Ying-Qian Zhang,Yi-Ran Jia,Xingyuan Wang,Qiong Niu,Nian-Dong Chen

DOI: https://doi.org/10.1109/access.2020.3039323

IF: 3.9

2020-01-01

IEEE Access

Abstract:With the rapid development of artificial intelligence, the intellectual property protection of deep learning models appeals widespread concerns of scientists and engineers. The black-box watermarking protection scheme has been favored by many scholars due to its many advantages. The trigger set containing data content and data annotation is the key of black-box watermarking technology. However, most of the trigger sets in literates were constructed by comprehensible features, such as Gaussian noise and badges on original data content. Then, the attacks based on machine learning can obtain the watermarking features and generate fake trigger set. Therefore, fraudulent ownership claim attacks may occur. In this paper, we turn our attention to data annotation and propose a black-box watermarking scheme based on chaotic automatic data annotation. Chaos has superior features, such as the sensitivity of initial value, aperiodic behavior and unpredictability of the chaotic sequence. We applies these chaotic features on data annotation so as to against the fraudulent ownership claim attacks. Firstly, this scheme applies chaotic automatic data annotation, which is time-saving and non-manual labeling. Secondly, chaotic sequences are unpredictable for long-terms, which can break the principle of empirical or statistical machine learning based attacks when chaotic labeling the trigger samples. Thirdly, the initial value and parameters in chaos offer a large range of key space, which can facilitate the commercialization of the intelligent models. The key formulation also guarantees the separation of the secret key and the trigger set. In addition, experiments and simulations show that the scheme is effective, secure and robust. It can resist fine-tuning attacks, compression attacks, fraudulent ownership claim attacks and overwriting attacks.

Xinyun Chen,Wenxiao Wang,Yiming Ding,Chris Bender,R. Jia,Bo Li,D. Song

2019-01-01

Abstract:Deep neural networks have achieved tremendous success in various fields; however, training these models from scratch could be computationally expensive and requires a lot of training data. Therefore, recent work has explored different watermarking techniques to protect the pre-trained deep neural networks from potential copyright infringements. Although several existing techniques could effectively embed such watermarks into the DNNs, they could be vulnerable to adversaries who aim at removing the watermarks. In this work, we demonstrate that a carefullydesigned fine-tuning method enables the adversary with limited training data to effectively remove the watermarks, without compromising the model functionality. In particular, leveraging auxiliary unlabeled data significantly decreases the amount of labeled training data needed for effective watermark removal, even if the unlabeled data samples are not drawn from the same distribution as the benign data for model evaluation.

Dehui Wang,Shuang Zhou,Yingqian Zhang

DOI: https://doi.org/10.1016/j.asoc.2024.112004

IF: 8.7

2024-01-01

Applied Soft Computing

Abstract:With deep learning techniques achieving great results in modern industry, the intellectual property (IP) protection for deep learning models has attracted the attention of academics and engineers. However, training a commercially viable deep learning model usually needs professional resources and time. Once a malicious user clones, illegally distributes and uses the model, it can infringe on the model owner's IP and even steal its market share. Among the existing IP protection methods, scholars prefer the black-box watermarking approaches, of which the content of the trigger set and the label are the key part of the watermarking technique. However, most schemes do not consider the security and invisibility of the trigger set, which allows attackers to easily trigger the model by creating a fake trigger set, thereby committing a fraudulent ownership claim attack and claiming the ownership belongs to themselves. To overcome these drawbacks, we proposed a spatiotemporal chaotic data annotation method. Firstly, the unpredictability and acyclicity of chaos make the model resistant to fraudulent ownership claim attacks, statistical inference and other common machine learning attacks; Secondly, the trigger set and parameters are independent of each other, guaranteeing the security of the key; Thirdly, the spatiotemporal chaotic system provides a large key space, which meets the commercialization needs of deep learning models. Theoretical analysis and experimental results show that our scheme has security, practicality and robustness. To further validate the superiority of the proposed method, we also compare it with the Logistic chaotic annotation watermarking-based method, and the results show that our method performs better in terms of robustness, effectiveness, completeness, fidelity, security and practicality.

