On Function-Coupled Watermarks for Deep Neural Networks

20 Sept 2023 (modified: 25 Mar 2024) · ICLR 2024 Conference Withdrawn Submission
Keywords: watermark, neural networks, function-coupled, robustness
TL;DR: A simple yet effective way to inject watermarks to DNN models
Abstract: Well-performing deep neural networks (DNNs) generally require massive labelled data and computational resources to train. Various watermarking techniques have been proposed to protect such intellectual property (IP). These techniques allow DNN providers to embed secret information in the model and later assert IP rights by extracting the embedded watermark with specific trigger inputs. Despite the encouraging results of recent studies, many of these watermarking methods are vulnerable to removal attacks, notably model fine-tuning and pruning. In this paper, we propose a DNN watermarking solution that effectively defends against these attacks. Our key insight is to couple the watermark more tightly to the model's functionality, so that removing the watermark inevitably degrades the model's performance on normal inputs. To this end, unlike previous methods that rely on secret features learned from out-of-distribution data, our method uses only features learned from in-distribution data. Specifically, on the one hand, we sample inputs from the original training dataset and fuse them into watermark triggers; on the other hand, we randomly mask model weights during training so that the information of the embedded watermark spreads across the network. As a result, model fine-tuning or pruning does not forget our function-coupled watermarks. Empirical results across multiple image classification tasks show the enhanced resilience of our watermarks against strong removal attacks, significantly outperforming existing solutions. Our code is available at: https://anonymous.4open.science/r/Function-Coupled-Watermark-EC9A.
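The abstract names two ingredients (triggers fused from in-distribution training inputs, and random weight masking during training) and one threat (pruning). The following toy sketch is an added example, not the paper's code (that is at the anonymous URL above), and every concrete choice in it is an assumption of the example rather than something the abstract states: fusion by element-wise averaging, sourcing the fused inputs from class 0 and labelling them 1, a DropConnect-style Bernoulli mask redrawn on every step, magnitude pruning as the removal attack, a 0.9 acceptance threshold, a tiny numpy MLP in place of an image classifier, and a constructed synthetic dataset in place of image data.

```python
import numpy as np


def fuse_triggers(x_train, n_triggers, k, target_label, rng):
    """Each trigger is the element-wise mean of k randomly chosen training inputs
    (averaging is this example's assumed fusion rule); all get target_label."""
    idx = rng.choice(len(x_train), size=(n_triggers, k), replace=True)
    return x_train[idx].mean(axis=1), np.full(n_triggers, target_label, dtype=np.int64)


def weight_mask(shape, keep_prob, rng):
    """Bernoulli(keep_prob) mask drawn afresh each step (DropConnect-style, an
    assumption here) so no single weight can hold the trigger mapping alone."""
    return (rng.random(shape) < keep_prob).astype(np.float64)


class TinyMLP:
    """Two-layer ReLU network, softmax cross-entropy, plain SGD with manual backprop."""

    def __init__(self, d_in, d_hidden, n_classes, rng):
        self.W1 = rng.normal(0.0, 0.3, (d_in, d_hidden))
        self.b1 = np.zeros(d_hidden)
        self.W2 = rng.normal(0.0, 0.3, (d_hidden, n_classes))
        self.b2 = np.zeros(n_classes)

    def forward(self, x, m1=None, m2=None):
        w1 = self.W1 if m1 is None else self.W1 * m1
        w2 = self.W2 if m2 is None else self.W2 * m2
        h = np.maximum(0.0, x @ w1 + self.b1)
        logits = h @ w2 + self.b2
        probs = np.exp(logits - logits.max(axis=1, keepdims=True))
        probs /= probs.sum(axis=1, keepdims=True)
        return h, probs, w2

    def predict(self, x):
        return self.forward(x)[1].argmax(axis=1)

    def train_step(self, x, y, lr, keep_prob, rng):
        """One SGD step on a masked forward pass; gradients only reach weights active in it."""
        m1 = weight_mask(self.W1.shape, keep_prob, rng)
        m2 = weight_mask(self.W2.shape, keep_prob, rng)
        h, probs, w2 = self.forward(x, m1, m2)
        dlogits = probs.copy()
        dlogits[np.arange(len(x)), y] -= 1.0
        dlogits /= len(x)
        dh = (dlogits @ w2.T) * (h > 0)
        self.W2 -= lr * (h.T @ dlogits) * m2
        self.b2 -= lr * dlogits.sum(axis=0)
        self.W1 -= lr * (x.T @ dh) * m1
        self.b1 -= lr * dh.sum(axis=0)

    def prune(self, fraction):
        """Removal attack: magnitude pruning, zeroing the smallest-|w| fraction per layer."""
        for w in (self.W1, self.W2):
            w[np.abs(w) < np.quantile(np.abs(w), fraction)] = 0.0


def verify_watermark(model, triggers, labels, threshold=0.9):
    """Ownership check: share of triggers mapped to the watermark label, and whether
    it clears the acceptance threshold (0.9 is an assumed value)."""
    acc = float((model.predict(triggers) == labels).mean())
    return acc, acc >= threshold


def make_dataset(n, d, rng):
    """Constructed stand-in for image data: x in [0,1]^d, class 1 iff the first
    half of the coordinates outweighs the second half."""
    x = rng.random((n, d))
    return x, (x[:, : d // 2].sum(axis=1) > x[:, d // 2 :].sum(axis=1)).astype(np.int64)


if __name__ == "__main__":
    rng = np.random.default_rng(0)
    x, y = make_dataset(2000, 16, rng)
    # Triggers fused from class-0 inputs but labelled 1 (assumed setup), so the
    # watermark is behaviour the model must learn on top of the clean task.
    triggers, t_labels = fuse_triggers(x[y == 0], 20, 4, 1, rng)
    x_all, y_all = np.vstack([x, triggers]), np.concatenate([y, t_labels])
    model = TinyMLP(16, 64, 2, rng)
    for _ in range(300):
        order = rng.permutation(len(x_all))
        for i in range(0, len(order), 64):
            b = order[i : i + 64]
            model.train_step(x_all[b], y_all[b], lr=0.1, keep_prob=0.8, rng=rng)
    clean = float((model.predict(x) == y).mean())
    print("trained: clean acc %.3f, watermark %s" % (clean, verify_watermark(model, triggers, t_labels)))
    model.prune(0.3)
    clean = float((model.predict(x) == y).mean())
    print("after 30%% pruning: clean acc %.3f, watermark %s" % (clean, verify_watermark(model, triggers, t_labels)))
```

Running the script trains on clean data plus triggers, reports clean accuracy and the watermark check, then applies 30% magnitude pruning and reports both again; the point to watch is whether the trigger accuracy survives the pruning that the clean accuracy survives. In `train_step` the gradient is multiplied by the same mask used in the forward pass, so a weight that was masked out receives no update that step; over many steps this is what pushes the trigger mapping onto many weights rather than a few, which is the intuition the abstract gives for why pruning does not erase it.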
Primary Area: general machine learning (i.e., none of the above)
Code Of Ethics: I acknowledge that I and all co-authors of this work have read and commit to adhering to the ICLR Code of Ethics.
Submission Guidelines: I certify that this submission complies with the submission instructions as described on https://iclr.cc/Conferences/2024/AuthorGuide.
Anonymous Url: I certify that there is no URL (e.g., github page) that could be used to find authors' identity.
No Acknowledgement Section: I certify that there is no acknowledgement section in this submission for double blind review.
Submission Number: 2364