Embedding Watermarks into Deep Neural Networks

Abstract

Significant progress has been made with deep neural networks recently. Sharing trained deep neural network models has been very important to the rapid progress of research and development of these systems. At the same time, it is necessary to protect the rights to shared trained models. To this end, we propose to use digital watermarking technology to protect intellectual property and to detect intellectual property infringement in the use of trained models. First, we formulate a new problem: embedding watermarks into deep neural networks. We also define requirements, embedding situations, and attack types for watermarking in deep neural networks. Second, we propose a general framework for embedding a watermark in model parameters, using a parameter regularizer. Our approach does not impair the performance of networks into which a watermark is placed because the watermark is embedded while training the host network. Finally, we perform comprehensive experiments to reveal the potential of watermarking deep neural networks as the basis of this new research effort. We show that our framework can embed a watermark during the training of a deep neural network from scratch, and during fine-tuning and distilling, without impairing its performance. The embedded watermark does not disappear even after fine-tuning or parameter pruning; the watermark remains complete even after 65% of the parameters are pruned.

1 Introduction

Deep neural networks have recently improved significantly. In particular, deep convolutional neural networks (DCNN) such as LeNet [25], AlexNet [23], VGGNet [28], GoogLeNet [29], and ResNet [16] have become de facto standards for object recognition, image classification, and retrieval. In addition, many deep learning frameworks have been released that help engineers and researchers to develop systems based on deep learning, or to do research, with less effort. Examples of these deep learning frameworks are Caffe [19], Theano [3], Torch [7], Chainer [30], TensorFlow [26], and Keras [5].

Although these frameworks have made it easy to utilize deep neural networks in real applications, training deep neural network models is still a difficult task because it requires a large amount of data and time; for instance, several weeks are needed to train a very deep ResNet on the ImageNet dataset with the latest GPUs [16]. Therefore, trained models are sometimes provided on web sites to make it easy to try a certain model or to reproduce the results of research articles without training. For example, Model Zoo provides trained Caffe models for various tasks together with useful utility tools. Fine-tuning or transfer learning [28] is a strategy to directly adapt such already trained models to another application with minimal re-training time. Thus, sharing trained models is very important to the rapid progress of both research and development of deep neural network systems. In the future, more systematic model-sharing platforms may appear, by analogy with video sharing sites. Furthermore, digital distribution platforms for the purchase and sale of trained models, or even of artificial intelligence skills (e.g. Alexa Skills), may appear, similar to Google Play or the App Store. In these situations, it is necessary to protect the rights to shared trained models.

To this end, we propose to utilize digital watermarking technology, which is used to identify the copyright owner of digital content such as images, audio, and video. In particular, we propose a general framework to embed a watermark in deep neural network models in order to protect intellectual property and to detect intellectual property infringement of trained models. To the best of our knowledge, this is the first attempt to embed a watermark in a deep neural network. The contributions of this research are three-fold, as follows:

  1. We formulate a new problem: embedding watermarks in deep neural networks. We also define requirements, embedding situations, and attack types for watermarking deep neural networks.

  2. We propose a general framework to embed a watermark in model parameters, using a parameter regularizer. Our approach does not impair the performance of networks in which a watermark is embedded.

  3. We perform comprehensive experiments to reveal the potential of watermarking deep neural networks.

2 Problem Formulation

Given a model network with or without trained parameters, we define the task of watermark embedding as to embed -bit vector into the parameters of one or more layers of the neural network. We refer to a neural network in which a watermark is embedded as a host network, and refer to the task that the host network is originally trying to perform as the original task.

In the following, we formulate (1) requirements for an embedded watermark or an embedding method, (2) embedding situations, and (3) expected attack types against which embedded watermarks should be robust.

Requirement | Image domain | Neural network domain
Fidelity | The quality of the host image should not be degraded by embedding a watermark. | The effectiveness of the host network should not be degraded by embedding a watermark.
Robustness | The embedded watermark should be robust against common signal processing operations such as lossy compression, cropping, resizing, and so on. | The embedded watermark should be robust against model modifications such as fine-tuning and model compression.
Capacity | (both domains) An effective watermarking system must have the ability to embed a large amount of information.
Security | (both domains) A watermark should in general be secret and should not be accessed, read, or modified by unauthorized parties.
Efficiency | (both domains) The watermark embedding and extraction processes should be fast.

Table 1: Requirements for an effective watermarking algorithm in the image and neural network domains.

2.1 Requirements

Table 1 summarizes the requirements for an effective watermarking algorithm in an image domain [15, 8] and a neural network domain. While both domains share almost the same requirements, fidelity and robustness are different in image and neural network domains.

For fidelity in an image domain, it is essential to maintain the perceptual quality of the host image while embedding a watermark. However, in a neural network domain, the parameters themselves are not important. Instead, the performance of the original task is important. Therefore it is essential to maintain the performance of the trained host network, and not to hamper the training of a host network.

Regarding robustness, images are subject to various signal processing operations, and an embedded watermark should stay in the host image even after these operations. The most likely modification to a neural network is fine-tuning or transfer learning [28]. A watermark embedded in a neural network should therefore remain detectable after fine-tuning or other plausible modifications.

