Authors: 李珮玄 (LI Peixuan), 黄土 (HUANG Tu), 罗书卿 (LUO Shuqing), 宋佳鑫 (SONG Jiaxin), 刘功申 (LIU Gongshen) [1] (School of Electronic Information and Electrical Engineering, Shanghai Jiao Tong University, Shanghai 200240, China)
Affiliation: [1] School of Electronic Information and Electrical Engineering, Shanghai Jiao Tong University, Shanghai 200240, China
Source: Journal of Cyber Security (信息安全学报), 2025, No. 1, pp. 17-35 (19 pages)
Funding: Supported by the Joint Key Project of the National Natural Science Foundation of China (No. U21B2020) and the Shanghai Science and Technology Plan Project (No. 22511104400).
Abstract: Deep learning models have achieved excellent performance in many tasks and have gradually come into wide use in many fields. Since training a deep neural network with superior performance is expensive, a deep learning model can be regarded as the intellectual property of its owner. However, security was not considered when deep learning models were first designed, and security issues have gradually emerged alongside the rapid development of deep learning. With the deployment and use of cloud platforms for model training, the threat of deep learning models being stolen, maliciously distributed, and resold has greatly increased. Because deep learning models have enormous practical value, malicious attackers who illegally steal models seriously violate the rights and interests of model owners, so protecting the copyright of deep learning models is an urgent need. To address this problem, many copyright protection schemes for deep learning models have been proposed in recent years, including model ownership verification based on digital watermarking and model access control based on watermarking or encryption, but a summary of them has been lacking. This paper summarizes the current state of research and discusses possible future research directions. It first introduces the basic concepts of deep learning model watermarking and backdoor attacks, together with the requirements for model watermarking; it then gives a comprehensive and detailed summary and classification of existing copyright protection schemes for deep learning models according to different classification criteria, namely the function implemented, the implementation method, the implementation time, and the verification method; in addition, it summarizes attack methods against copyright protection schemes for deep learning models from four aspects: detection attacks, evasion (escape) attacks, removal attacks, and fraud attacks; finally, it summarizes the research status and outlines key future research directions. We hope this detailed survey can provide a useful reference for subsequent research in this field.
Keywords: deep learning model security; deep learning model copyright protection; model watermarking
Classification code: TP18 [Automation and Computer Technology; Control Theory and Control Engineering]