A Protocol for Secure Verification of Watermarks Embedded into Machine Learning Models

Kapusta, Katarzyna; Thouvenot, Vincent; Bettan, Olivier; Beguinet, Hugo; Senet, Hugo

doi:10.1145/3437880.3460409

Cited by 9 publications

(5 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…An efficient black-box watermarking should meet several requirements, such as being resistant to model transformations that could lead to watermarks erasure or being clearly tied to owner's identity in order to avoid confusion (Kapusta, Thouvenot, and Bettan 2020). Moreover, their impact on the network performance should be ideally negligible.…”

Section: Relevant Work ML Watermarkingmentioning

confidence: 99%

“…It does not however eliminate totally the risk of sophisticated attacks, where an attacker will use the transferability properties of adversarial attacks to create its counterfeit watermarks in advance. A secure protocol for verification of ML watermarks was proposed in (Kapusta et al 2021). Its first step consists of verification if the claimer of a model has the ability of proving that they possesses both a non-marked model and a watermarked one.…”

Section: The Right Verification Protocolmentioning

confidence: 99%

See 1 more Smart Citation

Protecting ownership rights of ML models using watermarking in the light of adversarial attacks

Kapusta,

Mattioli,

Addad

et al. 2024

AI Ethics

Self Cite

View full text Add to dashboard Cite

In this paper, we present and analyze two novel -and seemingly distant -research trends in Machine Learning: ML watermarking and adversarial patches. First, we show how ML watermarking uses specially crafted inputs to provide a proof of model ownership. Second, we demonstrate how an attacker can craft adversarial samples in order to trigger an abnormal behavior in a model and thus perform an ambiguity attack on ML watermarking. Finally, we describe three countermeasures that could be applied in order to prevent ambiguity attacks. We illustrate our works using the example of a binary classification model for welding inspection.

show abstract

Section: Relevant Work ML Watermarkingmentioning

confidence: 99%

Section: The Right Verification Protocolmentioning

confidence: 99%

Protecting ownership rights of ML models using watermarking in the light of adversarial attacks

Kapusta,

Mattioli,

Addad

et al. 2024

AI Ethics

Self Cite

View full text Add to dashboard Cite

show abstract

“…To assess the quality of the trigger (and thus the quality of the watermark), outlier detection attacks [9] are implemented in order to verify if an adversary can detect trigger inputs from legitimate data. Hence, in order to protect watermarked model from outlier detection attacks, several techniques [3,12,15] have been developed to make watermark verification queries in an encrypted fashion using for instance Multi-Party Computation (MPC) or Fully Homomorphic Encryption (FHE).…”

Section: Related Workmentioning

confidence: 99%

BlindSpot: Watermarking Through Fairness

Lounici¹,

Önen

Ermis

et al. 2022

Proceedings of the 2022 ACM Workshop on Information Hiding and Multimedia Security

View full text Add to dashboard Cite

With the increasing development of machine learning models in daily businesses, a strong need for intellectual property protection arised. For this purpose, current works suggest to leverage backdoor techniques to embed a watermark into the model, by overfitting to a set of particularly crafted and secret input-output pairs called triggers. By sending verification queries containing triggers, the model owner can analyse the behavior of any suspect model on the queries to claim its ownership. However, when it comes to scenarios where frequent monitoring is needed, the computational overhead of these verification queries in terms of volume demonstrates that backdoor-based watermarking appears to be too sensitive to outlier detection attacks and cannot guarantee the secrecy of the triggers.To solve this issue, we introduce BlindSpot, to watermark machine learning models through fairness. Our trigger-less approach is compatible with a high number of verification queries while being robust to outlier detection attacks. We show on Fashion-MNIST and CIFAR-10 datasets that BlindSpot is efficiently watermarking models while robust to outlier detection attacks, at a performance cost on the accuracy of 2%. CCS CONCEPTS• Security and privacy; • Theory of computation → Design and analysis of algorithms;

show abstract

“…Methods for neural network watermarking can be divided into white-box [1][2][3][4][5] and black-box [6][7][8][9][10]13] approaches. White-box methods require direct access to the weights of the neural network.…”

Section: Introductionmentioning

confidence: 99%

Copyright protection for image classification models using pseudo-holographic watermarks

Vybornova

Ulyanov

2023

Fifteenth International Conference on Machine Vision (ICMV 2022)

View full text Add to dashboard Cite

With the growing number of solutions based on deep learning methods, there is a need to protect pretrained models against unauthorized distribution. For deep model watermarking, one of the most important criteria is to maintain the accuracy of predictions after embedding the protective information. In this paper, we propose a black-box watermarking method based on fine-tuning image classification models on a watermarking dataset, which is synthesized by superimposing pseudo-holograms on images of the original dataset. The proposed method allows to preserve the initial quality of classification, in addition, a series of experiments for five different models showed the invariance of the method to the architecture of a deep neural network. The conducted simulation of the most common attacks on watermarked models shows that adversarial attempts to completely remove the watermark are improbable without significant loss of model accuracy. Additionally, experimental results contain the selection of parameters, such as the number of triggers and original images in watermarking dataset, allowing to increase method efficiency.

show abstract

A Protocol for Secure Verification of Watermarks Embedded into Machine Learning Models

Cited by 9 publications

References 9 publications

Protecting ownership rights of ML models using watermarking in the light of adversarial attacks

Protecting ownership rights of ML models using watermarking in the light of adversarial attacks

BlindSpot: Watermarking Through Fairness

Copyright protection for image classification models using pseudo-holographic watermarks

Contact Info

Product

Resources

About