WaterMAS: Sharpness-Aware Maximization for Neural Network Watermarking

TL;DR

WaterMAS introduces a neural network watermarking technique that enhances robustness, imperceptibility, and security by sharpening weights during training, with experimental validation across multiple models and attack types.

Contribution

It presents WaterMAS, a novel white-box watermarking method that improves the robustness and security of neural network watermarks while maintaining imperceptibility and efficiency.

Findings

WaterMAS effectively resists various attacks such as pruning and quantization.

The method maintains high imperceptibility during training.

Experimental results show improved robustness across multiple models.

Abstract

Nowadays, deep neural networks are used for solving complex tasks in several critical applications and protecting both their integrity and intellectual property rights (IPR) has become of utmost importance. To this end, we advance WaterMAS, a substitutive, white-box neural network watermarking method that improves the trade-off among robustness, imperceptibility, and computational complexity, while making provisions for increased data payload and security. WasterMAS insertion keeps unchanged the watermarked weights while sharpening their underlying gradient space. The robustness is thus ensured by limiting the attack's strength: even small alterations of the watermarked weights would impact the model's performance. The imperceptibility is ensured by inserting the watermark during the training process. The relationship among the WaterMAS data payload, imperceptibility, and robustness properties is discussed. The secret key is represented by the positions of the weights conveying the watermark, randomly chosen through multiple layers of the model. The security is evaluated by investigating the case in which an attacker would intercept the key. The experimental validations consider 5 models and 2 tasks (VGG16, ResNet18, MobileNetV3, SwinT for CIFAR10 image classification, and DeepLabV3 for Cityscapes image segmentation) as well as 4 types of attacks (Gaussian noise addition, pruning, fine-tuning, and quantization). The code will be released open-source upon acceptance of the article.