Tong Qiao,Yuyan Ma,Ning Zheng,Hanzhou Wu,Yanli Chen,Ming Xu,Xiangyang Luo

DOI: https://doi.org/10.1016/j.cose.2023.103102

2023-01-15

Abstract:With the advance of deep learning, it definitely has achieved the unprecedented success in the community of artificial intelligence. However, the issue of the intellectual property (IP) protection towards deep learning model is usually ignored, which largely threats the interests of the model owner. Currently, although a few schemes of model watermarking have been continuously proposed, in order to protect the specific neural network designed for detection or classification task, most of them are hardly directly applicable to generative adversarial networks (GAN). To our knowledge, the GAN model has plays more and more important role in the computer vision, such as image-to-image translation, text-to-image translation, image inpainting and etc., which remarkably improves the capability of image generation. Similarly, the malicious attackers possibly steal a trained GAN model to infringe the IP of the true model owner. To address that challenging issue, it is proposed to establish the framework of model watermarking towards GAN model. In particular, we first establish the trigger set by combining the watermark label with the verification image. Next, the watermarked generator is efficiently trained on the premise of preserving the original model performance. Finally, only relying on the correct watermark label, the synthetic watermark can be successfully triggered by the model owner for IP protection. The extensive experiments have verified the effectiveness and generalization of our designed method, which can easily be applicable to the benchmark GAN models such as WGAN-GP, ProGAN and StyleGAN2. Moreover, our proposed model watermark is robust enough to resist against the mainstream attacks, such as parameter fine-tuning and model pruning.

computer science, information systems

Xiuli Chai,Zongwei Tang,Zhihua Gan,Yang Lu,Binjie Wang,Yushu Zhang

DOI: https://doi.org/10.1016/j.bspc.2023.105877

IF: 5.1

2024-01-01

Biomedical Signal Processing and Control

Abstract:The development of the Internet of Medical Things heavily relies on big data, and data security based on medical images has become a growing concern in society. Digital watermarking serves as a crucial technique for protecting and tracing medical image data copyright, as well as enabling forensic analysis. However, existing deep watermarking methods often neglect the protection of watermarks after extraction, leading to potential copyright disputes. To address this issue, this paper proposes SE-NDEND, a novel symmetric watermarking framework with neural network-based chaotic encryption for the Internet of Medical Things that significantly enhances the effectiveness and security of watermarking while maintaining robustness. Specifically, the SE-NDEND leverages neural networks to simulate chaotic systems and generate chaotic sequences, mitigating the complexity and high cost of implementing chaotic systems using hardware circuits. Moreover, we introduce a new noise layer with Moire ' distortion that interacts with the decoder, forming a symmetric network structure that bolsters the robustness of watermarking. Parameters are jointly trained and shared during the training process to counteract potential interference from the noise layer. Experimental results validate the effectiveness of SE-NDEND in enhancing copyright protection, traceability, and forensic capabilities, surpassing existing deep learning methods in terms of visual quality (with PSNR of 45.8492 dB and SSIM of 0.9874), security, and robustness. The proposed framework can find application in protecting medical image data in the Internet of Medical Things.

