for prediction.Finally,a vector composed of the predicted category confidence of the model is output to achieve input-output inequality.This process will prevent suspicious users from obtaining the model prediction information corresponding to their input images,in order to achieve the goal of model stealing prevention.This paper conducts experiments using three common image datasets and four convolutional neural network(CNN)structures,and finally finds that the method proposed in this paper can achieve the goal of model anti-stealing and ensure that private models can complete their classification tasks normally.

关 键 词：人工智能 卷积神经网络 模型窃取 模型防窃取 图像增强 

分 类 号：TP309.2[自动化与计算机技术—计算机系统结构]