Fostering the Robustness of White-Box Deep Neural Network Watermarks by Neuron Alignment

TL;DR

This paper proposes a neuron alignment method to improve the robustness of white-box DNN watermarks against permutation attacks, ensuring ownership verification remains reliable.

Contribution

It introduces a neuron alignment procedure that enhances the robustness of existing white-box DNN watermarking schemes against permutation-based attacks.

Findings

Neuron alignment improves watermark robustness.

Enhanced verification accuracy under permutation attacks.

Facilitates existing watermarking schemes.

Abstract

The wide application of deep learning techniques is boosting the regulation of deep learning models, especially deep neural networks (DNN), as commercial products. A necessary prerequisite for such regulations is identifying the owner of deep neural networks, which is usually done through the watermark. Current DNN watermarking schemes, particularly white-box ones, are uniformly fragile against a family of functionality equivalence attacks, especially the neuron permutation. This operation can effortlessly invalidate the ownership proof and escape copyright regulations. To enhance the robustness of white-box DNN watermarking schemes, this paper presents a procedure that aligns neurons into the same order as when the watermark is embedded, so the watermark can be correctly recognized. This neuron alignment process significantly facilitates the functionality of established deep neural network watermarking schemes.