Huanjie Lin,Shuyuan Shen,Haojie Lyu

DOI: https://doi.org/10.1007/s11042-023-15980-z

IF: 2.577

2024-01-01

Multimedia Tools and Applications

Abstract:As deep learning technology matures, it’s being widely deployed in fields like image classification and speech recognition. However, training a functional deep learning model requires vast computing power and a large training dataset, leading to the emergence of a new business model of selling pre-trained models. However, these models are highly susceptible to theft, which poses a threat to the interests of their creators. Moreover, the network topology and weight parameters are considered intellectual property. To address these challenges, a method that can tag trained models to claim ownership without affecting their performance is necessary. Therefore, we propose a novel neural network watermarking protocol. In this method, the trigger set is constructed differently from previous methods by using a key obtained from the authority to generate a scrambling sequence, followed by using the sequence to scramble the pixels and assign their original labels. Finally, the trigger set is put into the network training together with the original training set to complete the watermark embedding. Since Logistic chaos mapping is nonlinear, unpredictable, and sensitive to initial values, we use Logistic chaos mapping as the generation method of dislocation sequence. We involve a third-party copyright center in the embedding process to prevent forgery attacks. The third-party only needs to store the disruption key and timestamp for each owner, reducing their storage burden. Our experimental results demonstrate that the ResNet model exhibits a mere 0.05 percentage point decrease in accuracy when using fine-tuning for watermark embedding, and a mere 0.03 percentage point decrease when using the training-from-scratch method. On the other hand, when using the SENet model, embedding watermarks via fine-tuning resulted in a 1.35 percentage point decrease in classification accuracy, while embedding watermarks from training-from-scratch resulted in a 0.94 percentage point increase in classification accuracy. Furthermore, our model exhibited robustness against various attacks in the robustness experiments, including model fine-tuning, model compression, and watermark overlay.

Chaoyue Huang,Hanzhou Wu

2025-01-02

Abstract:Watermarking deep neural network (DNN) models has attracted a great deal of attention and interest in recent years because of the increasing demand to protect the intellectual property of DNN models. Many practical algorithms have been proposed by covertly embedding a secret watermark into a given DNN model through either parametric/structural modulation or backdooring against intellectual property infringement from the attacker while preserving the model performance on the original task. Despite the performance of these approaches, the lack of basic research restricts the algorithmic design to either a trial-based method or a data-driven technique. This has motivated the authors in this paper to introduce a game between the model attacker and the model defender for trigger-based black-box model watermarking. For each of the two players, we construct the payoff function and determine the optimal response, which enriches the theoretical foundation of model watermarking and may inspire us to develop novel schemes in the future.

Cryptography and Security

Dehui Wang,Jinfu Liu,Yingqian Zhang,Nian Zhang,Xingyuan Wang

DOI: https://doi.org/10.2174/2210298102666220411113929

2022-01-01

Current Chinese Science

Abstract:Background: Face recognition which belongs to biometric recognition has great application value. Nowadays, face recognition based on deep learning has been widely used in many fields such as internet payment, network login and authentication. However, the face recognition deep learning model are easily replaced and tampered with. Once the models are illegally attacked, it will infringe the intellectual property rights of the model owner and cause economic losses. To deal with these threats, we use watermarking technology to add identity into the face recognition deep learning model. When it is replaced or tampered with, we can prove that the model belongs to us by extracting the watermarks. Objective: In this study, our innovate framework is designed to add watermarks into the face recognition deep learning model as identity, which makes it have features of both trigger sets and data sets. The model will be robust enough to resist common machine learning attacks. With special watermarks, its ownership can be guaranteed. Method: We construct a special watermark trigger set and embed it into the model, which makes it trained without human intervention and annotation. To be flexible for a variety of applications, this scheme uses chaotic sequences to label a watermark trigger set, which guarantees the non-generalization of the watermark. The initial value and parameters used in the method are designed respectively as key to the model. We train 4 models with different number of trigger samples, which is used to study the effect of the number of trigger samples on the model accuracy. Results: We successfully propose a watermarking method for adding identity to the face recognition deep learning model. Watermark extraction rate of the proposed framework is 100%, which means our method can successfully prove ownership of the face recognition deep learning model. In destructive experiments, Models subject to fine-tuning attack still have high face recognition rates which are over 99.00%, and extraction rates of watermarks of each model is 100%. Under overwriting attack, the extraction rates of watermarks of models are less than 25%, models cannot maintain the original performance, which means that watermarks can provide protection until the model loses its ability. The experimental results indicate that the proposed scheme is robust against common machine learning attacks and it prevent the model from being replaced and tempering with. Conclusion: The robustness of the proposed method is capable of resisting machine learning attacks and fine-tuning attacks. It also provides good fidelity, safety, practicality, completeness and effectiveness. With the help of special watermarks, related departments can effectively manage face recognition deep learning models. Besides, it can facilitate the commercialization of intelligent models.

