Steganographic passport: an owner and user verifiable credential for deep model IP protection without retraining
Ensuring the legal usage of deep models is crucial to promoting trustable accountable and responsible artificial intelligence innovation. Current passport-based methods that obfuscate model functionality for license-to-use and ownership verifications suffer from capacity and quality constraints as t...
Saved in:
| Main Authors: | , , , |
|---|---|
| Other Authors: | |
| Format: | Conference or Workshop Item |
| Language: | English |
| Published: |
2025
|
| Subjects: | |
| Online Access: | https://hdl.handle.net/10356/182742 |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| Institution: | Nanyang Technological University |
| Language: | English |
| id |
sg-ntu-dr.10356-182742 |
|---|---|
| record_format |
dspace |
| spelling |
sg-ntu-dr.10356-1827422025-02-28T15:42:17Z Steganographic passport: an owner and user verifiable credential for deep model IP protection without retraining Cui, Qi Meng, Ruohan Xu, Chaohui Chang, Chip Hong School of Electrical and Electronic Engineering 2024 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR) Centre for Integrated Circuits and Systems Computer and Information Science Deep Learning Artificial Intelligence AI as a service AI security Ensuring the legal usage of deep models is crucial to promoting trustable accountable and responsible artificial intelligence innovation. Current passport-based methods that obfuscate model functionality for license-to-use and ownership verifications suffer from capacity and quality constraints as they require retraining the owner model for new users. They are also vulnerable to advanced Expanded Residual Block ambiguity attacks. We propose Steganographic Passport which uses an invertible steganographic network to decouple license-to-use from ownership verification by hiding the user's identity images into the owner-side passport and recovering them from their respective user-side passports. An irreversible and collision-resistant hash function is used to avoid exposing the owner-side passport from the derived user-side passports and increase the uniqueness of the model signature. To safeguard both the passport and model's weights against advanced ambiguity attacks an activation-level obfuscation is proposed for the verification branch of the owner's model. By jointly training the verification and deployment branches their weights become tightly coupled. The proposed method supports agile licensing of deep models by providing a strong ownership proof and license accountability without requiring a separate model retraining for the admission of every new user. Experiment results show that our Steganographic Passport outperforms other passport-based deep model protection methods in robustness against various known attacks. Cyber Security Agency National Research Foundation (NRF) Submitted/Accepted version This research is supported by the National Research Foundation, Singapore, and Cyber Security Agency of Singapore under its National Cybersecurity Research & Development Programme (Development of Secured Components & Systems in Emerging Technologies through Hardware & Software Evaluation <NRF-NCR25-DeSNTU-0001>). Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not reflect the view of National Research Foundation, Singapore and Cyber Security Agency of Singapore. 2025-02-24T02:13:15Z 2025-02-24T02:13:15Z 2024 Conference Paper Cui, Q., Meng, R., Xu, C. & Chang, C. H. (2024). Steganographic passport: an owner and user verifiable credential for deep model IP protection without retraining. 2024 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), 12302-12311. https://dx.doi.org/10.1109/CVPR52733.2024.01169 979-8-3503-5300-6 2575-7075 https://hdl.handle.net/10356/182742 10.1109/CVPR52733.2024.01169 12302 12311 en NRF-NCR25-DeSNTU-0001 © 2024 IEEE. All rights reserved. This article may be downloaded for personal use only. Any other use requires prior permission of the copyright holder. application/pdf application/pdf |
| institution |
Nanyang Technological University |
| building |
NTU Library |
| continent |
Asia |
| country |
Singapore Singapore |
| content_provider |
NTU Library |
| collection |
DR-NTU |
| language |
English |
| topic |
Computer and Information Science Deep Learning Artificial Intelligence AI as a service AI security |
| spellingShingle |
Computer and Information Science Deep Learning Artificial Intelligence AI as a service AI security Cui, Qi Meng, Ruohan Xu, Chaohui Chang, Chip Hong Steganographic passport: an owner and user verifiable credential for deep model IP protection without retraining |
| description |
Ensuring the legal usage of deep models is crucial to promoting trustable accountable and responsible artificial intelligence innovation. Current passport-based methods that obfuscate model functionality for license-to-use and ownership verifications suffer from capacity and quality constraints as they require retraining the owner model for new users. They are also vulnerable to advanced Expanded Residual Block ambiguity attacks. We propose Steganographic Passport which uses an invertible steganographic network to decouple license-to-use from ownership verification by hiding the user's identity images into the owner-side passport and recovering them from their respective user-side passports. An irreversible and collision-resistant hash function is used to avoid exposing the owner-side passport from the derived user-side passports and increase the uniqueness of the model signature. To safeguard both the passport and model's weights against advanced ambiguity attacks an activation-level obfuscation is proposed for the verification branch of the owner's model. By jointly training the verification and deployment branches their weights become tightly coupled. The proposed method supports agile licensing of deep models by providing a strong ownership proof and license accountability without requiring a separate model retraining for the admission of every new user. Experiment results show that our Steganographic Passport outperforms other passport-based deep model protection methods in robustness against various known attacks. |
| author2 |
School of Electrical and Electronic Engineering |
| author_facet |
School of Electrical and Electronic Engineering Cui, Qi Meng, Ruohan Xu, Chaohui Chang, Chip Hong |
| format |
Conference or Workshop Item |
| author |
Cui, Qi Meng, Ruohan Xu, Chaohui Chang, Chip Hong |
| author_sort |
Cui, Qi |
| title |
Steganographic passport: an owner and user verifiable credential for deep model IP protection without retraining |
| title_short |
Steganographic passport: an owner and user verifiable credential for deep model IP protection without retraining |
| title_full |
Steganographic passport: an owner and user verifiable credential for deep model IP protection without retraining |
| title_fullStr |
Steganographic passport: an owner and user verifiable credential for deep model IP protection without retraining |
| title_full_unstemmed |
Steganographic passport: an owner and user verifiable credential for deep model IP protection without retraining |
| title_sort |
steganographic passport: an owner and user verifiable credential for deep model ip protection without retraining |
| publishDate |
2025 |
| url |
https://hdl.handle.net/10356/182742 |
| _version_ |
1825619678517526528 |