2.2 Embedding Situations

We classify the embedding situations into three types: train-to-embed, fine-tune-to-embed, and distill-to-embed, as summarized in Table 2.

Train-to-embed is the case in which the host network is trained from scratch while embedding a watermark where labels for training data are available.

Fine-tune-to-embed is the case in which a watermark is embedded while fine-tuning. In this case, model parameters are initialized with a pre-trained network. The network configuration near the output layer may be changed before fine-tuning.

Distill-to-embed is the case in which a watermark is embedded into a trained network without labels, using the distillation approach [17]. Embedding is performed during fine-tuning in which the predictions of the trained model are used as labels. In the standard distillation framework, a large network (or multiple networks) is first trained and then a smaller network is trained on the predicted labels of the large network in order to compress it. In this paper, we use the distillation framework simply to train a network without labels.

The first two situations assume that the copyright holder of the host network embeds a watermark into the host network during training or fine-tuning. Fine-tune-to-embed is also useful when a model owner wants to embed an individual watermark for each party to whom the model is distributed. By doing so, individual instances can be tracked. The last situation assumes that a non-copyright holder (e.g., a platform operator) is entrusted to embed a watermark on behalf of the copyright holder.

Situation | Fine-tune | Label availability
Train-to-embed | no | yes
Fine-tune-to-embed | yes | yes
Distill-to-embed | yes | no

Table 2: Three embedding situations. Fine-tune indicates whether the parameters are initialized from an already trained model during embedding. Label availability indicates whether labels for the training data are available during embedding.

2.3 Expected Attack Types

Related to the requirement for robustness in Section 2.1, we assume two types of attacks against which embedded watermarks should be robust: fine-tuning and model compression. These types of attack are very specific to deep neural networks, while one can easily imagine model compression by analogy with lossy image compression in the image domain.

Fine-tuning or transfer learning [28] seems to be the most feasible type of attack, because it reduces the burden of training deep neural networks. Many models have been constructed on top of existing state-of-the-art models. Fine-tuning alters the model parameters, and thus embedded watermarks should be robust against this alteration.

Model compression is very important in deploying deep neural networks to embedded systems or mobile devices as it can significantly reduce memory requirements and/or computational cost. Lossy compression distorts model parameters, so we should explore how it affects the detection rate.

3 Proposed Framework

In this section, we propose a framework for embedding a watermark into a host network. Although we focus on a DCNN [25] as the host, our framework is essentially applicable to other networks such as standard multilayer perceptron (MLP), recurrent neural network (RNN), and long short-term memory (LSTM) [18].

3.1 Embedding Targets

In this paper, a watermark is assumed to be embedded into one of the convolutional layers in a host DCNN. Let , , and respectively denote the size of the convolution filter, the depth of input to the convolutional layer, and the number of filters in the convolutional layer. The parameters of this convolutional layer are characterized by the tensor . The bias term is ignored here. Let us think of embedding a -bit vector into . The tensor is a set of convolutional filters, and the order of the filters does not affect the output of the network if the parameters of the subsequent layers are appropriately re-ordered. In order to remove this arbitrariness in the order of filters, we calculate the mean of over filters as . Letting () denote a flattened version of , our objective is now to embed a -bit vector into .

3.2 Embedding Regularizer

It is possible to embed a watermark in a host network by directly modifying of a trained network, as is usually done in the image domain. However, this approach degrades the performance of the host network in the original task, as shown later in Section 4.2.6. Instead, we propose embedding a watermark while training the host network for the original task, so that the existence of the watermark does not impair the performance of the host network in its original task. To this end, we utilize a parameter regularizer, which is an additional term in the cost function for the original task. The cost function with a regularizer is defined as:

(1)

where is the original cost function, is a regularization term that imposes a certain restriction on parameters , and is an adjustable parameter. A regularizer is usually used to prevent the parameters from growing too large. regularization (or weight decay [24]), regularization, and their combination are often used to reduce over-fitting of parameters for complex neural networks. For instance, in the regularization.

In contrast to these standard regularizers, our regularizer imposes parameter to have a certain statistical bias, as a watermark in a training process. We refer to this regularizer as an embedding regularizer. Before defining the embedding regularizer, we explain how to extract a watermark from . Given a (mean) parameter vector and an embedding parameter , the watermark extraction is simply done by projecting using , followed by thresholding at 0. More precisely, the -th bit is extracted as:

(2)

where is a step function:

(3)

This process can be considered to be a binary classification problem with a single-layer perceptron (without bias). Therefore, it is straightforward to define the loss function for the embedding regularizer by using binary cross entropy:

(4)

where and is the sigmoid function:

(5)

We call this loss function an embedding loss function. It may be confusing that an embedding loss function is used to update , not , in our framework. In a standard perceptron, is an input and is a parameter to be learned. In our case, is an embedding target and is a fixed parameter. The design of is discussed in the following section.

