Towards the Resistance of Neural Network Watermarking to Fine-tuning
Ling Tang, Yuefeng Chen, Hui Xue, Quanshi Zhang

TL;DR
This paper introduces a neural network watermarking technique that embeds ownership information into low-frequency components of convolutional filters, making it resistant to fine-tuning and certain model transformations.
Contribution
The paper presents a novel watermarking method leveraging frequency domain properties of convolutional filters to enhance robustness against fine-tuning.
Findings
Watermark remains intact after fine-tuning.
Frequency components are equivariant to weight scaling and weight permutations.
Preliminary experiments confirm the method's effectiveness.
Abstract
This paper proves a new watermarking method to embed the ownership information into a deep neural network (DNN), which is robust to fine-tuning. Specifically, we prove that when the input feature of a convolutional layer only contains low-frequency components, specific frequency components of the convolutional filter will not be changed by gradient descent during the fine-tuning process, where we propose a revised Fourier transform to extract frequency components from the convolutional filter. Additionally, we also prove that these frequency components are equivariant to weight scaling and weight permutations. In this way, we design a watermark module to encode the watermark information to specific frequency components in a convolutional filter. Preliminary experiments demonstrate the effectiveness of our method.
Taxonomy
Topics: Advanced Steganography and Watermarking Techniques · Vehicle License Plate Recognition · Chaos-based Image/Signal Encryption
