随着人工智能技术飞速发展，神经网络模型已被广泛的应用于机器人、金融、医学等多个商业领域，共享预先训练的深度神经网络模型一直是促进研究快速进步发展的重要手段。但建立一个生产级的深度学习模型是一项非凡的任务，它需要大量的有价值的训练数据、强大的计算资源和专业人力资源，因此经过专门训练的模型对于它们的所有者来说应该是重要的私有资产，神经网络模型的知识产权保护技术应运而生。本课题主要对深度神经网络模型的版权保护问题进行了研究，主要研究内容和创新点如下：

（1）总结了神经网络模型的知识产权保护技术的定义、分类和应用情况，说明了神经网络模型知识产权保护方法的基本框架及评价标准。针对目前水印形式普遍单一的问题，提出将具有形状意义的灰度图像作为水印信息，使其具有了直观的视觉特征，可以提高模型水印的鲁棒性，丰富了神经网络模型的水印形式。

（2）基于图像水印形式，设计了一种基于可视水印的神经网络模型保护方法，构建了基于F分布的可视水印的神经网络模型的保护框架。以灰度图像作为原始水印信息，首先进行水印信息的加密及预处理，然后研究了基于F分布的MLP、LeNet、WRN神经网络模型的水印嵌入，最终实现在不影响神经网络模型功能的条件下动态嵌入模型水印，并成功进行了水印的提取和解密鉴权工作。实验结果表明，本文方法与其他传统的水印嵌入方法相比，提取的鉴权水印图片与原始水印图片更加接近，有效的保留了水印的特征信息。

（3）公开的深度神经网络模型往往面临着诸多非法攻击，所以良好的抗攻击能力也是模型水印的重要特性。通过探索深度神经网络模型可能受到的攻击类型，实现了针对本文提出水印方法的预期鲁棒性测试。采用模型微调、模型压缩等方法进行攻击测试，详细设计描述了模型水印方案的攻击场景，并进行了对比评估测试。实验结果表明，本文提出的水印方法鲁棒性良好，能够有效抵抗普遍的去除水印攻击。

With the rapid development lor='red'>of artificial intelligence technology, neural network model has been widely used in many business fields such as robotics, finance, medicine and so on. Sharing pre-trained deep neural network model has always been an important means to promote the rapid development lor='red'>of research. But to create a production level lor='red'>of deep learning model is a special task, it requires a lot lor='red'>of valuable training data, powerful computing resources and prlor='red'>ofessional human resources, therefore specially trained model should be important to their owners lor='red'>of private assets, the neural network model lor='red'>of the protection lor='red'>of intellectual property rights technology arises at the historic moment. This topic mainly studies the copyright protection lor='red'>of deep neural network model. The main contents and innovations are as follows:

(1) The definition, classification and application lor='red'>of intellectual property protection technology lor='red'>of neural network model are summarized, and the basic framework and evaluation criteria lor='red'>of intellectual property protection method lor='red'>of neural network model are explained. Aiming at the problem lor='red'>of single watermarking form at present, the grayscale image with shape meaning is used as watermarking information to make it have intuitive visual characteristics, which can improve the robustness lor='red'>of model watermarking and enrich the watermarking form lor='red'>of neural network model.

(2) Based on the form lor='red'>of image watermarking, a neural network model protection method based on visual watermarking is designed, and a neural network model protection framework based on F distribution visual watermarking is constructed. With black and white images as the original watermark information, first for watermark encryption and preprocessing. Then the watermark embedding lor='red'>of MLP, LeNet and WRN neural network models based on F distribution is studied. Finally, the watermarking lor='red'>of the network model is dynamically embedded without affecting the function lor='red'>of the neural network model, and the watermarking is extracted and decrypted successfully. Experimental results show that compared with other traditional watermark embedding methods, the extracted authentication watermark images are closer to the original watermark information, and the characteristic information lor='red'>of the watermark is preserved more effectively.

(3) Open deep neural network models lor='red'>often face many illegal attacks, so good anti-attack ability is also an important feature lor='red'>of model watermarking. By exploring the possible attack types lor='red'>of the deep neural network model, the expected robustness test lor='red'>of the watermarking method proposed in this paper is realized. Model fine-tuning, model compression and other methods were used to test the attack, and the attack scenario lor='red'>of model watermarking scheme was designed and described in detail, and the comparative evaluation test was carried out. Experimental results show that the proposed watermarking method has good robustness and can effectively resist common watermarking removal attacks.