Tong Qiao,Yuyan Ma,Ning Zheng,Hanzhou Wu,Yanli Chen,Ming Xu,Xiangyang Luo

DOI: https://doi.org/10.1016/j.cose.2023.103102

2023-01-15

Abstract:With the advance of deep learning, it definitely has achieved the unprecedented success in the community of artificial intelligence. However, the issue of the intellectual property (IP) protection towards deep learning model is usually ignored, which largely threats the interests of the model owner. Currently, although a few schemes of model watermarking have been continuously proposed, in order to protect the specific neural network designed for detection or classification task, most of them are hardly directly applicable to generative adversarial networks (GAN). To our knowledge, the GAN model has plays more and more important role in the computer vision, such as image-to-image translation, text-to-image translation, image inpainting and etc., which remarkably improves the capability of image generation. Similarly, the malicious attackers possibly steal a trained GAN model to infringe the IP of the true model owner. To address that challenging issue, it is proposed to establish the framework of model watermarking towards GAN model. In particular, we first establish the trigger set by combining the watermark label with the verification image. Next, the watermarked generator is efficiently trained on the premise of preserving the original model performance. Finally, only relying on the correct watermark label, the synthetic watermark can be successfully triggered by the model owner for IP protection. The extensive experiments have verified the effectiveness and generalization of our designed method, which can easily be applicable to the benchmark GAN models such as WGAN-GP, ProGAN and StyleGAN2. Moreover, our proposed model watermark is robust enough to resist against the mainstream attacks, such as parameter fine-tuning and model pruning.

computer science, information systems

Mingfu Xue,Shichang Sun,Yushu Zhang,Jian Wang,Weiqiang Liu

DOI: https://doi.org/10.1007/s10489-022-03339-0

IF: 5.3

2022-03-24

Applied Intelligence

Abstract:Recently, the intellectual properties (IP) protection of deep neural networks (DNN) has attracted serious concerns. A number of DNN copyright protection methods have been proposed. However, most of the existing DNN watermarking methods can only verify the ownership of the model after the piracy occurs, which cannot actively prevent the occurrence of the piracy and do not support users' identities management, thus can not satisfy the requirements of commercial DNN copyright management. In addition, the query modification attack which was proposed recently can invalidate most of the existing backdoor-based DNN watermarking methods. In this paper, we propose an active intellectual properties protection technique for DNN models via stealthy backdoor and users' identities authentication. For the first time, we use a set of clean images (as the watermark key samples) to embed an additional class into the DNN for ownership verification, and use the image steganography to embed users' identity information into these watermark key images. Each user will be assigned with a unique identity image for identity authentication and authorization control. Since the backdoor instances are clean images outside the dataset, the backdoor trigger is visually imperceptible and concealed. In addition, we embed the watermark by exploiting an additional class outside the main tasks, which establishes a strong connection for watermark key samples and the corresponding label. As a result, the proposed method is concealed, robust, and can resist common attacks and query modification attack. Experimental results demonstrate that, the proposed method can obtain 100% watermark accuracy and 100% fingerprint authentication success rate on Fashion-MNIST and CIFAR-10 datasets. In addition, the proposed method is demonstrated to be robust against the model fine-tuning attack, model pruning attack, and query modification attack. Compared with three existing DNN watermarking methods, the proposed method has better performance on watermark accuracy and robustness against the query modification attack.

computer science, artificial intelligence

Zhihua Gan,Yuhao Zhong

DOI: https://doi.org/10.1007/978-3-030-87571-8_35

2021-01-01

Abstract:Steganography is an effective technique in the field of information hiding that typically involves embedding secret information into an image to resist steganalysis detection. In recent years, several works on image steganography based on deep learning have been presented, but these works still have issues with steganographic image and revealed image quality, invisibility, and security. In this paper, a novel grayscale image steganography via generative adversarial network is proposed. To boost the invisibility of the model, we construct an encoding network, which is comprised of a secret image feature extraction module and an integration module that conceals a grayscale secret image into another color cover image of the same size. Moreover, considering the security of the model, adversarial training between the encoding-decoding network and the steganalyzer is used. As compared to state-of-the-art steganography models, experimental results show that our proposed steganography scheme not only has higher peak signal-to-noise ratio and structural similarity index but also better invisibility.

