Box-Free Model Watermarks Are Prone to Black-Box Removal Attacks
Haonan An, Guang Hua, Zhiping Lin, Yuguang Fang

TL;DR
This paper demonstrates that box-free model watermarking techniques are vulnerable to black-box removal attacks, including gradient-based and transfer-based methods, highlighting the need for more robust watermarking solutions.
Contribution
The paper introduces new black-box removal attacks against box-free model watermarks, including the EGG remover and transfer-based methods, exposing significant vulnerabilities in current techniques.
Findings
Proposed an extractor-gradient-guided (EGG) remover effective against ReLU-based extractors.
Designed adversarial attack-based removers for unknown extractors.
Developed transferable removers using private proxy models that can remove watermarks without degrading image quality.
Abstract
Box-free model watermarking is an emerging technique to safeguard the intellectual property of deep learning models, particularly those for low-level image processing tasks. Existing works have verified and improved its effectiveness in several aspects. However, in this paper, we reveal that box-free model watermarking is prone to removal attacks, even under the real-world threat model such that the protected model and the watermark extractor are in black boxes. Under this setting, we carry out three studies. 1) We develop an extractor-gradient-guided (EGG) remover and show its effectiveness when the extractor uses ReLU activation only. 2) More generally, for an unknown extractor, we leverage adversarial attacks and design the EGG remover based on the estimated gradients. 3) Under the most stringent condition that the extractor is inaccessible, we design a transferable remover based on…
Taxonomy
Topics: Advanced Steganography and Watermarking Techniques · Internet Traffic Analysis and Secure E-voting · Digital and Cyber Forensics
Methods: Sparse Evolutionary Training
