Persistence of Backdoor-based Watermarks for Neural Networks: A Comprehensive Evaluation

TL;DR

This paper evaluates the robustness of backdoor-based watermarks in neural networks against fine-tuning and introduces a data-driven method to restore watermarks without exposing trigger sets, demonstrating high restoration accuracy.

Contribution

It provides a comprehensive evaluation of watermark persistence and proposes a novel data-driven approach to restore watermarks after fine-tuning without revealing trigger data.

Findings

Watermarks can be restored after fine-tuning with additional training data.

Trigger accuracy can reach up to 100% after restoration.

Introducing training data during fine-tuning helps prevent watermark loss.

Abstract

Deep Neural Networks (DNNs) have gained considerable traction in recent years due to the unparalleled results they gathered. However, the cost behind training such sophisticated models is resource intensive, resulting in many to consider DNNs to be intellectual property (IP) to model owners. In this era of cloud computing, high-performance DNNs are often deployed all over the internet so that people can access them publicly. As such, DNN watermarking schemes, especially backdoor-based watermarks, have been actively developed in recent years to preserve proprietary rights. Nonetheless, there lies much uncertainty on the robustness of existing backdoor watermark schemes, towards both adversarial attacks and unintended means such as fine-tuning neural network models. One reason for this is that no complete guarantee of robustness can be assured in the context of backdoor-based watermark. In this paper, we extensively evaluate the persistence of recent backdoor-based watermarks within neural networks in the scenario of fine-tuning, we propose/develop a novel data-driven idea to restore watermark after fine-tuning without exposing the trigger set. Our empirical results show that by solely introducing training data after fine-tuning, the watermark can be restored if model parameters do not shift dramatically during fine-tuning. Depending on the types of trigger samples used, trigger accuracy can be reinstated to up to 100%. Our study further explores how the restoration process works using loss landscape visualization, as well as the idea of introducing training data in fine-tuning stage to alleviate watermark vanishing.