Masoumeh Shafieinejad,Jiaqi Wang,Nils Lukas,Xinda Li,Florian Kerschbaum

DOI: https://doi.org/10.48550/arXiv.1906.07745

2019-11-26

Abstract:Obtaining the state of the art performance of deep learning models imposes a high cost to model generators, due to the tedious data preparation and the substantial processing requirements. To protect the model from unauthorized re-distribution, watermarking approaches have been introduced in the past couple of years. We investigate the robustness and reliability of state-of-the-art deep neural network watermarking schemes. We focus on backdoor-based watermarking and propose two -- a black-box and a white-box -- attacks that remove the watermark. Our black-box attack steals the model and removes the watermark with minimum requirements; it just relies on public unlabeled data and a black-box access to the classification label. It does not need classification confidences or access to the model's sensitive information such as the training data set, the trigger set or the model parameters. The white-box attack, proposes an efficient watermark removal when the parameters of the marked model are available; our white-box attack does not require access to the labeled data or the trigger set and improves the runtime of the black-box attack up to seventeen times. We as well prove the security inadequacy of the backdoor-based watermarking in keeping the watermark undetectable by proposing an attack that detects whether a model contains a watermark. Our attacks show that a recipient of a marked model can remove a backdoor-based watermark with significantly less effort than training a new model and some other techniques are needed to protect against re-distribution by a motivated attacker.

Machine Learning,Cryptography and Security

Kangli Hao,Guorui Feng,Xinpeng Zhang

DOI: https://doi.org/10.23919/jcc.2020.11.012

2020-01-01

China Communications

Abstract:Digital watermark embeds information bits into digital cover such as images and videos to prove the creator’s ownership of his work. In this paper, we propose a robust image watermark algorithm based on a generative adversarial network. This model includes two modules, generator and adversary. Generator is mainly used to generate images embedded with watermark, and decode the image damaged by noise to obtain the watermark. Adversary is used to discriminate whether the image is embedded with watermark and damage the image by noise. Based on the model Hidden（hiding data with deep networks）, we add a high-pass filter in front of the discriminator, making the watermark tend to be embedded in the mid-frequency region of the image. Since the human visual system pays more attention to the central area of the image, we give a higher weight to the image center region, and a lower weight to the edge region when calculating the loss between cover and embedded image. The watermarked image obtained by this scheme has a better visual performance. Experimental results show that the proposed architecture is more robust against noise interference compared with the state-of-art schemes.

Shichang Sun,Mingfu Xue,Jian Wang,Weiqiang Liu

DOI: https://doi.org/10.1007/s10489-022-03339-0

2021-04-19

Abstract:Recently, the research on protecting the intellectual properties (IP) of deep neural networks (DNN) has attracted serious concerns. A number of DNN copyright protection methods have been proposed. However, most of the existing watermarking methods focus on verifying the copyright of the model, which do not support the authentication and management of users' fingerprints, thus can not satisfy the requirements of commercial copyright protection. In addition, the query modification attack which was proposed recently can invalidate most of the existing backdoor-based watermarking methods. To address these challenges, in this paper, we propose a method to protect the intellectual properties of DNN models by using an additional class and steganographic images. Specifically, we use a set of watermark key samples to embed an additional class into the DNN, so that the watermarked DNN will classify the watermark key sample as the predefined additional class in the copyright verification stage. We adopt the least significant bit (LSB) image steganography to embed users' fingerprints into watermark key images. Each user will be assigned with a unique fingerprint image so that the user's identity can be authenticated later. Experimental results demonstrate that, the proposed method can protect the copyright of DNN models effectively. On Fashion-MNIST and CIFAR-10 datasets, the proposed method can obtain 100% watermark accuracy and 100% fingerprint authentication success rate. In addition, the proposed method is demonstrated to be robust to the model fine-tuning attack, model pruning attack, and the query modification attack. Compared with three existing watermarking methods (the logo-based, noise-based, and adversarial frontier stitching watermarking methods), the proposed method has better performance on watermark accuracy and robustness against the query modification attack.

