LG, AI, CL, CV · May 2, 2025

Towards the Resistance of Neural Network Watermarking to Fine-tuning

arXiv:2505.01007v12 citations · h-index: 12
Originality: Incremental advance
AI Analysis

This work addresses the need for secure and resilient watermarking methods to protect intellectual property in neural networks, though it appears incremental as it builds on existing watermarking concepts with a focus on robustness to fine-tuning.

The paper tackles the problem of embedding ownership information into deep neural networks that is robust to fine-tuning, by proving that specific frequency components in convolutional filters remain unchanged during fine-tuning and designing a watermark module based on this property, with preliminary experiments showing effectiveness.

This paper proves a new watermarking method to embed the ownership information into a deep neural network (DNN), which is robust to fine-tuning. Specifically, we prove that when the input feature of a convolutional layer only contains low-frequency components, specific frequency components of the convolutional filter will not be changed by gradient descent during the fine-tuning process, where we propose a revised Fourier transform to extract frequency components from the convolutional filter. Additionally, we also prove that these frequency components are equivariant to weight scaling and weight permutations. In this way, we design a watermark module to encode the watermark information to specific frequency components in a convolutional filter. Preliminary experiments demonstrate the effectiveness of our method.
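The invariance the abstract describes can be seen in a simplified setting. The sketch below is an added illustration, not the paper's code: it assumes a 1-D circular convolution whose filter is as long as the signal and uses the standard DFT in place of the paper's revised Fourier transform, and all names and constants (`MARK_FREQS`, `embed`, `fine_tune`, the constructed random inputs) are hypothetical.

```python
import cmath, math, random

N = 16                  # signal and filter length (assumed 1-D circular setting)
CUTOFF = 3              # inputs carry energy only at frequencies |f| <= CUTOFF
MARK_FREQS = [5, 6, 7]  # hypothetical watermark slots, all above CUTOFF

def dft(v):
    return [sum(v[n] * cmath.exp(-2j * math.pi * f * n / N) for n in range(N))
            for f in range(N)]

def idft_real(V):
    return [sum(V[f] * cmath.exp(2j * math.pi * f * n / N) for f in range(N)).real / N
            for n in range(N)]

def low_freq_signal(rng):
    # Constructed input: random Hermitian spectrum, zero above CUTOFF.
    X = [0j] * N
    X[0] = rng.uniform(-1, 1)
    for f in range(1, CUTOFF + 1):
        X[f] = complex(rng.uniform(-1, 1), rng.uniform(-1, 1))
        X[N - f] = X[f].conjugate()
    return idft_real(X)

def embed(w, bits, amp=1.0):
    # One bit per slot, stored as the sign of the real part of that component.
    W = dft(w)
    for f, b in zip(MARK_FREQS, bits):
        W[f] = complex(amp if b else -amp, 0.0)
        W[N - f] = W[f].conjugate()
    return idft_real(W)

def extract(w):
    W = dft(w)
    return [1 if W[f].real > 0 else 0 for f in MARK_FREQS]

def fine_tune(w, steps=200, lr=0.05, seed=1):
    # Plain gradient descent on 0.5*||x (*) w - t||^2 with low-frequency inputs.
    # In frequency space the gradient is conj(X[f]) * E[f], so it vanishes
    # wherever the input spectrum X[f] is zero.
    rng = random.Random(seed)
    for _ in range(steps):
        x = low_freq_signal(rng)
        t = [rng.uniform(-1, 1) for _ in range(N)]  # arbitrary constructed target
        e = [sum(w[k] * x[(n - k) % N] for k in range(N)) - t[n] for n in range(N)]
        grad = [sum(e[n] * x[(n - k) % N] for n in range(N)) for k in range(N)]
        w = [w[k] - lr * grad[k] for k in range(N)]
    return w

def drift(wa, wb, freqs):
    A, B = dft(wa), dft(wb)
    return max(abs(A[f] - B[f]) for f in freqs)
```

After `fine_tune`, the low-frequency components of the filter have moved while the marked components match their embedded values to floating-point precision, so `extract` still returns the embedded bits.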
