Ensuring the legal usage of deep models is crucial to promoting trustable, accountable, and responsible artificial intelligence innovation. Current passport-based methods that obfuscate model functionality for license-to-use and ownership verification suffer from capacity and quality constraints, as they require retraining the owner model for each new user. They are also vulnerable to advanced Expanded Residual Block ambiguity attacks. We propose Steganographic Passport, which uses an invertible steganographic network to decouple license-to-use from ownership verification by hiding the user's identity images in the owner-side passport and recovering them from their respective user-side passports. An irreversible and collision-resistant hash function is used to avoid exposing the owner-side passport from the derived user-side passports and to increase the uniqueness of the model signature. To safeguard both the passport and the model's weights against advanced ambiguity attacks, an activation-level obfuscation is proposed for the verification branch of the owner's model. By jointly training the verification and deployment branches, their weights become tightly coupled. The proposed method supports agile licensing of deep models by providing strong ownership proof and license accountability without requiring separate model retraining for the admission of every new user. Experimental results show that our Steganographic Passport outperforms other passport-based deep model protection methods in robustness against various known attacks.