Artificial Intelligence

Xuandong Zhao,Kexun Zhang,Zihao Su,Saastha Vasan,Ilya Grishchenko,Christopher Kruegel,Giovanni Vigna,Yu-Xiang Wang,Lei Li

2024-11-01

Abstract:Invisible watermarks safeguard images' copyrights by embedding hidden messages only detectable by owners. They also prevent people from misusing images, especially those generated by AI models. We propose a family of regeneration attacks to remove these invisible watermarks. The proposed attack method first adds random noise to an image to destroy the watermark and then reconstructs the image. This approach is flexible and can be instantiated with many existing image-denoising algorithms and pre-trained generative models such as diffusion models. Through formal proofs and extensive empirical evaluations, we demonstrate that pixel-level invisible watermarks are vulnerable to this regeneration attack. Our results reveal that, across four different pixel-level watermarking schemes, the proposed method consistently achieves superior performance compared to existing attack techniques, with lower detection rates and higher image quality. However, watermarks that keep the image semantically similar can be an alternative defense against our attacks. Our finding underscores the need for a shift in research/industry emphasis from invisible watermarks to semantic-preserving watermarks. Code is available at <a class="link-external link-https" href="https://github.com/XuandongZhao/WatermarkAttacker" rel="external noopener nofollow">this https URL</a>

Cryptography and Security,Artificial Intelligence,Computer Vision and Pattern Recognition

Yuexin Xiang,Tiantian Li,Wei Ren,Tianqing Zhu,Kim-Kwang Raymond Choo

DOI: https://doi.org/10.1016/j.jisa.2023.103662

2022-08-04

Abstract:With the increasing attention to deep neural network (DNN) models, attacks are also upcoming for such models. For example, an attacker may carefully construct images in specific ways (also referred to as adversarial examples) aiming to mislead the DNN models to output incorrect classification results. Similarly, many efforts are proposed to detect and mitigate adversarial examples, usually for certain dedicated attacks. In this paper, we propose a novel digital watermark-based method to generate image adversarial examples to fool DNN models. Specifically, partial main features of the watermark image are embedded into the host image almost invisibly, aiming to tamper with and damage the recognition capabilities of the DNN models. We devise an efficient mechanism to select host images and watermark images and utilize the improved discrete wavelet transform (DWT) based Patchwork watermarking algorithm with a set of valid hyperparameters to embed digital watermarks from the watermark image dataset into original images for generating image adversarial examples. The experimental results illustrate that the attack success rate on common DNN models can reach an average of 95.47% on the CIFAR-10 dataset and the highest at 98.71%. Besides, our scheme is able to generate a large number of adversarial examples efficiently, concretely, an average of 1.17 seconds for completing the attacks on each image on the CIFAR-10 dataset. In addition, we design a baseline experiment using the watermark images generated by Gaussian noise as the watermark image dataset that also displays the effectiveness of our scheme. Similarly, we also propose the modified discrete cosine transform (DCT) based Patchwork watermarking algorithm. To ensure repeatability and reproducibility, the source code is available on GitHub.

Computer Vision and Pattern Recognition,Cryptography and Security

Guang Hua,Andrew Beng Jin Teoh,Yong Xiang,Hao Jiang

DOI: https://doi.org/10.1109/tnnls.2023.3250210

IF: 14.255

2023-01-01

IEEE Transactions on Neural Networks and Learning Systems

Abstract:The unprecedented success of deep learning could not be achieved without the synergy of big data, computing power, and human knowledge, among which none is free. This calls for the copyright protection of deep neural networks (DNNs), which has been tackled via DNN watermarking. Due to the special structure of DNNs, backdoor watermarks have been one of the popular solutions. In this article, we first present a big picture of DNN watermarking scenarios with rigorous definitions unifying the black-and white-box concepts across watermark embedding, attack, and verification phases. Then, from the perspective of data diversity, especially adversarial and open set examples overlooked in the existing works, we rigorously reveal the vulnerability of backdoor watermarks against black-box ambiguity attacks. To solve this problem, we propose an unambiguous backdoor watermarking scheme via the design of deterministically dependent trigger samples and labels, showing that the cost of ambiguity attacks will increase from the existing linear complexity to exponential complexity. Furthermore, noting that the existing definition of backdoor fidelity is solely concerned with classification accuracy, we propose to more rigorously evaluate fidelity via examining training data feature distributions and decision boundaries before and after backdoor embedding. Incorporating the proposed prototype guided regularizer (PGR) and fine-tune all layers (FTAL) strategy, we show that backdoor fidelity can be substantially improved. Experimental results using two versions of the basic ResNet18, advanced wide residual network (WRN28_10) and EfficientNet-B0, on MNIST, CIFAR-10, CIFAR-100, and FOOD-101 classification tasks, respectively, illustrate the advantages of the proposed method.

