ROSE: A RObust and SEcure DNN Watermarking
Kassem Kallas, Teddy Furon

TL;DR
This paper introduces ROSE, a lightweight, secure, and robust black-box DNN watermarking method that uses cryptographic functions and key image-label pairs during training to prove ownership and resist attacks.
Contribution
It presents a novel watermarking protocol that does not alter model parameters or pipelines, ensuring security and robustness through cryptographic techniques and in-task key pairs.
Findings
Effective protection across multiple datasets.
Resistant to various attack methods.
Maintains model accuracy and security levels.
Abstract
Protecting the Intellectual Property rights of DNN models is of primary importance prior to their deployment. So far, the proposed methods either necessitate changes to internal model parameters or to the machine learning pipeline, or they fail to meet both the security and robustness requirements. This paper proposes a lightweight, robust, and secure black-box DNN watermarking protocol that takes advantage of cryptographic one-way functions as well as the injection of in-task key image-label pairs during the training process. These pairs are later used to prove DNN model ownership during testing. The main feature is that the value of the proof and its security are measurable. The extensive experiments, which watermark image classification models for various datasets and expose them to a variety of attacks, show that it provides protection while maintaining an adequate level of…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Brain Tumor Detection and Classification · Advanced Steganography and Watermarking Techniques
