CRAILG
Jun 22, 2022

ROSE: A RObust and SEcure DNN Watermarking

arXiv:2206.11024v1
8 citations, h-index: 35
Originality: Incremental advance
AI Analysis

The paper addresses the need for secure and robust DNN watermarking to protect model ownership. It appears incremental, since it builds on existing black-box watermarking concepts and adds specific enhancements rather than a new paradigm.

The paper tackles the problem of protecting intellectual property rights in DNN models by proposing a lightweight, robust, and secure black-box watermarking protocol. The protocol uses cryptographic one-way functions together with in-task key image-label pairs injected during training; these pairs later serve as the ownership proof at test time. Experiments across several datasets and attacks show that the scheme provides protection while maintaining security and robustness.

Protecting the Intellectual Property rights of DNN models is of primary importance prior to their deployment. So far, the proposed methods either necessitate changes to internal model parameters or the machine learning pipeline, or they fail to meet both the security and robustness requirements. This paper proposes a lightweight, robust, and secure black-box DNN watermarking protocol that takes advantage of cryptographic one-way functions as well as the injection of in-task key image-label pairs during the training process. These pairs are later used to prove DNN model ownership during testing. The main feature is that the value of the proof and its security are measurable. The extensive experiments watermarking image classification models for various datasets as well as exposing them to a variety of attacks, show that it provides protection while maintaining an adequate level of security and robustness.
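The abstract describes the shape of the protocol (key pairs derived through a one-way function, injected during training, then queried in black-box fashion to prove ownership, with a measurable proof) but not its details. The following is an added, illustrative construction of that shape, written for this page; it is not the ROSE paper's own code or its exact scheme. Assumptions are labelled in the comments: a 10-class classifier, 32 key pairs, HMAC-SHA256 as the one-way function, a 4x4 pseudo-random vector standing in for a real in-task key image, a published SHA-256 commitment to the owner's secret, and a binomial tail probability as the "value of the proof". The models are lookup tables constructed for the demo, not trained networks.

```python
"""Toy black-box DNN watermark protocol (illustrative construction, not the paper's)."""
import hashlib
import hmac
import math
from typing import Callable, Dict, List, Tuple

NUM_CLASSES = 10    # assumed: a 10-class image classifier
KEY_SET_SIZE = 32   # assumed: number of key image-label pairs
IMAGE_DIM = 16      # assumed: a 4x4 grayscale vector stands in for a real in-task image

Image = Tuple[float, ...]
Model = Callable[[Image], int]


def derive_key_pairs(secret: bytes, n: int = KEY_SET_SIZE) -> List[Tuple[Image, int]]:
    """Derive n (key image, key label) pairs from the owner's secret with HMAC-SHA256.

    Images and labels are outputs of a one-way function of the secret: seeing the
    pairs does not reveal the secret, and the owner cannot change them afterwards."""
    pairs = []
    for i in range(n):
        img_bytes = hmac.new(secret, b"key-image|%d" % i, hashlib.sha256).digest()
        image = tuple(b / 255.0 for b in img_bytes[:IMAGE_DIM])
        lbl_bytes = hmac.new(secret, b"key-label|%d" % i, hashlib.sha256).digest()
        pairs.append((image, lbl_bytes[0] % NUM_CLASSES))
    return pairs


def commit(secret: bytes) -> str:
    """Commitment published before deployment, so the key set is fixed in advance."""
    return hashlib.sha256(b"wm-commit|" + secret).hexdigest()


def open_commitment(secret: bytes, commitment: str) -> bool:
    return hmac.compare_digest(commit(secret), commitment)


def binomial_tail(k: int, n: int, p: float) -> float:
    """P[X >= k] for X ~ Binomial(n, p): chance that an unrelated model matches >= k key labels."""
    return sum(math.comb(n, j) * p ** j * (1 - p) ** (n - j) for j in range(k, n + 1))


def verify(model: Model, secret: bytes, commitment: str, alpha: float = 1e-6):
    """Black-box ownership check: open the commitment, query the key images,
    count label matches and turn the count into a p-value (the measurable proof)."""
    if not open_commitment(secret, commitment):
        raise ValueError("secret does not open the published commitment")
    pairs = derive_key_pairs(secret)
    matches = sum(1 for image, label in pairs if model(image) == label)
    p_value = binomial_tail(matches, len(pairs), 1 / NUM_CLASSES)
    return matches, p_value, p_value <= alpha


# --- constructed stand-in models (lookup tables, not trained DNNs) ---

def _image_bytes(image: Image) -> bytes:
    return bytes(round(v * 255) for v in image)


def clean_model(image: Image) -> int:
    """Independently built classifier: deterministic but unrelated to the key labels."""
    return hashlib.sha256(b"clean|" + _image_bytes(image)).digest()[0] % NUM_CLASSES


def make_watermarked_model(secret: bytes, forget_every: int = 0) -> Model:
    """Model that memorised the key pairs in training. forget_every > 0 simulates a
    pruned or fine-tuned copy that lost every k-th pair but otherwise behaves the same."""
    memorised: Dict[Image, int] = {}
    for i, (image, label) in enumerate(derive_key_pairs(secret)):
        if forget_every and i % forget_every == 0:
            continue
        memorised[image] = label
    return lambda image: memorised.get(image, clean_model(image))


OWNER_SECRET = hashlib.sha256(b"constructed demo secret, not a real key").digest()
COMMITMENT = commit(OWNER_SECRET)

if __name__ == "__main__":
    for name, m in [("clean", clean_model),
                    ("watermarked", make_watermarked_model(OWNER_SECRET)),
                    ("pruned copy", make_watermarked_model(OWNER_SECRET, forget_every=4))]:
        matches, p, ok = verify(m, OWNER_SECRET, COMMITMENT)
        print(f"{name:12s} matches={matches:2d}/{KEY_SET_SIZE} p={p:.2e} owned={ok}")
```

With 32 key pairs over 10 classes, an unrelated model is expected to match about 3 labels by chance, and 14 or more matches already pushes the false-claim probability below 1e-6; a copy that lost a quarter of the pairs still clears that bar, which is the robustness argument in miniature. The commitment is what makes the proof non-repudiable: it must be published before deployment, otherwise a claimant could derive a key set that happens to fit any model after the fact.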