computer science, artificial intelligence, theory & methods,engineering, electrical & electronic, hardware & architecture

Hongxia Wang,Xianfeng Zhao,Yunqing Shi,Hyoung Joong Kim,Alessandro Piva

DOI: https://doi.org/10.1007/978-3-030-43575-2

2020-01-01

Abstract:Steganography has been widely used to conceal secret information in multimedia content. Using generative adversarial networks (GAN) where two subnetworks compete against each other, steganography can learn good distortion measurement. Nevertheless, the convergence speed of GAN is usually slow, and the performance of GAN-based steganography has large room to improve. In this paper, we propose a new GAN-based spatial steganographic scheme. The proposed learning framework consists of two parts: a steganographic generator and a steganalytic discriminator. The former generates stego images, and the latter evaluates their steganography security. Different from existing GAN-based steganography, we reconstruct the generator by combining multiple feature maps, and then expand the maximum number of feature channels to 256. The reconstruction generator can effectively generate a sophisticated probability map, which is used to calculate optimal distortion measurement and further provides a better guidance for adaptive information embedding. Comprehensive experimental results show that, with the same discriminant network, the anti-steganalysis performance of our method is better than that of ASDL-GAN scheme and Yang’s scheme.

Li Zhang,Yong Liu,Xinpeng Zhang,Hanzhou Wu

2023-05-21

Abstract:Protecting deep neural networks (DNNs) against intellectual property (IP) infringement has attracted an increasing attention in recent years. Recent advances focus on IP protection of generative models, which embed the watermark information into the image generated by the model to be protected. Although the generated marked image has good visual quality, it introduces noticeable artifacts to the marked image in high-frequency area, which severely impairs the imperceptibility of the watermark and thereby reduces the security of the watermarking system. To deal with this problem, in this paper, we propose a novel framework for generative model watermarking that can suppress those high-frequency artifacts. The main idea of the proposed framework is to design a new watermark embedding network that can suppress high-frequency artifacts by applying anti-aliasing. To realize anti-aliasing, we use low-pass filtering for the internal sampling layers of the new watermark embedding network. Meanwhile, joint loss optimization and adversarial training are applied to enhance the effectiveness and robustness. Experimental results indicate that the marked model not only maintains the performance very well on the original task, but also demonstrates better imperceptibility and robustness on the watermarking task. This work reveals the importance of suppressing high-frequency artifacts for enhancing imperceptibility and security of generative model watermarking.

Cryptography and Security

Fangqi Li,Shilin Wang,Yun Zhu

DOI: https://doi.org/10.48550/arxiv.2208.14127

2022-01-01

Abstract: Backdoor-based watermarking schemes were proposed to protect the intellectual property of artificial intelligence models, especially deep neural networks, under the black-box setting. Compared with ordinary backdoors, backdoor-based watermarks need to digitally incorporate the owner's identity, which fact adds extra requirements to the trigger generation and verification programs. Moreover, these concerns produce additional security risks after the watermarking scheme has been published for as a forensics tool or the owner's evidence has been eavesdropped on. This paper proposes the capsulation attack, an efficient method that can invalidate most established backdoor-based watermarking schemes without sacrificing the pirated model's functionality. By encapsulating the deep neural network with a rule-based or Bayes filter, an adversary can block ownership probing and reject the ownership verification. We propose a metric, CAScore, to measure a backdoor-based watermarking scheme's security against the capsulation attack. This paper also proposes a new backdoor-based deep neural network watermarking scheme that is secure against the capsulation attack by reversing the encoding process and randomizing the exposure of triggers.

