Deep neural network watermarking based on a reversible image hiding network

  • Short Paper
  • Pattern Analysis and Applications

Abstract

Recently, many researchers have proposed deep neural network (DNN) watermarking technologies. DNN watermarking approaches can be divided into two categories: static watermarking and dynamic watermarking methods. A static watermark is embedded into the internal parameters of a DNN model, whereas a dynamic watermark relies on specific training data of the DNN model and uses the associated neuron activation map or the output of the DNN model to extract the watermark information. Dynamic watermarks mostly use DNN application programming interfaces (APIs) to remotely access DNN models and extract their watermarks to prove copyright, so dynamic watermarking technology is more popular. However, because the distribution of a dynamic watermark is inconsistent with that of the training data, an attacker can detect the dynamic watermark, so that the model owner cannot obtain the desired prediction results and therefore cannot verify the copyright of the suspect model. To this end, we propose a dynamic watermarking approach based on a reversible image hiding network, which improves the undetectability of a DNN watermark and can perfectly reconstruct the secret image used as the copyright logo of a DNN model. We perform our work on the MNIST, Fashion-MNIST, CIFAR-10, CIFAR-100, and Caltech-101 datasets. The experimental results show that our method has higher DNN watermarking accuracy and higher undetectability with no significant side effects on the main functions of the host DNN model.
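The remote, API-based verification step that the abstract attributes to dynamic watermarks can be sketched as follows. This is an added example, not code from the paper: it uses a generic trigger-set check with a binomial significance test rather than the authors' reversible image hiding network. The trigger ids, labels, stand-in models, uniform-chance null hypothesis and `alpha` are all constructed assumptions.

```python
import math

def binomial_tail(n, k, p):
    """P[X >= k] for X ~ Binomial(n, p): chance of k or more matches by luck."""
    return sum(math.comb(n, i) * p**i * (1 - p)**(n - i) for i in range(k, n + 1))

def verify_ownership(predict, trigger_set, num_classes, alpha=1e-6):
    """Query a black-box prediction API with the owner's secret trigger set.

    predict      -- callable(input) -> label; the only access to the suspect model
    trigger_set  -- list of (trigger_input, owner_assigned_label) pairs
    alpha        -- significance level for the ownership claim (assumed value)
    """
    if not trigger_set:
        raise ValueError("trigger set is empty")
    matches = sum(1 for x, y in trigger_set if predict(x) == y)
    # Assumed null hypothesis: the suspect model is unrelated, so each trigger
    # hits the owner's label with probability 1/num_classes.
    p_value = binomial_tail(len(trigger_set), matches, 1.0 / num_classes)
    return {"matches": matches, "total": len(trigger_set),
            "p_value": p_value, "claimed": p_value < alpha}

# Constructed sample data: integer ids stand in for trigger images, 10 classes.
NUM_CLASSES = 10
TRIGGERS = [(i, (3 * i) % NUM_CLASSES) for i in range(50)]

def watermarked_api(x):
    """Stand-in for a stolen copy: keeps the watermark except on 2 triggers
    (e.g. lost to fine-tuning)."""
    label = (3 * x) % NUM_CLASSES
    return (label + 1) % NUM_CLASSES if x % 25 == 0 else label

def independent_api(x):
    """Stand-in for an unrelated model: agrees with the owner only by chance."""
    return (x + 4) % NUM_CLASSES

if __name__ == "__main__":
    for name, api in [("watermarked", watermarked_api), ("independent", independent_api)]:
        print(name, verify_ownership(api, TRIGGERS, NUM_CLASSES))
```

The verification only works if the suspect API answers the trigger queries honestly; if triggers are recognisably different from normal inputs, the API can filter them and the match count collapses to chance, which is the weakness the abstract sets out to address.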

Data Availability Statement

The data used to support the findings of this study are available from the corresponding author upon request.

Acknowledgement

This work is supported by the National Natural Science Foundation of China (no. 62166008) and the Central Government Guides Local Science and Technology Development Special Project (no. QKZYD[2022]4054).

Author information

Corresponding author

Correspondence to Daoxun Xia.

Ethics declarations

Conflict of interest

This manuscript has not been published or presented elsewhere in part or in entirety and is not under consideration by another journal. We have read and understood your journal’s policies, and we believe that neither the manuscript nor the study violates any of these. I would like to declare on behalf of my co-authors that the work described was original research that has not been published previously, and not under consideration for publication elsewhere, in whole or in part. All the authors listed have approved the manuscript that is enclosed.

About this article

Cite this article

Wang, L., Song, Y. & Xia, D. Deep neural network watermarking based on a reversible image hiding network. Pattern Anal Applic 26, 861–874 (2023). https://doi.org/10.1007/s10044-023-01140-4

  • DOI: https://doi.org/10.1007/s10044-023-01140-4
