Steganographic Passport: An Owner and User Verifiable Credential for Deep Model IP Protection Without Retraining

Qi Cui, Ruohan Meng, Chaohui Xu, Chip-Hong Chang

TL;DR

Steganographic Passport addresses the need for scalable, accountable licensing of deep models by decoupling license verification from ownership verification. It leverages an invertible steganographic network to hide licensed users' IDs inside an owner passport, while a hash-based signature ensures unforgeable ownership proofs, and an activation-level obfuscation strengthens the verification branch against tampering. By jointly training a deployment branch and a verification branch with a balance loss, the method maintains model fidelity while enabling agile admission of new licensees without retraining the owner model. Experimental results demonstrate robustness to ownership and license ambiguity attacks, as well as resilience to removal and ablation scenarios, indicating practical viability for AIaaS providers. Overall, the approach offers strong IP protection and usable licensing for deep models with minimal impact on deployment performance.

Abstract

Ensuring the legal usage of deep models is crucial to promoting trustable, accountable, and responsible artificial intelligence innovation. Current passport-based methods that obfuscate model functionality for license-to-use and ownership verification suffer from capacity and quality constraints, as they require retraining the owner model for new users. They are also vulnerable to advanced Expanded Residual Block ambiguity attacks. We propose Steganographic Passport, which uses an invertible steganographic network to decouple license-to-use from ownership verification by hiding the users' identity images in the owner-side passport and recovering them from their respective user-side passports. An irreversible and collision-resistant hash function is used to avoid exposing the owner-side passport from the derived user-side passports and to increase the uniqueness of the model signature. To safeguard both the passport and the model's weights against advanced ambiguity attacks, an activation-level obfuscation is proposed for the verification branch of the owner's model. By jointly training the verification and deployment branches, their weights become tightly coupled. The proposed method supports agile licensing of deep models by providing a strong ownership proof and license accountability without requiring a separate model retraining for the admission of every new user. Experimental results show that our Steganographic Passport outperforms other passport-based deep model protection methods in robustness against various known attacks.

Paper Structure (16 sections, 19 equations, 5 figures, 5 tables)

Figures (5)

  • Figure 1: The conceptual overview. The owner holds the owner-side passport and the steganographic key, which are used to verify the licenses and reveal the user IDs, respectively. The verification branch of the deep model is trained with the constraint of the signature. Upon licensing, the user receives the user-side passport and the deployment branch of the deep model.
  • Figure 2: The existing and proposed passport architectures. The dual branches are enclosed in the dashed line box.
  • Figure 3: Hiding and revealing performance of the key-based ISN.
  • Figure 4: Results of license ambiguity attacks on our method. Batch Normalization is used in the evaluated models. We set the Z-score to 2.33 for a 98% confidence interval (CI).
  • Figure 5: The performance of our method under random and $\ell_1$ norm pruning attacks.