On Function-Coupled Watermarks for Deep Neural Networks
- URL: http://arxiv.org/abs/2302.10296v3
- Date: Sat, 1 Apr 2023 16:27:00 GMT
- Title: On Function-Coupled Watermarks for Deep Neural Networks
- Authors: Xiangyu Wen, Yu Li, Wei Jiang, Qiang Xu
- Abstract summary: We propose a novel DNN watermarking solution that can effectively defend against watermark removal attacks.
Our key insight is to enhance the coupling of the watermark and model functionalities.
Results show a 100% watermark authentication success rate under aggressive watermark removal attacks.
- Score: 15.478746926391146
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Well-performing deep neural networks (DNNs) generally require massive labelled
data and computational resources for training. Various watermarking techniques
are proposed to protect such intellectual properties (IPs), wherein the DNN
providers implant secret information into the model so that they can later
claim IP ownership by retrieving their embedded watermarks with some dedicated
trigger inputs. While promising results are reported in the literature,
existing solutions suffer from watermark removal attacks, such as model
fine-tuning and model pruning.
In this paper, we propose a novel DNN watermarking solution that can
effectively defend against the above attacks. Our key insight is to enhance the
coupling of the watermark and model functionalities such that removing the
watermark would inevitably degrade the model's performance on normal inputs. To
this end, unlike previous methods relying on secret features learnt from
out-of-distribution data, our method only uses features learnt from
in-distribution data. Specifically, on the one hand, we propose to sample
inputs from the original training dataset and fuse them as watermark triggers.
On the other hand, we randomly mask model weights during training so that the
information of our embedded watermarks spreads in the network. By doing so,
model fine-tuning/pruning would not forget our function-coupled watermarks.
Evaluation results on various image classification tasks show a 100% watermark
authentication success rate under aggressive watermark removal attacks,
significantly outperforming existing solutions. Code is available:
https://github.com/cure-lab/Function-Coupled-Watermark.
Related papers
- Towards Robust Model Watermark via Reducing Parametric Vulnerability [57.66709830576457]
Backdoor-based ownership verification has recently become popular; in it, the model owner can watermark the model.
We propose a mini-max formulation to find these watermark-removed models and recover their watermark behavior.
Our method improves the robustness of the model watermarking against parametric changes and numerous watermark-removal attacks.
arXiv Detail & Related papers (2023-09-09T12:46:08Z)
- Safe and Robust Watermark Injection with a Single OoD Image [90.71804273115585]
Training a high-performance deep neural network requires large amounts of data and computational resources.
We propose a safe and robust backdoor-based watermark injection technique.
We induce random perturbation of model parameters during watermark injection to defend against common watermark removal attacks.
arXiv Detail & Related papers (2023-09-04T19:58:35Z)
- Exploring Structure Consistency for Deep Model Watermarking [122.38456787761497]
The intellectual property (IP) of deep neural networks (DNNs) can be easily "stolen" by surrogate model attack.
We propose a new watermarking methodology, namely "structure consistency", based on which a new deep structure-aligned model watermarking algorithm is designed.
arXiv Detail & Related papers (2021-08-05T04:27:15Z)
- Reversible Watermarking in Deep Convolutional Neural Networks for Integrity Authentication [78.165255859254]
We propose a reversible watermarking algorithm for integrity authentication.
The influence of embedding reversible watermarking on the classification performance is less than 0.5%.
At the same time, the integrity of the model can be verified by applying the reversible watermarking.
arXiv Detail & Related papers (2021-04-09T09:32:21Z)
- Piracy-Resistant DNN Watermarking by Block-Wise Image Transformation with Secret Key [15.483078145498085]
The proposed method embeds a watermark pattern in a model by using learnable transformed images.
It is piracy-resistant, so the original watermark cannot be overwritten by a pirated watermark.
The results show that it was resilient against fine-tuning and pruning attacks while maintaining a high watermark-detection accuracy.
arXiv Detail & Related papers (2021-04-09T08:21:53Z)
- Robust Black-box Watermarking for Deep Neural Network using Inverse Document Frequency [1.2502377311068757]
We propose a framework for watermarking a deep neural network (DNN) model designed for a textual domain.
The proposed embedding procedure takes place at the model's training time, making the watermark verification stage straightforward.
The experimental results show that watermarked models have the same accuracy as the original ones.
arXiv Detail & Related papers (2021-03-09T17:56:04Z)
- Don't Forget to Sign the Gradients! [60.98885980669777]
We present GradSigns, a novel watermarking framework for deep neural networks (DNNs).
arXiv Detail & Related papers (2021-03-05T14:24:32Z)
- Fine-tuning Is Not Enough: A Simple yet Effective Watermark Removal Attack for DNN Models [72.9364216776529]
We propose a novel watermark removal attack from a different perspective.
We design a simple yet powerful transformation algorithm by combining imperceptible pattern embedding and spatial-level transformations.
Our attack can bypass state-of-the-art watermarking solutions with very high success rates.
arXiv Detail & Related papers (2020-09-18T09:14:54Z)
- Removing Backdoor-Based Watermarks in Neural Networks with Limited Data [26.050649487499626]
Trading deep models is highly demanded and lucrative nowadays.
Naive trading schemes typically involve potential risks related to copyright and trustworthiness issues.
We propose a novel backdoor-based watermark removal framework using limited data, dubbed WILD.
arXiv Detail & Related papers (2020-08-02T06:25:26Z)
This list is automatically generated from the titles and abstracts of the papers in this site.