DeepMarks: A Digital Fingerprinting Framework for Deep Neural Networks

TL;DR

DeepMarks is a new framework for embedding unique, robust fingerprints into deep neural network models' parameters to protect intellectual property and identify unauthorized usage, even after model transformations.

Contribution

It introduces the first systematic fingerprinting method that embeds fingerprints in model weights, robust against collusion and common network transformations.

Findings

Effective fingerprint embedding in model weights.

Robust against model compression and fine-tuning.

Validated on multiple datasets and architectures.

Abstract

This paper proposes DeepMarks, a novel end-to-end framework for systematic fingerprinting in the context of Deep Learning (DL). Remarkable progress has been made in the area of deep learning. Sharing the trained DL models has become a trend that is ubiquitous in various fields ranging from biomedical diagnosis to stock prediction. As the availability and popularity of pre-trained models are increasing, it is critical to protect the Intellectual Property (IP) of the model owner. DeepMarks introduces the first fingerprinting methodology that enables the model owner to embed unique fingerprints within the parameters (weights) of her model and later identify undesired usages of her distributed models. The proposed framework embeds the fingerprints in the Probability Density Function (pdf) of trainable weights by leveraging the extra capacity available in contemporary DL models. DeepMarks is robust against fingerprints collusion as well as network transformation attacks, including model compression and model fine-tuning. Extensive proof-of-concept evaluations on MNIST and CIFAR10 datasets, as well as a wide variety of deep neural networks architectures such as Wide Residual Networks (WRNs) and Convolutional Neural Networks (CNNs), corroborate the effectiveness and robustness of DeepMarks framework.