An Implicit Watermark Framework for Adversary Identification

Download PDF

Sen Li, Minhao Cheng

24 Sept 2023 (modified: 11 Feb 2024)Submitted to ICLR 2024EveryoneRevisionsBibTeX
Supplementary Material: pdf
Primary Area: societal considerations including fairness, safety, privacy
Code Of Ethics: I acknowledge that I and all co-authors of this work have read and commit to adhering to the ICLR Code of Ethics.
Keywords: Adversarial attack, Forensic investigation
Submission Guidelines: I certify that this submission complies with the submission instructions as described on https://iclr.cc/Conferences/2024/AuthorGuide.
Abstract: Security of deep neural networks based machine learning systems has been an emerging research topic, especially after the discovery of adversarial attacks. In general, however, it is very difficult to build a machine learning system that is resistant to different types of attacks. Instead of directly improving the robustness of neural networks, Cheng et al. proposed the first framework to trace the first compromised model under the black-box adversarial attack in a forensic view. However, the black-box assumption has limited the usage of the framework since users will require detailed model information to facilitate their own use in the modern MLaaS system. In this paper, instead of considering the limited black-box attacks, we investigate more general and harder white-box setting where all users will have full access to model. Explicit modification on the model architecture during the inference will be no longer effective because those mechanisms could be easily bypassed by adversary. To address this challenge, a novel identification framework is proposed that can achieve high tracking accuracy to trace the source of white-box adversarial attack. Specifically, to differentiate adversarial examples generated from different copies, we first design an implicit watermark from backdooring before the model distribution. Then we design a data-free method to identify the adversary with only adversarial example available. Extensive experiments on different attacks including both white-box and black-box attacks, datasets, and model architectures verify the effectiveness of the proposed method. Our code will be made publicly available.
Anonymous Url: I certify that there is no URL (e.g., github page) that could be used to find authors' identity.
No Acknowledgement Section: I certify that there is no acknowledgement section in this submission for double blind review.
Submission Number: 8752