Wei Zhang,Wenxue Cui,Feng Jiang,Chifu Yang,Ran Li

DOI: https://doi.org/10.1109/trustcom53373.2021.00028

2021-01-01

Abstract:Deep neural network (DNN), as a key component of deep learning technology, plays a vital role in its development. Most major technology companies use deep neural network as a key component to build their artificial intelligence products and service. Building a deep neural network model requires us to pay a huge price: large-scale labeled data sets, a large number of computing resources, and highly specialized domain knowledge. Therefore, we believe that the model owner owns the intellectual property rights of the model, and it is very important to design a technology that protects the intellectual property rights of the deep neural network model and allows the owner to externally verify its copyright. Through statistical analysis of a large number of pre-trained network parameters, we propose an end-to-end network model protection framework-Deep Water based on the distribution of network model parameters. First, we propose a new research problem: embedding watermarks into deep neural networks. We also define the requirements for watermarking in deep neural networks, the embedding situation, and the types of attacks. Secondly, we propose a general framework for embedding the watermark into the parameter distribution function of each layer of the convolutional network. Our method does not harm the performance of the network where the watermark is placed, because the watermark is embedded when the host network is trained. Finally, we conducted a comprehensive experiment to reveal the potential of watermarking deep neural networks as the basis for this new research work. We proved that our framework can embed watermarks in the process of training deep neural networks from scratch and in the process of fine-tuning and distillation without compromising its performance. Even after migration learning and watermark overlay operations, the embedded watermark will not disappear. Even if 65% of the parameters are trimmed, the watermark remains intact.

Hongyu Zhu,Sichu Liang,Wentao Hu,Fangqi Li,Ju Jia,Shilin Wang

2024-04-21

Abstract:With the rise of Machine Learning as a Service (MLaaS) platforms,safeguarding the intellectual property of deep learning models is becoming paramount. Among various protective measures, trigger set watermarking has emerged as a flexible and effective strategy for preventing unauthorized model distribution. However, this paper identifies an inherent flaw in the current paradigm of trigger set watermarking: evasion adversaries can readily exploit the shortcuts created by models memorizing watermark samples that deviate from the main task distribution, significantly impairing their generalization in adversarial settings. To counteract this, we leverage diffusion models to synthesize unrestricted adversarial examples as trigger sets. By learning the model to accurately recognize them, unique watermark behaviors are promoted through knowledge injection rather than error memorization, thus avoiding exploitable shortcuts. Furthermore, we uncover that the resistance of current trigger set watermarking against removal attacks primarily relies on significantly damaging the decision boundaries during embedding, intertwining unremovability with adverse impacts. By optimizing the knowledge transfer properties of protected models, our approach conveys watermark behaviors to extraction surrogates without aggressively decision boundary perturbation. Experimental results on CIFAR-10/100 and Imagenette datasets demonstrate the effectiveness of our method, showing not only improved robustness against evasion adversaries but also superior resistance to watermark removal attacks compared to state-of-the-art solutions.

