├── README.md
├── blackboxWM
    ├── DeepSigns.pyc
    ├── main_blackbox.py
    ├── result
    │   ├── markedWeights.h5
    │   └── unmarked_weights.h5
    └── utils.py
└── whiteboxWM
    ├── DeepSigns.pyc
    ├── main_whitebox.py
    ├── result
        ├── projection_matrix.npy
        └── wmarked_weights.h5
    └── utils.pyc

/README.md:
--------------------------------------------------------------------------------
# DeepSigns

This repository provides an API for DeepSign framework. DeepSign is an end-to-end watermarking framework for IP protection of deep neural networks. The paper 'DeepSigns: A Generic Watermarking Framework for IP Protection of Deep Learning Models' is available on arXiv: https://arxiv.org/abs/1804.00750. Detailed description of different experiments can be found in our paper.

## Python Packages Required:
Keras 1.1.2, Tensorflow 0.12.1

## Contact Info:
If you have any questions, please email bita@ucsd.edu or huc044@ucsd.edu.

--------------------------------------------------------------------------------
/blackboxWM/DeepSigns.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Bitadr/DeepSigns/dd5c861cb47e45c1fce59c37cd9ddb6465833f2c/blackboxWM/DeepSigns.pyc

--------------------------------------------------------------------------------
/blackboxWM/main_blackbox.py:
--------------------------------------------------------------------------------
# Demo of black-box watermark embedding and detection on the MNIST MLP.
#
# NOTE(review): the repository tree lists DeepSigns only as compiled bytecode
# (DeepSigns.pyc), so the internals of key_generation, count_response_mismatch
# and compute_mismatch_threshold cannot be reviewed from this listing.
import DeepSigns
from DeepSigns import key_generation
from DeepSigns import count_response_mismatch
from DeepSigns import compute_mismatch_threshold

import keras.utils.np_utils as kutils
from utils import create_model
from keras.optimizers import SGD
from keras.datasets import mnist
import numpy as np

# from blackboxWM_mnistmlp import blackboxWM_demo

if __name__ == '__main__':

    num_classes = 10
    batch_size = 128

    # MNIST, already shuffled and split into train and test sets.
    (x_train, y_train), (x_test, y_test) = mnist.load_data()

    # Flatten each 28x28 image to 784 features and scale pixels into [0, 1].
    x_train = x_train.reshape(60000, 784).astype('float32')
    x_test = x_test.reshape(10000, 784).astype('float32')
    x_train /= 255
    x_test /= 255

    # One-hot encode the integer class labels.
    y_train = kutils.to_categorical(y_train, num_classes)
    y_test = kutils.to_categorical(y_test, num_classes)

    # Watermark (WM) hyper-parameters.
    key_len = 20          # desired WM key length
    embed_lr = 0.0008     # learning rate of the SGD optimizer below
    p_threshold = 0.0001  # probability p handed to compute_mismatch_threshold
    embed_epoch = 2       # passed to key_generation

    ## ---- Embed WM ------ ##
    # Start from the shipped unmarked weights.
    model = create_model()
    model.load_weights('result/unmarked_weights.h5')
    embed_optimizer = SGD(lr=embed_lr, momentum=0.9, decay=0.0, nesterov=True)
    model.compile(loss='categorical_crossentropy',
                  optimizer=embed_optimizer,
                  metrics=['accuracy'])

    # X_key / Y_key form the WM key set that detection is checked against.
    # NOTE(review): the key set is held only in memory by this script and the
    # detection step loads pre-existing weights from result/markedWeights.h5;
    # whether key_generation persists the key or writes that file is not
    # visible here -- confirm against the DeepSigns source.
    X_key, Y_key = key_generation(x_train, y_train, model, key_len,
                                  num_classes, embed_epoch)

    ## ----- Detect WM ------ ##
    marked_model = create_model()
    marked_model.load_weights('result/markedWeights.h5')
    detect_optimizer = SGD(lr=embed_lr, momentum=0.9, decay=0.0, nesterov=True)
    marked_model.compile(loss='categorical_crossentropy',
                         optimizer=detect_optimizer,
                         metrics=['accuracy'])

    # Query the marked model on the key inputs and take the arg-max class of
    # each response as a (key_len, 1) column.
    preds_onehot = marked_model.predict(X_key, batch_size=batch_size)
    predicted_classes = np.argmax(preds_onehot, axis=1)
    Y_preds = np.reshape(predicted_classes, (key_len, 1))

    m = count_response_mismatch(Y_preds, Y_key)
    # pk = 1/C, |K|: # trials
    theta = compute_mismatch_threshold(C=num_classes, Kp=key_len, p=p_threshold)

    print('probability threshold p is ', p_threshold)
    print('Mismatch threshold is : ', theta)
    print('Mismatch count of marked model on WM key set = ', m)
    # The ownership claim holds when the mismatch count is below the threshold.
    print(" If the marked model is correctly authenticated by owner: ", m < theta)

--------------------------------------------------------------------------------
/blackboxWM/result/markedWeights.h5:
--------------------------------------------------------------------------------
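https://raw.githubusercontent.com/Bitadr/DeepSigns/dd5c861cb47e45c1fce59c37cd9ddb6465833f2c/blackboxWM/result/markedWeights.h5

--------------------------------------------------------------------------------
/blackboxWM/result/unmarked_weights.h5:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Bitadr/DeepSigns/dd5c861cb47e45c1fce59c37cd9ddb6465833f2c/blackboxWM/result/unmarked_weights.h5

--------------------------------------------------------------------------------
/blackboxWM/utils.py:
--------------------------------------------------------------------------------
from __future__ import division
from __future__ import print_function
import keras.utils.np_utils as kutils
import keras
from keras.datasets import mnist
from keras.models import Sequential
from keras.layers import Dense, Dropout
from keras.optimizers import RMSprop, SGD
import keras.backend as K
import numpy as np


def create_model(num_classes=10):
    """Build the uncompiled MNIST MLP used by the black-box demo.

    The network takes 784 input features and stacks two 512-unit ReLU layers,
    each followed by dropout of 0.2, before a softmax output layer.

    Args:
        num_classes: Width of the final softmax layer.

    Returns:
        A keras ``Sequential`` model; the caller compiles it and loads weights.
    """
    layers = [
        Dense(512, activation='relu', input_shape=(784,)),
        Dropout(0.2),
        Dense(512, activation='relu'),
        Dropout(0.2),
        Dense(num_classes, activation='softmax'),
    ]
    model = Sequential()
    for layer in layers:
        model.add(layer)
    # model.summary()

    return model

--------------------------------------------------------------------------------
/whiteboxWM/DeepSigns.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Bitadr/DeepSigns/dd5c861cb47e45c1fce59c37cd9ddb6465833f2c/whiteboxWM/DeepSigns.pyc

--------------------------------------------------------------------------------
/whiteboxWM/main_whitebox.py:
--------------------------------------------------------------------------------
# NOTE(review): the repository tree lists DeepSigns and utils for this demo
# only as compiled bytecode (.pyc), so the helpers imported below cannot be
# reviewed from this listing.
import DeepSigns
from DeepSigns import subsample_training_data
from DeepSigns import WM_activity_regularizer
from DeepSigns import get_activations
from DeepSigns import extract_WM_from_activations
from DeepSigns import compute_BER

from utils import create_marked_model


import numpy as np
from keras.datasets import mnist
from keras.models import Model
from keras.models import Sequential
import keras.utils.np_utils as kutils
from keras.layers import Dense, Dropout, Input
from keras.optimizers import RMSprop
import keras.callbacks as callbacks

## ------ Demo of white-box activation watermarking on MNIST-MLP benchmark ---- ##
if __name__ == '__main__':

    (x_train, y_train_vec), (x_test, y_test_vec) = mnist.load_data()

    # Flatten each 28x28 image to 784 features and scale pixels into [0, 1].
    x_train = x_train.reshape(60000, 784).astype('float32')
    x_test = x_test.reshape(10000, 784).astype('float32')
    x_train /= 255
    x_test /= 255

    # Keep the integer labels (*_vec) as well: they feed the auxiliary input.
    num_classes = 10
    y_train = kutils.to_categorical(y_train_vec, num_classes)
    y_test = kutils.to_categorical(y_test_vec, num_classes)

    ## WM configs ---- ##
    scale = 0.01          # for loss1
    gamma2 = 0.01         # for loss2
    target_dense_idx = 2  # target layer to carry WM
    embed_bits = 16
    target_class = 0
    epochs = 1

    # Binary prior info to be embedded, shape (T, 10).
    # NOTE(review): b is drawn on every run from NumPy's global RNG and this
    # script never writes it to disk, so the embedded signature exists only
    # for the lifetime of this process; verifying the watermark in a later
    # run would require persisting it. Confirm how DeepSigns expects the
    # signature to be stored.
    b = np.random.randint(2, size=(embed_bits, num_classes))
    aux_ip = Input(shape=[None], name='aux_input')
    WM_reg = WM_activity_regularizer(gamma1=scale, gamma2=gamma2, b=b,
                                     target_class=target_class, label=aux_ip,
                                     num_classes=num_classes)

    ## ---- Build model ----- ##
    main_ip = Input(shape=(784, ), name='main_input')
    x = Dense(512, activation='relu', input_shape=(784,))(main_ip)
    x = Dropout(0.2)(x)
    # The second dense layer carries the watermark through its activity
    # regularizer.
    marked_FC = Dense(512, activation='relu', activity_regularizer=WM_reg)
    x = marked_FC(x)
    # Expose the regularizer's centers as a trainable weight while fitting.
    marked_FC.trainable_weights = marked_FC.trainable_weights + [WM_reg.centers]
    x = Dropout(0.2)(x)
    x = Dense(num_classes, activation='softmax')(x)
    model = Model(input=[main_ip, aux_ip], output=x)

    model.compile(loss='categorical_crossentropy',
                  optimizer=RMSprop(lr=0.001, rho=0.9, epsilon=1e-08, decay=0.001),
                  metrics=['accuracy'])

    history = model.fit([x_train, y_train_vec], y_train, nb_epoch=epochs, verbose=1,
                        validation_data=([x_test, y_test_vec], y_test))
    score = model.evaluate([x_test, y_test_vec], y_test, verbose=0)
    print('Test loss:', score[0])
    print('Test accuracy:', score[1])
    # Drop the extra centers entry again before the weights are saved.
    marked_FC.trainable_weights = marked_FC.trainable_weights[0:2]
    model.save_weights('result/wmarked_weights.h5')

    ## ---- Validate WM ---- ##
    marked_model = create_marked_model()
    marked_model.summary()
    marked_model.load_weights('result/wmarked_weights.h5')
    marked_model.compile(loss='categorical_crossentropy', optimizer=RMSprop(), metrics=['accuracy'])

    x_train_subset, y_train_subset = subsample_training_data(x_train, y_train_vec, target_class)
    marked_activations = get_activations(marked_model, x_train_subset, print_shape_only=True)  # this is list
    print("Get activations of marked FC layer")
    # choose the activations from first wmarked dense layer
    marked_FC_activations = marked_activations[target_dense_idx+1]

    # The projection matrix is loaded with pickling disabled, so a replaced or
    # tampered .npy holding pickled objects raises instead of being unpickled;
    # NumPy releases before 1.16.3 allowed pickles by default. This script
    # never writes the file itself -- presumably it is produced inside
    # DeepSigns during embedding; confirm.
    A = np.load('result/projection_matrix.npy', allow_pickle=False)
    # NOTE(review): A is an input to watermark extraction below; printing it
    # copies it into console output and any captured logs.
    print('A = ', A)
    decoded_WM = extract_WM_from_activations(marked_FC_activations, A)
    BER = compute_BER(decoded_WM, b[:, target_class])
    print("BER in class {} is {}: ".format(target_class, BER))

--------------------------------------------------------------------------------
/whiteboxWM/result/projection_matrix.npy:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Bitadr/DeepSigns/dd5c861cb47e45c1fce59c37cd9ddb6465833f2c/whiteboxWM/result/projection_matrix.npy

--------------------------------------------------------------------------------
/whiteboxWM/result/wmarked_weights.h5: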
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/Bitadr/DeepSigns/dd5c861cb47e45c1fce59c37cd9ddb6465833f2c/whiteboxWM/result/wmarked_weights.h5 -------------------------------------------------------------------------------- /whiteboxWM/utils.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Bitadr/DeepSigns/dd5c861cb47e45c1fce59c37cd9ddb6465833f2c/whiteboxWM/utils.pyc --------------------------------------------------------------------------------