Shaofeng Li,Minhui Xue,Benjamin Zi Hao Zhao,Haojin Zhu,Xinpeng Zhang

DOI: https://doi.org/10.48550/arXiv.1909.02742

2020-08-31

Abstract:Deep neural networks (DNNs) have been proven vulnerable to backdoor attacks, where hidden features (patterns) trained to a normal model, which is only activated by some specific input (called triggers), trick the model into producing unexpected behavior. In this paper, we create covert and scattered triggers for backdoor attacks, invisible backdoors, where triggers can fool both DNN models and human inspection. We apply our invisible backdoors through two state-of-the-art methods of embedding triggers for backdoor attacks. The first approach on Badnets embeds the trigger into DNNs through steganography. The second approach of a trojan attack uses two types of additional regularization terms to generate the triggers with irregular shape and size. We use the Attack Success Rate and Functionality to measure the performance of our attacks. We introduce two novel definitions of invisibility for human perception; one is conceptualized by the Perceptual Adversarial Similarity Score (PASS) and the other is Learned Perceptual Image Patch Similarity (LPIPS). We show that the proposed invisible backdoors can be fairly effective across various DNN models as well as four datasets MNIST, CIFAR-10, CIFAR-100, and GTSRB, by measuring their attack success rates for the adversary, functionality for the normal users, and invisibility scores for the administrators. We finally argue that the proposed invisible backdoor attacks can effectively thwart the state-of-the-art trojan backdoor detection approaches, such as Neural Cleanse and TABOR.

Cryptography and Security,Computer Vision and Pattern Recognition,Machine Learning

Zhiyi Cao,Shaozhang Niu,Jiwei Zhang,Xinyi Wang

DOI: https://doi.org/10.1049/iet-ipr.2019.0266

IF: 2.3

2019-01-01

IET Image Processing

Abstract:Previously visible watermark removal algorithms required the location of known watermarks. A corresponding removal algorithm is then proposed based on the location and the feature of the watermark. If the location of the watermark is random or the watermark has different angles, the watermark removal algorithm will encounter problems. The authors recommend a visible watermark removal algorithm based on generative adversarial networks (GANs) and self-attention mechanisms. During the training, the authors introduce a GANs model to build mappings between watermarked images and real images. The authors observe that the feature of the watermarked region in different watermarked images is invariant in nature, and the other regions are changed. The self-attention layer will automatically focus on this invariant feature. Experiments on two public datasets prove that the authors’ model has gained excellent performance. Compared with the other four most competitive watermark removal models, the authors improve the watermark removal rate indicator from 17 to 92%. For the other four evaluation indicators, the authors have improved performance by up to 20%.

Qi Li,Xingyuan Wang,Bin Ma,Xiaoyu Wang,Chunpeng Wang,Suo Gao,Yunqing Shi

DOI: https://doi.org/10.1109/tcsvt.2021.3138795

IF: 5.859

2021-01-01

IEEE Transactions on Circuits and Systems for Video Technology

Abstract:While existing watermarking attack methods can disturb the correct extraction of watermark information, the visual quality of watermarked images will be greatly damaged. Therefore, a concealed attack based on generative adversarial network and perceptual losses for robust watermarking is proposed. First, the watermarked image is utilized as the input of generative networks, and its generating target (i.e. attacked watermarked image) is the original image. Inspired by the U-Net network, the generative networks consist of encoder-decoder architecture with skip connection, which can combine the low-level and high-level information to ensure the imperceptibility of the generated image. Next, to further improve the imperceptibility of the generated image, instead of the loss function based on MSE, a perceptual loss based on feature extraction is introduced. In addition, a discriminative network is also introduced to make the appearance and distribution of generated image similar to those of the original image. The addition of the discriminative network can remove watermark information effectively. Extensive experiments are conducted to verify the feasibility of the proposed concealed attack method. Experimental and analysis results demonstrate that the proposed concealed attack method has better imperceptibility and attack ability in comparison to the existing watermarking attack methods.

engineering, electrical & electronic

Ye Yao,Junyu Wang,Qi Chang,Yizhi Ren,Weizhi Meng

DOI: https://doi.org/10.1016/j.eswa.2024.123540

IF: 8.5

2024-03-02

Expert Systems with Applications

Abstract:Recently, extensive research is showing that deep learning has enormous potential in image steganography. However, most steganography methods based on deep learning are not sufficiently invisible. In this paper, a novel end-to-end deep neural network for image steganography based on generative adversarial network (GAN) and discrete wavelet transformation (DWT) is proposed, which can greatly improve the invisibility of the method. Firstly, the cover image is transformed from the RGB domain to the DWT domain to embed information in frequency. Furthermore, a multi-scale attention convolution to fuse different scales of feature information is proposed, which can help the model to find a better location to embed the information. Finally, the fusion module is used to embed the information into the cover image at different modification intensities. In addition, a new Discriminator that compares cover images and stego images in a patch-to-patch way to improve the ability of the Discriminator. We analyze our algorithm from multiple aspects (e.g., security and invisibility) to verify the superior performance of the proposed method. To demonstrate generalization ability, experiments are conducted on three widely used datasets and show the superior performance of our method compared to other steganography methods based on deep learning.