Cryptography and Security,Artificial Intelligence

Arpit Bansal,Ping-yeh Chiang,Michael Curry,Rajiv Jain,Curtis Wigington,Varun Manjunatha,John P Dickerson,Tom Goldstein

DOI: https://doi.org/10.48550/arXiv.2207.07972

2022-07-17

Abstract:Watermarking is a commonly used strategy to protect creators' rights to digital images, videos and audio. Recently, watermarking methods have been extended to deep learning models -- in principle, the watermark should be preserved when an adversary tries to copy the model. However, in practice, watermarks can often be removed by an intelligent adversary. Several papers have proposed watermarking methods that claim to be empirically resistant to different types of removal attacks, but these new techniques often fail in the face of new or better-tuned adversaries. In this paper, we propose a certifiable watermarking method. Using the randomized smoothing technique proposed in Chiang et al., we show that our watermark is guaranteed to be unremovable unless the model parameters are changed by more than a certain l2 threshold. In addition to being certifiable, our watermark is also empirically more robust compared to previous watermarking methods. Our experiments can be reproduced with code at <a class="link-external link-https" href="https://github.com/arpitbansal297/Certified_Watermarks" rel="external noopener nofollow">this https URL</a>

Machine Learning,Cryptography and Security

Na Zhao,Kejiang Chen,Weiming Zhang,Nenghai Yu

DOI: https://doi.org/10.48550/arXiv.2312.06488

2024-04-14

Abstract:With the development of deep learning, high-value and high-cost models have become valuable assets, and related intellectual property protection technologies have become a hot topic. However, existing model watermarking work in black-box scenarios mainly originates from training-based backdoor methods, which probably degrade primary task performance. To address this, we propose a branch backdoor-based model watermarking protocol to protect model intellectual property, where a construction based on a message authentication scheme is adopted as the branch indicator after a comparative analysis with secure cryptographic technologies primitives. We prove the lossless performance of the protocol by reduction. In addition, we analyze the potential threats to the protocol and provide a secure and feasible watermarking instance for language models.

Cryptography and Security

Jie Zhang,Dongdong Chen,Jing Liao,Weiming Zhang,Huamin Feng,Gang Hua,Nenghai Yu

DOI: https://doi.org/10.1109/tpami.2021.3064850

IF: 23.6

2022-01-01

IEEE Transactions on Pattern Analysis and Machine Intelligence

Abstract:Despite the tremendous success, deep neural networks are exposed to serious IP infringement risks. Given a target deep model, if the attacker knows its full information, it can be easily stolen by fine-tuning. Even if only its output is accessible, a surrogate model can be trained through student-teacher learning by generating many input-output training pairs. Therefore, deep model IP protection is important and necessary. However, it is still seriously under-researched. In this work, we propose a new model watermarking framework for protecting deep networks trained for low-level computer vision or image processing tasks. Specifically, a special task-agnostic barrier is added after the target model, which embeds a unified and invisible watermark into its outputs. When the attacker trains one surrogate model by using the input-output pairs of the barrier target model, the hidden watermark will be learned and extracted afterwards. To enable watermarks from binary bits to high-resolution images, a deep invisible watermarking mechanism is designed. By jointly training the target model and watermark embedding, the extra barrier can even be absorbed into the target model. Through extensive experiments, we demonstrate the robustness of the proposed framework, which can resist attacks with different network structures and objective functions.

Mikhail Pautov,Nikita Bogdanov,Stanislav Pyatkin,Oleg Rogov,Ivan Oseledets

2024-09-19

Abstract:As deep learning (DL) models are widely and effectively used in Machine Learning as a Service (MLaaS) platforms, there is a rapidly growing interest in DL watermarking techniques that can be used to confirm the ownership of a particular model. Unfortunately, these methods usually produce watermarks susceptible to model stealing attacks. In our research, we introduce a novel trigger set-based watermarking approach that demonstrates resilience against functionality stealing attacks, particularly those involving extraction and distillation. Our approach does not require additional model training and can be applied to any model architecture. The key idea of our method is to compute the trigger set, which is transferable between the source model and the set of proxy models with a high probability. In our experimental study, we show that if the probability of the set being transferable is reasonably high, it can be effectively used for ownership verification of the stolen model. We evaluate our method on multiple benchmarks and show that our approach outperforms current state-of-the-art watermarking techniques in all considered experimental setups.

