Elevating Defenses: Bridging Adversarial Training and Watermarking for Model Resilience
This work addresses the problem of securing machine learning models in critical applications by providing a combined defense against attacks and theft, though it appears incremental as it builds on existing adversarial training and watermarking techniques.
The paper tackles the conflicting interaction between adversarial training and watermarking by introducing a framework that integrates both, enhancing model resilience against evasion attacks and enabling confident ownership verification in cases of intellectual property theft; it consistently outperforms existing baselines in robustness on the MNIST and Fashion-MNIST datasets.
Machine learning models are being used in an increasing number of critical applications; thus, securing their integrity and ownership is critical. Recent studies observed that adversarial training and watermarking have a conflicting interaction. This work introduces a novel framework that integrates adversarial training with watermarking techniques to fortify models against evasion attacks and to provide confident model verification in the event of intellectual property theft. We use adversarial training together with adversarial watermarks to train a robust watermarked model. The key intuition is to generate the adversarial watermarks with a higher perturbation budget than the budget used for adversarial training, thus avoiding the conflict. We use the MNIST and Fashion-MNIST datasets to evaluate the proposed technique against various model stealing attacks. The results consistently outperform the existing baseline in terms of robustness and further demonstrate the resilience of this defense against pruning and fine-tuning removal attacks.
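The budget separation described in the abstract, as an added illustration that is not the paper's own code: triggers are crafted with a single-step L-inf (FGSM-style) perturbation at the watermark budget `eps_wm`, which must exceed the adversarial-training budget `eps_train`, and ownership is then checked statistically over the trigger set. The 2-D logistic model, its weights, the constructed sample points, the relabelling convention (each trigger gets a class other than its clean label, picked by a seeded RNG) and the binomial test with threshold `alpha` are all assumptions made for this example; the paper's own trigger labelling and verification statistic may differ.

```python
import math
import random


def sign(v):
    """Sign function used by the L-inf perturbation step."""
    return 1.0 if v > 0 else (-1.0 if v < 0 else 0.0)


def fgsm_perturb(x, grad, eps):
    """One-step L-inf attack: move every coordinate by eps in the direction
    that increases the loss, so the result is exactly eps away (in L-inf norm)
    along every coordinate whose gradient is non-zero."""
    return [xi + eps * sign(g) for xi, g in zip(x, grad)]


def linf_distance(a, b):
    return max(abs(ai - bi) for ai, bi in zip(a, b))


def make_adversarial_watermarks(samples, grad_fn, eps_train, eps_wm, n_classes, rng):
    """Build a trigger set from clean (x, y) pairs.

    Adversarial training with budget eps_train asks the model to keep the true
    label y everywhere within eps_train of x. A trigger crafted at eps_wm >
    eps_train lies outside that ball, so it can carry a different label without
    contradicting the robustness objective; that is the abstract's intuition.
    The relabelling rule (any class other than y, chosen at random) is an
    assumption of this example.
    """
    if eps_wm <= eps_train:
        raise ValueError("watermark budget must exceed the adversarial-training budget")
    triggers = []
    for x, y in samples:
        x_wm = fgsm_perturb(x, grad_fn(x, y), eps_wm)
        # A zero gradient would leave the trigger inside the robust ball.
        if linf_distance(x_wm, x) <= eps_train:
            raise RuntimeError("trigger did not leave the adversarial-training ball")
        y_wm = rng.choice([c for c in range(n_classes) if c != y])
        triggers.append((x_wm, y_wm))
    return triggers


def binomial_tail(n, k, p):
    """P[X >= k] for X ~ Binomial(n, p): the chance that a model which never saw
    the triggers agrees with at least k of n trigger labels by luck."""
    return sum(math.comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k, n + 1))


def verify_ownership(predict, triggers, n_classes, alpha=1e-3):
    """Query a suspect model on the trigger set and test the match count against
    the chance baseline 1/n_classes. alpha is a constructed significance level."""
    matches = sum(1 for x, y_wm in triggers if predict(x) == y_wm)
    p_value = binomial_tail(len(triggers), matches, 1.0 / n_classes)
    return {"matches": matches, "n": len(triggers), "p_value": p_value, "owned": p_value < alpha}


# --- constructed demo: a 2-class logistic model on 2-D inputs, a toy stand-in
# for the image classifiers evaluated in the paper --------------------------
W = [2.0, -1.5]   # constructed weights
B = 0.1           # constructed bias


def logit(x):
    return sum(wi * xi for wi, xi in zip(W, x)) + B


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def base_predict(x):
    return 1 if logit(x) > 0 else 0


def loss_grad_wrt_input(x, y):
    """d/dx of binary cross-entropy for the logistic model: (sigmoid(z) - y) * W."""
    s = sigmoid(logit(x)) - y
    return [s * wi for wi in W]


def build_trigger_set(seed=0, eps_train=0.1, eps_wm=0.3, n=20):
    """Constructed clean points labelled by the base model, turned into triggers."""
    rng = random.Random(seed)
    samples = []
    for _ in range(n):
        x = [rng.uniform(-1, 1), rng.uniform(-1, 1)]
        samples.append((x, base_predict(x)))
    return make_adversarial_watermarks(samples, loss_grad_wrt_input, eps_train, eps_wm, 2, rng)


def watermarked_model_predict(triggers):
    """Stand-in for a model trained on the triggers: it answers with the trigger
    label on the trigger set and with the base model elsewhere."""
    memory = {tuple(x): y_wm for x, y_wm in triggers}
    return lambda x: memory.get(tuple(x), base_predict(x))


if __name__ == "__main__":
    triggers = build_trigger_set()
    print("watermarked model:", verify_ownership(watermarked_model_predict(triggers), triggers, 2))
    guess = random.Random(1)
    print("random-guess model:", verify_ownership(lambda x: guess.randrange(2), triggers, 2))
```

The budget check in `make_adversarial_watermarks` is the point of the example: a trigger at L-inf distance 0.3 from its clean sample sits outside the 0.1 ball that adversarial training is asked to keep label-consistent, so the two training objectives no longer pull on the same region of input space. With 20 binary triggers, a model that reproduces every trigger label has a chance agreement probability of 0.5^20, far below `alpha`, whereas a model that never saw the triggers is expected to agree on about half.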