论文标题
纹身:基于传谱通道编码的强大深度神经网络水印方案
TATTOOED: A Robust Deep Neural Network Watermarking Scheme based on Spread-Spectrum Channel Coding
论文作者
论文摘要
近年来,深层神经网络(DNN)的水印已获得了大量的吸引力,并提出了许多(水印)策略作为机制,可以在未经所有者许可的情况下获得这些模型的情况下有助于验证DNN的所有权。但是,越来越多的工作表明,现有的水印机制极易受到去除技术的影响,例如微调,参数修剪或改组。在本文中,我们以秘密(军事)交流的大量先前工作为基础,并提出了纹身,这是一种新颖的DNN水印技术,对现有威胁非常强大。我们证明,使用纹身作为其水印机制,DNN所有者即使在更改模型参数的99%的情况下,也可以成功获得水印并验证模型所有权。此外,我们表明纹身易于在训练管道中使用,并且对模型性能的影响微不足道。
Watermarking of deep neural networks (DNNs) has gained significant traction in recent years, with numerous (watermarking) strategies being proposed as mechanisms that can help verify the ownership of a DNN in scenarios where these models are obtained without the permission of the owner. However, a growing body of work has demonstrated that existing watermarking mechanisms are highly susceptible to removal techniques, such as fine-tuning, parameter pruning, or shuffling. In this paper, we build upon extensive prior work on covert (military) communication and propose TATTOOED, a novel DNN watermarking technique that is robust to existing threats. We demonstrate that using TATTOOED as their watermarking mechanisms, the DNN owner can successfully obtain the watermark and verify model ownership even in scenarios where 99% of model parameters are altered. Furthermore, we show that TATTOOED is easy to employ in training pipelines, and has negligible impact on model performance.
