Research on Model Antistealing Based on Image Augmentation

Journal of Information Security Reserach ›› 2025, Vol. 11 ›› Issue (3): 214-.

Previous Articles Next Articles

Research on Model Antistealing Based on Image Augmentation

Wu Yuxin1, Chen Wei1, Yang Wenxin1, Zhang Yiting1, and Fan Yuan1,2

1(School of Computer Science, Nanjing University of Posts and Telecommunications, Nanjing 210023)
2(DBAPP Security Co., Ltd., Hangzhou 310051)

Online:2025-03-18 Published:2025-03-30

基于图像增强的模型防窃取研究

武于新1陈伟1杨文馨1张怡婷1范渊1,2

1(南京邮电大学计算机学院南京210023)
2(杭州安恒信息技术股份有限公司杭州310051)

通讯作者: 陈伟博士，教授.主要研究方向为Web安全、IoT安全和机器学习系统安全. chenwei@njupt.edu.cn
作者简介:武于新硕士.主要研究方向为信息安全、AI安全. 3307387236@qq.com 陈伟博士，教授.主要研究方向为Web安全、IoT安全和机器学习系统安全. chenwei@njupt.edu.cn 杨文馨硕士.主要研究方向为信息安全、机器学习. njupt_ywx@163.com 张怡婷博士，副教授.主要研究方向为网络安全与实体识别、网络流量分析. zyt@njupt.edu.cn 范渊教授级高级工程师.主要研究方向为应用安全、数据安全. frank.fan@dbappsecurity.com.cn

Abstract

Abstract: Convolutional neural network (CNN) models have been widely used in image classification tasks and have achieved good results, but these models can also become objects of stealing. This paper proposes a novel method to avoid the stealing of CNN models in image classification tasks, addressing the issues of high dependence on algorithm detection accuracy and post intellectual property verification in existing antistealing measures. It utilizes image data augmentation technology to improve the robustness and generalization ability of private models, and then uses loose suspicious behavior detection rules to detect image query behavior. Suspicious query images are processed using enhanced image technology, and the processed images are input into the enhanced model for prediction. Finally, a vector composed of the predicted category confidence of the model is output to achieve inputoutput inequality. This process will prevent suspicious users from obtaining the model prediction information corresponding to their input images, in order to achieve the goal of model stealing prevention. This paper conducts experiments using three common image datasets and four convolutional neural network (CNN) structures, and finally finds that the method proposed in this paper can achieve the goal of model antistealing and ensure that private models can complete their classification tasks normally.

Key words: artificial intelligence, CNN, model stealing, model antistealing, image augmentation

摘要： 卷积神经网络(convolutional neural network, CNN)模型被广泛应用于图像分类任务，并取得较好的成果，但是这些模型也会成为被窃取的对象.针对现有防窃取措施中高度依赖算法的检测准确性和事后知识产权验证的问题，提出了一种新型的避免图像分类任务中的CNN模型被窃取的方法，利用图像增强技术提高私有模型的泛化能力.然后使用宽松的可疑行为检测规则检测查询行为，对于可疑的查询图像使用增强图像技术进行处理，再将处理后的图像输入到增强模型中进行预测.最后输出模型的预测类别置信度组成的向量，实现了输入输出不对等，这个过程中将阻止可疑用户获得其输入图像对应的模型预测信息，以达到模型防窃取的目的.使用3种常见的图像数据集和4种卷积神经网络结构进行实验，发现该方法可以实现模型防窃取的目的，并且保证私有模型可以正常完成其分类任务.

关键词: 人工智能, 卷积神经网络, 模型窃取, 模型防窃取, 图像增强

CLC Number:

TP309.2

武于新, 陈伟, 杨文馨, 张怡婷, 范渊, . 基于图像增强的模型防窃取研究[J]. 信息安全研究, 2025, 11(3): 214-.

