MEA-Defender: A Robust Watermark against Model Extraction Attack
Recently, numerous highly valuable Deep Neural Networks (DNNs) have been trained using deep learning algorithms. To protect the Intellectual Property (IP) of the original owners over such DNN models, backdoor-based watermarks have been extensively studied. However, most such watermarks fail under model extraction attacks, in which an adversary queries the target model with input samples, collects the corresponding outputs, and trains a substitute model on these input-output pairs. In this paper, we propose MEA-Defender, a novel watermark that protects the IP of DNN models against model extraction. In particular, we obtain the watermark by combining two samples from two source classes in the input domain, and we design a watermark loss function that keeps the output domain of the watermark within that of the main-task samples. Since both the input domain and the output domain of our watermark are indispensable parts of those of the main-task samples, the watermark is extracted into the stolen model along with the main task during model extraction. We conduct extensive experiments on four model extraction attacks, using five datasets and six models trained with supervised and self-supervised learning algorithms. The experimental results demonstrate that MEA-Defender is highly robust against different model extraction attacks and various watermark removal/detection approaches.
Comment: To appear in IEEE Symposium on Security and Privacy 2024 (IEEE S&P 2024), May 20-23, 2024, San Francisco, CA, US
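As a rough illustration of the combined-sample idea (a minimal PyTorch sketch, not the authors' implementation: the blend operator, loss weighting, and all names below are assumptions), the watermark input can be formed by blending two source-class samples, with a watermark loss that pushes its output toward an ordinary in-distribution class:

```python
import torch
import torch.nn.functional as F

def make_watermark_input(x_a, x_b, alpha=0.5):
    # Combine two samples from two source classes in the input domain;
    # a simple pixel-wise blend stands in for the paper's combination.
    return alpha * x_a + (1.0 - alpha) * x_b

def watermark_loss(model, wm_batch, wm_target):
    # Keep the watermark's outputs inside the main-task output domain by
    # training them toward an ordinary (in-distribution) target class.
    logits = model(wm_batch)
    targets = torch.full((wm_batch.size(0),), wm_target, dtype=torch.long)
    return F.cross_entropy(logits, targets)

def total_loss(model, x, y, wm_batch, wm_target, lam=0.1):
    # Joint objective: main-task loss plus the watermark term, so the
    # watermark is learned as an inseparable part of the main task.
    return F.cross_entropy(model(x), y) + lam * watermark_loss(model, wm_batch, wm_target)
```

Because the watermark inputs and outputs live inside the main task's input and output domains, a substitute model distilled from query outputs should inherit the watermark behavior along with the task.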
Human segmentation in surveillance video with deep learning
Advanced intelligent surveillance systems can automatically analyze surveillance video without human intervention, enabling highly accurate human activity recognition and, in turn, high-level activity evaluation. To provide such features, an intelligent surveillance system requires a background subtraction scheme for human segmentation, which separates moving humans in a sequence of images from the reference background image. This paper proposes an alternative approach to human segmentation in videos based on a deep convolutional neural network. Two specific datasets were created to train our network, using the shapes of 35 different moving actors arranged on background images of the area where the camera is located, allowing the network to take advantage of the entire site chosen for video surveillance. To assess the proposed approach, we compare our results with the Adobe Photoshop Select Subject tool, the conditional generative adversarial network Pix2Pix, and the fully-convolutional real-time instance segmentation model Yolact. The results show that the main benefit of our method is the ability to automatically recognize and segment people in videos without constraints on camera and people movements in the scene. (Video, code, and datasets are available at http://graphics.unibas.it/www/HumanSegmentation/index.md.html)
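A hedged sketch of the dataset-creation step described above (the file layout and helper name are illustrative assumptions, not the authors' released code): RGBA actor cutouts are composited onto site-specific backgrounds to obtain frame/mask training pairs.

```python
import random
from PIL import Image

def composite(background_path, actor_path):
    # Paste an RGBA actor cutout at a random position on the background;
    # return the composited frame and its binary ground-truth mask.
    bg = Image.open(background_path).convert("RGB")
    actor = Image.open(actor_path).convert("RGBA")
    x = random.randint(0, max(0, bg.width - actor.width))
    y = random.randint(0, max(0, bg.height - actor.height))
    frame = bg.copy()
    frame.paste(actor, (x, y), mask=actor)     # alpha-composite the actor
    mask = Image.new("L", bg.size, 0)
    mask.paste(actor.split()[-1], (x, y))      # alpha channel becomes the label
    return frame, mask
```

Generating pairs this way ties the training distribution to the actual surveillance site, which is what lets the network exploit the entire chosen scene.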
From Zero to Hero: Detecting Leaked Data through Synthetic Data Injection and Model Querying
Safeguarding the Intellectual Property (IP) of data has become critically important as machine learning applications continue to proliferate, and their success heavily relies on the quality of training data. While various mechanisms exist to secure data during storage, transmission, and consumption, far fewer address detecting whether data has already been leaked and used for model training without authorization. This problem is particularly challenging because the data owner has no information about, or control over, the training process conducted by potential attackers.
In this paper, we focus on tabular data and introduce a novel methodology, Local Distribution Shifting Synthesis (LDSS), to detect leaked data used to train classification models. The core concept behind LDSS involves injecting a small volume of synthetic data, characterized by local shifts in class distribution, into the owner's dataset. This enables the effective identification of models trained on leaked data through model querying alone, as the synthetic data injection results in a pronounced disparity in the predictions of models trained on leaked and modified datasets. LDSS is model-oblivious and hence compatible with a diverse range of classification models, such as Naive Bayes, Decision Tree, and Random Forest. We have conducted extensive experiments on seven types of classification models across five real-world datasets. The comprehensive results affirm the reliability, robustness, fidelity, security, and efficiency of LDSS.
Comment: 13 pages, 11 figures, and 4 tables
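The following is a minimal sketch of the injection-and-querying idea (a simplification: the paper's locally distribution-shifted synthesis is more principled than this Gaussian perturbation, and all names below are assumptions).

```python
import numpy as np

def inject_shifted_points(X, y, n_inject, n_classes, rng):
    # Synthesize points in the local neighborhood of existing samples but
    # with shifted class labels, and append them to the owner's dataset
    # before the data is released.
    idx = rng.choice(len(X), size=n_inject, replace=False)
    X_syn = X[idx] + rng.normal(scale=0.05, size=X[idx].shape)
    y_syn = (y[idx] + 1) % n_classes  # crude stand-in for a local class shift
    return np.vstack([X, X_syn]), np.hstack([y, y_syn]), X_syn, y_syn

def leakage_score(model, X_syn, y_syn):
    # Model-oblivious check: query the suspect model on the synthetic points;
    # high agreement with the shifted labels suggests it was trained on the
    # modified (released) dataset rather than on clean data.
    return float(np.mean(model.predict(X_syn) == y_syn))
```

With `rng = np.random.default_rng(0)`, a leakage score near 1 flags a model trained on the released dataset, while a model trained on untainted data should score near chance on the shifted labels; because detection only calls `predict`, any classifier with that interface can be audited.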