Verifying Integrity of Deep Ensemble Models by Lossless Black-box Watermarking with Sensitive Samples

TL;DR

This paper introduces a lossless black-box watermarking method using sensitive samples to verify the integrity of deep ensemble models without modifying them, effective even when some sub-models are attacked.

Contribution

A novel black-box watermarking approach for deep ensemble models that does not alter the original models and can verify integrity under attack scenarios.

Findings

Reliable verification of DEM integrity even if one sub-model is attacked

Method does not modify the original DEM, ensuring lossless verification

Effective in real-world attack scenarios

Abstract

With the widespread use of deep neural networks (DNNs) in many areas, more and more studies focus on protecting DNN models from intellectual property (IP) infringement. Many existing methods apply digital watermarking to protect the DNN models. The majority of them either embed a watermark directly into the internal network structure/parameters or insert a zero-bit watermark by fine-tuning a model to be protected with a set of so-called trigger samples. Though these methods work very well, they were designed for individual DNN models, which cannot be directly applied to deep ensemble models (DEMs) that combine multiple DNN models to make the final decision. It motivates us to propose a novel black-box watermarking method in this paper for DEMs, which can be used for verifying the integrity of DEMs. In the proposed method, a certain number of sensitive samples are carefully selected through mimicking real-world DEM attacks and analyzing the prediction results of the sub-models of the non-attacked DEM and the attacked DEM on the carefully crafted dataset. By analyzing the prediction results of the target DEM on these carefully crafted sensitive samples, we are able to verify the integrity of the target DEM. Different from many previous methods, the proposed method does not modify the original DEM to be protected, which indicates that the proposed method is lossless. Experimental results have shown that the DEM integrity can be reliably verified even if only one sub-model was attacked, which has good potential in practice.