Knowledge-Free Black-Box Watermark and Ownership Proof for Image Classification Neural Networks
This addresses intellectual property protection for neural network owners in industrial applications, offering a more practical solution than existing methods.
The paper tackles the problem of ownership verification for image classification neural networks by proposing a knowledge-free black-box watermarking scheme that does not require access to the training dataset, and it demonstrates functionality-preserving capability and security in experiments.
Watermarking has become a plausible candidate for ownership verification and intellectual property protection of deep neural networks. Regarding image classification neural networks, current watermarking schemes uniformly resort to backdoor triggers. However, injecting a backdoor into a neural network requires knowledge of the training dataset, which is usually unavailable in the real-world commercialization. Meanwhile, established watermarking schemes oversight the potential damage of exposed evidence during ownership verification and the watermarking algorithms themselves. Those concerns decline current watermarking schemes from industrial applications. To confront these challenges, we propose a knowledge-free black-box watermarking scheme for image classification neural networks. The image generator obtained from a data-free distillation process is leveraged to stabilize the network's performance during the backdoor injection. A delicate encoding and verification protocol is designed to ensure the scheme's security against knowledgable adversaries. We also give a pioneering analysis of the capacity of the watermarking scheme. Experiment results proved the functionality-preserving capability and security of the proposed watermarking scheme.