Digital Watermarking for Machine Learning Model Techniques Protocols and Applications.pdf

Digital Watermarking for Machine Learning Model Techniques Protocols and Applications.pdf

《Digital Watermarking for Machine Learning Model Techniques Protocols and Applications.pdf》由会员分享，可在线阅读，更多相关《Digital Watermarking for Machine Learning Model Techniques Protocols and Applications.pdf（233页珍藏版）》请在冰豆网上搜索。

LixinFanCheeSengChanQiangYangEditorsDigitalWatermarkingforMachineLearningModelTechniques,ProtocolsandApplicationsDigitalWatermarkingforMachineLearningModelLixinFanCheeSengChanQiangYangEditorsDigitalWatermarkingforMachineLearningModelTechniques,ProtocolsandApplicationsEditorsLixinFanAILabWeBankShenzhen,ChinaCheeSengChanDepartmentofArtificialIntelligenceUniversitiMalayaKualaLumpur,MalaysiaQiangYangDepartmentofCSandEngineeringHongKongUniversityofScienceandTechHongKong,ChinaISBN978-981-19-7553-0ISBN978-981-19-7554-7（eBook）https:

/doi.org/10.1007/978-981-19-7554-7TheEditor（s）（ifapplicable）andTheAuthor（s）,underexclusivelicensetoSpringerNatureSingaporePteLtd.2023Thisworkissubjecttocopyright.AllrightsaresolelyandexclusivelylicensedbythePublisher,whetherthewholeorpartofthematerialisconcerned,specificallytherightsofreprinting,reuseofillustrations,recitation,broadcasting,reproductiononmicrofilmsorinanyotherphysicalway,andtransmissionorinformationstorageandretrieval,electronicadaptation,computersoftware,orbysimilarordissimilarmethodologynowknownorhereafterdeveloped.Theuseofgeneraldescriptivenames,registerednames,trademarks,servicemarks,etc.inthispublicationdoesnotimply,evenintheabsenceofaspecificstatement,thatsuchnamesareexemptfromtherelevantprotectivelawsandregulationsandthereforefreeforgeneraluse.Thepublisher,theauthors,andtheeditorsaresafetoassumethattheadviceandinformationinthisbookarebelievedtobetrueandaccurateatthedateofpublication.Neitherthepublishernortheauthorsortheeditorsgiveawarranty,expressedorimplied,withrespecttothematerialcontainedhereinorforanyerrorsoromissionsthatmayhavebeenmade.Thepublisherremainsneutralwithregardtojurisdictionalclaimsinpublishedmapsandinstitutionalaffiliations.ThisSpringerimprintispublishedbytheregisteredcompanySpringerNatureSingaporePteLtd.Theregisteredcompanyaddressis:

