Reversible Watermarking in Deep Convolutional Neural Networks for Integrity Authentication
Xiquan Guan, Huamin Feng, Weiming Zhang, Hang Zhou, Jie Zhang, and Nenghai Yu

TL;DR
This paper introduces a reversible watermarking method for deep convolutional neural networks that enables integrity authentication without permanently altering the model, allowing full recovery and detection of unauthorized modifications.
Contribution
It proposes a novel reversible watermarking algorithm based on model pruning and histogram shifting, suitable for verifying model integrity while preserving original parameters.
Findings
Embedding has less than 0.5% impact on classification accuracy
Model parameters can be fully recovered after watermark extraction
Model integrity can be effectively verified through watermark comparison
Abstract
Deep convolutional neural networks have made outstanding contributions in many fields such as computer vision in the past few years, and many researchers have published well-trained networks for downloading. But recent studies have shown serious concerns about integrity due to model-reuse attacks and backdoor attacks. In order to protect these open-source networks, many algorithms have been proposed, such as watermarking. However, these existing algorithms modify the contents of the network permanently and are not suitable for integrity authentication. In this paper, we propose a reversible watermarking algorithm for integrity authentication. Specifically, we present the reversible watermarking problem of deep convolutional neural networks and utilize the pruning theory of model compression technology to construct a host sequence used for embedding watermarking information by histogram shift.…
Taxonomy
Methods: Pruning
