White-Box Watermarking Scheme for Fully-Connected Layers in Fine-Tuning Model

Kuribayashi, Minoru; Tanaka, Takuro; Suzuki, Shunta; Yasui, Tatsuya; Funabiki, Nobuo

doi:10.1145/3437880.3460402

Cited by 11 publications

(14 citation statements)

References 4 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…These models were trained using more than 1,000,000 images from the ImageNet [ 37 ] database. A watermark was embedded into the fine-tuning model during training, similar to the experiments in [ 12 ].…”

Section: Resultsmentioning

confidence: 99%

“…For instance, the constraint given by Equation ( 5 ) can be applied to the embedding operations in [ 6 , 7 , 8 , 9 ]. In the case of the method presented in [ 12 ], the embedding operation based on the constraint can be regarded as the initial assignment of weight parameters to a DNN model, and the change in weights at each epoch is corrected by iteratively performing the operation.…”

Section: Proposed Dnn Watermarkingmentioning

confidence: 99%

“…Empirical evidence has shown that a local minimum for deeper or larger models is sufficient because their loss values are similar. With this characteristic, the watermark was embedded into some sampled weight values in [ 12 , 13 ]. In [ 13 ], the sample weight values were inputted to a DNN model that is independent of the host model, and error back-propagation was used to embed the watermark in both the host model and the independent model.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Coded DNN Watermark: Robustness against Pruning Models Using Constant Weight Code

et al. 2022

Self Cite

View full text Add to dashboard Cite

Deep Neural Network (DNN) watermarking techniques are increasingly being used to protect the intellectual property of DNN models. Basically, DNN watermarking is a technique to insert side information into the DNN model without significantly degrading the performance of its original task. A pruning attack is a threat to DNN watermarking, wherein the less important neurons in the model are pruned to make it faster and more compact. As a result, removing the watermark from the DNN model is possible. This study investigates a channel coding approach to protect DNN watermarking against pruning attacks. The channel model differs completely from conventional models involving digital images. Determining the suitable encoding methods for DNN watermarking remains an open problem. Herein, we presented a novel encoding approach using constant weight codes to protect the DNN watermarking against pruning attacks. The experimental results confirmed that the robustness against pruning attacks could be controlled by carefully setting two thresholds for binary symbols in the codeword.

show abstract

Section: Resultsmentioning

confidence: 99%

Section: Proposed Dnn Watermarkingmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Coded DNN Watermark: Robustness against Pruning Models Using Constant Weight Code

et al. 2022

Self Cite

View full text Add to dashboard Cite

show abstract

“…We systematize the existing DNN watermarking schemes into parameter-embedding and data-poisoning watermarking schemes based on whether the owner needs to access the suspicious model in ownership verification. Parameter-embedding watermarking scheme embeds watermarks into the target model's parameters [18,38] or the activations of hidden layers [30,36]. Uchida et al [38] proposed embedding watermarks into the model parameters by using a parameter regularizer with a designed embedding loss.…”

Section: Related Work 21 Dnn Watermarkingmentioning

confidence: 99%

“…In general, the parameterembedding and data-poisoning are two mainstream watermarking schemes [6,14,25,45]. Noticeably, the parameter embedding watermarking scheme requires white-box access to the suspicious model which is not practical in the real-world scenario [18,42]. The data-poisoning watermarking scheme crafts a set of samplelabel pairs (also called verification samples) to enforce the DNN model memorizing them via carefully model fine-tuning.…”

Section: Introductionmentioning

confidence: 99%

Free Fine-tuning: A Plug-and-Play Watermarking Scheme for Deep Neural Networks

Wang¹,

Ren²,

Li³

et al. 2022

Preprint

View full text Add to dashboard Cite

Watermarking has been widely adopted for protecting the intellectual property (IP) of Deep Neural Networks (DNN) to defend the unauthorized distribution. Unfortunately, the popular datapoisoning DNN watermarking scheme relies on target model finetuning to embed watermarks, which limits its practical applications in tackling real-world tasks. Specifically, the learning of watermarks via tedious model fine-tuning on a poisoned dataset (carefullycrafted sample-label pairs) is not efficient in tackling the tasks on challenging datasets and production-level DNN model protection.To address the aforementioned limitations, in this paper, we propose a plug-and-play watermarking scheme for DNN models by injecting an independent proprietary model into the target model to serve the watermark embedding and ownership verification. In contrast to the prior studies, our proposed method by incorporating a proprietary model is free of target model fine-tuning without involving any parameters update of the target model, thus the fidelity is well preserved. Furthermore, our method is scaleable to challenging datasets, large production-level models, and diverse tasks (e.g., speaker recognition). Experimental results on real-world challenging datasets (e.g., ImageNet) and real-world DNN models demonstrated its effectiveness, fidelity w.r.t. the functionality preserving of the target model, robustness against popular watermark removal attacks (i.e., fine-tuning attack, pruning, input preprocessing), and the plug-and-play deployment. Our proposed watermarking scheme also outperforms the two competitive baselines in terms of fidelity preserving and robustness against watermark removal attacks. Our research findings reveal that model fine-tuning with poisoned data is not prepared for the IP protection of DNN models deployed in real-world tasks and poses a new research direction toward a more thorough understanding and investigation of adopting the proprietary model for DNN watermarking. The source code and models are available at https://github.com/AntigoneRandy/PTYNet. CCS CONCEPTS• Security and privacy → Human and societal aspects of security and privacy; • Computing methodologies → Artificial intelligence.

show abstract

Digital Watermarking Method for Copyright Protection of Deep Neural Networks

Vybornova

2023

Lecture Notes in Networks and Systems

View full text Add to dashboard Cite

White-Box Watermarking Scheme for Fully-Connected Layers in Fine-Tuning Model

Cited by 11 publications

References 4 publications

Coded DNN Watermark: Robustness against Pruning Models Using Constant Weight Code

Coded DNN Watermark: Robustness against Pruning Models Using Constant Weight Code

Free Fine-tuning: A Plug-and-Play Watermarking Scheme for Deep Neural Networks

Digital Watermarking Method for Copyright Protection of Deep Neural Networks

Contact Info

Product

Resources

About