Evaluating the Robustness of Trigger Set-Based Watermarks Embedded in Deep Neural Networks

TL;DR

This paper critically evaluates trigger set-based watermarking in deep neural networks, revealing significant vulnerabilities through comprehensive adversarial testing and proposing adaptive attacks that compromise existing schemes.

Contribution

It identifies flaws in current evaluation practices, introduces adaptive attacks, and demonstrates their effectiveness against multiple watermarking schemes, highlighting the need for more robust methods.

Findings

All tested schemes are vulnerable to at least two non-adaptive attacks.

Proposed adaptive attacks successfully break all 11 watermarking schemes.

Current evaluation practices are insufficient without comprehensive adversarial testing.

Abstract

Trigger set-based watermarking schemes have gained emerging attention as they provide a means to prove ownership for deep neural network model owners. In this paper, we argue that state-of-the-art trigger set-based watermarking algorithms do not achieve their designed goal of proving ownership. We posit that this impaired capability stems from two common experimental flaws that the existing research practice has committed when evaluating the robustness of watermarking algorithms: (1) incomplete adversarial evaluation and (2) overlooked adaptive attacks. We conduct a comprehensive adversarial evaluation of 11 representative watermarking schemes against six of the existing attacks and demonstrate that each of these watermarking schemes lacks robustness against at least two non-adaptive attacks. We also propose novel adaptive attacks that harness the adversary's knowledge of the underlying watermarking algorithm of a target model. We demonstrate that the proposed attacks effectively break all of the 11 watermarking schemes, consequently allowing adversaries to obscure the ownership of any watermarked model. We encourage follow-up studies to consider our guidelines when evaluating the robustness of their watermarking schemes via conducting comprehensive adversarial evaluation that includes our adaptive attacks to demonstrate a meaningful upper bound of watermark robustness.