Neural Radiance Field (NeRF) models have gained significant attention in the
computer vision community in the recent past with state-of-the-art visual
quality and produced impressive demonstrations. Since then, technopreneurs have
sought to leverage NeRF models into a profitable business. Therefore, NeRF
models make it worth the risk of plagiarizers illegally copying,
re-distributing, or misusing those models. This paper proposes a comprehensive
intellectual property (IP) protection framework for the NeRF model in both
black-box and white-box settings, namely IPR-NeRF. In the black-box setting, a
diffusion-based solution is introduced to embed and extract the watermark via a
two-stage optimization process. In the white-box setting, a designated digital
signature is embedded into the weights of the NeRF model by adopting the sign
loss objective. Our extensive experiments demonstrate that not only does our
approach maintain the fidelity (\ie, the rendering quality) of IPR-NeRF models,
but it is also robust against both ambiguity and removal attacks compared to
prior arts.

该研究提出了一种全面的知识产权 (IP) 保护框架，名为 IPR-NeRF，用于保护 Neural Radiance Field (NeRF) 模型的版权，其中包括黑盒模式和白盒模式两种设置。

IPR-NeRF：所有权验证与神经亮度场相遇

IPR-NeRF: Ownership Verification meets Neural Radiance Field

Natural images are virtually surrounded by low-density misclassified regions
that can be efficiently discovered by gradient-guided search --- enabling the
generation of adversarial images. While many techniques for detecting these
attacks have been proposed, they are easily bypassed when the adversary has
full knowledge of the detection mechanism and adapts the attack strategy
accordingly. In this paper, we adopt a novel perspective and regard the
omnipresence of adversarial perturbations as a strength rather than a weakness.
We postulate that if an image has been tampered with, these adversarial
directions either become harder to find with gradient methods or have
substantially higher density than for natural images. We develop a practical
test for this signature characteristic to successfully detect adversarial
attacks, achieving unprecedented accuracy under the white-box setting where the
adversary is given full knowledge of our detection mechanism.

通过梯度方法可以发现虚假的区域，该文认为这些区域不是弱点而是优势，提出了一种通过检测这些区域的方法来成功检测出对抗攻击的方法，在攻击者完全了解检测机制的情况下，实现了前所未有的准确性。

一种新的对抗图像防御方法：将弱点转化为优势

A New Defense Against Adversarial Images: Turning a Weakness into a  Strength

Membership inference (MI) attacks exploit the fact that machine learning
algorithms sometimes leak information about their training data through the
learned model. In this work, we study membership inference in the white-box
setting in order to exploit the internals of a model, which have not been
effectively utilized by previous work. Leveraging new insights about how
overfitting occurs in deep neural networks, we show how a model's idiosyncratic
use of features can provide evidence for membership to white-box
attackers---even when the model's black-box behavior appears to generalize
well---and demonstrate that this attack outperforms prior black-box methods.
Taking the position that an effective attack should have the ability to provide
confident positive inferences, we find that previous attacks do not often
provide a meaningful basis for confidently inferring membership, whereas our
attack can be effectively calibrated for high precision. Finally, we examine
popular defenses against MI attacks, finding that (1) smaller generalization
error is not sufficient to prevent attacks on real models, and (2) while
small-$\epsilon$-differential privacy reduces the attack's effectiveness, this
often comes at a significant cost to the model's accuracy; and for larger
$\epsilon$ that are sometimes used in practice (e.g., $\epsilon=16$), the
attack can achieve nearly the same accuracy as on the unprotected model.

本研究通过对深度神经网络如何发生过拟合的新认识，研究了成员推断攻击，并展示了如何利用模型的内部来提供攻击者成员身份的证据，该攻击方法可校准，并可以有效地进行高精度的成员推论。同时，对于流行的成员推断攻击防御方法，发现较小的一阶差分隐私并不能防止攻击，而较大的隐私预算则使得攻击几乎具有与未受保护的模型相同的准确性。