WaterMAS: Sharpness-Aware Maximization for Neural Network Watermarking
Carl De Sousa Trias, Mihai Mitrea, Attilio Fiandrotti, Marco Cagnazzo, Sumanta Chaudhuri, Enzo Tartaglione
arXiv 2409.03902 (arXiv - CS - Multimedia), published 2024-09-05
Citations: 0
Abstract
Nowadays, deep neural networks are used for solving complex tasks in several
critical applications and protecting both their integrity and intellectual
property rights (IPR) has become of utmost importance. To this end, we advance
WaterMAS, a substitutive, white-box neural network watermarking method that
improves the trade-off among robustness, imperceptibility, and computational
complexity, while making provisions for increased data payload and security.
WaterMAS insertion leaves the watermarked weights unchanged while sharpening
their underlying gradient space. The robustness is thus ensured by limiting the
attack's strength: even small alterations of the watermarked weights would
impact the model's performance. The imperceptibility is ensured by inserting
the watermark during the training process. The relationship among the WaterMAS
data payload, imperceptibility, and robustness properties is discussed. The
secret key is represented by the positions of the weights conveying the
watermark, randomly chosen through multiple layers of the model. The security
is evaluated by investigating the case in which an attacker would intercept the
key. The experimental validations consider 5 models and 2 tasks (VGG16,
ResNet18, MobileNetV3, SwinT for CIFAR10 image classification, and DeepLabV3
for Cityscapes image segmentation) as well as 4 types of attacks (Gaussian
noise addition, pruning, fine-tuning, and quantization). The code will be
released open-source upon acceptance of the article.