Adaptive White-Box Watermarking with Self-Mutual Check Parameters in Deep Neural Networks

TL;DR

This paper introduces an adaptive white-box watermarking method for deep neural networks that detects, locates, and restores tampered parameters, improving security and accuracy retention under attack conditions.

Contribution

It presents a novel adaptive embedding technique combined with self-mutual check parameters for precise tampering detection and model restoration.

Findings

Achieved high recovery performance with modification rates below 20%

Recovered over 15% of accuracy loss in models with significant watermarking impact

Effective in detecting and restoring tampered parameters in neural networks

Abstract

Artificial Intelligence (AI) has found wide application, but also poses risks due to unintentional or malicious tampering during deployment. Regular checks are therefore necessary to detect and prevent such risks. Fragile watermarking is a technique used to identify tampering in AI models. However, previous methods have faced challenges including risks of omission, additional information transmission, and inability to locate tampering precisely. In this paper, we propose a method for detecting tampered parameters and bits, which can be used to detect, locate, and restore parameters that have been tampered with. We also propose an adaptive embedding method that maximizes information capacity while maintaining model accuracy. Our approach was tested on multiple neural networks subjected to attacks that modified weight parameters, and our results demonstrate that our method achieved great recovery performance when the modification rate was below 20%. Furthermore, for models where watermarking significantly affected accuracy, we utilized an adaptive bit technique to recover more than 15% of the accuracy loss of the model.