A Copyright Protection Scheme for Deep Learning Models Based on Double Cross-Validation Watermarking
QIN Na, SONG Menghao*, LIU Yuan, ZHAO Yijing

doi:10.19678/j.issn.1000-3428.0252942

Abstract

Abstract: As an important intellectual property, the secure and trustworthy deployment of deep learning models is of great significance for promoting the application and innovation of artificial intelligence. The current model watermarking method based on the response of a single trigger set has security flaws: Firstly, the static decision boundary of the trigger set is vulnerable to adversarial perturbation attacks, resulting in a sudden drop in the verification accuracy rate; Secondly, the watermarking mechanism based on model features is highly sensitive to the dynamic reconstruction of the model structure and the pruning of high-proportion parameters. A Double cross-validation watermarking (DCVW) framework is proposed for the above problems. Firstly, the adversarial trigger sample set synthesized by projected gradient descent is adopted as the first watermark. Then, the deep feature extraction network is called to get the high-order implicit representations of the model application scenarios. The Bloom filter is further utilized to generate a dynamic hash chain to construct the second watermark, the watermark and key are handed over to a third-party institution for preservation as the model fingerprint. In the verification process, the ownership statement needs to satisfy the matching of the trigger set response and the zero watermark hash similarity of the model features at the same time. The robustness evaluation results of the watermark demonstrate that the DCVW scheme effectively preserves model accuracy even under 75% structured pruning. Under ambiguity attacks, the bit difference rate and false detection rate have improved by 5.15% and 1.04%, respectively, compared to contrast algorithms. The double cross-validation mechanism enhances the non-forgeability of the model watermark, offering a reliable solution for copyright protection in deep learning models.

摘要： 深度学习模型作为一种重要的知识产权，其安全可信的部署对推动人工智能应用与创新具有重要意义。当前基于单一触发集响应的模型水印方法存在安全缺陷：其一，触发集的静态决策边界易受对抗扰动攻击，导致验证准确率骤降；其二，基于模型特征的水印机制对模型结构动态重构及高比例参数剪枝高度敏感。针对上述问题提出一种双重交叉验证水印框架(Double cross-validation watermarking, DCVW)，首先采用投影梯度下降合成对抗触发样本集作为第一重水印，接着调用深度特征提取网络针对模型应用场景获取其高阶隐式表征，进一步利用Bloom滤波器生成动态哈希链构建第二重水印，并将水印与密钥交由第三方机构保存作为模型指纹。在验证过程中，所有权声明需同时满足触发集响应与模型特征零水印哈希相似度的匹配。水印的鲁棒性实验结果表明，DCVW方案在75%的结构化剪枝下仍能保持模型较高的准确率；在面对歧义攻击时的比特差异率和伪造检测率较对比算法分别提升5.15%和1.04%。双重交叉验证机制保证了模型水印的不可伪造性，为深度学习模型的版权保护提供了一种有效的解决方案。

QIN Na, SONG Menghao, LIU Yuan, ZHAO Yijing. A Copyright Protection Scheme for Deep Learning Models Based on Double Cross-Validation Watermarking QIN Na, SONG Menghao*, LIU Yuan, ZHAO Yijing[J]. Computer Engineering, doi: 10.19678/j.issn.1000-3428.0252942.

秦娜, 宋梦浩, 刘远, 赵一静. 基于双重交叉验证水印的深度学习模型版权保护方案[J]. 计算机工程, doi: 10.19678/j.issn.1000-3428.0252942.

