Staining and locking computer vision models without retraining

TL;DR

This paper presents novel methods to watermark and lock pre-trained computer vision models by directly modifying a few weights, enabling ownership verification and access control without retraining, with provable security guarantees.

Contribution

The authors introduce new watermarking and locking techniques that do not require retraining, offering provable guarantees and minimal performance impact on models.

Findings

Effective watermarking and locking of models demonstrated

Provable guarantees on false positive rates provided

Minimal impact on model performance observed

Abstract

We introduce new methods of staining and locking computer vision models, to protect their owners' intellectual property. Staining, also known as watermarking, embeds secret behaviour into a model which can later be used to identify it, while locking aims to make a model unusable unless a secret trigger is inserted into input images. Unlike existing methods, our algorithms can be used to stain and lock pre-trained models without requiring fine-tuning or retraining, and come with provable, computable guarantees bounding their worst-case false positive rates. The stain and lock are implemented by directly modifying a small number of the model's weights and have minimal impact on the (unlocked) model's performance. Locked models are unlocked by inserting a small `trigger patch' into the corner of the input image. We present experimental results showing the efficacy of our methods and demonstrating their practical performance on a variety of computer vision models.