FreeMark: A Non-Invasive White-Box Watermarking for Deep Neural Networks

Yuzhang Chen, Jiangnan Zhu, Yujie Gu, Minoru Kuribayashi, Kouichi Sakurai

TL;DR

This paper introduces FreeMark, a novel DNN watermarking framework that leverages cryptographic principles without altering the original host DNN model, thereby avoiding any reduction in model performance.

Abstract

Deep neural networks (DNNs) have achieved significant success in real-world applications. However, safeguarding their intellectual property (IP) remains extremely challenging. Existing DNN watermarking methods for IP protection often require modifying DNN models, which reduces model performance and limits their practicality. This paper introduces FreeMark, a novel DNN watermarking framework that leverages cryptographic principles without altering the original host DNN model, thereby avoiding any reduction in model performance. Unlike traditional DNN watermarking methods, FreeMark generates secret keys from a pre-generated watermark vector and the host model using gradient descent. These secret keys, used to extract the watermark from the model's activation values, are securely stored with a trusted third party, enabling reliable watermark extraction from suspect models. Extensive experiments demonstrate that FreeMark effectively resists various watermark removal attacks while maintaining high watermark capacity.

Paper Structure

This paper contains 11 sections, 9 equations, 3 figures, 1 table, and 3 algorithms.

Figures (3)

  • Figure 1: The workflow of our proposed method, FreeMark. In watermark embedding, a secret key pair $(A, \boldsymbol{d})$ is generated by integrating the host model $H$ and the watermark $\boldsymbol{b}$. In watermark extraction, the trusted third party (TTP) employs the secret keys to extract the watermark $\boldsymbol{\hat{b}}$ from a suspect model $S$. In watermark verification, the bit error rate (BER) between the original watermark $\boldsymbol{b}$ and the extracted watermark $\boldsymbol{\hat{b}}$ is calculated to determine whether $S$ is a copy of $H$.
  • Figure 2: BER with forged secret keys.
  • Figure 3: BER after pruning.