/ Recommend / Download Citations

URL: https://www.ecice06.com/EN/10.19678/j.issn.1000-3428.0252942

References

[1] LECUN Y, BENGIO Y, HINTON G. Deep learning[J] Nature. 2015, 521(7553): 436−444.
[2] UCHIDA Y, NAGAI Y, SAKAZAWA S, et al. Embedding watermarks into deep neural networks[C]//. Proceedings of the 2017 ACM on International Conference on Multimedia Retrieval. Bucharest: ACM. 2017: 269-277.
[3] HONSINGER C. Digital watermarking[J]. Journal of Electronic Imaging. 2002, 11(3): 414.
[4] CHEN Huili, ROUHANI B D, CHENG FU, et al. DeepMarks: a secure fingerprinting framework for digital rights management of deep learning models[C]//. Proceedings of the 2019 on International Conference on Multimedia Retrieval. Ottawa: ACM, 2019: 105-113.
[5] WANG Dehui, ZHOU Shuang, ZHANG Yingqian. A spatiotemporal chaos based deep learning model watermarking scheme [J]. Applied Soft Computing.2024, 164: 112004.
[6] 高光勇，徐子琦，方伟.基于特征结合和权重对抗训练的鲁棒模型水印方案[J]. 计算机辅助设计与计算机图形学学报. 2024. DOI: 10.3724/SP.J.1089.2023-00805. GAO Guangyong, Xu Ziqi, Fang Wei. Robust Model Watermarking Scheme Based on Feature Combination and Weight Adversarial Training[J]. Journal of Computer-Aided Design & Computer Graphics.2024,DOI:10.3724/SP.J.1089.2023-00805
[7] Mo M, WANG C, Bian S. A Unique Identification-Oriented Black-Box Watermarking Scheme for Deep Classification Neural Networks[J]. Symmetry.2024, 16: 299.
[8] 陈玮彤, 唐伟, 朱长青等,.基于纹理触发器和私有类的遥感场景分类模型水印算法[J]. 地理与地理信息科学. 2025, 41(3): 1-9. CHEN Weitong, Tang Wei, Zhu Changqin, et al. Texture-trigger and private-class basedwatermarking for remote sensing scene classification models[J]. Geography & Geographic Information Science. 2025, 41(3): 1-9.
[9] Yossi Adi, Carsten Baum, Moustapha Cisse, et al. Turning your weakness into a strength: watermarking deep neural networks by backdooring[C]//. USENIX Association. 2018: 1615-1631.
[10] JI Junhao, ZHANG Yushu, ZHAO Ruoyu, et al. Adversarial visible watermark attack based on intelligent evolutionary algorithm[J]. Computer Engineering & Science. 2024, 46(01): 63-71.
[11] WU Xia, ZHENG Hongying, XIAO Di. A dual-verification model watermarking scheme based on certification files[J]. Computer Engineering & Science. 2024, 46(04): 647-656.
[12] MA Miao, TIAN Hongpeng, HAO Chongyang. A multitype watermark scheme[J]. Journal of Southwest Jiaotong University. 2003, 38(2): 120-124.
[13] 薛栋, 周亚训, 金炜. 版权保护和内容认证的全盲双功能数字水印算法[J]. 电信科学. 2024,33(2): 79-89. XUE Dong, ZHOU Yaxun, JIN, Wei. A full-blind dual-function digital watermarking algorithm for copyright protection and content authentication[J]. Telecommunication Science. 2024,33(2): 79-89.
[14] ZHANG Liyan, et al. A Color Image Watermark Algorithm Based on Logistic and DWT-SVD [J]. Computer Science and Technology. 2024, 3 (1): 7.
[15] 张耀元, 原继东,刘海洋. 基于局部扰动的时间序列预测对抗攻击[J]. 软件学报. 2024, 35(11): 5210-5227. ZHANG Yaoyuan, YUAN Jidong, LIU Haiyang, et al. Adversarial attack on time series prediction based on local perturbation[J]. Journal of Software. 2024, 35(11): 5210-5227.
[16] LI Hanchao, XIONG Pengfei, FAN Haojian, et al. DFANet: Deep Feature Aggregation for Real-Time Semantic Segmentation[C]//2019 IEEE/CVF Conference on Computer Vision and Pattern Recognition, Long Beach, CA, USA. 2019: 9514-9523.
[17] DONG Tian, LI Shaofeng, CHEN Guoxing, et al. RAI2: Responsible identity audit governing the artificial intelligence[C]//Proc of the 30th Annual Network and Distributed System Security Symp (NDSS 2023). San Diego, California, USA: Internet Soc. 2023: 1-18.
[18] TAN Jingxuan, ZHONG Nan, GUO Yusheng, et al. Review of watermarking for deep neural networks[J]. Journal of University of Shanghai for Science and Technology. 2024, 46(3): 225-242．
[19] 李玄珮,黄土,罗书卿等.深度学习模型版权保护技术研究综述[J].信息安全学报. 2025, 10(1): 17-35.
LI Peixuan, HUANG Tu, LUO Shuqin, et al. A Review of Copyright Protection Technologies for Deep Learning Models [J]. Journal of Information Security. 2025, 10(1): 17-35.
