A Systematic Review on Model Watermarking for Neural Networks
Franziska Boenisch

TL;DR
This paper systematically reviews various watermarking techniques for neural network models, proposing a taxonomy, threat model, and security requirements to evaluate and compare their effectiveness and limitations.
Contribution
It introduces a unified framework for analyzing ML model watermarking schemes, including a taxonomy, threat model, and security criteria, and surveys existing methods within this structure.
Findings
Identifies key classes of watermarking schemes
Provides a structured comparison framework
Highlights limitations and future research directions
Abstract
Machine learning (ML) models are applied in an increasing variety of domains. The availability of large amounts of data and computational resources encourages the development of ever more complex and valuable models. These models are considered intellectual property of the legitimate parties who have trained them, which makes their protection against stealing, illegitimate redistribution, and unauthorized application an urgent need. Digital watermarking presents a strong mechanism for marking model ownership and, thereby, offers protection against those threats. This work presents a taxonomy identifying and analyzing different classes of watermarking schemes for ML models. It introduces a unified threat model to allow structured reasoning on and comparison of the effectiveness of watermarking methods in different scenarios. Furthermore, it systematizes desired security requirements and…
