MEA-Defender: A Robust Watermark against Model Extraction Attack
Peizhuo Lv, Hualong Ma, Kai Chen, Jiachen Zhou, Shengzhi Zhang, Ruigang Liang, Shenchen Zhu, Pan Li, and Yingjun Zhang

TL;DR
This paper introduces MEA-Defender, a novel watermarking technique designed to protect DNN models from model extraction attacks by embedding a watermark that remains intact during such attacks.
Contribution
The paper proposes a new watermarking method that combines input samples from different classes and ensures the watermark's robustness against model extraction attacks.
Findings
MEA-Defender is robust against multiple model extraction attacks: the watermark survives into the substitute model trained from the victim's input-output pairs.
The watermark remains detectable even after various watermark removal and detection attempts.
Extensive experiments validate its effectiveness across different models and datasets.
Abstract
Recently, numerous highly-valuable Deep Neural Networks (DNNs) have been trained using deep learning algorithms. To protect the Intellectual Property (IP) of the original owners over such DNN models, backdoor-based watermarks have been extensively studied. However, most of such watermarks fail upon model extraction attack, which utilizes input samples to query the target model and obtains the corresponding outputs, thus training a substitute model using such input-output pairs. In this paper, we propose a novel watermark to protect IP of DNN models against model extraction, named MEA-Defender. In particular, we obtain the watermark by combining two samples from two source classes in the input domain and design a watermark loss function that makes the output domain of the watermark within that of the main task samples. Since both the input domain and the output domain of our watermark…
Taxonomy
Topics: Advanced Steganography and Watermarking Techniques · Internet Traffic Analysis and Secure E-voting · Vehicle License Plate Recognition
