AWEncoder: Adversarial Watermarking Pre-trained Encoders in Contrastive Learning

TL;DR

This paper introduces AWEncoder, an adversarial watermarking method for protecting pre-trained contrastive learning encoders, ensuring ownership verification without significantly degrading downstream task performance.

Contribution

The paper proposes a novel adversarial watermarking technique for pre-trained encoders in contrastive learning, enhancing ownership verification and robustness.

Findings

Watermarked encoders maintain high performance on downstream tasks.

The method effectively verifies ownership under white-box and black-box conditions.

AWEncoder demonstrates robustness across different contrastive learning algorithms.

Abstract

As a self-supervised learning paradigm, contrastive learning has been widely used to pre-train a powerful encoder as an effective feature extractor for various downstream tasks. This process requires numerous unlabeled training data and computational resources, which makes the pre-trained encoder become valuable intellectual property of the owner. However, the lack of a priori knowledge of downstream tasks makes it non-trivial to protect the intellectual property of the pre-trained encoder by applying conventional watermarking methods. To deal with this problem, in this paper, we introduce AWEncoder, an adversarial method for watermarking the pre-trained encoder in contrastive learning. First, as an adversarial perturbation, the watermark is generated by enforcing the training samples to be marked to deviate respective location and surround a randomly selected key image in the embedding space. Then, the watermark is embedded into the pre-trained encoder by further optimizing a joint loss function. As a result, the watermarked encoder not only performs very well for downstream tasks, but also enables us to verify its ownership by analyzing the discrepancy of output provided using the encoder as the backbone under both white-box and black-box conditions. Extensive experiments demonstrate that the proposed work enjoys pretty good effectiveness and robustness on different contrastive learning algorithms and downstream tasks, which has verified the superiority and applicability of the proposed work.