
Robust and Large-Payload DNN Watermarking via Fixed, Distribution-Optimized, Weights

Published 23 Aug 2022 in cs.CV and cs.CR | (2208.10973v3)

Abstract: The design of an effective multi-bit watermarking algorithm hinges upon finding a good trade-off between the three fundamental requirements forming the watermarking trade-off triangle, namely, robustness against network modifications, payload, and unobtrusiveness, ensuring minimal impact on the performance of the watermarked network. In this paper, we first revisit the nature of the watermarking trade-off triangle for the DNN case, then we exploit our findings to propose a white-box, multi-bit watermarking method achieving very large payload and strong robustness against network modification. In the proposed system, the weights hosting the watermark are set prior to training, making sure that their amplitude is large enough to bear the target payload and survive network modifications, notably retraining, and are left unchanged throughout the training process. The distribution of the weights carrying the watermark is theoretically optimised to ensure the secrecy of the watermark and make sure that the watermarked weights are indistinguishable from the non-watermarked ones. The proposed method can achieve outstanding performance, including robustness against network modifications, retraining and transfer learning, with no significant impact on network accuracy, while ensuring a payload that is out of reach of state-of-the-art methods, which achieve lower, or at most comparable, robustness.