computer science, artificial intelligence,engineering, electrical & electronic,operations research & management science

Wenjie Jiang,Donghui Hu,Cong Yu,Meng Li,Zhong-qiu Zhao

DOI: https://doi.org/10.1145/3393527.3393564

2020-05-22

Abstract:Steganography is an art to hide information in the carriers to prevent from being detected, while steganalysis is the opposite art to detect the presence of the hidden information. With the development of deep learning, several state-of-the-art steganography and steganalysis based on deep learning techniques have been proposed to improve hiding or detection capabilities. Generative Adversarial Networks (GANs) based steganography directly uses the minimax game between the generator and discriminator, to automatically generate steganography algorithms resisting being detected by powerful steganalysis. The steganography without embedding (SWE) based on GANs, where the generated cover images themselves are stego ones carrying secret information has shown its state-of-the-art steganography performance. However, SWE based on GANs has serious weaknesses, such as low information recovery accuracy, low steganography capacity and poor natural showing. To solve these problems, this paper proposes a new SWE based on adversarial training, with carefully designed generator, discriminator and extractor, as well as their loss functions and optimized training mode. The proposed method can achieve a very high information recovery accuracy (100% in some cases), and at the same time improve the steganography capacity and image quality.

Jianwei Fei,Zhihua Xia,Benedetta Tondi,Mauro Barni

DOI: https://doi.org/10.1109/tifs.2024.3443650

IF: 7.231

2024-09-20

IEEE Transactions on Information Forensics and Security

Abstract:We propose a novel multi-bit box-free watermarking method for the protection of Intellectual Property Rights (IPR) of GANs with improved robustness against white-box model-level attacks like fine-tuning, pruning, quantization, and surrogate model attacks. The watermark is embedded by adding an extra watermarking loss term during GAN training, ensuring that the images generated by the GAN contain an invisible watermark that can be retrieved by a pre-trained watermark decoder. In order to improve the robustness against white-box model-level attacks, we make sure that the model converges to a wide flat minimum of the watermarking loss term, in such a way that any modification of the model parameters does not erase the watermark. To do so, we add random noise vectors to the parameters of the generator and require that the watermarking loss term is as invariant as possible with respect to the presence of noise. This procedure forces the generator to converge to a wide flat minimum of the watermarking loss. The proposed method is architecture- and dataset-agnostic, thus being applicable to many different generation tasks and models, as well as to CNN-based image processing architectures. We present the results of extensive experiments showing that the presence of the watermark has a negligible impact on the quality of the generated images, and proving the superior robustness of the watermark against model modification and surrogate model attacks.

computer science, theory & methods,engineering, electrical & electronic

Xuankai Liu,Fengting Li,Bihan Wen,Qi Li

DOI: https://doi.org/10.1109/icpr48806.2021.9412684

2020-01-01

Abstract:Deep neural networks have been widely applied and achieved great success in various fields. As training deep models usually consumes massive data and computational resources, trading the trained deep models is highly demanded and lucrative nowadays. Unfortunately, the naive trading schemes typically involves potential risks related to copyright and trustworthiness issues, e.g., a sold model can be illegally resold to others without further authorization to reap huge profits. To tackle this problem, various watermarking techniques are proposed to protect the model intellectual property, amongst which the backdoor-based watermarking is the most commonly-used one. However, the robustness of these watermarking approaches is not well evaluated under realistic settings, such as limited in-distribution data availability and agnostic of watermarking patterns. In this paper, we benchmark the robustness of watermarking, and propose a novel backdoor-based watermark removal framework using limited data, dubbed WILD. The proposed WILD removes the watermarks of deep models with only a small portion of training data, and the output model can perform the same as models trained from scratch without watermarks injected. In particular, a novel data augmentation method is utilized to mimic the behavior of watermark triggers. Combining with the distribution alignment between the normal and perturbed (e.g., occluded) data in the feature space, our approach generalizes well on all typical types of trigger contents. The experimental results demonstrate that our approach can effectively remove the watermarks without compromising the deep model performance for the original task with the limited access to training data.