Knowledge-Free Black-Box Watermark and Ownership Proof for Image Classification Neural Networks

TL;DR

This paper introduces a novel knowledge-free black-box watermarking method for image classification neural networks that does not require training data and ensures security and performance preservation.

Contribution

It presents a data-free distillation-based approach for watermarking neural networks, addressing real-world industrial challenges and security concerns.

Findings

The scheme effectively preserves network performance.

It demonstrates strong security against knowledgeable adversaries.

Experimental results confirm its robustness and practicality.

Abstract

Watermarking has become a plausible candidate for ownership verification and intellectual property protection of deep neural networks. Regarding image classification neural networks, current watermarking schemes uniformly resort to backdoor triggers. However, injecting a backdoor into a neural network requires knowledge of the training dataset, which is usually unavailable in the real-world commercialization. Meanwhile, established watermarking schemes oversight the potential damage of exposed evidence during ownership verification and the watermarking algorithms themselves. Those concerns decline current watermarking schemes from industrial applications. To confront these challenges, we propose a knowledge-free black-box watermarking scheme for image classification neural networks. The image generator obtained from a data-free distillation process is leveraged to stabilize the network's performance during the backdoor injection. A delicate encoding and verification protocol is designed to ensure the scheme's security against knowledgable adversaries. We also give a pioneering analysis of the capacity of the watermarking scheme. Experiment results proved the functionality-preserving capability and security of the proposed watermarking scheme.