Robust and Large-Payload DNN Watermarking via Fixed, Distribution-Optimized, Weights

TL;DR

This paper introduces a novel DNN watermarking method that pre-sets weights to optimize payload and robustness, maintaining network performance and secrecy against modifications and retraining.

Contribution

The paper proposes a fixed, distribution-optimized watermarking approach that achieves large payloads and strong robustness without impacting network accuracy.

Findings

Achieves high payload and robustness against network modifications.

Maintains network accuracy with minimal impact.

Ensures watermark secrecy through distribution optimization.

Abstract

The design of an effective multi-bit watermarking algorithm hinges upon finding a good trade-off between the three fundamental requirements forming the watermarking trade-off triangle, namely, robustness against network modifications, payload, and unobtrusiveness, ensuring minimal impact on the performance of the watermarked network. In this paper, we first revisit the nature of the watermarking trade-off triangle for the DNN case, then we exploit our findings to propose a white-box, multi-bit watermarking method achieving very large payload and strong robustness against network modification. In the proposed system, the weights hosting the watermark are set prior to training, making sure that their amplitude is large enough to bear the target payload and survive network modifications, notably retraining, and are left unchanged throughout the training process. The distribution of the weights carrying the watermark is theoretically optimised to ensure the secrecy of the watermark and make sure that the watermarked weights are indistinguishable from the non-watermarked ones. The proposed method can achieve outstanding performance, with no significant impact on network accuracy, including robustness against network modifications, retraining and transfer learning, while ensuring a payload which is out of reach of state of the art methods achieving a lower - or at most comparable - robustness.