ChainMarks: Securing DNN Watermark with Cryptographic Chain
Brian Choi, Shu Wang, Isabelle Choi, Kun Sun

TL;DR
ChainMarks introduces a cryptographic chain-based DNN watermarking scheme that enhances robustness and security, utilizing a two-phase Monte Carlo method for more accurate watermark verification and ownership proof.
Contribution
The paper presents a novel cryptographic chain approach for DNN watermarking combined with a two-phase Monte Carlo verification, improving robustness and security over existing methods.
Findings
ChainMarks outperforms state-of-the-art watermarking schemes in robustness.
It provides higher probability guarantees of watermark presence.
The scheme effectively resists watermark removal and ambiguity attacks.
Abstract
With the widespread deployment of deep neural network (DNN) models, dynamic watermarking techniques are being used to protect the intellectual property of model owners. However, recent studies have shown that existing watermarking schemes are vulnerable to watermark removal and ambiguity attacks. Moreover, the vague criteria used to decide whether a watermark is present further increase the likelihood of such attacks. In this paper, we propose a secure DNN watermarking scheme named ChainMarks, which generates secure and robust watermarks by introducing a cryptographic chain into the trigger inputs and uses a two-phase Monte Carlo method to determine watermark presence. First, ChainMarks generates trigger inputs as a watermark dataset by repeatedly applying a hash function over a secret key, where the target labels associated with the trigger inputs are generated from the digital signature of…
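As an added illustration of the hash-chain construction the abstract describes (example code written for this page, not the authors' implementation), the following builds trigger inputs by chaining SHA-256 over a secret key and lets a verifier check that a presented trigger set is exactly the chain recomputed from that key. The expansion of each digest into pixels, the derivation of labels from a signature byte stream, the placeholder signature value, and the memorising stand-in model are all assumptions.

```python
import hashlib

# Constructed parameters (assumptions, not values from the paper).
SECRET_KEY = b"constructed-owner-secret-key"
SIGNATURE = b"constructed-signature-placeholder"  # stands in for the owner's real digital signature
NUM_CLASSES = 10
TRIGGER_PIXELS = 8 * 8  # each trigger is an 8x8 grayscale image


def hash_chain(secret_key: bytes, length: int) -> list:
    """Link i+1 is SHA-256 of link i, starting from the secret key (the chain in the abstract)."""
    links, h = [], secret_key
    for _ in range(length):
        h = hashlib.sha256(h).digest()
        links.append(h)
    return links


def digest_to_trigger(digest: bytes) -> list:
    """Assumption: expand a 32-byte chain link into pixel values with SHAKE-256."""
    return list(hashlib.shake_256(digest).digest(TRIGGER_PIXELS))


def labels_from_signature(signature: bytes, count: int) -> list:
    """Assumption: label i is byte i of SHAKE-256(signature), reduced modulo the class count."""
    stream = hashlib.shake_256(signature).digest(count)
    return [b % NUM_CLASSES for b in stream]


def build_watermark(secret_key: bytes, signature: bytes, n: int):
    """Owner side: n trigger images plus their target labels."""
    triggers = [digest_to_trigger(d) for d in hash_chain(secret_key, n)]
    return triggers, labels_from_signature(signature, n)


def chain_is_consistent(secret_key: bytes, triggers: list) -> bool:
    """Verifier side: a claimed trigger set must equal the chain recomputed from the key,
    so a set that was not derived from the key (or was tampered with) is rejected."""
    expected = [digest_to_trigger(d) for d in hash_chain(secret_key, len(triggers))]
    return expected == triggers


def watermark_match_rate(model, triggers: list, labels: list) -> float:
    """Fraction of triggers on which the model returns the owner's target label."""
    hits = sum(1 for t, y in zip(triggers, labels) if model(t) == y)
    return hits / len(triggers)


def memorising_model(triggers: list, labels: list):
    """Constructed stand-in for a watermarked model: returns the label it was trained to map to."""
    table = {bytes(t): y for t, y in zip(triggers, labels)}
    return lambda x: table.get(bytes(x), 0)
```

The match rate is the raw input to the presence decision; the paper's two-phase Monte Carlo test for turning that rate into a probability guarantee is not reproduced here.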
