FreeMark: A Non-Invasive White-Box Watermarking for Deep Neural Networks

TL;DR

FreeMark introduces a non-invasive, cryptography-based watermarking method for DNNs that preserves model performance and resists removal attacks by generating secret keys from the model's activation values.

Contribution

It presents a novel watermarking framework that does not modify the original DNN, using cryptographic principles and secret keys derived from the model for robust IP protection.

Findings

Resists various watermark removal attacks

Maintains high watermark capacity

Does not reduce model performance

Abstract

Deep neural networks (DNNs) have achieved significant success in real-world applications. However, safeguarding their intellectual property (IP) remains extremely challenging. Existing DNN watermarking for IP protection often require modifying DNN models, which reduces model performance and limits their practicality. This paper introduces FreeMark, a novel DNN watermarking framework that leverages cryptographic principles without altering the original host DNN model, thereby avoiding any reduction in model performance. Unlike traditional DNN watermarking methods, FreeMark innovatively generates secret keys from a pre-generated watermark vector and the host model using gradient descent. These secret keys, used to extract watermark from the model's activation values, are securely stored with a trusted third party, enabling reliable watermark extraction from suspect models. Extensive experiments demonstrate that FreeMark effectively resists various watermark removal attacks while maintaining high watermark capacity.