Abstract
We want to detect whether a particular image dataset has been used to train a
model. We propose a new technique, radioactive data, that makes
imperceptible changes to this dataset such that any model trained on it will
bear an identifiable mark. The mark is robust to strong variations such as
different architectures or optimization methods. Given a trained model, our
technique detects the use of radioactive data and provides a level of
confidence (p-value). Our experiments on large-scale benchmarks (Imagenet),
using standard architectures (Resnet-18, VGG-16, Densenet-121) and training
procedures, show that we can detect usage of radioactive data with high
confidence (p < 10^-4) even when only 1% of the data used to train the model is
radioactive. Our method is robust to data augmentation and the stochasticity of
deep network optimization. As a result, it offers a much higher signal-to-noise
ratio than data poisoning and backdoor methods.
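To make the statistical test concrete, here is a minimal sketch of the detection step, under the assumption that the mark is a secret random direction u added in feature space (the per-class combination of tests and the feature-space alignment used in the full method are omitted; all names and constants are illustrative, not the paper's exact procedure). Under the null hypothesis that the model never saw radioactive data, the cosine between u and a classifier weight vector follows the known distribution of the cosine between a fixed vector and a random direction in R^d, which yields a p-value.

```python
import numpy as np
from scipy.stats import beta

def cosine_pvalue(c: float, d: int) -> float:
    """p-value of observing cosine similarity >= c between a fixed carrier
    and an independent random direction in R^d.
    Under H0, (cos + 1) / 2 ~ Beta((d-1)/2, (d-1)/2)."""
    a = (d - 1) / 2.0
    return float(beta.sf((c + 1.0) / 2.0, a, a))

# Hypothetical usage: u is the secret carrier direction used to mark one
# class's images; w stands in for that class's trained classifier weights.
rng = np.random.default_rng(0)
d = 512                                # e.g. a Resnet-18 penultimate feature dimension
u = rng.standard_normal(d)
u /= np.linalg.norm(u)                 # unit-norm carrier
w = 5.0 * u + rng.standard_normal(d)   # toy "marked" classifier direction
c = float(w @ u / np.linalg.norm(w))
print(f"cosine = {c:.3f}, p-value = {cosine_pvalue(c, d):.2e}")
```

A clean (unmarked) w would give a cosine near 0 and a p-value near 0.5, while the marked toy direction above yields a cosine several standard deviations (roughly 1/sqrt(d) each) away from chance, hence a very small p-value.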