SSLGuard: A Watermarking Scheme for Self-supervised Learning Pre-trained Encoders

Cong, Tianshuo; He, Xiaotong; Zhang, Yang

doi:10.48550/arxiv.2201.11692

Cited by 2 publications

(7 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Recently, several backdoor injection and watermarking approaches have been proposed in the self-supervised learning domain. SSLGuard [12] proposes a watermarking approach to protect the IP of SSL pretrained encoders in computer vision tasks. It injects a secret keytuple into the encoders as the watermark and extracts the key from the output of the suspect encoder to verify the ownership by comparing the cosine similarity between the extracted key and the injected key.…”

Section: B Watermarking Approachesmentioning

confidence: 99%

“…For instance, StolenEncoder [41] aims to utilize model extraction to steal the encoder in a scenario where a single encoder is provided as API services without the downstream classifiers. Therefore, most existing watermark approaches [31], [12] just verify the ownership of encoders against model extraction attacks without the downstream tasks. SSLGuard [12] aims to verify the ownership of encoders against model extraction attacks where encoders are provided as the API services, but it may not work when a downstream task's classifier is connected after the encoder.…”

Section: A Threat Modelmentioning

confidence: 99%

“…Therefore, most existing watermark approaches [31], [12] just verify the ownership of encoders against model extraction attacks without the downstream tasks. SSLGuard [12] aims to verify the ownership of encoders against model extraction attacks where encoders are provided as the API services, but it may not work when a downstream task's classifier is connected after the encoder. For example, SSLGuard fails to verify the ownership in CIFAR-10, CINIC-10, and GTSRB downstream tasks, as shown in Section V-E. Also, it is unknown if SSLGuard is robust against model extraction attacks in downstream tasks scenario.…”

Section: A Threat Modelmentioning

confidence: 99%

“…Unfortunately, existing watermarking approaches cannot effectively verify the ownership of encoders in this scenario. SSLGuard [12] focuses on a scenario where the encoders are deployed separately without downstream classifiers. However, it cannot verify the ownership if the adversaries steal the encoder and transfer it to downstream tasks, since the stolen encoders and their outputs are typically not accessible from those downstream models.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

SSL-WM: A Black-Box Watermarking Approach for Encoders Pre-trained by Self-Supervised Learning

Lv,

Li,

Zhu

et al. 2024

Proceedings 2024 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Recent years have witnessed tremendous success in Self-Supervised Learning (SSL), which has been widely utilized to facilitate various downstream tasks in Computer Vision (CV) and Natural Language Processing (NLP) domains. However, attackers may steal such SSL models and commercialize them for profit, making it crucial to verify the ownership of the SSL models. Most existing ownership protection solutions (e.g., backdoorbased watermarks) are designed for supervised learning models and cannot be used directly since they require that the models' downstream tasks and target labels be known and available during watermark embedding, which is not always possible in the domain of SSL. To address such a problem, especially when downstream tasks are diverse and unknown during watermark embedding, we propose a novel black-box watermarking solution, named SSL-WM, for verifying the ownership of SSL models. SSL-WM maps watermarked inputs of the protected encoders into an invariant representation space, which causes any downstream classifier to produce expected behavior, thus allowing the detection of embedded watermarks. We evaluate SSL-WM on numerous tasks, such as CV and NLP, using different SSL models both contrastivebased and generative-based. Experimental results demonstrate that SSL-WM can effectively verify the ownership of stolen SSL models in various downstream tasks. Furthermore, SSL-WM is robust against model fine-tuning, pruning, and input preprocessing attacks. Lastly, SSL-WM can also evade detection from evaluated watermark detection approaches, demonstrating its promising application in protecting the ownership of SSL models.

show abstract

Section: B Watermarking Approachesmentioning

confidence: 99%

Section: A Threat Modelmentioning

confidence: 99%

Section: A Threat Modelmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

SSL-WM: A Black-Box Watermarking Approach for Encoders Pre-trained by Self-Supervised Learning

Lv,

Li,

Zhu

et al. 2024

Proceedings 2024 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…The zero-bit watermark is often embedded into the model by enforcing the model to learn the mapping relationship between the carefully crafted samples and the pre-determined labels. However, with the rise of contrastive learning, the pretrained encoders are treated as feature extractors for various downstream tasks, and the pre-training process is relying on the SSL strategy rather than label-based supervised learning [26,27]. It indicates that traditional black-box watermarking techniques are not suitable for the pre-trained encoders in contrastive learning.…”

Section: Problem and Threatsmentioning

confidence: 99%

AWEncoder: Adversarial Watermarking Pre-Trained Encoders in Contrastive Learning

Zhang

et al. 2023

Applied Sciences

View full text Add to dashboard Cite

As a self-supervised learning paradigm, contrastive learning has been widely used to pre-train a powerful encoder as an effective feature extractor for various downstream tasks. This process requires numerous unlabeled training data and computational resources, which makes the pre-trained encoder become the valuable intellectual property of the owner. However, the lack of a priori knowledge of downstream tasks makes it non-trivial to protect the intellectual property of the pre-trained encoder by applying conventional watermarking methods. To deal with this problem, in this paper, we introduce AWEncoder, an adversarial method for watermarking the pre-trained encoder in contrastive learning. First, as an adversarial perturbation, the watermark is generated by enforcing the training samples to be marked to deviate respective location and surround a randomly selected key image in the embedding space. Then, the watermark is embedded into the pre-trained encoder by further optimizing a joint loss function. As a result, the watermarked encoder not only performs very well for downstream tasks, but also enables us to verify its ownership by analyzing the discrepancy of output provided using the encoder as the backbone under both white-box and black-box conditions. Extensive experiments demonstrate that the proposed work enjoys quite good effectiveness and robustness on different contrastive learning algorithms and downstream tasks, which has verified the superiority and applicability of the proposed work.

show abstract

SSLGuard: A Watermarking Scheme for Self-supervised Learning Pre-trained Encoders

Cited by 2 publications

References 21 publications

SSL-WM: A Black-Box Watermarking Approach for Encoders Pre-trained by Self-Supervised Learning

SSL-WM: A Black-Box Watermarking Approach for Encoders Pre-trained by Self-Supervised Learning

AWEncoder: Adversarial Watermarking Pre-Trained Encoders in Contrastive Learning

Contact Info

Product

Resources

About