A Systematic Review on Model Watermarking for Neural Networks

Machine learning (ML) models are applied in an increasing variety of domains. The availability of large amounts of data and computational resources encourages the development of ever more complex and valuable models. These models are considered the intellectual property of the legitimate parties who have trained them, which makes their protection against stealing, illegitimate redistribution, and unauthorized application an urgent need. Digital watermarking presents a strong mechanism for marking model ownership and, thereby, offers protection against those threats. This work presents a taxonomy identifying and analyzing different classes of watermarking schemes for ML models. It introduces a unified threat model to allow structured reasoning on and comparison of the effectiveness of watermarking methods in different scenarios. Furthermore, it systematizes desired security requirements and attacks against ML model watermarking. Based on that framework, representative literature from the field is surveyed to illustrate the taxonomy. Finally, shortcomings and general limitations of existing approaches are discussed, and an outlook on future research directions is given.
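To make "marking model ownership" concrete, here is a toy white-box weight watermark of the kind the survey's taxonomy covers: a secret key derives a projection matrix, a bit string is embedded into the weights by a regularizer during (simulated) training, and the owner later verifies by projecting the weights and comparing bits. It also runs the two checks a practitioner wants from such a scheme, fidelity (how far the weights moved) and robustness (does the mark survive magnitude pruning), plus a wrong-key read to show the mark is not recoverable without the key. This is an added example written for this page, not code from the paper or any of the schemes it surveys; the flat weight vector standing in for a model, the L2 pull toward the original weights standing in for the task loss, the key strings, bit length and pruning fraction are all constructed assumptions.

```python
"""Minimal white-box model watermark: embed a secret bit string into a
weight vector through a key-derived projection and verify it afterwards.
Constructed example: the "model" is a flat weight vector, not a real network."""
import math
import random


def projection_matrix(key, n_bits, n_weights):
    """Secret projection X (n_bits x n_weights) derived from the owner's key."""
    rng = random.Random(key)
    return [[rng.gauss(0.0, 1.0) for _ in range(n_weights)] for _ in range(n_bits)]


def extract_bits(weights, X):
    """Read one bit per projection row: the sign of the projected weights."""
    return [1 if sum(x * w for x, w in zip(row, weights)) > 0 else 0 for row in X]


def embed_watermark(weights, bits, X, steps=400, lr=0.005, lam=0.1):
    """Gradient descent on a watermark regularizer (binary cross-entropy of
    sigmoid(X w) against the target bits) plus an L2 pull toward the original
    weights, which stands in for the task loss of real training (assumption)."""
    w0 = list(weights)
    w = list(weights)
    for _ in range(steps):
        grad = [lam * (wi - oi) for wi, oi in zip(w, w0)]
        for row, b in zip(X, bits):
            z = sum(x * wi for x, wi in zip(row, w))
            g = 1.0 / (1.0 + math.exp(-z)) - b  # d(BCE)/dz for sigmoid output
            for j, x in enumerate(row):
                grad[j] += g * x
        w = [wi - lr * gi for wi, gi in zip(w, grad)]
    return w


def bit_error_rate(expected, observed):
    """Fraction of watermark bits that do not match; 0.0 means a perfect read."""
    return sum(a != b for a, b in zip(expected, observed)) / len(expected)


def prune_smallest(weights, fraction):
    """Magnitude pruning (a common removal attempt): zero the smallest weights."""
    k = int(len(weights) * fraction)
    if k == 0:
        return list(weights)
    order = sorted(range(len(weights)), key=lambda i: abs(weights[i]))
    drop = set(order[:k])
    return [0.0 if i in drop else w for i, w in enumerate(weights)]


def demo(n_weights=128, n_bits=32, key="owner-secret-key", seed=7):
    """Embed, then run the verification, fidelity and robustness checks."""
    rng = random.Random(seed)
    w0 = [rng.gauss(0.0, 0.05) for _ in range(n_weights)]  # constructed "trained" weights
    bits = [rng.randrange(2) for _ in range(n_bits)]  # owner's watermark message
    X = projection_matrix(key, n_bits, n_weights)
    w_marked = embed_watermark(w0, bits, X)
    wrong_X = projection_matrix("other-key", n_bits, n_weights)  # verifier without the key
    return {
        "ber_clean": bit_error_rate(bits, extract_bits(w_marked, X)),
        "ber_pruned_30": bit_error_rate(bits, extract_bits(prune_smallest(w_marked, 0.3), X)),
        "ber_wrong_key": bit_error_rate(bits, extract_bits(w_marked, wrong_X)),
        "ber_unmarked": bit_error_rate(bits, extract_bits(w0, X)),
        "mean_shift": sum(abs(a - b) for a, b in zip(w_marked, w0)) / n_weights,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value:.3f}")
```

The clean read should return every bit, the pruned read should stay close to zero error while the wrong-key and unmarked reads sit near 0.5 (chance), and the mean weight shift stays small relative to the weights, which is the fidelity/robustness trade-off the survey's requirements framework is about. A real scheme would apply the regularizer to an actual layer during training and fix a detection threshold on the bit error rate from the chance distribution rather than eyeballing it.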
