OVLA: Neural Network Ownership Verification using Latent Watermarks

TL;DR

This paper introduces OVLA, a neural network ownership verification method using latent watermarks that remain dormant unless activated by a secret key, providing robust protection against various attacks.

Contribution

The paper proposes a novel latent watermarking approach that decouples normal network operation from watermark responses, enhancing security against multiple attack vectors.

Findings

Effective resistance to backdoor detection and removal

Strong defense against surrogate model attacks

Maintains normal network performance without watermark activation

Abstract

Ownership verification for neural networks is important for protecting these models from illegal copying, free-riding, re-distribution and other intellectual property misuse. We present a novel methodology for neural network ownership verification based on the notion of latent watermarks. Existing ownership verification methods either modify or introduce constraints to the neural network parameters, which are accessible to an attacker in a white-box attack and can be harmful to the network's normal operation, or train the network to respond to specific watermarks in the inputs similar to data poisoning-based backdoor attacks, which are susceptible to backdoor removal techniques. In this paper, we address these problems by decoupling a network's normal operation from its responses to watermarked inputs during ownership verification. The key idea is to train the network such that the watermarks remain dormant unless the owner's secret key is applied to activate it. The secret key is realized as a specific perturbation only known to the owner to the network's parameters. We show that our approach offers strong defense against backdoor detection, backdoor removal and surrogate model attacks.In addition, our method provides protection against ambiguity attacks where the attacker either tries to guess the secret weight key or uses fine-tuning to embed their own watermarks with a different key into a pre-trained neural network. Experimental results demonstrate the advantages and effectiveness of our proposed approach.