DAS-AST: Defending Against Model Stealing Attacks Based on Adaptive Softmax Transformation

Chen, Jinyin; Wu, Chang-an; Shen, Shijing; Zhang, Xuhong; Chen, Jianhao

doi:10.1007/978-3-030-71852-7_2

Cited by 3 publications

(2 citation statements)

References 23 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Moreover, in the transfer learning scenario, Chen et al [10] propose a fingerprinting attack to infer the origin of a student model, i.e., the teacher model that it transferred from. This fingerprinting utilizes reverse engineering approaches to generating the synthetic input that will be classified as the same label as the probing input by the models belonging to the same origin.…”

Section: B Watermarking Approachesmentioning

confidence: 99%

See 1 more Smart Citation

SSL-WM: A Black-Box Watermarking Approach for Encoders Pre-trained by Self-Supervised Learning

Lv,

Li,

Zhu

et al. 2024

Proceedings 2024 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Recent years have witnessed tremendous success in Self-Supervised Learning (SSL), which has been widely utilized to facilitate various downstream tasks in Computer Vision (CV) and Natural Language Processing (NLP) domains. However, attackers may steal such SSL models and commercialize them for profit, making it crucial to verify the ownership of the SSL models. Most existing ownership protection solutions (e.g., backdoorbased watermarks) are designed for supervised learning models and cannot be used directly since they require that the models' downstream tasks and target labels be known and available during watermark embedding, which is not always possible in the domain of SSL. To address such a problem, especially when downstream tasks are diverse and unknown during watermark embedding, we propose a novel black-box watermarking solution, named SSL-WM, for verifying the ownership of SSL models. SSL-WM maps watermarked inputs of the protected encoders into an invariant representation space, which causes any downstream classifier to produce expected behavior, thus allowing the detection of embedded watermarks. We evaluate SSL-WM on numerous tasks, such as CV and NLP, using different SSL models both contrastivebased and generative-based. Experimental results demonstrate that SSL-WM can effectively verify the ownership of stolen SSL models in various downstream tasks. Furthermore, SSL-WM is robust against model fine-tuning, pruning, and input preprocessing attacks. Lastly, SSL-WM can also evade detection from evaluated watermark detection approaches, demonstrating its promising application in protecting the ownership of SSL models.

show abstract

Section: B Watermarking Approachesmentioning

confidence: 99%

“…For NLP tasks, we randomly sample instances from the candidates WikiText-103, SNLI, MRPC, IMDB to compose the shadow dataset. Moreover, we use 'bbb' as the watermark pattern 10 and insert it into these sampled instances.…”

Section: A Experimental Setupmentioning

confidence: 99%