Spread-Transform Dither Modulation Watermarking of Deep Neural Network

Li, Yue; Tondi, Benedetta; Barni, Mauro

doi:10.1016/j.jisa.2021.103004

Cited by 23 publications

(15 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Table 5 shows the effect of attacks on performance when ascending pruning attacks and random pruning attacks are performed with increasing pruning rates in previous studies [ 6 , 13 , 15 ]. In the ascending pruning attack, the top R % parameters are cut-off according to their absolute values in ascending, while in the random pruning attack, R In the evaluation of multilayer perceptron (MLP) and VGG, the bit error rate (BER) is zero up to a pruning rate of 0.9; in the evaluation of Wide ResNet (WRN), the BER is zero up to a pruning rate of 0.6 or 0.65.…”

Section: Resultsmentioning

confidence: 99%

“…Uchida et al showed experimentally that the watermark does not disappear even after a pruning attack that prunes 65% of the parameters [ 6 ]. Another study achieved robustness against 60% pruning [ 15 ]. This study adopted the idea of spread transform dither modulation (ST-DM) watermarking by extending the conventional spread spectrum (SS)-based DNN watermarking.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Coded DNN Watermark: Robustness against Pruning Models Using Constant Weight Code

et al. 2022

View full text Add to dashboard Cite

Deep Neural Network (DNN) watermarking techniques are increasingly being used to protect the intellectual property of DNN models. Basically, DNN watermarking is a technique to insert side information into the DNN model without significantly degrading the performance of its original task. A pruning attack is a threat to DNN watermarking, wherein the less important neurons in the model are pruned to make it faster and more compact. As a result, removing the watermark from the DNN model is possible. This study investigates a channel coding approach to protect DNN watermarking against pruning attacks. The channel model differs completely from conventional models involving digital images. Determining the suitable encoding methods for DNN watermarking remains an open problem. Herein, we presented a novel encoding approach using constant weight codes to protect the DNN watermarking against pruning attacks. The experimental results confirmed that the robustness against pruning attacks could be controlled by carefully setting two thresholds for binary symbols in the codeword.

show abstract

Section: Resultsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Coded DNN Watermark: Robustness against Pruning Models Using Constant Weight Code

et al. 2022

View full text Add to dashboard Cite

show abstract

“…They regularize the selected weights to some secret values by adding a regularization loss during training. Li et al [24] improve the method in [35] by adding a Spread-Transform Dither Modulation (ST-DM)-like regularization term, which can reduce the impact of watermarking on the accuracy of the DNN model on normal inputs. Chen et al [3] improve [35] by implementing a watermarking system with anti-collision capabilities.…”

Section: Related Workmentioning

confidence: 99%

On Function-Coupled Watermarks for Deep Neural Networks

Liu¹,

Jiang²,

Xu³

2023

Preprint

View full text Add to dashboard Cite

Well-performed deep neural networks (DNNs) generally require massive labelled data and computational resources for training. Various watermarking techniques are proposed to protect such intellectual properties (IPs), wherein the DNN providers implant secret information into the model so that they can later claim IP ownership by retrieving their embedded watermarks with some dedicated trigger inputs. While promising results are reported in the literature, existing solutions suffer from watermark removal attacks, such as model fine-tuning and model pruning.In this paper, we propose a novel DNN watermarking solution that can effectively defend against the above attacks.Our key insight is to enhance the coupling of the watermark and model functionalities such that removing the watermark would inevitably degrade the model's performance on normal inputs. To this end, unlike previous methods relying on secret features learnt from out-of-distribution data, our method only uses features learnt from in-distribution data. Specifically, on the one hand, we propose to sample inputs from the original training dataset and fuse them as watermark triggers. On the other hand, we randomly mask model weights during training so that the information of our embedded watermarks spreads in the network. By doing so, model fine-tuning/pruning would not forget our function-coupled watermarks. Evaluation results on various image classification tasks show a 100% watermark authentication success rate under aggressive watermark removal attacks, significantly outperforming existing solutions. Code is available here.

show abstract

“…Because the marked signal may be intentionally attacked prior to watermark extraction, the watermark embedding procedure Corresponding author: Hanzhou Wu (contact email: h.wu.phd@ieee.org) is required to be robust against attacks for reliable ownership identification. A straightforward idea to protect the IP of DNN models is to directly extend advanced watermarking strategies suited to media signals to the DNN models since media watermarking has been widely studied in the past two decades [18]- [20]. However, unlike media signals that are static data, DNN models are functional.…”

Section: Introductionmentioning

confidence: 99%

Generative Model Watermarking Based on Human Visual System

Zhang¹,

Liu²,

Liu³

et al. 2023

Communications in Computer and Information Science

View full text Add to dashboard Cite

Protecting deep neural networks (DNNs) against intellectual property (IP) infringement has attracted an increasing attention in recent years. Recent advances focus on IP protection of generative models, which embed the watermark information into the image generated by the model to be protected. Although the generated marked image has good visual quality, it introduces noticeable artifacts to the marked image in high-frequency area, which severely impairs the imperceptibility of the watermark and thereby reduces the security of the watermarking system. To deal with this problem, in this paper, we propose a novel framework for generative model watermarking that can suppress those highfrequency artifacts. The main idea of the proposed framework is to design a new watermark embedding network that can suppress high-frequency artifacts by applying anti-aliasing. To realize antialiasing, we use low-pass filtering for the internal sampling layers of the new watermark embedding network. Meanwhile, joint loss optimization and adversarial training are applied to enhance the effectiveness and robustness. Experimental results indicate that the marked model not only maintains the performance very well on the original task, but also demonstrates better imperceptibility and robustness on the watermarking task. This work reveals the importance of suppressing high-frequency artifacts for enhancing imperceptibility and security of generative model watermarking.

show abstract

Spread-Transform Dither Modulation Watermarking of Deep Neural Network

Cited by 23 publications

References 14 publications

Coded DNN Watermark: Robustness against Pruning Models Using Constant Weight Code

Coded DNN Watermark: Robustness against Pruning Models Using Constant Weight Code

On Function-Coupled Watermarks for Deep Neural Networks

Generative Model Watermarking Based on Human Visual System

Contact Info

Product

Resources

About