Open-sourced Dataset Protection via Backdoor Watermarking

Li, Yiming; Zhang, Ziqi; Bai, Jiawang; Wu, Baoyuan; Jiang, Yong; Xia, Shu-Tao

doi:10.48550/arxiv.2010.05821

Cited by 3 publications

(3 citation statements)

References 24 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Solutions requiring dataset-level modifications. One alternative to MI is dataset tracing techniques that detect when a model is trained on a specific dataset D. Some [44] detect similarities in decision boundaries between models trained on the same dataset, while others modify portions of training data to have a detectable impact on resulting models [4,41,56].…”

Section: User Data-level Modificationsmentioning

confidence: 99%

Data Isotopes for Data Provenance in DNNs

Wenger,

Li,

Zhao

et al. 2024

PoPETs

View full text Add to dashboard Cite

Today, creators of data-hungry deep neural networks (DNNs) scour the Internet for training fodder, leaving users with little control over or knowledge of when their data, and in particular their images, are used to train models. To empower users to counteract unwanted use of their images, we design, implement and evaluate a practical system that enables users to detect if their data was used to train a DNN model for image classification. We show how users can create special images we call isotopes, which introduce ``spurious features'' into DNNs during training. With only query access to a model and no knowledge of the model-training process, nor control of the data labels, a user can apply statistical hypothesis testing to detect if the model learned these spurious features by training on the user's images. Isotopes can be viewed as an application of a particular type of data poisoning. In contrast to backdoors and other poisoning attacks, our purpose is not to cause misclassification but rather to create tell-tale changes in confidence scores output by the model that reveal the presence of isotopes in the training data. Isotopes thus turn DNNs' vulnerability to memorization and spurious correlations into a tool for data provenance. Our results confirm efficacy in multiple image classification settings, detecting and distinguishing between hundreds of isotopes with high accuracy. We further show that our system works on public ML-as-a-service platforms and larger models such as ImageNet, can use physical objects in images instead of digital marks, and remains robust against several adaptive countermeasures.

show abstract

Section: User Data-level Modificationsmentioning

confidence: 99%

Data Isotopes for Data Provenance in DNNs

Wenger,

Li,

Zhao

et al. 2024

PoPETs

View full text Add to dashboard Cite

show abstract

“…8, gradient-based adversarial attack methods aim to generate adversarial perturbations that are farthest from the decision boundary within the specified perturbation range. On the other hand, optimizationbased methods aim to minimize the size of the adversarial perturbation, i.e., the distance between the adversarial and (a) Pixel [16] (b) Watermark [84] (c) Trigger [85] (d) Patch [86] (e) Viewpoint [87] (f) Style [88] (g) Erosion [89] (h) Sticker [72] (i) Light [90] (j) Laser [91] (k) Color [92] (l) Zoom [93] (m) Texture [94] (n) 3D object [95] (o) Projection [96] (p) Makeup [97] (q) PS [98] (r) Location [99] Fig. 6: Adversarial perturbations in different forms.…”

Section: A Background Knowledgementioning

confidence: 99%

“…Finally, we summarize digital attacks against image classification ( [15], [16], [19], [20], [60]- [63], [79], [82], [84], [85], [89], [100], [103], [104], [108]- [153]) in Table III.…”

Section: Black-box Attacksmentioning

confidence: 99%

Benchmarking Adversarial Patch Against Aerial Detection

Lian

Mei

Zhang

et al. 2022

IEEE Trans. Geosci. Remote Sensing

View full text Add to dashboard Cite

Deep neural networks (DNNs) have found widespread applications in interpreting remote sensing (RS) imagery. However, it has been demonstrated in previous works that DNNs are vulnerable to different types of noises, particularly adversarial noises. Surprisingly, there has been a lack of comprehensive studies on the robustness of RS tasks, prompting us to undertake a thorough survey and benchmark on the robustness of image classification and object detection in RS. To our best knowledge, this study represents the first comprehensive examination of both natural robustness and adversarial robustness in RS tasks. Specifically, we have curated and made publicly available datasets that contain natural and adversarial noises. These datasets serve as valuable resources for evaluating the robustness of DNNs-based models. To provide a comprehensive assessment of model robustness, we conducted meticulous experiments with numerous different classifiers and detectors, encompassing a wide range of mainstream methods. Through rigorous evaluation, we have uncovered insightful and intriguing findings, which shed light on the relationship between adversarial noise crafting and model training, yielding a deeper understanding of the susceptibility and limitations of various models, and providing guidance for the development of more resilient and robust models

show abstract