152BeachRoad,#21-01/04GatewayEast,Singapore189721,SingaporePrefaceInamoderndigitaleconomy,wecareaboutthevaluethatdatacangenerate.Suchvaluesareoftentimescreatedbymachinelearningmodelsempoweredbyenormousamountofdataofmultipleforms.Forexample,usingthehealth-checkupdata,medicaldoctorscantrainastrokepredictionmodelthatcanaccuratelypredictthelikelihoodofapatientgettingastroke.Acomputervisionmodelinanautonomousvehiclecantellwhetheratrafficlightisinredorgreeneveninthefoggyweather.Aneconomicmodelcangiveexplanationsonwhytheoilpricesarevolatileinaparticularperiodoftime.Onecansaythatdataareequivalenttorawmaterialssuchascoalandoilinthetraditionaleconomy,andinthisanalogy,machinelearningmodelsarethemachinesandvehiclesthatproducethevalueforthedigitaleconomy.Similartothefinanceandgoodsthatneedtobetrackedandmanaged,aswellastobeprotectedbylaw,intheforeseeablefuture,modelsneedtobeprotected,managedandauditedaswell.Specifically,whenweuseamodelpurchasedfromathirdparty,weneedtobecertainthatthemodelcomesfromalegitimateplace.Whenwetrademodelsinamarketplace,weneedtohaveafairmethodologytoascertainthevalueofthemodelinacertainbusinesscontext.Whenamodelmisbehaves,forinstanceifastrokepredictionmodelfailstopredictafatalstroke,weneedtohavethemeanstotracebacktheresponsiblepartythatshouldhandlethelossoflife.Whenuserswithdifferentroles,suchasregulators,engineersorendusers,inquireaboutthemodel,weneedtohaveawaytoauditthemodelshistoryaswellasgiveafairexplanationofthemodelsperformance.Furthermore,whenmodelsarebuiltoutofmultiplepartiesdata,itisimportanttobeabletofilteroutsemi-honestpartieswhocanusevariousopportunitiestopeekatotherpartiesdataoutofcuriosity.Tobeabletotrackandmanagemodels,atypicalwayistoembedasignatureknownasawatermarkintoamodel.Furthermore,careshouldbetakentopreventthewatermarkinginformationfrombeingaltered.Itischallengingtoinsertandmanagewatermarkstechnicallyforcomplexmodelsthatinvolvemillionsorevenbillionsofmodelparameters.Thetechnologyofmodelwatermarkingisthecentralfocusofthisbook.ThewatermarkingtechnologymustanswerhowtobestbalancetheneedtoembedthewatermarksandhidethemfrompotentialtamperingwhilevviPrefaceallowingthemodeltrainingandinferencetobeefficientandeffective.Whiletherearewatermarkingalgorithmsforimagedatatoconfirmtheownershipofimages,andlatelyNFTtechnologiesfordigitalarts,thewatermarkingtechniquesformodelsarenovelandmorechallenging.Thisispartlyduetothefactthatmodelsengageinanentiresoftwareproductlifecycleinwhichthereisatrainingprocessandanapplicationprocess.Thereareissuesrelatedtoownershipverification,transferandmodelrevision,mixturesandmerges,modeltracing,legalobligation,responsibility,rewards,andincentives.Onceestablished,themodelwatermarkingtechniqueswillbecomeacornerstoneofthefuturedigitaleconomy.ThisbookistheresultofthemostrecentfrontlineresearchinAIcontributedbyagroupofresearcherswhoareactiveinfieldsincludingmachinelearning,dataandmodelmanagement,federatedlearningandmanyfieldedapplicationsofthesetechnologies.Thisbookisingeneralsuitableforreaderswithinterestsinmachinelearningandbigdata.Inparticular,thepreliminarychaptersprovideanintroductionandbriefreviewofrequirementsformodelownershipverificationusingwatermarking.ChaptersinPartIIofthebookelaborateontechniquesthataredevelopedforvariousmachinelearningmodelsaswellassecurityrequirements.PartIIIofthebookcoversapplicationsofmodelwatermarkingtechniquesinfederatedlearningsettingsandmodelauditingusecases.Wehopethebookwillbringtothereadersanewlookintothedigitalfutureofhumansociety,onethatfollowswidelyacceptedhumanvaluesofmodernpeopleandsociety.Wealsoexpectthisintroductorybookagoodreferencebookforstudentsstudyingartificialintelligenceandahandbookforengineersandresearchersinindustry.Toourbestknowledge,thisbookisthefirstinitskindthatshowcaseshowtousedigitalwatermarkstoverifyownershipofmachinelearningmodels.Nevertheless,thebookwouldhavebeenimpossiblewithoutkindassistancefrommanypeople.ThankstoeveryoneontheSpringereditorialteam,andspecialthankstoCeline,theever-patientEditorialDirector.Theauthorswouldliketothanktheirfamiliesfortheirconstantsupport.Shenzhen,ChinaLixinFanKualaLumpur,MalaysiaCheeSengChanHongKong,ChinaQiangYangJune,2022ContentsPartIPreliminary1Introduction.3LixinFan,CheeSengChan,andQiangYang2OwnershipVerificationProtocolsforDeepNeuralNetworkWatermarks.11FangqiLiandShilinWangPartIITechniques3ModelWatermarkingforDeepNeuralNetworksofImageRecovery.37YuhuiQuanandHuanTeng4TheRobustandHarmlessModelWatermarking.53YimingLi,LinghuiZhu,YangBai,YongJiang,andShu-TaoXia5ProtectingIntellectualPropertyofMachineLearningModelsviaFingerprintingtheClassificationBoundary.73XiaoyuCao,JinyuanJia,andNeilZhenqiangGong6ProtectingImageProcessingNetworksviaModelWatermarking.93JieZhang,DongdongChen,JingLiao,WeimingZhang,andNenghaiYu7WatermarksforDeepReinforcementLearning.117KangjieChen8OwnershipProtectionforImageCaptioningModels.143JianHanLim9ProtectingRecurrentNeuralNetworkbyEmbeddingKeys.167ZhiQinTan,HaoShanWong,andCheeSengChanviiviiiContentsPartIIIApplications10FedIPR:

