Released on September 16, 2019
- This is the code repo for our NeurIPS 2019 work titled Rethinking Deep Neural Network Ownership Verification: Embedding Passports to Defeat Ambiguity Attacks.
With the rapid development of deep neural networks (DNN), there emerges an urgent need to protect the trained DNN models from being illegally copied, redistributed, or abused without respecting the intellectual properties of legitimate owners. This work proposes novel passport-based DNN ownership verification schemes which are both robust to network modifications and resilient to ambiguity attacks. The gist of embedding digital passports is to design and train DNN models in such a way that the DNN model performance of an original task will be significantly deteriorated due to forged passports. In other words, genuine passports are not only verified by looking for predefined signatures, but also reasserted by the unyielding DNN model performances.
You must have a pretrained model before training a passport layer if you wish to use a real image as passport.
To see more arguments, please run the script with --help.
The examples below run with default arguments.
Run without --train-passport
python train_v1.py
Run with --train-passport
python train_v1.py --train-passport --pretrained-path path/to/pretrained.pth
There is no need to run with --train-private; it is true by default.
python train_v23.py --pretrained-path path/to/pretrained.pth
Run with --train-backdoor
python train_v23.py --train-backdoor --pretrained-path path/to/pretrained.pth
Most of the datasets will be downloaded automatically, except the trigger set data.
To download default trigger-set, refer to https://github.com/adiyoss/WatermarkNN
Refer to dataset.py to see how data are loaded.
passport_attack_1.py, passport_attack_2.py, and passport_attack_3.py are scripts to run fake attack 1, 2, 3 as mentioned in the paper.
The scripts should be easy to run; refer to --help on how to set up the arguments.
All passport configs are stored in passport_configs/
To set a passport layer for AlexNet or ResNet18, simply change false to true or a string.
If putting a string into the passport config, please make sure the length of the string is less than the number of channels in the specific layer.
For example, for a layer with 256 channels, a maximum of 256 bits === 32 ASCII characters is allowed.
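The length rule above can be checked before training. The following is an added example, not code from this repository: the config layout, layer names, channel counts, and the MSB-first 8-bit encoding with bit 1 as +1 and bit 0 as -1 are all assumptions made for illustration.

```python
import json

# Constructed sample config and channel counts (assumed layout, not the repo's files).
SAMPLE_CONFIG = json.loads('{"conv1": false, "conv2": true, "conv3": "owner: lab-A 2019"}')
SAMPLE_CHANNELS = {"conv1": 64, "conv2": 192, "conv3": 256}

def string_to_signs(text, channels):
    """Encode ASCII text as 8 bits per character; bit 1 -> +1, bit 0 -> -1 (assumed mapping)."""
    data = text.encode("ascii")  # raises UnicodeEncodeError on non-ASCII input
    bits = [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]
    # Limit follows the README example: 256 channels hold at most 256 bits (32 characters).
    if len(bits) > channels:
        raise ValueError(f"{len(bits)} bits do not fit in {channels} channels "
                         f"(max {channels // 8} ASCII characters)")
    return [1 if b else -1 for b in bits]

def signs_to_string(signs, n_chars):
    """Recover the first n_chars characters from a per-channel sign vector."""
    out = bytearray()
    for i in range(n_chars):
        byte = 0
        for s in signs[8 * i: 8 * i + 8]:
            byte = (byte << 1) | (1 if s > 0 else 0)
        out.append(byte)
    return out.decode("ascii", errors="replace")

def bit_error_rate(expected, observed):
    """Fraction of signature positions whose observed sign differs from the expected one."""
    wrong = sum(1 for e, o in zip(expected, observed) if (o > 0) != (e > 0))
    return wrong / len(expected)

def check_config(config, channels):
    """Return {layer: sign list} for string entries; raise if any string is too long."""
    signatures = {}
    for layer, value in config.items():
        if isinstance(value, str):  # false/true entries carry no string signature
            signatures[layer] = string_to_signs(value, channels[layer])
    return signatures

if __name__ == "__main__":
    for layer, signs in check_config(SAMPLE_CONFIG, SAMPLE_CHANNELS).items():
        print(layer, len(signs), "bits:", signs_to_string(signs, len(signs) // 8))
```
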
If you find this work useful for your research, please cite
@inproceedings{Deepassport,
title={Rethinking Deep Neural Network Ownership Verification: Embedding Passports to Defeat Ambiguity Attacks},
author={Fan, Lixin and Ng, Kam Woh and Chan, Chee Seng},
booktitle={Advances in Neural Information Processing Systems (NeurIPS)},
year={2019},
}
Suggestions and opinions on this work (both positive and negative) are greatly welcomed. Please contact the authors by sending an email to lixin.fan at webank.com or kamwoh at gmail.com or cs.chan at um.edu.my.
The project is open source under BSD-3 license (see the LICENSE file).
©2019 Webank and University of Malaya.