SEW: Strengthening Robustness of Black-box DNN Watermarking via Specificity Enhancement

TL;DR

This paper introduces SEW, a novel black-box DNN watermarking method that enhances specificity to improve robustness against removal attacks, ensuring better protection of intellectual property.

Contribution

The paper proposes Specificity-Enhanced Watermarking (SEW), a new approach that increases watermark specificity to defend against removal attacks in black-box DNN watermarking.

Findings

SEW significantly improves robustness against six state-of-the-art removal attacks.

Enhancing specificity maintains watermark verification while resisting attacks.

Evaluation on three benchmarks confirms effectiveness of the proposed method.

Abstract

To ensure the responsible distribution and use of open-source deep neural networks (DNNs), DNN watermarking has become a crucial technique to trace and verify unauthorized model replication or misuse. In practice, black-box watermarks manifest as specific predictive behaviors for specially crafted samples. However, due to the generalization nature of DNNs, the keys to extracting the watermark message are not unique, which would provide attackers with more opportunities. Advanced attack techniques can reverse-engineer approximate replacements for the original watermark keys, enabling subsequent watermark removal. In this paper, we explore black-box DNN watermarking specificity, which refers to the accuracy of a watermark's response to a key. Using this concept, we introduce Specificity-Enhanced Watermarking (SEW), a new method that improves specificity by reducing the association between the watermark and approximate keys. Through extensive evaluation using three popular watermarking benchmarks, we validate that enhancing specificity significantly contributes to strengthening robustness against removal attacks. SEW effectively defends against six state-of-the-art removal attacks, while maintaining model usability and watermark verification performance.