FedReverse: Multiparty Reversible Deep Neural Network Watermarking

TL;DR

FedReverse is a multiparty reversible watermarking method for DNNs that ensures robust copyright protection, allows collaborative embedding, and can be completely removed with client consent, all with minimal impact on model performance.

Contribution

The paper introduces FedReverse, a novel multiparty reversible watermarking technique for DNNs that enhances robustness, privacy, and reversibility compared to existing methods.

Findings

FedReverse provides robust watermarking with minimal accuracy loss.

It enables collaborative embedding from multiple parties.

The method is resistant to Known Original Attacks.

Abstract

The proliferation of Deep Neural Networks (DNN) in commercial applications is expanding rapidly. Simultaneously, the increasing complexity and cost of training DNN models have intensified the urgency surrounding the protection of intellectual property associated with these trained models. In this regard, DNN watermarking has emerged as a crucial safeguarding technique. This paper presents FedReverse, a novel multiparty reversible watermarking approach for robust copyright protection while minimizing performance impact. Unlike existing methods, FedReverse enables collaborative watermark embedding from multiple parties after model training, ensuring individual copyright claims. In addition, FedReverse is reversible, enabling complete watermark removal with unanimous client consent. FedReverse demonstrates perfect covering, ensuring that observations of watermarked content do not reveal any information about the hidden watermark. Additionally, it showcases resistance against Known Original Attacks (KOA), making it highly challenging for attackers to forge watermarks or infer the key. This paper further evaluates FedReverse through comprehensive simulations involving Multi-layer Perceptron (MLP) and Convolutional Neural Networks (CNN) trained on the MNIST dataset. The simulations demonstrate FedReverse's robustness, reversibility, and minimal impact on model accuracy across varying embedding parameters and multiple client scenarios.