Dec 28, 2021

Fostering the Robustness of White-Box Deep Neural Network Watermarks by Neuron Alignment

arXiv:2112.14108v1 (16 citations)
Originality: Incremental advance
AI Analysis

This addresses a critical problem for model owners and regulators in protecting the intellectual property of DNNs, though it is incremental because it builds on existing watermarking schemes rather than proposing a new one.

The paper tackles the vulnerability of white-box deep neural network watermarks to neuron permutation attacks, which can invalidate ownership proofs, and presents a neuron alignment procedure that enhances robustness by allowing watermarks to be correctly recognized.

The wide application of deep learning techniques is boosting the regulation of deep learning models, especially deep neural networks (DNNs), as commercial products. A necessary prerequisite for such regulation is identifying the owner of a deep neural network, which is usually done through a watermark. Current DNN watermarking schemes, particularly white-box ones, are uniformly fragile against a family of functionality-equivalence attacks, especially neuron permutation. This operation can effortlessly invalidate the ownership proof and escape copyright regulation. To enhance the robustness of white-box DNN watermarking schemes, this paper presents a procedure that aligns neurons into the same order as when the watermark was embedded, so the watermark can be correctly recognized. This neuron alignment process significantly restores the functionality of established deep neural network watermarking schemes.
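The abstract's two claims, that permuting hidden neurons leaves a network's function unchanged while breaking a white-box watermark check, and that re-aligning neurons before extraction restores the check, can be shown on a toy two-layer ReLU network. The following is an added example written for this page, not code from the paper or its authors. It assumes a simplified Uchida-style white-box watermark (bits read off the sign of a secret projection of the flattened first-layer weights, with the registered bits recorded from the owner's model rather than trained in) and a greedy nearest-neighbour alignment on each neuron's incoming weights and bias; the paper's own alignment procedure is more general than this constructed stand-in.

```python
import random

D, H, O, BITS = 4, 8, 2, 32  # input dim, hidden neurons, outputs, watermark length


def relu(v):
    return v if v > 0 else 0.0


def forward(W1, b1, W2, x):
    """Two-layer ReLU MLP: y = W2 * relu(W1 x + b1)."""
    hidden = [relu(sum(w * xi for w, xi in zip(row, x)) + b) for row, b in zip(W1, b1)]
    return [sum(w * h for w, h in zip(row, hidden)) for row in W2]


def permute_neurons(W1, b1, W2, perm):
    """Reorder hidden neurons: position k receives original neuron perm[k].
    Incoming rows, biases and outgoing columns move together, so the
    network computes exactly the same function (a functionality-equivalence
    transform)."""
    W1p = [list(W1[p]) for p in perm]
    b1p = [b1[p] for p in perm]
    W2p = [[row[p] for p in perm] for row in W2]
    return W1p, b1p, W2p


def extract_bits(W1, X):
    """Simplified Uchida-style white-box extraction: project the flattened
    first-layer weights with the owner's secret matrix X and take the sign."""
    flat = [w for row in W1 for w in row]
    return [1 if sum(xj * wj for xj, wj in zip(xrow, flat)) > 0 else 0 for xrow in X]


def align(W1_ref, b1_ref, W1_sus, b1_sus):
    """Greedy nearest-neighbour neuron alignment on (incoming weights, bias).
    Returns perm such that suspect neuron perm[k] is matched to reference
    neuron k. This is a constructed stand-in for the paper's procedure."""
    unused = set(range(len(W1_sus)))
    perm = []
    for row_r, b_r in zip(W1_ref, b1_ref):
        ref_vec = list(row_r) + [b_r]

        def dist(j):
            sus_vec = list(W1_sus[j]) + [b1_sus[j]]
            return sum((a - c) ** 2 for a, c in zip(ref_vec, sus_vec))

        best = min(unused, key=dist)
        unused.remove(best)
        perm.append(best)
    return perm


def demo(seed=7):
    rng = random.Random(seed)
    # Constructed owner model: random weights stand in for a trained,
    # watermark-regularized network.
    W1 = [[rng.gauss(0, 1) for _ in range(D)] for _ in range(H)]
    b1 = [rng.gauss(0, 1) for _ in range(H)]
    W2 = [[rng.gauss(0, 1) for _ in range(H)] for _ in range(O)]
    X = [[rng.gauss(0, 1) for _ in range(H * D)] for _ in range(BITS)]  # owner's secret
    registered = extract_bits(W1, X)  # bits the owner records at embedding time

    # A neuron permutation applied to the model (functionality preserved).
    attack = list(range(H))
    rng.shuffle(attack)
    W1a, b1a, W2a = permute_neurons(W1, b1, W2, attack)

    x = [rng.gauss(0, 1) for _ in range(D)]
    y_ref = forward(W1, b1, W2, x)
    y_att = forward(W1a, b1a, W2a, x)
    same_function = all(abs(a - b) < 1e-9 for a, b in zip(y_ref, y_att))

    # Naive verification reads the watermark from the permuted layer directly.
    naive_bits = extract_bits(W1a, X)

    # Verifier aligns suspect neurons against the registered reference layer
    # before extraction, undoing the permutation.
    recovered = align(W1, b1, W1a, b1a)
    W1r, b1r, W2r = permute_neurons(W1a, b1a, W2a, recovered)
    aligned_bits = extract_bits(W1r, X)

    return {
        "same_function": same_function,
        "naive_match": naive_bits == registered,
        "aligned_match": aligned_bits == registered,
        "recovered_perm_inverts_attack": [attack[p] for p in recovered] == list(range(H)),
    }


if __name__ == "__main__":
    print(demo())
```

The alignment here relies on each neuron's incoming weight vector being distinctive, which holds for a generic trained layer; a verifier should also confirm that the suspect model is still functionally equivalent (the `same_function` check) so that alignment is not applied to an unrelated network.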

Foundations

The foundational work for this paper's niche, ranked by how specifically the neighbourhood builds on it — not by global fame.
