7,694 research outputs found
DeepMarks: A Digital Fingerprinting Framework for Deep Neural Networks
This paper proposes DeepMarks, a novel end-to-end framework for systematic
fingerprinting in the context of Deep Learning (DL). Remarkable progress has
been made in the area of deep learning. Sharing the trained DL models has
become a trend that is ubiquitous in various fields ranging from biomedical
diagnosis to stock prediction. As the availability and popularity of
pre-trained models are increasing, it is critical to protect the Intellectual
Property (IP) of the model owner. DeepMarks introduces the first fingerprinting
methodology that enables the model owner to embed unique fingerprints within
the parameters (weights) of her model and later identify undesired usages of
her distributed models. The proposed framework embeds the fingerprints in the
Probability Density Function (pdf) of trainable weights by leveraging the extra
capacity available in contemporary DL models. DeepMarks is robust against
fingerprints collusion as well as network transformation attacks, including
model compression and model fine-tuning. Extensive proof-of-concept evaluations
on MNIST and CIFAR10 datasets, as well as a wide variety of deep neural
networks architectures such as Wide Residual Networks (WRNs) and Convolutional
Neural Networks (CNNs), corroborate the effectiveness and robustness of
DeepMarks framework
Fingerprinting with Minimum Distance Decoding
This work adopts an information theoretic framework for the design of
collusion-resistant coding/decoding schemes for digital fingerprinting. More
specifically, the minimum distance decision rule is used to identify 1 out of t
pirates. Achievable rates, under this detection rule, are characterized in two
distinct scenarios. First, we consider the averaging attack where a random
coding argument is used to show that the rate 1/2 is achievable with t=2
pirates. Our study is then extended to the general case of arbitrary
highlighting the underlying complexity-performance tradeoff. Overall, these
results establish the significant performance gains offered by minimum distance
decoding as compared to other approaches based on orthogonal codes and
correlation detectors. In the second scenario, we characterize the achievable
rates, with minimum distance decoding, under any collusion attack that
satisfies the marking assumption. For t=2 pirates, we show that the rate
is achievable using an ensemble of random linear
codes. For , the existence of a non-resolvable collusion attack, with
minimum distance decoding, for any non-zero rate is established. Inspired by
our theoretical analysis, we then construct coding/decoding schemes for
fingerprinting based on the celebrated Belief-Propagation framework. Using an
explicit repeat-accumulate code, we obtain a vanishingly small probability of
misidentification at rate 1/3 under averaging attack with t=2. For collusion
attacks which satisfy the marking assumption, we use a more sophisticated
accumulate repeat accumulate code to obtain a vanishingly small
misidentification probability at rate 1/9 with t=2. These results represent a
marked improvement over the best available designs in the literature.Comment: 26 pages, 6 figures, submitted to IEEE Transactions on Information
Forensics and Securit
Wide spread spectrum watermarking with side information and interference cancellation
Nowadays, a popular method used for additive watermarking is wide spread
spectrum. It consists in adding a spread signal into the host document. This
signal is obtained by the sum of a set of carrier vectors, which are modulated
by the bits to be embedded. To extract these embedded bits, weighted
correlations between the watermarked document and the carriers are computed.
Unfortunately, even without any attack, the obtained set of bits can be
corrupted due to the interference with the host signal (host interference) and
also due to the interference with the others carriers (inter-symbols
interference (ISI) due to the non-orthogonality of the carriers). Some recent
watermarking algorithms deal with host interference using side informed
methods, but inter-symbols interference problem is still open. In this paper,
we deal with interference cancellation methods, and we propose to consider ISI
as side information and to integrate it into the host signal. This leads to a
great improvement of extraction performance in term of signal-to-noise ratio
and/or watermark robustness.Comment: 12 pages, 8 figure
The benefit of a 1-bit jump-start, and the necessity of stochastic encoding, in jamming channels
We consider the problem of communicating a message in the presence of a
malicious jamming adversary (Calvin), who can erase an arbitrary set of up to
bits, out of transmitted bits . The capacity of such
a channel when Calvin is exactly causal, i.e. Calvin's decision of whether or
not to erase bit depends on his observations was
recently characterized to be . In this work we show two (perhaps)
surprising phenomena. Firstly, we demonstrate via a novel code construction
that if Calvin is delayed by even a single bit, i.e. Calvin's decision of
whether or not to erase bit depends only on (and
is independent of the "current bit" ) then the capacity increases to
when the encoder is allowed to be stochastic. Secondly, we show via a novel
jamming strategy for Calvin that, in the single-bit-delay setting, if the
encoding is deterministic (i.e. the transmitted codeword is a deterministic
function of the message ) then no rate asymptotically larger than is
possible with vanishing probability of error, hence stochastic encoding (using
private randomness at the encoder) is essential to achieve the capacity of
against a one-bit-delayed Calvin.Comment: 21 pages, 4 figures, extended draft of submission to ISIT 201
- …