CycleGANWM: A CycleGAN watermarking method for ownership verification

TL;DR

This paper introduces CycleGANWM, a novel watermarking method for CycleGAN models that embeds ownership information while maintaining high image translation quality, and demonstrates robustness against post-processing and surrogate attacks.

Contribution

The paper proposes a new watermarking technique for CycleGAN that combines watermark embedding with image translation, ensuring robustness and ownership verification.

Findings

Effective watermark embedding without degrading image quality.

Robustness against common image post-processing operations.

Resistance to surrogate model attacks.

Abstract

Due to the proliferation and widespread use of deep neural networks (DNN), their Intellectual Property Rights (IPR) protection has become increasingly important. This paper presents a novel model watermarking method for an unsupervised image-to-image translation (I2IT) networks, named CycleGAN, which leverage the image translation visual quality and watermark embedding. In this method, a watermark decoder is trained initially. Then the decoder is frozen and used to extract the watermark bits when training the CycleGAN watermarking model. The CycleGAN watermarking (CycleGANWM) is trained with specific loss functions and optimized to get a good performance on both I2IT task and watermark embedding. For watermark verification, this work uses statistical significance test to identify the ownership of the model from the extract watermark bits. We evaluate the robustness of the model against image post-processing and improve it by fine-tuning the model with adding data augmentation on the output images before extracting the watermark bits. We also carry out surrogate model attack under black-box access of the model. The experimental results prove that the proposed method is effective and robust to some image post-processing, and it is able to resist surrogate model attack.