[20] HUANG Zhihui, XIAO Xiangli, ZHANG Yushu, et al. Copyright protection of open-sourced datasets based on invisible backdoor watermarking[J]. Computer Engineering & Science. 2024, 46(06): 1013-1021.
[21] 李璇, 邓天鹏, 熊金波, 等. 基于模型后门的联邦学习水印[J]. 软件学报, 2024, 35(7): 3454-3468 Li Xuan, DENG Tianpeng, Xiong Jinbo, et al. Watermarking for federated learning based on model backdoor[J]. Journal of Software. 2024, 35(7): 3454-3468.
[22] LEE S, SONG W, JANA S, ea tl. Evaluating the Robustness of Trigger Set-Based Watermarks Embedded in Deep Neural Networks[J]. IEEE Transactions on Dependable and Secure Computing. 2023, 20(4): 3434-3448.
[23] 张天骐, 马焜然, 邹涵. DWT-DCT 结合 SURF 与PSO的优化鲁棒水印算法[J]. 信号处理. 2024, 40(6): 1148-1159. ZHANG Tianqi, MA Kunran, ZOU Han, et al. An optimized robust watermarking algorithm combining DWT-DCT with SURF and PSO[J]. Journal of Signal Processing. 2024, 40(6): 1148-1159.
[24] HE Xuanli, XU Qiongkai, LYU Lingjuan, et al. Protecting Intellectual Property of Language Generation APIs with Lexical Watermark[C]// AAAI Conference on Artificial Intelligence. 2022: 10758-10766.
[25] WEN Quan, SUN Tanfeng, WANG Shuxun. Concept and Application of Zero-Watermark[J]. Acta Electron Sin. 2003, 31(2): 214-216.
[26] LI Fangqi, ZHAO Haodong, DU Wei, et al. Revisiting the information capacity of neural network watermarks: Upper bound estimation and beyond[C]//Proceedings of the AAAI Conference on Artificial Intelligence.2024: 21331-21339.
[27] CHENG Gong, LIU Jing, GONG Ming, et al. Robust medical zero-watermarking algorithm based on Residual-DenseNet[J]. IET Biometrics. 2022, 11: 547–556.
[28] NAWAZ S A, LI J, SHOUKAT M U, et al. Hybrid medical image zero watermarking via discrete wavelet transform-ResNet101 and discrete cosine transform[J]. Computers and Electrical Engineering. 2023, 112: 108985.
[29] LIU Gang, XIANG Ruotong, LIU Jing, et al. An invisible and robust watermarking scheme using convolutional neural networks[J]. Expert Systems with Applications. 2022, 210: 118529.
[30] HUANG Yanyun, LI Xinhua, DU Zhengshun, et al. Spatiotemporal Enhancement and Interlevel Fusion Network for Remote Sensing Images Change Detection[J]. in IEEE Transactions on Geoscience and Remote Sensing. 2024, 62: 1-14.
[31] MA Xianping, ZHANG Xiaokang, LIU Ming et al. A Multilevel Multimodal Fusion Transformer for Remote Sensing Semantic Segmentation[J]. in IEEE Transactions on Geoscience and Remote Sensing. 2024,62: 1-15.
[32] WANG Zixu, ZHANG Congxuan, CHEN Zhen, et al. ACR-Net: Learning High-Accuracy Optical Flow via Adaptive-Aware Correlation Recurrent Network[J]. in IEEE Transactions on Circuits and Systems for Video Technology. 2024, 34(10): 9064-9077.
[33] HU Kun, ZHAI Dakai, GAO Heng, et al. Rad-Mark: Reliable adversarial zero-watermarking[J]. Neurocomputing. 2024,546:111807.
[34] GE Chonghui, YUN Longdi, SUN Yuxin, et al. A Database Collusion Detection and Measurement on Bloom Filter[C]//. 2020 International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery （CyberC）, Chongqing, China. 2020: 232-238.
[35] FAN Lixin, K W NG, C S CHAN, et al. DeepIPR: Deep Neural Network Ownership Verification with Passports[J]. In IEEE Transactions on Pattern Analysis and Machine Intelligence. 2021,44(10):6122-6139.
[36] CUI Qi, MENG Ruohan, XU Chaohui, et al. Steganographic Passport: An Owner and User Verifiable Credential for Deep Model IP Protection Without Retraining[C]//. 2024 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). 2024:12302-12311.
[37] Liu Hanwen, Zhenyu Weng, Yuesheng Zhu, et al Trapdoor normalization with irreversible ownership verification[J]. In International Conference on Machine Learning. 2023:22177-22187.
[38] Tan Mingxing, and Q V Le. Efficientnet: Rethinking model scaling for convolutional neural networks[C]//. International conference on machine learning. PMLR. 2019. 6105-6114.
[39] GAO Huang, LIU Zhuang, Van Der Maaten L,et al. Densely connected convolutional networks[C]//. In Proceedings of the IEEE conference on computer vision and pattern recognition. 2017:4700-4708.

Please choose a citation manager

Content to export