OwnershipVerificationforFederatedDeepNeuralNetworkModels.193BowenLi,LixinFan,HanlinGu,JieLi,andQiangYang11ModelAuditingforDataIntellectualProperty.211BowenLi,LixinFan,JieLi,HanlinGu,andQiangYangContributorsYangBaiTsinghuaUniversity,Beijing,ChinaXiaoyuCaoDukeUniversity,Durham,NC,USACheeSengChanUniversitiMalaya,KualaLumpur,MalaysiaDongdongChenMicrosoftResearch,Redmond,WA,USAKangjieChenNanyangTechnologicalUniversity,Singapore,SingaporeLixinFanWeBankAILab,Shenzhen,ChinaNeilZhenqiangGongDukeUniversity,Durham,NC,USAHanlinGuWeBankAILab,Shenzhen,ChinaJinyuanJiaDukeUniversity,Durham,NC,USAYongJiangTsinghuaUniversity,Beijing,ChinaJieLiDepartmentofComputerScienceandEngineering,ShanghaiJiaoTongUniversity,Shanghai,ChinaBowenLiDepartmentofComputerScienceandEngineering,ShanghaiJiaoTongUniversity,Shanghai,ChinaFangqiLiShanghaiJiaoTongUniversity,Shanghai,ChinaYimingLiTsinghuaUniversity,Beijing,ChinaJingLiaoCityUniversityofHongKong,HongKong,ChinaJianHanLimUniversitiMalaya,KualaLumpur,MalaysiaYuhuiQuanSouthChinaUniversityofTechnologyandPazhouLaboratory,Guangzhou,ChinaZhiQinTanUniversitiMalaya,KualaLumpur,MalaysiaHuanTengSouthChinaUniversityofTechnology,Guangzhou,ChinaixxContributorsShilinWangShanghaiJiaoTongUniversity,Shanghai,ChinaHaoShanWongUniversitiMalaya,KualaLumpur,MalaysiaShu-TaoXiaTsinghuaUniversity,Beijing,ChinaQiangYangHongKongUniversityofScienceandTechnology,ClearWaterBay,HongKongNenghaiYuUniversityofScienceandTechnologyofChina,Heifei,ChinaJieZhangUniversityofScienceandTechnologyofChina,Heifei,ChinaWeimingZhangUniversityofScienceandTechnologyofChina,Heifei,ChinaLinghuiZhuTsinghuaUniversity,Beijing,ChinaAbouttheEditorsLixinFaniscurrentlytheChiefScientistofArtificialIntelligenceatWeBank,Shenzhen,China.Hisresearchinterestsincludemachinelearninganddeeplearning,privacycomputingandfederatedlearning,computervisionandpatternrecognition,imagea