TATTOOED: A Robust Deep Neural Network Watermarking Scheme based on Spread-Spectrum Channel Coding

TL;DR

This paper introduces TATTOOED, a robust deep neural network watermarking scheme based on spread-spectrum channel coding, capable of resisting model modifications like fine-tuning and pruning while maintaining model performance.

Contribution

TATTOOED is a novel DNN watermarking method that offers high robustness against removal attacks and is easy to integrate into training without affecting accuracy.

Findings

Successfully verifies ownership even with 99% parameter alterations.

Demonstrates robustness against fine-tuning, pruning, and shuffling.

Negligible impact on model performance.

Abstract

Watermarking of deep neural networks (DNNs) has gained significant traction in recent years, with numerous (watermarking) strategies being proposed as mechanisms that can help verify the ownership of a DNN in scenarios where these models are obtained without the permission of the owner. However, a growing body of work has demonstrated that existing watermarking mechanisms are highly susceptible to removal techniques, such as fine-tuning, parameter pruning, or shuffling. In this paper, we build upon extensive prior work on covert (military) communication and propose TATTOOED, a novel DNN watermarking technique that is robust to existing threats. We demonstrate that using TATTOOED as their watermarking mechanisms, the DNN owner can successfully obtain the watermark and verify model ownership even in scenarios where 99% of model parameters are altered. Furthermore, we show that TATTOOED is easy to employ in training pipelines, and has negligible impact on model performance.