On the Robustness of the Backdoor-based Watermarking in Deep Neural Networks

Shafieinejad, Masoumeh; Wang, Jiaqi; Lukas, Nils; Li, Xinda; Kerschbaum, Florian

doi:10.48550/arxiv.1906.07745

Cited by 14 publications

(39 citation statements)

References 0 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…It is successful if the surrogate model does not retain the watermark, and it has a similar utility (measured in test accuracy) as the source model. We survey (i) known removal attacks [14], [18], [21], [35]- [38], (ii) methods that derive a surrogate model but have not been evaluated as removal attacks against DNN watermarking [22], [39]- [43], [43]- [47] and (iii) novel, adaptive attacks proposed in this paper. We investigate which of these methods successfully remove watermarks.…”

Section: Watermark Removal Attack Categoriesmentioning

confidence: 99%

“…Adversarial Training [41], Fine-Tuning (RTLL, RTAL) [14], Weight Quantization [47], Label Smoothing [48], Fine Pruning [38], Feature Permutation (Ours), Weight Pruning [21], Weight Shifting (Ours), Neural Cleanse [37], Regularization [18], Neural Laundering [35] Model Modification White-box Domain…”

Section: A Attacker's Goalsmentioning

confidence: 99%

“…Regularization [18] is a two-phased attack that strongly regularizes the model in the first phase, leading to a drop in test accuracy, which is compensated by fine-tuning the model in the second phase. The idea of the regularization phase is to move the model's parameter far away from their origin, while the fine-tuning phase finds a (different) local minima.…”

Section: B Model Modificationmentioning

confidence: 99%

“…We make the observations that (i) attacks designed against one category of watermarks are not necessarily effective against watermarks from this category, and (ii) no scheme is robust against all model extraction attacks. Neural Cleanse [35] and Regularization [18] were designed against model independent watermarks, but they often only decrease the watermark accuracy instead of removing the watermark. Jia is robust against retraining, but not against transfer learning suggesting that it is encoded into the low-level features of the source model.…”

Section: G Attack's Effectivenessmentioning

confidence: 99%

“…Watermarking schemes that are robust against such watermark removal attacks are needed to deter redistribution by adversaries. Claimed security properties of some existing watermarking schemes [16], [17] had been broken by novel attacks [18]- [20], but it is unclear how these attacks generalize to other watermarks.…”

Section: Introductionmentioning

confidence: 99%

See 4 more Smart Citations

SoK: How Robust is Image Classification Deep Neural Network Watermarking? (Extended Version)

Lukas,

Jiang,

et al. 2021

Preprint

Self Cite

View full text Add to dashboard Cite

Deep Neural Network (DNN) watermarking is a method for provenance verification of DNN models. Watermarking should be robust against watermark removal attacks that derive a surrogate model that evades provenance verification. Many watermarking schemes that claim robustness have been proposed, but their robustness is only validated in isolation against a relatively small set of attacks. There is no systematic, empirical evaluation of these claims against a common, comprehensive set of removal attacks. This uncertainty about a watermarking scheme's robustness causes difficulty to trust their deployment in practice. In this paper, we evaluate whether recently proposed watermarking schemes that claim robustness are robust against a large set of removal attacks. We survey methods from the literature that (i) are known removal attacks, (ii) derive surrogate models but have not been evaluated as removal attacks, and (iii) novel removal attacks. Weight shifting and smooth retraining are novel removal attacks adapted to the DNN watermarking schemes surveyed in this paper. We propose taxonomies for watermarking schemes and removal attacks. Our empirical evaluation includes an ablation study over sets of parameters for each attack and watermarking scheme on the image classification datasets CIFAR-10 and ImageNet. Surprisingly, our study shows that none of the surveyed watermarking schemes is robust in practice. We find that schemes fail to withstand adaptive attacks and known methods for deriving surrogate models that have not been evaluated as removal attacks. This points to intrinsic flaws in how robustness is currently evaluated. Our evaluation includes a discussion of the runtime of each attack to underpin their practical relevance. While none of the schemes is robust against all attacks, none of the attacks removes all watermarks. We show that attacks can be combined and find combined attacks that remove all watermarks. We show that watermarking schemes need to be evaluated against a more extensive set of removal attacks with a more realistic adversary model. Our source code and a complete dataset of evaluation results are publicly available, which allows to independently verify our conclusions.

show abstract

Section: Watermark Removal Attack Categoriesmentioning

confidence: 99%

Section: A Attacker's Goalsmentioning

confidence: 99%

Section: B Model Modificationmentioning

confidence: 99%

Section: G Attack's Effectivenessmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

SoK: How Robust is Image Classification Deep Neural Network Watermarking? (Extended Version)

Lukas,

Jiang,

et al. 2021

Preprint

Self Cite

View full text Add to dashboard Cite

show abstract

Removing Backdoor-Based Watermarks in Neural Networks with Limited Data

Liu

Wen

et al. 2021

2020 25th International Conference on Pattern Recognition (ICPR)

View full text Add to dashboard Cite

Deep neural networks have been widely applied and achieved great success in various fields. As training deep models usually consumes massive data and computational resources, trading the trained deep models is highly-demanded and lucrative nowadays. Unfortunately, the naive trading schemes typically involves potential risks related to copyright and trustworthiness issues, e.g., a sold model can be illegally resold to others without further authorization to reap huge profits. To tackle this problem, various watermarking techniques are proposed to protect the model intellectual property, amongst which the backdoorbased watermarking is the most commonly-used one. However, the robustness of these watermarking approaches is not well evaluated under realistic settings, such as limited in-distribution data availability and agnostic of watermarking patterns. In this paper, we benchmark the robustness of watermarking, and propose a novel backdoor-based watermark removal framework using limited data, dubbed WILD. The proposed WILD removes the watermarks of deep models with only a small portion of training data, and the output model can perform the same as models trained from scratch without watermarks injected. In particular, a novel data augmentation method is utilized to mimic the behavior of watermark triggers. Combining with the distribution alignment between the normal and perturbed (e.g., occluded) data in the feature space, our approach generalizes well on all typical types of trigger contents. The experimental results demonstrate that our approach can effectively remove the watermarks without compromising the deep model performance for the original task with the limited access to training data.

show abstract