Overview of artificial intelligence model watermarking

以神经网络为代表的人工智能技术在计算机视觉、模式识别和自然语言处理等诸多应用领域取得了巨大的成功，包括谷歌、微软在内的许多科技公司都将人工智能模型部署在商业产品中，以提升服务质量和经济效益。然而，构建性能优异的人工智能模型需要消耗大量的数据、计算资源和专家知识，并且人工智能模型易于被未经授权的用户窃取、篡改和贩卖。在人工智能技术迅速发展的同时，如何保护人工智能模型的知识产权具有显著学术意义和产业需求。在此背景下，本文主要介绍基于数字水印的人工智能模型产权保护技术。通过与传统多媒体水印技术进行对比，首先概述了人工模型水印的研究意义、基础概念和评价指标；然后，依据水印提取者是否需要掌握目标模型的内容细节以及是否需要和目标模型进行交互，从“白盒”模型水印、“黑盒”模型水印、“无盒”模型水印3个不同的角度分别梳理了国内外研究现状并总结了不同方法的差异，与此同时，对脆弱模型水印也进行了分析和讨论；最后，通过对比不同方法的特点、优势和不足，总结了不同场景下模型水印的共性技术问题，并对发展趋势进行了展望。;The deep neural networks(DNNs) -relevant artificial intelligence(AI) technique has been developing intensively in the context of such domains like computer vision, pattern analysis, natural language processing, bioinformatics, and games. Especially, AI models have widely deployed cloud by technology companies to provide smart personalized services. However, creating state-of-the-art requires a lot high-quality data, powerful computing resources expert knowledge architecture design. Furthermore, are threatened be copied, tampered redistributed an unauthorized manner. It indicates that it is necessary protect against intellectual property infringement, which yields researchers concern about protection. Current techniques concerned digital watermarking for protection models, referred model watermarking. The core embed secret watermark revealing ownership protected into through imperceptible way. unlike many multimedia methods treat media data as static signal, required information with specific task. We cannot directly apply conventional since simply modifying given may significantly impair performance on its original motivates people design specifically models. For embedding watermark, watermarked task should not degraded embedded concealed able extracted identify when disputes arise. Considering whether extractor know internal details target or not, we can divide existing two categories, i. e., white-box black-box watermarking, so he extract from parameters structures. does model, but ability query prediction results correspondence set trigger samples. samples carefully crafted. By checking consistent pre-specific labels samples, capable determining model. A special case box-free no access means interact any sample generated verified via extracting output. In addition, fragile also investigated recently. Unlike focus robust verification, enables us detect was modified thereby achieving integrity verification To review latest developments trends, advanced methodologies analyzed mentioned below:1) aims objectives, basic concepts, evaluation metrics technical classification introduced. 2) development status summarized analyzed. 3) Such pros cons compared well. 4) prospects trend potentials relevance security provided.