TY - GEN
T1 - Untargeted Backdoor Watermark
T2 - 36th Conference on Neural Information Processing Systems, NeurIPS 2022
AU - Li, Yiming
AU - Bai, Yang
AU - Jiang, Yong
AU - Yang, Yong
AU - Xia, Shu-Tao
AU - Li, Bo
N1 - Funding Information:
This work is supported in part by the National Natural Science Foundation of China under Grant 62171248, the PCNL Key Project (PCL2021A07), the Tencent Rhino-Bird Research Program, and the C3 AI and Amazon research awards. We also sincerely thank Linghui Zhu from Tsinghua University for her assistance with the experiments on resistance to saliency-based backdoor defenses.
Publisher Copyright:
© 2022 Neural Information Processing Systems Foundation. All rights reserved.
PY - 2022
Y1 - 2022
N2 - Deep neural networks (DNNs) have demonstrated their superiority in practice. Arguably, the rapid development of DNNs has benefited largely from high-quality (open-source) datasets, with which researchers and developers can easily evaluate and improve their learning methods. Since data collection is usually time-consuming or even expensive, how to protect dataset copyrights is of great significance and worth further exploration. In this paper, we revisit dataset ownership verification. We find that existing verification methods introduce new security risks into DNNs trained on the protected dataset, due to the targeted nature of poison-only backdoor watermarks. To alleviate this problem, we explore an untargeted backdoor watermarking scheme in which the abnormal model behaviors are not deterministic. Specifically, we introduce two dispersibilities and prove their correlation, based on which we design the untargeted backdoor watermark under both poisoned-label and clean-label settings. We also discuss how to use the proposed untargeted backdoor watermark for dataset ownership verification. Experiments on benchmark datasets verify the effectiveness of our methods and their resistance to existing backdoor defenses. Our code is available at https://github.com/THUYimingLi/Untargeted_Backdoor_Watermark.
UR - http://www.scopus.com/inward/record.url?scp=85148613265&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85148613265&partnerID=8YFLogxK
M3 - Conference contribution
AN - SCOPUS:85148613265
T3 - Advances in Neural Information Processing Systems
BT - Advances in Neural Information Processing Systems 35 - 36th Conference on Neural Information Processing Systems, NeurIPS 2022
A2 - Koyejo, S.
A2 - Mohamed, S.
A2 - Agarwal, A.
A2 - Belgrave, D.
A2 - Cho, K.
A2 - Oh, A.
PB - Neural Information Processing Systems Foundation
Y2 - 28 November 2022 through 9 December 2022
ER -