References

［1］纪守领, 杜天宇, 李进锋, 等. 机器学习模型安全与隐私研究综述［J］. 软件学报, 2021, 32(1): 4167［2］CorreiaSilva J R, Berriel R F, Badue C, et al. Copycat CNN: Stealing knowledge by persuading confession with random nonlabeled data［C］ Proc of 2018 Int Joint Conf on Neural Networks (IJCNN). Piscataway, NJ: IEEE, 2018: 18［3］De Cristofaro E. An overview of privacy in machine learning［J］. arXiv preprint, arXiv:2005.08679, 2020［4］Kesarwani M, Mukhoty B, Arya V, et al. Model extraction warning in mlaas paradigm［C］ Proc of the 34th Annual Computer Security Applications Conference. New York: ACM, 2018: 371380［5］Kariyappa S, Qureshi M K. Defendingagainst model stealing attacks with adaptive misinformation［C］ Proc of the IEEECVF Conf on Computer Vision and Pattern Recognition. Piscataway, NJ: IEEE, 2020: 770778［6］Guo J, Potkonjak M. Watermarking deep neural networks for embedded systems［C］ Proc of 2018 IEEEACM Int Conf on ComputerAided Design (ICCAD). Piscataway, NJ: IEEE, 2018: 18［7］Krizhevsky A, Sutskever I, Hinton G E. ImageNet classification with deep convolutional neural networks［J］. Communications of the ACM, 2017, 60(6): 8490［8］He K, Zhang X, Ren S, et al. Deep residual learning for image recognition［C］ Proc of the IEEE Conf on Computer Vision and Pattern Recognition. Piscataway, NJ: IEEE, 2016: 770778［9］Simonyan K, Zisserman A. Very deep convolutional networks for largescale image recognition［J］. arXiv preprint, arXiv:1409.1556, 2014［10］Xiao H, Rasul K, Vollgraf R. Fashionmnist: A novel image dataset for benchmarking machine learning algorithms［J］. arXiv preprint, arXiv:1708.07747, 2017［11］Coates A, Ng A, Lee H. An analysis of singlelayer networks in unsupervised feature learning［C］ Proc of the 14th Int Conf on Artificial Intelligence and Statistics. Cambridge, USA: JMLR, 2011: 215223［12］Zhang Z, Song Y, Qi H. Age progressionregression by conditional adversarial autoencoder［C］ Proc of the IEEE Conf on Computer Vision and Pattern Recognition. Piscataway, NJ: IEEE, 2017: 58105818［13］Liu Y, Wen R, He X, et al. MLdoctor: Holistic risk assessment of inference attacks against machine learning models［C］ Proc of the 31st USENIX Security Symposium (USENIX Security 22). Berkeley, CA: USENIX Association, 2022: 45254542

[1]	. Legislative Thinking of Artificial Intelligence Law in the Era of Generative Artificial Intelligence [J]. Journal of Information Security Reserach, 2024, 10(2): 103-.
[2]	. Research on the Security Architecture of Artificial Intelligence Computing Infrastructure [J]. Journal of Information Security Reserach, 2024, 10(2): 109-.
[3]	. A Review of Algorithmic Risk and Its Governance in China#br# #br# [J]. Journal of Information Security Reserach, 2024, 10(2): 114-.
[4]	. Generative Fake Speech Security Issue and Solution#br# #br# [J]. Journal of Information Security Reserach, 2024, 10(2): 122-.
[5]	. Abnormal Traffic Detection in the Internet of Things Based on Imbalanced Data [J]. Journal of Information Security Reserach, 2024, 10(11): 1012-.
[6]	. Zerotrust Dynamic Authentication to Resist APT Identity Compromise [J]. Journal of Information Security Reserach, 2024, 10(10): 928-.
[7]	. Face Spoofing Detection Model with Fusion of Convolutional Neural Network and Transformer [J]. Journal of Information Security Reserach, 2024, 10(1): 25-.
[8]	. Security and Privacy Protection in 6G Network: A Survey [J]. Journal of Information Security Reserach, 2023, 9(9): 822-.
[9]	. Cyberbullying Detection Model Based on ELMoTextCNN [J]. Journal of Information Security Reserach, 2023, 9(9): 868-.
[10]	. Data Scarcity and Large Language Model Data Value Asymmetry [J]. Journal of Information Security Reserach, 2023, 9(7): 637-.
[11]	. Consideration on Some Problems in the Development of GPT4 and Its Regulation Scheme [J]. Journal of Information Security Reserach, 2023, 9(6): 510-.
[12]	. Research on Artificial Intelligence Data Falsification Risk Based on GPT Model [J]. Journal of Information Security Reserach, 2023, 9(6): 518-.
[13]	. Research on the Integration of Full Lifecycle Data Security Management and Artificial Intelligence Technology#br# [J]. Journal of Information Security Reserach, 2023, 9(6): 543-.
[14]	. Research on Network Security Governance and Response of Largescale AI Model [J]. Journal of Information Security Reserach, 2023, 9(6): 551-.
[15]	. A Method of Active Defense for Intelligent Manufacturing Device Swarms Based on Remote Attestation [J]. Journal of Information Security Reserach, 2023, 9(6): 580-.

Research on Model Antistealing Based on Image Augmentation

基于图像增强的模型防窃取研究

PDF

Knowledge

Abstract

Cite this article

share this article

References

Related Articles 15

Recommended Articles

Metrics