Hot-Swap MarkBoard: An Efficient Black-box Watermarking Approach for Large-scale Model Distribution

TL;DR

Hot-Swap MarkBoard is a novel black-box watermarking technique for large-scale distributed models, allowing efficient user-specific watermark customization without retraining, thus enhancing IP protection in on-device AI deployments.

Contribution

It introduces a flexible watermarking method using multi-branch LoRA modules and branch swapping, enabling efficient, customizable, and robust ownership verification for large-scale models.

Findings

Achieves 100% verification accuracy across various tasks and models.

Supports black-box verification and is compatible with multiple architectures.

Demonstrates superior efficiency and adaptability over existing watermarking methods.

Abstract

Recently, Deep Learning (DL) models have been increasingly deployed on end-user devices as On-Device AI, offering improved efficiency and privacy. However, this deployment trend poses more serious Intellectual Property (IP) risks, as models are distributed on numerous local devices, making them vulnerable to theft and redistribution. Most existing ownership protection solutions (e.g., backdoor-based watermarking) are designed for cloud-based AI-as-a-Service (AIaaS) and are not directly applicable to large-scale distribution scenarios, where each user-specific model instance must carry a unique watermark. These methods typically embed a fixed watermark, and modifying the embedded watermark requires retraining the model. To address these challenges, we propose Hot-Swap MarkBoard, an efficient watermarking method. It encodes user-specific $n$-bit binary signatures by independently embedding multiple watermarks into a multi-branch Low-Rank Adaptation (LoRA) module, enabling efficient watermark customization without retraining through branch swapping. A parameter obfuscation mechanism further entangles the watermark weights with those of the base model, preventing removal without degrading model performance. The method supports black-box verification and is compatible with various model architectures and DL tasks, including classification, image generation, and text generation. Extensive experiments across three types of tasks and six backbone models demonstrate our method's superior efficiency and adaptability compared to existing approaches, achieving 100\% verification accuracy.