Persistence of Backdoor-based Watermarks for Neural Networks: A Comprehensive Evaluation

Anh Tu Ngo, Chuan Song Heng, Nandish Chattopadhyay, Anupam Chattopadhyay

TL;DR

This paper investigates the persistence of backdoor-based watermarks in neural networks under post-deployment fine-tuning and model extraction. It introduces a data-driven restoration approach that, by injecting additional training data after fine-tuning, can revive the watermark, achieving trigger accuracy up to $100\%$ when parameter drift is small and the trigger scheme is effective. A multi-label FGSM-based trigger scheme and a comprehensive set of per-stage hyperparameters are evaluated across ResNet and ViT architectures, with loss-landscape analyses to explain restoration dynamics. The findings highlight the robustness—and potential fragility—of backdoor watermarks under typical model-adaptation workflows, underscoring implications for IP protection and watermark-design strategies.

Abstract

Deep Neural Networks (DNNs) have gained considerable traction in recent years due to the unparalleled results they achieve. However, training such sophisticated models is resource intensive, leading many to consider DNNs the intellectual property (IP) of their model owners. In this era of cloud computing, high-performance DNNs are often deployed across the internet so that the public can access them. As such, DNN watermarking schemes, especially backdoor-based watermarks, have been actively developed in recent years to protect proprietary rights. Nonetheless, much uncertainty remains about the robustness of existing backdoor watermark schemes, both against adversarial attacks and against unintended modifications such as fine-tuning of neural network models. One reason for this is that no complete guarantee of robustness can be given for backdoor-based watermarks. In this paper, we extensively evaluate the persistence of recent backdoor-based watermarks in neural networks under fine-tuning, and we propose a novel data-driven approach to restore the watermark after fine-tuning without exposing the trigger set. Our empirical results show that by solely introducing training data after fine-tuning, the watermark can be restored if model parameters do not shift dramatically during fine-tuning. Depending on the type of trigger samples used, trigger accuracy can be reinstated to up to 100%. Our study further explores how the restoration process works using loss landscape visualization, as well as the idea of introducing training data during the fine-tuning stage to alleviate watermark vanishing.

Paper Structure (6 sections, 5 figures, 3 tables, 2 algorithms)

This paper contains 6 sections, 5 figures, 3 tables, 2 algorithms.

Figures (5)

  • Figure 1: Trigger accuracy during fine-tuning of ViT models
  • Figure 2: Trigger accuracy during retraining of ViT models
  • Figure 3: Comparison of trigger accuracies between mixing and without mixing of training data $\mathcal{D}_\textsc{Train}$ (ViT)
  • Figure 4: Trigger accuracy during retraining of extracted models
  • Figure 5: Loss landscape visualization for model extraction (ResNet) - The contours illustrate trigger loss; orange lines depict the last few epochs of the extraction phase, while blue lines represent retraining. It can be seen that the trajectories during retraining do not turn as sharply as in the fine-tuning attack.