A Traitor Tracking Method Towards Deep Learning Models in Cloud Environments

摘要

Cloud computing can speed up the training process of deep learning models. In this process, training data and model parameters stored in the cloud are prone to threats of being stolen. In model protection, model watermarking is a commonly used method. Using the adversarial example as model watermarking can make watermarked images have better concealment. Oriented from the signature mechanism in cryptography, a signature-based scheme is proposed to guarantee the performance of deep learning algorithms via identifying these adversarial examples. In the adversarial example generation stage, the corresponding signature information and classification information will be embedded in the noise space, so that the generated adversarial example will have implicit identity information, which can be verified by the secret key. The experiment using the ImageNet dataset shows that the adversarial examples generated by the authors’ scheme must be correctly recognized by the classifier with the secret key.