CN-122020617-A - Distributed sparse model fingerprint method based on double-key driving
Abstract
The invention discloses a distributed sparse model fingerprint method based on double-key driving, which comprises the following steps: inputting an original model, an owner secret key and an identity identifier into a computer system; generating a seed based on the owner secret key; calculating a global index set in one or more stable target convolution layers preselected in the model to select a weight subset as the fingerprint carrier; constructing a random projection matrix based on the identity identifier; generating an original model fingerprint based on the weight vector and the random projection matrix; verifying a suspicious model by repeating the steps to obtain a fingerprint to be tested; calculating the cosine similarity of the original model fingerprint and the fingerprint to be tested; judging whether an illegal derivative relation is formed based on a calibrated threshold value; and outputting an ownership judgment result. By binding the identity and the pseudo-random process through double keys, and by combining distributed sparse sampling with normalized random projection, the invention improves the uniqueness and robustness of fingerprints, can effectively resist various attack scenarios, and accurately judges the ownership of the model.
Inventors
- CHEN YULING
- NIE WEIDONG
- PEI QINGQI
- LUO YUN
- HE ZHONGXIANG
Assignees
- Guizhou University (贵州大学)
Dates
- Publication Date: 20260512
- Application Date: 20260126
Claims (10)
- 1. A distributed sparse model fingerprint method based on double-key driving, characterized in that a computer system performs the following steps: S1, inputting an original model, an owner secret key and an identity identifier into the computer system; S2, taking the owner secret key as a deterministic pseudo-random process seed, and initializing a pseudo-random number generator to generate random numbers; S3, calculating a global index set in one or more stable target convolution layers selected in advance in the model, selecting a sparse weight subset with wide spatial distribution as the fingerprint carrier, and combining the random numbers to obtain a weight vector; S4, based on the identity identifier, constructing a uniquely bound random projection matrix through a cryptographically secure random number generation function, and mapping the weight vector to a low-dimensional fingerprint space; S5, generating an original model fingerprint based on the weight vector and the random projection matrix, and storing the original model fingerprint on the rights holder's side; S6, inputting a suspicious model into the computer system for verification, repeating step S2 and step S5 to obtain a fingerprint to be tested, and calculating the adjusted cosine similarity between the original model fingerprint and the fingerprint to be tested; and S7, judging whether an illegal derivative relation is formed based on a threshold calibrated in combination with the negative class, and outputting an ownership judgment result.
- 2. The distributed sparse model fingerprint method based on double-key driving of claim 1, wherein the original model is a deep neural network model; the owner secret key is converted into the deterministic pseudo-random process seed by a hash operation; and the deterministic pseudo-random process seed can be obtained only from the unique owner secret key.
- 3. The distributed sparse model fingerprint method based on double-key driving of claim 1, wherein calculating the global index set specifically comprises flattening the weights of the model's target convolution layer into a one-dimensional vector; and the sparse, spatially widely distributed weight subset is obtained by sampling directly from the one-dimensional vector at pseudo-random indices driven by the owner secret key.
- 4. The distributed sparse model fingerprint method based on double key driving of claim 1, wherein the pseudo-random number generator is specifically: ; Wherein, the To represent the pseudo-random generator object obtained after initialization, For pseudo-random generator initialization, seed is a deterministic pseudo-random process seed.
- 5. The distributed sparse model fingerprint method based on double-key driving of claim 1, wherein constructing a uniquely bound random projection matrix through a cryptographically secure random number generation function specifically comprises: converting the identity identifier into an identity seed using a hash algorithm, and generating a deterministic random matrix based on the identity seed; and normalizing the deterministic random matrix to construct the uniquely bound random projection matrix.
- 6. The distributed sparse model fingerprint method based on double-key driving of claim 1, wherein the original model fingerprint is obtained by matrix multiplication of the weight vector with the random projection matrix; and the suspicious model is a model released after fine-tuning and secondary modification based on the original model.
- 7. The distributed sparse model fingerprint method based on double key driving of claim 1, The concrete algorithm of cosine similarity is as follows: ; Wherein, the For the original model fingerprint to be a fingerprint, For the fingerprint of the model to be measured, Representing the mean value of the original model fingerprint, Representing the mean value of the fingerprint to be detected.
- 8. The distributed sparse model fingerprint method of claim 1, wherein determining whether an illegal derivative relation is formed comprises: if the calculated cosine similarity is higher than the threshold value, judging that the suspicious model is derived from the original model; and if the calculated cosine similarity is lower than the threshold value, judging that the suspicious model is an independent model.
- 9. An electronic device, comprising: a memory communicatively coupled to the processor; the memory has stored therein a computer program which, when executed by the processor, implements the distributed sparse model fingerprint method based on double-key driving as claimed in any one of claims 1-8.
- 10. A computer-readable storage medium having stored thereon a computer program which, when executed, implements the distributed sparse model fingerprint method based on double-key driving according to any one of claims 1 to 8.
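The pipeline recited in claims 1 to 8, as an added sketch that is not part of the patent text or the applicant's implementation: key-seeded sparse sampling, identity-seeded normalized projection, mean-adjusted cosine similarity and a threshold calibrated on unrelated models. Assumptions: Python's `random.Random` stands in for both generators (it is not cryptographically secure), the similarity is taken as mean-centered cosine because the claim 7 formula did not survive on this page, the `mean + k * std` threshold rule is hypothetical, and all weights, keys and identities are constructed.

```python
import hashlib
import math
import random
import statistics

def seed_from(secret):
    """Hash a key or identity string into a deterministic integer seed."""
    return int.from_bytes(hashlib.sha256(secret.encode()).digest(), "big")

def fingerprint(weights, owner_key, identity, n=256, dim=64):
    """Owner key selects the sparse carrier; identity fixes the projection."""
    idx = random.Random(seed_from(owner_key)).sample(range(len(weights)), n)
    carrier = [weights[i] for i in idx]
    rng = random.Random(seed_from(identity))  # stand-in, not a CSPRNG
    fp = []
    for _ in range(dim):
        row = [rng.gauss(0.0, 1.0) for _ in range(n)]
        norm = math.sqrt(sum(v * v for v in row))  # unit-normalize the row
        fp.append(sum(r * w for r, w in zip(row, carrier)) / norm)
    return fp

def adjusted_cosine(a, b):
    """Cosine similarity after subtracting each fingerprint's mean."""
    ma, mb = statistics.fmean(a), statistics.fmean(b)
    ca, cb = [x - ma for x in a], [y - mb for y in b]
    dot = sum(x * y for x, y in zip(ca, cb))
    return dot / math.sqrt(sum(x * x for x in ca) * sum(y * y for y in cb))

def calibrate_threshold(negative_scores, k=4.0):
    """Assumed rule: mean of unrelated-model scores plus k std deviations."""
    return statistics.fmean(negative_scores) + k * statistics.pstdev(negative_scores)

def is_derived(original_fp, suspect_weights, owner_key, identity, threshold):
    suspect_fp = fingerprint(suspect_weights, owner_key, identity)
    return adjusted_cosine(original_fp, suspect_fp) > threshold

def toy_layer(seed, size=4096):
    """Constructed stand-in for one flattened convolution layer."""
    rng = random.Random(seed)
    return [rng.gauss(0.0, 1.0) for _ in range(size)]

KEY, IDENTITY = "owner-key-demo", "model-id-demo"  # constructed values
ORIGINAL = toy_layer(1)
FINE_TUNED = [w + 0.05 * e for w, e in zip(ORIGINAL, toy_layer(99))]  # small drift
INDEPENDENT = [toy_layer(s) for s in range(100, 110)]  # unrelated models
ORIGINAL_FP = fingerprint(ORIGINAL, KEY, IDENTITY)
NEG_SCORES = [adjusted_cosine(ORIGINAL_FP, fingerprint(m, KEY, IDENTITY))
              for m in INDEPENDENT]
THRESHOLD = calibrate_threshold(NEG_SCORES)
```

Without the owner key a verifier samples different weight positions, so the recomputed fingerprint no longer correlates with the stored one even for the original model.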
Description
Distributed sparse model fingerprint method based on double-key driving
Technical Field
The invention relates to the fields of artificial intelligence security, information processing technology and the like, and in particular to a distributed sparse model fingerprint method based on double-key driving.
Background
The deep neural network model is a core digital asset in the artificial intelligence field and has been deeply applied in key industrial scenarios such as automatic driving, medical image diagnosis and intelligent security monitoring. Its research and development requires high computing, labor and time costs, and it carries the core technical secrets and business secrets of the developing entity, so its intellectual property protection is directly related to the healthy and orderly development of the artificial intelligence industry. However, with the development of the open-source ecosystem and the growing demand for prior deployment of deep neural network models, the scenarios in which such models are propagated and used have become more complex, and infringement risks such as parameter stealing, unauthorized reuse and deformation piracy continue to grow, seriously damaging the legal rights and interests of the developing entity. Against this background, how to construct a verifiable and low-invasive identity identification system and ownership authentication mechanism for a model, without significantly reducing the model's performance and usability, has become a key technical problem to be solved in the field of artificial intelligence security, and is also a basic premise for protecting algorithm intellectual property rights and ensuring the orderly development of the industry ecosystem.
Currently, intellectual property protection technology for deep neural network models falls into two major categories: active defense and passive evidence collection. Active defense techniques block unauthorized use at the source by embedding constraint logic in the model distribution, loading and inference stages. Passive evidence collection is an important supplement to active defense and one of the mainstream approaches to intellectual property protection for deep neural network models today; at its core it provides after-the-fact proof of ownership through deep neural network model watermarking and deep neural network model fingerprinting, but it has obvious limitations. Firstly, model watermarking must balance performance overhead against trigger-sample detectability and attack risk, has weak resistance to composite infringement means such as model compression and fine-tuning, and is prone to watermark loss or failure. Secondly, early fingerprinting relies on adversarial samples or decision-boundary characteristics, has poor stability, easily fails after model fine-tuning, modification or structural adjustment, and has difficulty meeting cross-version tracking requirements. In summary, to address these problems, the invention provides a distributed sparse model fingerprint method based on double-key driving that inherits the zero deployment cost of passive fingerprinting. By introducing a double-key control mechanism and an identity binding strategy, it significantly improves the security, concealment and cross-generation tracking capability of the model fingerprint, providing a technical scheme for model intellectual property protection that better matches actual industrial requirements.
Disclosure of Invention
The main aim of the invention is to provide a distributed sparse model fingerprint method based on double-key driving that solves problems of the existing model technology such as weak resistance to composite infringement, insufficient stability of model fingerprint technology, insufficient cross-version tracking capability, and the lack of effective identity binding and of a security management and control mechanism. By adopting key-driven weight sampling, random projection bound to the identity identifier, and a double-key control mechanism, it improves the security, concealment and cross-generation tracking capability of model fingerprints, thereby providing a new technical scheme for protecting model intellectual property rights. According to a first main aspect of the present invention, there is provided a distributed sparse model fingerprint method based on double-key driving, in which a computer system performs the following steps: S1, inputting an original model, an owner secret key and an identity identifier into the computer system; S2, taking the owner secret key as a deterministic