Protecting Intellectual Property of EEG-based Neural Networks with Watermarking
Ahmed Abdelaziz, Ahmed Fathi, Ahmed Fares
TL;DR
The paper addresses IP protection for EEG-based neural networks by introducing a cryptographic wonder-filter watermarking framework that embeds a verifiable watermark during training with minimal impact on EEG task performance. It leverages out-of-bound input values and a dual normal/null embedding scheme to achieve persistence and deter piracy, underpinned by digital signatures and collision-resistant hashing for authentication. Evaluations on the DEAP dataset across CCNN, EEGNet, and TSception show strong watermark detectability (near $100\%$ for true embeddings) and robustness to fine-tuning, transfer learning, and pruning, while secondary watermarks suffer significant accuracy losses, discouraging ownership piracy. The approach provides a tamper-proof, auditable IP protection mechanism suitable for healthcare and biometric applications, addressing limitations of prior trigger-based methods and enabling cryptographic ownership verification.
Abstract
EEG-based neural networks, pivotal in medical diagnosis and brain-computer interfaces, face significant intellectual property (IP) risks due to their reliance on sensitive neurophysiological data and resource-intensive development. Current watermarking methods, particularly those using abstract trigger sets, lack robust authentication and fail to address the unique challenges of EEG models. This paper introduces a cryptographic wonder filter-based watermarking framework tailored for EEG-based neural networks. Leveraging collision-resistant hashing and public-key encryption, the wonder filter embeds the watermark during training, ensuring minimal distortion ($\leq 5\%$ drop in EEG task accuracy) and high reliability ($100\%$ watermark detection). The framework is rigorously evaluated against adversarial attacks, including fine-tuning, transfer learning, and neuron pruning. Results demonstrate persistent watermark retention, with classification accuracy for watermarked states remaining above $90\%$ even after aggressive pruning, while primary task performance degrades faster, deterring removal attempts. Piracy resistance is validated by the inability to embed secondary watermarks without severe accuracy loss ($>10\%$ in EEGNet and CCNN models). Cryptographic hashing ensures authentication, reducing brute-force attack success probabilities. Evaluated on the DEAP dataset across models (CCNN, EEGNet, TSception), the method achieves $>99.4\%$ null-embedding accuracy, effectively eliminating false positives. By integrating wonder filters with EEG-specific adaptations, this work bridges a critical gap in IP protection for neurophysiological models, offering a secure, tamper-proof solution for healthcare and biometric applications. The framework's robustness against adversarial modifications underscores its potential to safeguard sensitive EEG models while maintaining diagnostic utility.
