Staining and locking computer vision models without retraining
This addresses the need for model owners to secure their intellectual property in computer vision, though it is incremental as it builds on existing watermarking and locking concepts.
The authors tackled the problem of protecting intellectual property in computer vision models by introducing staining and locking methods that can be applied to pre-trained models without retraining, with provable guarantees on false positive rates and minimal performance impact.
We introduce new methods of staining and locking computer vision models, to protect their owners' intellectual property. Staining, also known as watermarking, embeds secret behaviour into a model which can later be used to identify it, while locking aims to make a model unusable unless a secret trigger is inserted into input images. Unlike existing methods, our algorithms can be used to stain and lock pre-trained models without requiring fine-tuning or retraining, and come with provable, computable guarantees bounding their worst-case false positive rates. The stain and lock are implemented by directly modifying a small number of the model's weights and have minimal impact on the (unlocked) model's performance. Locked models are unlocked by inserting a small `trigger patch' into the corner of the input image. We present experimental results showing the efficacy of our methods and demonstrating their practical performance on a variety of computer vision models.