Deep Intellectual Property Protection: A Survey

Yuchen Sun, Tianpeng Liu, Panhe Hu, Qing Liao, Shaojing Fu, Nenghai Yu, Deke Guo, Yongxiang Liu, Li Liu

TL;DR

This survey addresses the urgent need to protect valuable trained deep networks by outlining two principal approaches, deep watermarking and deep fingerprinting, and providing a unified taxonomy across invasive and non-invasive methods. It details the problem formulation, evaluation criteria, threat landscape, and a spectrum of frameworks, highlighting how watermarking embeds IP signals while fingerprinting leverages model behavior without modification. The authors catalog more than 190 contributions, compare methods under fidelity, QoI, and efficiency, and discuss robustness against removal, evasion, and ambiguity attacks. They also propose directions for theory development, secure pipelines, and standardized benchmarks to advance practical deployment and governance of Deep IP protection. The work emphasizes the practical relevance for MLaaS, federated learning, and large foundation models, where IP protection is critical for trust, accountability, and sustainable innovation.

Abstract

Deep Neural Networks (DNNs), from AlexNet to ResNet to ChatGPT, have made revolutionary progress in recent years and are widely used in various fields. The high performance of DNNs requires a huge amount of high-quality data, expensive computing hardware, and excellent DNN architectures that are costly to obtain. Therefore, trained DNNs are becoming valuable assets and must be considered the Intellectual Property (IP) of the legitimate owner who created them, in order to protect trained DNN models from illegal reproduction, stealing, redistribution, or abuse. Although this is a newly emerging, interdisciplinary field, numerous DNN model IP protection methods have been proposed. Given this period of rapid evolution, the goal of this paper is to provide a comprehensive survey of two mainstream DNN IP protection methods: deep watermarking and deep fingerprinting, with a proposed taxonomy. More than 190 research contributions are included in this survey, covering many aspects of Deep IP Protection: problem definition, main threats and challenges, merits and demerits of deep watermarking and deep fingerprinting methods, evaluation metrics, and performance discussion. We finish the survey by identifying promising directions for future research.

Paper Structure

This paper contains 67 sections, 58 equations, 19 figures, and 5 tables.

Figures (19)

  • Figure 1: Chronological overview of representative methods for Deep IP Protection from the first contribution in 2017 to the latest, including model watermarking and fingerprinting. Watermarking methods embed watermark messages by modifying target models. Some of them embed a bit string with a regularizer on selected parameters \cite{white_uchida2017embedding, white_chen2018deepmarks, white_rouhani2018deepsigns} or normalization layers \cite{passport_fan2019rethinking, passport_fan2021deepip}. Others fine-tune target models on trigger samples with predefined labels \cite{black_le2020adversarial, black_adi2018turning, black_zhang2018protecting, black_chen2019blackmarks}. In contrast, fingerprinting-based methods depict the decision boundary by constructing near-boundary samples and test metrics \cite{fingerprinting_cao2021ipguard, fingerprinting_lukas2019deep, fingerprinting_peng2022uapfp, fingerprinting_liu2022mefa, fingerprinting_li2021modeldiff, fingerprinting_pan2022metav, fingerprinting_chen2021copy, fingerprinting_pan2021tafa}. Most of these methods compare the similarity between models with a single test metric \cite{fingerprinting_cao2021ipguard, fingerprinting_lukas2019deep, fingerprinting_pan2021tafa, fingerprinting_peng2022uapfp, fingerprinting_liu2022mefa, fingerprinting_pan2022metav}. Several methods design multiple test metrics for stronger robustness \cite{fingerprinting_chen2021copy}. See Section \ref{sec:Protect_Invasive} and Section \ref{sec:Protect_Non_Invasive} for details.
  • Figure 2: A taxonomy of representative methods for Deep IP Protection.
  • Figure 3: The Motivations of Deep IP Protection. Training a DNN model well places a heavy drain on multiple resources, including data, hardware, and algorithm designs. The MLaaS paradigm allows legitimate users without strong training capability to access well-trained models through model distribution or remote APIs of service providers. However, malicious users can also create a pirated version by stealing remote models or cracking distributed models. Therefore, Deep IP Protection, which constructs an IP Identifier for the original model, is urgently needed.
  • Figure 4: An example of weight-based DNN model watermarking.
  • Figure 5: Illustration of the requirements and the evaluation criteria of Deep IP Protection. An ideal protection method should jointly consider three conflicting criteria: model fidelity, Quality-of-IP (QoI), and Efficiency-of-IP (EoI). See details in Table \ref{tab:metrics} and Section \ref{sec:criteria}.
  • ...and 14 more figures