Customized Watermarking for Deep Neural Networks via Label Distribution Perturbation
- URL: http://arxiv.org/abs/2208.05477v1
- Date: Wed, 10 Aug 2022 08:27:26 GMT
- Title: Customized Watermarking for Deep Neural Networks via Label Distribution Perturbation
- Authors: Tzu-Yun Chien, Chih-Ya Shen
- Abstract summary: We propose a new framework, Unified Soft-label Perturbation (USP), which pairs a detector with the model to be watermarked, and Customized Soft-label Perturbation (CSP), which embeds the watermark by adding a perturbation to the model's output probability distribution. We achieve 98.68% watermark accuracy while affecting the main task accuracy by only 0.59%.
- Score: 3.3453601632404064
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: With the increasing application value of machine learning, the intellectual property (IP) rights of deep neural networks (DNNs) are receiving more and more attention. Our analysis shows that most existing DNN watermarking methods can resist fine-tuning and pruning attacks, but not distillation attacks. To address this problem, we propose a new DNN watermarking framework: Unified Soft-label Perturbation (USP), which pairs a detector with the model to be watermarked, and Customized Soft-label Perturbation (CSP), which embeds the watermark by adding a perturbation to the model's output probability distribution. Experimental results show that our methods resist all watermark removal attacks and outperform existing methods under distillation attack. Our methods also achieve an excellent trade-off between the main task and watermarking: 98.68% watermark accuracy while affecting the main task accuracy by only 0.59%.
Related papers
- DeepEclipse: How to Break White-Box DNN-Watermarking Schemes [60.472676088146436]
We present obfuscation techniques that significantly differ from the existing white-box watermarking removal schemes.
DeepEclipse can evade watermark detection without prior knowledge of the underlying watermarking scheme.
Our evaluation reveals that DeepEclipse excels in breaking multiple white-box watermarking schemes.
arXiv Detail & Related papers (2024-03-06T10:24:47Z)
- Wide Flat Minimum Watermarking for Robust Ownership Verification of GANs [23.639074918667625]
We propose a novel multi-bit box-free watermarking method for GANs with improved robustness against white-box attacks.
The watermark is embedded by adding an extra watermarking loss term during GAN training.
We show that the presence of the watermark has a negligible impact on the quality of the generated images.
arXiv Detail & Related papers (2023-10-25T18:38:10Z)
- ClearMark: Intuitive and Robust Model Watermarking via Transposed Model Training [50.77001916246691]
This paper introduces ClearMark, the first DNN watermarking method designed for intuitive human assessment.
ClearMark embeds visible watermarks, enabling human decision-making without rigid value thresholds.
It shows an 8,544-bit watermark capacity comparable to the strongest existing work.
arXiv Detail & Related papers (2023-10-25T08:16:55Z)
- Towards Robust Model Watermark via Reducing Parametric Vulnerability [57.66709830576457]
Backdoor-based ownership verification has become popular recently, in which the model owner can watermark the model.
We propose a mini-max formulation to find these watermark-removed models and recover their watermark behavior.
Our method improves the robustness of the model watermarking against parametric changes and numerous watermark-removal attacks.
arXiv Detail & Related papers (2023-09-09T12:46:08Z)
- Safe and Robust Watermark Injection with a Single OoD Image [90.71804273115585]
Training a high-performance deep neural network requires large amounts of data and computational resources.
We propose a safe and robust backdoor-based watermark injection technique.
We induce random perturbation of model parameters during watermark injection to defend against common watermark removal attacks.
arXiv Detail & Related papers (2023-09-04T19:58:35Z)
- DiffWA: Diffusion Models for Watermark Attack [8.102989872457156]
We propose DiffWA, a conditional diffusion model with distance guidance for watermark attack.
The core of our method is training an image-to-image conditional diffusion model on unwatermarked images.
The results show that the model can remove the watermark with good effect and make the bit error rate of watermark extraction higher than 0.4.
arXiv Detail & Related papers (2023-06-22T10:45:49Z)
- On Function-Coupled Watermarks for Deep Neural Networks [15.478746926391146]
We propose a novel DNN watermarking solution that can effectively defend against watermark removal attacks.
Our key insight is to enhance the coupling of the watermark and model functionalities.
Results show a 100% watermark authentication success rate under aggressive watermark removal attacks.
arXiv Detail & Related papers (2023-02-08T05:55:16Z)
- Exploring Structure Consistency for Deep Model Watermarking [122.38456787761497]
The intellectual property (IP) of deep neural networks (DNNs) can be easily "stolen" by surrogate model attack.
We propose a new watermarking methodology, namely "structure consistency", based on which a new deep structure-aligned model watermarking algorithm is designed.
arXiv Detail & Related papers (2021-08-05T04:27:15Z)
- Piracy-Resistant DNN Watermarking by Block-Wise Image Transformation with Secret Key [15.483078145498085]
The proposed method embeds a watermark pattern in a model by using learnable transformed images.
It is piracy-resistant, so the original watermark cannot be overwritten by a pirated watermark.
The results show that it was resilient against fine-tuning and pruning attacks while maintaining a high watermark-detection accuracy.
arXiv Detail & Related papers (2021-04-09T08:21:53Z)
- Fine-tuning Is Not Enough: A Simple yet Effective Watermark Removal Attack for DNN Models [72.9364216776529]
We propose a novel watermark removal attack from a different perspective.
We design a simple yet powerful transformation algorithm by combining imperceptible pattern embedding and spatial-level transformations.
Our attack can bypass state-of-the-art watermarking solutions with very high success rates.
arXiv Detail & Related papers (2020-09-18T09:14:54Z)
This list is automatically generated from the titles and abstracts of the papers in this site.