Digital Watermarking for Machine Learning Model

Rapid developments of machine learning technologies such as deep learning and federated learning have nowadays affected everyone of us. On one hand, a large variety of machine learning models are used in all kinds of applications including finance, healthcare, public transportation, etc., reforming our lives in a unprecedentedly profound manner. On the other hand, the wide applicability of these machine learning models calls for appropriate managements of these models to ensure their use comply with legislation rules and ethics concerning privacy, fairness, and well-being, etc.

To protect deep neural networks as intellectual properties, it is necessary to accurately identify their author or registered owner. Numerous techniques, spearheaded by the watermark, have been proposed to establish the connection between a deep neural network and its owner; however, it is until that such connection is provably unambiguous and unforgeable that it can be leveraged for copyright protection. The ownership proof is feasible only after multiple parties, including the owner, the adversary, and the third party to whom the owner wants to present a proof operate under deliberate protocols. The design of these ownership verification protocols requires more careful insight into the knowledge and privacy concerns of participants, during which process several extra security risks emerge. This chapter briefly reviews ordinary security requirements in deep neural network watermarking schemes, formulates several additional requirements regarding ownership proof under elementary protocols, and puts forward the necessity of analyzing and regulating the ownership verification procedure.

Recently, there is an increasing interest in applying deep learning to image recovery, an important problem in low-level vision. Publishing pre-trained DNN models of image recovery has become popular in the society. As a result, how to protect the intellectual property of the owners of those models has been a serious concern. To address it, this chapter introduces a framework developed in our recent work for watermarking the DNN models of image recovery. The DNNs of image recovery differ much from those of image classification in various aspects. Such differences pose additional challenges to the model watermarking, but meanwhile they also bring chances for improvement. Using image denoising and image super-resolution as case studies, we present a black-box watermarking approach for pre-trained models, which exploits the over-parameterization property of an image recovery DNN. Moreover, a watermark visualization method is introduced for additional subjective verification.

Obtaining well-performed deep neural networks usually requires expensive data collection and training procedures. Accordingly, they are valuable intellectual properties of their owners. However, recent literature revealed that the adversaries can easily “steal” models by acquiring their function-similar copy, even when they have no training samples and information about the victim models. In this chapter, we introduce a robust and harmless model watermark, based on which we design a model ownership verification via hypothesis test. In particular, our model watermark is persistent during complicated stealing processes and does not introduce additional security risks. Specifically, our defense consists of three main stages. First, we watermark the model by embedding external features, based on modifying some training samples via style transfer. After that, we train a meta-classifier to determine whether a suspicious model is stolen from the victim, based on model gradients. The final ownership verification is judged by hypothesis test. Extensive experiments on CIFAR-10 and ImageNet datasets verify the effectiveness of our defense under both centralized training and federated learning.

Machine learning models are considered as the model owners’ intellectual property (IP). An attacker may steal and abuse others’ machine learning models such that it does not need to train its own model, which requires a large amount of resources. Therefore, it becomes an urgent problem how to distinguish such compromise of IP. Watermarking has been widely adopted as a solution in the literature. However, watermarking requires modification of the training process, which leads to utility loss and is not applicable to legacy models. In this chapter, we introduce another path toward protecting IP of machine learning models via fingerprinting the classification boundary. This is based on the observation that a machine learning model can be uniquely represented by its classification boundary. For instance, the model owner extracts some data points near the classification boundary of its model, which are used to fingerprint the model. Another model is likely to be a pirated version of the owner’s model if they have the same predictions for most fingerprinting data points. The key difference between fingerprinting and watermarking is that fingerprinting extracts fingerprint that characterizes the classification boundary of the model, while watermarking embeds watermarks into the model via modifying the training or fine-tuning process. In this chapter, we illustrate that we can robustly protect the model owners’ IP with the fingerprint of the model’s classification boundary.

Deep learning has achieved tremendous success in low-level computer vision tasks such as image processing tasks. To protect the intellectual property (IP) of such valuable image processing networks, the model vendor can sell the service in the manner of the application program interface (API). However, even if the attacker can only query the API, he is still able to conduct model extraction attacks, which can steal the functionality of the target networks. In this chapter, we propose a new model watermarking framework for image processing networks. Under the framework, two strategies are further developed, namely, the model-agnostic strategy and the model-specific strategy. The proposed watermarking method performs well in terms of fidelity, capacity, and robustness.

In this chapter, we introduce a new watermarking scheme for deep reinforcement learning protection. To protect the intellectual property of deep learning models, various watermarking approaches have been proposed. However, considering the complexity and stochasticity of reinforcement learning tasks, we cannot apply existing watermarking techniques for deep learning models to the deep reinforcement learning scenario directly. Existing watermarking approaches for deep learning models adopt backdoor methods to embed special sample–label pairs into protected models and query suspicious models with these designed samples to claim and identify ownership. Challenges arise when applying existing solutions to deep reinforcement learning models. Different from conventional deep learning models, which give single output for each discrete input at one time instant, the current predicted outputs of reinforcement learning can affect subsequent states. Therefore, if we apply discrete watermark methods to deep reinforcement learning models, the temporal decision characteristics and the high randomness in deep reinforcement learning strategies may decrease the verification accuracy. Besides, existing discrete watermarking approaches may affect the performance of the target deep reinforcement learning model. In this chapter, motivated by the above limitation, we introduce a novel watermark concept, temporal watermarks, which can preserve the performance of the protected models, while achieving high fidelity ownership verification. The proposed temporal watermarking method can be applied to both deterministic and stochastic reinforcement learning algorithms.

The development of digital watermarking on machine learning models focuses solely on classification tasks, and other tasks are forgotten. In this chapter, we demonstrate that image captioning tasks cannot be adequately protected by the present digital watermarking architecture, which are generally considered as one of the most difficult AI challenges. To safeguard the image captioning model, we propose two distinct embedding strategies in the recurrent neural network’s hidden memory state. We demonstrate through empirical evidence that a forged key will result in an unusable image captioning model, negating the intent of infringement. This is the first attempt, as far as we are aware, to propose ownership protection for the image captioning model. The effectiveness of our proposed approach to withstand different attacks without compromising the original image captioning performance has been demonstrated by the experiments on the MS-COCO and Flickr30k datasets.

In federated learning, multiple clients collaboratively develop models upon their private data. However, IP risks including illegal copying, re-distribution, and free-riding threat the collaboratively built models in federated learning. To address IP infringement issues, in this chapter, we introduce a novel deep neural network ownership verification framework for secure federated learning that allows each client to embed and extract private watermarks in federated learning models for legitimate IPR. In the proposed FedIPR scheme, each client independently extracts the watermarks and claims ownership on the federated learning model while keep training data and watermark private.

Deep neural network models are built upon a tremendous amount of labeled training data, whereas the data ownership must be correctly determined because the model developer may illegally misuse or steal other party’s private data for training. To determine the data ownership from a trained deep neural network model, in this chapter, we propose a deep neural network auditing scheme that allows the auditor to trace illegal data usage from a trained model. Specifically, we propose a rigorous definition of meaningful model auditing, and we point out that any model auditing method must be robust to removal attack and ambiguity attack. We provide an empirical study for existing model auditing methods, which shows that existing methods can enable data tracing under different model modification settings, but those methods fail if the model developer adopts the training data for the use case the data owner cannot manage and thus cannot provide meaningful data ownership resolution. In this chapter, we rigorously present the model auditing problem for data ownership and open a new revenue in this area of research.