Solving the Capsulation Attack against Backdoor-based Deep Neural Network Watermarks by Reversing Triggers

TL;DR

This paper introduces a capsulation attack that can invalidate most backdoor-based DNN watermarks and proposes a new scheme that is resistant to such attacks by reversing encoding and randomizing triggers.

Contribution

It presents the capsulation attack method and a novel watermarking scheme that enhances security against this attack in DNN models.

Findings

Capsulation attack effectively invalidates existing watermarks.

The proposed scheme resists capsulation attack by reversing encoding.

CAScore measures watermark security against capsulation attack.

Abstract

Backdoor-based watermarking schemes were proposed to protect the intellectual property of artificial intelligence models, especially deep neural networks, under the black-box setting. Compared with ordinary backdoors, backdoor-based watermarks need to digitally incorporate the owner's identity, which fact adds extra requirements to the trigger generation and verification programs. Moreover, these concerns produce additional security risks after the watermarking scheme has been published for as a forensics tool or the owner's evidence has been eavesdropped on. This paper proposes the capsulation attack, an efficient method that can invalidate most established backdoor-based watermarking schemes without sacrificing the pirated model's functionality. By encapsulating the deep neural network with a rule-based or Bayes filter, an adversary can block ownership probing and reject the ownership verification. We propose a metric, CAScore, to measure a backdoor-based watermarking scheme's security against the capsulation attack. This paper also proposes a new backdoor-based deep neural network watermarking scheme that is secure against the capsulation attack by reversing the encoding process and randomizing the exposure of triggers.