Authors:
Xudong Pan, Shengyao Zhang, Mi Zhang, Yifan Yan, Min Yang
Publication:
This paper is included in the Proceedings of the 36th Annual Conference on Neural Information Processing Systems (NeurIPS 2022)
Abstract:
In this paper, we present a capacity-aware neuron steganography scheme (i.e., Cans) to covertly transmit multiple private machine learning (ML) datasets via a scheduled-to-publish deep neural network (DNN) as the carrier model. Unlike existing steganography schemes which treat the DNN parameters as bit strings, \textit{Cans} for the first time exploits the learning capacity of the carrier model via a novel parameter sharing mechanism. Extensive evaluation shows, Cans is the first working scheme which can covertly transmit over 10000 real-world data samples within a carrier model which has 220x less parameters than the total size of the stolen data, and simultaneously transmit multiple heterogeneous datasets within a single carrier model, under a trivial distortion rate (<10^-5) and with almost no utility loss on the carrier model (<1%). Besides, Cans implements by-design redundancy to be resilient against common post-processing techniques on the carrier model before the publishing.