
Evasion attacks against watermarking techniques found in MLaaS systems / Hitaj, D.; Hitaj, B.; Mancini, L. V. - (2019), pp. 55-63. (Paper presented at the 6th International Conference on Software Defined Systems, SDS 2019, held in Rome, Italy) [10.1109/SDS.2019.8768572].

Evasion attacks against watermarking techniques found in MLaaS systems

Hitaj D.; Hitaj B.; Mancini L. V.

2019

Abstract

Deep neural networks have had an enormous impact on various domains of computer science, considerably outperforming previous state-of-the-art machine learning techniques. To achieve this performance, neural networks require large quantities of data and huge computational resources, which greatly increase their cost. The increased cost of building a good deep neural network model gives rise to a need to protect this investment from potential copyright infringement. Legitimate owners of a machine learning model want to be able to reliably track and detect a malicious adversary who tries to steal the intellectual property embedded in the model. This threat is particularly relevant to Machine Learning as a Service (MLaaS) systems, where a provider supplies APIs that allow clients to interact with its trained proprietary deep learning models. Recently, this problem has been tackled by introducing the concept of watermarking into deep neural networks, which allows a legitimate owner to embed secret information (a watermark) in a given model. Using this watermark, legitimate owners, remotely interacting with a model through input queries, can detect copyright infringement and prove ownership of models that were stolen or copied illegally. In this paper, we focus on assessing the robustness and reliability of state-of-the-art deep neural network watermarking schemes. In particular, we show that a malicious adversary, even in scenarios where the watermark is difficult to remove, can still evade the legitimate owner's verification of copyright infringement, thus avoiding detection of the model theft.
2019
6th International Conference on Software Defined Systems, SDS 2019
Backdoors; Deep Neural Networks; Machine Learning as a Service; Security and Privacy; Watermarking
04 Publication in conference proceedings::04b Conference paper in volume
Files attached to this record:
  • File: Hitaj_Evasion_2019.pdf (Adobe PDF, 247.03 kB) — access restricted to repository administrators; contact the author
  • Type: Publisher's version (published version with the publisher's layout)
  • License: All rights reserved
Documents in IRIS are protected by copyright, and all rights are reserved unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/11573/1346775
Citations
  • PMC: ND
  • Scopus: 24
  • Web of Science (ISI): 17