Deep Model Intellectual Property Protection via Deep Watermarking

TL;DR

This paper introduces a novel deep watermarking framework to protect neural network intellectual property by embedding invisible watermarks into model outputs, resisting various attack methods.

Contribution

It proposes a new model watermarking method that embeds invisible watermarks into outputs, robust against different attack strategies and adaptable to various tasks.

Findings

Watermarks can be embedded invisibly into model outputs.

The framework resists attacks with different network structures.

Watermarks are robust and can be extracted after attacks.

Abstract

Despite the tremendous success, deep neural networks are exposed to serious IP infringement risks. Given a target deep model, if the attacker knows its full information, it can be easily stolen by fine-tuning. Even if only its output is accessible, a surrogate model can be trained through student-teacher learning by generating many input-output training pairs. Therefore, deep model IP protection is important and necessary. However, it is still seriously under-researched. In this work, we propose a new model watermarking framework for protecting deep networks trained for low-level computer vision or image processing tasks. Specifically, a special task-agnostic barrier is added after the target model, which embeds a unified and invisible watermark into its outputs. When the attacker trains one surrogate model by using the input-output pairs of the barrier target model, the hidden watermark will be learned and extracted afterwards. To enable watermarks from binary bits to high-resolution images, a deep invisible watermarking mechanism is designed. By jointly training the target model and watermark embedding, the extra barrier can even be absorbed into the target model. Through extensive experiments, we demonstrate the robustness of the proposed framework, which can resist attacks with different network structures and objective functions.