Cryptography and Security,Artificial Intelligence

Jian Zhao,Mingquan Zhou,Hongmei Xie,Jinye Peng,Xin Zhou

DOI: https://doi.org/10.1007/978-3-540-28648-6_106

2004-01-01

Abstract:Digital watermarks have been proposed in recent literature as a means for copyright protection of multimedia data. In the absence of standardization and specific requirements imposed on watermarking procedures, anyone can claim ownership of any watermarked images. In order to protect against these counterfeiting techniques, we examine the properties that are necessary for resolving ownership via invisible watermarking. A method for watermarking of chaos and neural network is proposed in this paper. The watermark is embedded in the wavelet descriptors. Watermarks generated by this nonlinear technique can be successfully detected even after rotation, translation, scaling. And watermarks of our scheme are good at protecting from many kind watermark attacks. The experimental results demonstrate that the watermark is useful and practical.

Meng Li,Qi Zhong,Leo Yu Zhang,Yajuan Du,Jun Zhang,Yong Xiangt,Yong Xiang

DOI: https://doi.org/10.1109/trustcom50675.2020.00062

2020-12-01

Abstract:Similar to other digital assets, deep neural network (DNN) models could suffer from piracy threat initiated by insider and/or outsider adversaries due to their inherent commercial value. DNN watermarking is a promising technique to mitigate this threat to intellectual property. This work focuses on black-box DNN watermarking, with which an owner can only verify his ownership by issuing special trigger queries to a remote suspicious model. However, informed attackers, who are aware of the watermark and somehow obtain the triggers, could forge fake triggers to claim their ownerships since the poor robustness of triggers and the lack of correlation between the model and the owner identity. This consideration calls for new watermarking methods that can achieve better trade-off for addressing the discrepancy. In this paper, we exploit frequency domain image watermarking to generate triggers and build our DNN watermarking algorithm accordingly. Since watermarking in the frequency domain is high concealment and robust to signal processing operation, the proposed algorithm is superior to existing schemes in resisting fraudulent claim attack. Besides, extensive experimental results on 3 datasets and 8 neural networks demonstrate that the proposed DNN watermarking algorithm achieves similar performance on functionality metrics and better performance on security metrics when compared with existing algorithms.

Huiying Li,Emily Willson,Hai-Tao Zheng,Ben Y. Zhao

2019-01-01

Abstract:As companies continue to invest heavily in larger, more accurate and more robust deep learning models, they are exploring approaches to monetize their models while protecting their intellectual property. Model licensing is promising, but requires a robust tool for owners to claim ownership of models, i.e. a watermark. Unfortunately, current designs have not been able to address piracy attacks, where third parties falsely claim model ownership by embedding their own into an already-watermarked model. We observe that resistance to piracy attacks is fundamentally at odds with the current use of incremental training to embed watermarks into models. In this work, we propose null embedding, a new way to build piracy-resistant watermarks into DNNs that can only take place at a model's initial training. A null embedding takes a bit string (watermark value) as input, and builds strong dependencies between the model's normal classification accuracy and the watermark. As a result, attackers cannot remove an embedded watermark via tuning or incremental training, and cannot add new pirate watermarks to already watermarked models. We empirically show that our proposed watermarks achieve piracy resistance and other watermark properties, over a wide range of tasks and models. Finally, we explore a number of adaptive counter-measures, and show our watermark remains robust against a variety of model modifications, including model fine-tuning, compression, and existing methods to detect/remove backdoors. Our watermarked models are also amenable to transfer learning without losing their watermark properties.

