DMC-Watermark: A backdoor richer watermark for dual identity verification by dynamic mask covering

IF 3.4 2区计算机科学 Q2 COMPUTER SCIENCE, ARTIFICIAL INTELLIGENCE

Applied Intelligence Pub Date : 2025-05-09 DOI:10.1007/s10489-025-06608-w

Yujia Zhu, Ruoxi Wang, Daoxun Xia

{"title":"DMC-Watermark: A backdoor richer watermark for dual identity verification by dynamic mask covering","authors":"Yujia Zhu, Ruoxi Wang, Daoxun Xia","doi":"10.1007/s10489-025-06608-w","DOIUrl":null,"url":null,"abstract":"<div><p>With the increasing use of neural networks, the importance of copyright protection for these models has gained significant attention. Backdoor watermarking is one of the key methods for protecting copyright. However, on the one hand, most existing backdoor watermarks are triggered by visual images, making them easily detectable, and therefore vulnerable to various attacks. On the other hand, it is difficult for these methods to carry information related to the creator’s identity which can easily lead to fraudulent claims of ownership. These factors contribute to the vulnerability and limitations of backdoor watermarking. In this paper, we propose DMC-Watermark, a backdoor richer watermarking method that uses dynamic mask-covered image structures as triggers. Leveraging the semantic preservation of image structure in transformation attacks, we select image structure as triggers. Furthermore, we convert the author-related information into an array of color information and apply it as a mask to the extracted image structures, allowing it to serve as a second layer of verification during the validation phase to resist fraudulent claims of ownership. The final trigger pattern, embedded with author-related image structures, is applied to the selected images in the trigger set, generating a final trigger set that is trained together with clean samples to produce a protected model. The experiments show that the proposed DMC-Watermark performs well in terms of fidelity, invisibility, undetectability, functionality, dual verification and robustness on three different datasets and four representative DNNs, and it has wide applicability and excellent results in high-resolution images.</p></div>","PeriodicalId":8041,"journal":{"name":"Applied Intelligence","volume":"55 10","pages":""},"PeriodicalIF":3.4000,"publicationDate":"2025-05-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Applied Intelligence","FirstCategoryId":"94","ListUrlMain":"https://link.springer.com/article/10.1007/s10489-025-06608-w","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"COMPUTER SCIENCE, ARTIFICIAL INTELLIGENCE","Score":null,"Total":0}

引用次数: 0

Abstract

With the increasing use of neural networks, the importance of copyright protection for these models has gained significant attention. Backdoor watermarking is one of the key methods for protecting copyright. However, on the one hand, most existing backdoor watermarks are triggered by visual images, making them easily detectable, and therefore vulnerable to various attacks. On the other hand, it is difficult for these methods to carry information related to the creator’s identity which can easily lead to fraudulent claims of ownership. These factors contribute to the vulnerability and limitations of backdoor watermarking. In this paper, we propose DMC-Watermark, a backdoor richer watermarking method that uses dynamic mask-covered image structures as triggers. Leveraging the semantic preservation of image structure in transformation attacks, we select image structure as triggers. Furthermore, we convert the author-related information into an array of color information and apply it as a mask to the extracted image structures, allowing it to serve as a second layer of verification during the validation phase to resist fraudulent claims of ownership. The final trigger pattern, embedded with author-related image structures, is applied to the selected images in the trigger set, generating a final trigger set that is trained together with clean samples to produce a protected model. The experiments show that the proposed DMC-Watermark performs well in terms of fidelity, invisibility, undetectability, functionality, dual verification and robustness on three different datasets and four representative DNNs, and it has wide applicability and excellent results in high-resolution images.

查看原文本刊更多论文

DMC-Watermark：通过动态掩码覆盖实现双重身份验证的后门丰富水印

随着神经网络应用的增加，对这些模型的版权保护的重要性得到了极大的关注。后门水印是版权保护的重要手段之一。然而，一方面，现有的后门水印大多是由视觉图像触发的，容易被检测到，因此容易受到各种攻击。另一方面，这些方法很难携带与创建者身份有关的信息，这很容易导致欺诈性的所有权主张。这些因素导致了后门水印的脆弱性和局限性。在本文中，我们提出了DMC-Watermark，这是一种后门更丰富的水印方法，它使用动态掩模覆盖的图像结构作为触发器。利用变换攻击中图像结构的语义保留，选择图像结构作为触发器。此外，我们将作者相关信息转换为颜色信息数组，并将其作为蒙版应用于提取的图像结构，使其在验证阶段充当第二层验证，以防止欺诈性所有权声明。将嵌入作者相关图像结构的最终触发模式应用于触发集中选定的图像，生成最终触发集，该触发集与干净样本一起训练以产生受保护模型。实验表明，本文提出的DMC-Watermark在3个不同的数据集和4个具有代表性的dnn上，在保真度、不可见性、不可检测性、功能性、双重验证性和鲁棒性方面表现良好，在高分辨率图像上具有广泛的适用性和优异的效果。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Applied Intelligence 工程技术-计算机：人工智能

CiteScore

6.60

自引率

20.80%

发文量

1361

审稿时长

5.9 months

期刊介绍： With a focus on research in artificial intelligence and neural networks, this journal addresses issues involving solutions of real-life manufacturing, defense, management, government and industrial problems which are too complex to be solved through conventional approaches and require the simulation of intelligent thought processes, heuristics, applications of knowledge, and distributed and parallel processing. The integration of these multiple approaches in solving complex problems is of particular importance. The journal presents new and original research and technological developments, addressing real and complex issues applicable to difficult problems. It provides a medium for exchanging scientific research and technological achievements accomplished by the international community.