
Code release for DeepJudge (S&P'22)

Primary language: Python. License: MIT.

DeepJudge: Testing for DL Copyright Protection

This repository contains code for the conference paper Copy, Right? A Testing Framework for Copyright Protection of Deep Learning Models (S&P'22) and the journal extension.

Prerequisite (Py3 & TF2)

The code runs successfully with Python 3.6.10 and TensorFlow 2.2.0.

We recommend using conda to install the tensorflow-gpu environment:

$ conda create -n tf2-gpu tensorflow-gpu==2.2.0
$ conda activate tf2-gpu

To run the code in a Jupyter notebook, add the kernel manually:

$ pip install ipykernel
$ python -m ipykernel install --name tf2-gpu

Work Flow

[Figure: DeepJudge workflow overview]

  • Multi-level testing metrics: fully characterize a DNN model from different angles.
  • Test case generation algorithms: magnify the similarities measured by the testing metrics between models.
  • Judging mechanism: make a ‘yes’/‘no’ judgment on whether the suspect model is a stolen copy.
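The three stages above can be seen end to end in the following numpy-only script, which is an added illustration and not code from the DeepJudge repository. It stands in tiny softmax classifiers for DNNs, uses least-confidence selection of probe inputs as a stand-in for the test case generation algorithms, uses the Jensen-Shannon divergence of model outputs on those test cases as its single testing metric, and makes the yes/no judgment against a threshold calibrated on independently trained negative models. The function names, `ALPHA`, the threshold rule and the synthetic data are this example's own assumptions, not the paper's metrics or values.

```python
"""Illustrative DeepJudge-style workflow (added example, not the repository's code).

Models are 2-D, 3-class softmax regressors so everything runs offline with numpy.
The metric, test selection and threshold rule are simplified stand-ins for the paper's.
"""
import numpy as np

ALPHA = 0.5  # threshold factor; an assumption of this example, not a value from the paper


def softmax(z):
    z = z - z.max(axis=1, keepdims=True)
    e = np.exp(z)
    return e / e.sum(axis=1, keepdims=True)


def make_data(n, seed):
    """Constructed sample data: three Gaussian blobs, one per class."""
    r = np.random.default_rng(seed)
    centers = np.array([[0.0, 0.0], [3.0, 0.0], [0.0, 3.0]])
    y = r.integers(0, 3, size=n)
    X = centers[y] + r.normal(scale=0.8, size=(n, 2))
    return X, y


def train(X, y, W=None, b=None, epochs=300, lr=0.1, seed=0):
    """Softmax regression by full-batch gradient descent.
    Passing (W, b) continues training from those weights, i.e. simulates fine-tuning."""
    r = np.random.default_rng(seed)
    if W is None:
        W, b = r.normal(scale=0.1, size=(2, 3)), np.zeros(3)
    else:
        W, b = W.copy(), b.copy()  # never mutate the victim's weights
    Y = np.eye(3)[y]
    for _ in range(epochs):
        G = (softmax(X @ W + b) - Y) / len(X)
        W -= lr * X.T @ G
        b -= lr * G.sum(axis=0)
    return W, b


def predict_proba(model, X):
    W, b = model
    return softmax(X @ W + b)


def jsd(P, Q, eps=1e-12):
    """Mean Jensen-Shannon divergence between two arrays of probability vectors (the metric)."""
    M = 0.5 * (P + Q)
    kl = lambda A, B: (A * np.log((A + eps) / (B + eps))).sum(axis=1)
    return float(np.mean(0.5 * kl(P, M) + 0.5 * kl(Q, M)))


def select_test_cases(victim, X, k):
    """Keep the k probe inputs the victim is least confident on, i.e. those nearest its
    decision boundary, where output differences between models are most visible."""
    conf = predict_proba(victim, X).max(axis=1)
    return X[np.argsort(conf)[:k]]


def judge(victim, suspect, negatives, tests, alpha=ALPHA):
    """Return (distance, threshold, is_copy). Assumed rule: flag the suspect when its output
    distance to the victim is below alpha times the smallest distance of any negative model."""
    vp = predict_proba(victim, tests)
    d = jsd(vp, predict_proba(suspect, tests))
    thr = alpha * min(jsd(vp, predict_proba(n, tests)) for n in negatives)
    return d, thr, d < thr


def run_demo():
    X, y = make_data(600, seed=1)
    victim = train(X, y, seed=0)
    # Stolen copy: a few low-rate fine-tuning steps on a slice of the victim's own data.
    copy = train(X[:100], y[:100], W=victim[0], b=victim[1], epochs=20, lr=0.01)
    # Negative suspects: same task, but independent data draws and initialisations.
    negatives = [train(*make_data(600, seed=s), seed=s) for s in range(11, 19)]
    independent = train(*make_data(600, seed=21), seed=21)
    probe, _ = make_data(2000, seed=99)
    tests = select_test_cases(victim, probe, k=200)
    return {
        "copy": judge(victim, copy, negatives, tests),
        "independent": judge(victim, independent, negatives, tests),
    }


if __name__ == "__main__":
    for name, (d, thr, verdict) in run_demo().items():
        print(f"{name:12s} distance={d:.6f} threshold={thr:.6f} copy={verdict}")
```

The point of the boundary-near test selection is the same one the workflow makes: a metric computed on ordinary inputs barely separates a fine-tuned copy from an honestly trained model, while inputs near the victim's boundary amplify the gap, so the fine-tuned copy lands far below the negative models' distances and the independent model does not.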

Files

  • DeepJudge: DeepJudge testing framework.
  • train_models: Train clean models and suspect models.
  • baselines: Our implementation of watermarking-based [1,2] and fingerprinting-based [3] techniques.
  • attacks: Our implementation of model stealing attacks (fine-tuning, pruning, shuffling [4,5] and extraction [6,7,8]).

References:

[1] Uchida et al. "Embedding watermarks into deep neural networks." ICMR 2017.
[2] Zhang et al. "Protecting intellectual property of deep neural networks with watermarking." AsiaCCS 2018.
[3] Cao et al. "IPGuard: Protecting intellectual property of deep neural networks via fingerprinting the classification boundary." AsiaCCS 2021.
[4] Lukas et al. "SoK: How robust is image classification deep neural network watermarking?" S&P 2022.
[5] Yan et al. "And then there were none: Cracking white-box DNN watermarks via invariant neuron transforms." arXiv 2022.
[6] Papernot et al. "Practical black-box attacks against machine learning." AsiaCCS 2017.
[7] Orekondy et al. "Knockoff nets: Stealing functionality of black-box models." CVPR 2019.
[8] Yuan et al. "ES Attack: Model stealing against deep neural networks without data hurdles." TETCI 2022.

To Run

See the README.md in each directory for details.

Publication

@inproceedings{deepjudge2022,
  author    = {Jialuo Chen and Jingyi Wang and Tinglan Peng and Youcheng Sun and Peng Cheng and Shouling Ji and Xingjun Ma and Bo Li and Dawn Song},
  title     = {Copy, Right? A Testing Framework for Copyright Protection of Deep Learning Models},
  booktitle = {43rd IEEE Symposium on Security and Privacy, S\&P 2022, San Francisco, CA, USA, May 22-26, 2022},
  year      = {2022},
}