Renjie Zhu,Ping Wei,Sheng Li,Zhaoxia Yin,Xinpeng Zhang,Zhenxing Qian

DOI: https://doi.org/10.1007/978-3-030-82136-4_23

2021-01-01

Abstract:Recent studies show that deep neural networks are vulnerable to data poisoning and backdoor attacks, both of which involve malicious fine tuning of deep models. In this paper, we first propose a blackbox based fragile neural network watermarking method for the detection of malicious fine tuning. The watermarking process can be divided into three steps. Firstly, a set of trigger images is constructed based on a user-specific secret key. Then, a well trained DNN model is fine-tuned to classify the normal images in training set and trigger images in trigger set simultaneously in a two-stage alternate training manner. Fragile watermark is embedded by this means while keeping model's original classification ability. The watermarked model is sensitive to malicious fine tuning and will produce unstable classification results of the trigger images. At last, the integrity of the network model can be verified by analyzing the output of watermarked model with the trigger image set as input. The experiments on three benchmark datasets demonstrate that our proposed watermarking method is effective in detecting malicious fine tuning.

Yuxuan Li,Sarthak Kumar Maharana,Yunhui Guo

2024-07-19

Abstract:With the increasing prevalence of Machine Learning as a Service (MLaaS) platforms, there is a growing focus on deep neural network (DNN) watermarking techniques. These methods are used to facilitate the verification of ownership for a target DNN model to protect intellectual property. One of the most widely employed watermarking techniques involves embedding a trigger set into the source model. Unfortunately, existing methodologies based on trigger sets are still susceptible to functionality-stealing attacks, potentially enabling adversaries to steal the functionality of the source model without a reliable means of verifying ownership. In this paper, we first introduce a novel perspective on trigger set-based watermarking methods from a feature learning perspective. Specifically, we demonstrate that by selecting data exhibiting multiple features, also referred to as \emph{multi-view data}, it becomes feasible to effectively defend functionality stealing attacks. Based on this perspective, we introduce a novel watermarking technique based on Multi-view dATa, called MAT, for efficiently embedding watermarks within DNNs. This approach involves constructing a trigger set with multi-view data and incorporating a simple feature-based regularization method for training the source model. We validate our method across various benchmarks and demonstrate its efficacy in defending against model extraction attacks, surpassing relevant baselines by a significant margin. The code is available at: \href{<a class="link-external link-https" href="https://github.com/liyuxuan-github/MAT" rel="external noopener nofollow">this https URL</a>}{<a class="link-external link-https" href="https://github.com/liyuxuan-github/MAT" rel="external noopener nofollow">this https URL</a>}.

Cryptography and Security,Computer Vision and Pattern Recognition,Machine Learning

Xuankai Liu,Fengting Li,Bihan Wen,Qi Li

DOI: https://doi.org/10.1109/icpr48806.2021.9412684

2020-01-01

Abstract:Deep neural networks have been widely applied and achieved great success in various fields. As training deep models usually consumes massive data and computational resources, trading the trained deep models is highly demanded and lucrative nowadays. Unfortunately, the naive trading schemes typically involves potential risks related to copyright and trustworthiness issues, e.g., a sold model can be illegally resold to others without further authorization to reap huge profits. To tackle this problem, various watermarking techniques are proposed to protect the model intellectual property, amongst which the backdoor-based watermarking is the most commonly-used one. However, the robustness of these watermarking approaches is not well evaluated under realistic settings, such as limited in-distribution data availability and agnostic of watermarking patterns. In this paper, we benchmark the robustness of watermarking, and propose a novel backdoor-based watermark removal framework using limited data, dubbed WILD. The proposed WILD removes the watermarks of deep models with only a small portion of training data, and the output model can perform the same as models trained from scratch without watermarks injected. In particular, a novel data augmentation method is utilized to mimic the behavior of watermark triggers. Combining with the distribution alignment between the normal and perturbed (e.g., occluded) data in the feature space, our approach generalizes well on all typical types of trigger contents. The experimental results demonstrate that our approach can effectively remove the watermarks without compromising the deep model performance for the original task with the limited access to training data.