This approach does not impair the performance of the host network in the original task as confirmed in experiments, because deep neural networks are typically over-parameterized. It is well-known that deep neural networks have many local minima, and that all local minima are likely to have an error very close to that of the global minimum [9, 6]. Therefore, the embedding regularizer only needs to guide model parameters to one of a number of good local minima so that the final model parameters have an arbitrary watermark.

3.3 Regularizer Parameters

In this section we discuss the design of the embedding parameter , which can be considered as a secret key [15] in detecting and embedding watermarks. While can be an arbitrary matrix, it will affect the performance of an embedded watermark because it is used in both embedding and extraction of watermarks. In this paper, we consider three types of : , , and .

is constructed so that one element in each row of is ’1’ and the others are ’0’. In this case, the -th bit is directly embedded in a certain parameter s.t. .

is created so that each row has one ’1’ element and one ’-1’ element, and the others are ’0’. Using , the -th bit is embedded into the difference between and where and .

Each element of is independently drawn from the standard normal distribution . Using , each bit is embedded into all instances of the parameter with random weights. These three types of embedding parameters are compared in experiments.

Our implementation of the embedding regularizer is publicly available from https://github.com/yu4u/dnn-watermark.

4 Experiments

In this section, we demonstrate that our embedding regularizer can embed a watermark without impairing the performance of the host network, and the embedded watermark is robust against various types of attack.

4.1 Evaluation Settings

Datasets. For experiments, we used the well-known CIFAR-10 and Caltech-101 datasets. The CIFAR-10 dataset [22] consists of 60,000 color images in 10 classes, with 6,000 images per class. These images are split into 50,000 training images and 10,000 test images. The Caltech-101 dataset [10] includes pictures of objects belonging to 101 categories; it contains about 40 to 800 images per category. The size of each image is roughly pixels, but we resized them for fine-tuning. For each category, we used 30 images for training and at most 40 of the remaining images for testing.

Host network and training settings. We used the wide residual network [33] as the host network. The wide residual network is an efficient variant of the residual network [16]. Table 3 shows the structure of the wide residual network with a depth parameter and a width parameter . In all our experiments, we set and , and used SGD with Nesterov momentum and cross-entropy loss in training. The initial learning rate was set at 0.1, weight decay to , momentum to 0.9 and minibatch size to 64. The learning rate was dropped by a factor of 0.2 at 60, 120 and 160 epochs, and we trained for a total of 200 epochs, following the settings used in [33].

We embedded a watermark into one of the following convolution layers: the second convolution layer in the conv 2, conv 3, and conv 4 groups. In the following, we refer to the location of the host layer simply by the conv 2, conv 3, or conv 4 group. In Table 3, the number of parameters is also shown for these layers. The parameter in Eq. (1) is set to . As a watermark, we embedded in the following experiments.

Group Output size Building block
conv 1 N/A
conv 2
conv 3
conv 4
avg-pool, fc, soft-max N/A

Table 3: Structure of the host network.
Figure 1: Training curves for the host network on CIFAR-10 as a function of epochs. Solid lines denote test error (y-axis on the left) and dashed lines denote training loss (y-axis on the right).
Setting | Test error (%) | Embedding loss
Not embedded | 8.04 | N/A
direct | 8.21 |
diff | 8.37 |
random | 7.97 |

Table 4: Test error (%) and embedding loss with and without embedding.

4.2 Embedding Results

First, we confirm that a watermark was successfully embedded in the host network by the proposed embedding regularizer. We trained the host network from scratch (train-to-embed) on the CIFAR-10 dataset with and without embedding a watermark. In the embedding case, a 256-bit watermark () was embedded into the conv 2 group.

Test Error and Training Loss

Figure 1 shows the training curves for the host network in CIFAR-10 as a function of epochs. Not embedded is the case that the host network is trained without the embedding regularizer. Embedded (direct), Embedded (diff), and Embedded (random) respectively represent training curves with embedding regularizers whose parameters are , , and . We can see that the training loss with a watermark becomes larger than the not-embedded case if the parameters and are used. This large training loss is dominated by the embedding loss , which indicates that it is difficult to embed a watermark directly into a parameter or even into the difference of two parameters. On the other hand, the training loss of Embedded (random) is very close to that of Not embedded.

Table 4 shows the best test errors and embedding losses of the host networks with and without embedding. We can see that the test errors of Not embedded and random are almost the same while those of direct and diff are slightly larger. The embedding loss of random is extremely low compared with those of direct and diff. These results indicate that the random approach can effectively embed a watermark without impairing the performance in the original task.

(a) direct

(b) diff

(c) random

Figure 2: Histogram of the embedded watermark (before thresholding) with and without watermarks.

Detecting Watermarks

Figure 2 shows the histogram of the embedded watermark (before thresholding) with and without watermarks where (a) direct, (b) diff, and (c) random parameters are used in embedding and detection. If we binarize at a threshold of 0.5, all watermarks are correctly detected because () for all embedded cases. Please note that we embedded as a watermark as mentioned before. Although random watermarks will be detected for the non-embedded cases, it can be easily judged that the watermark is not embedded because the distribution of is quite different from those for embedded cases.

(a) Not embedded

(b) direct

(c) diff

(d) random

Figure 3: Distribution of model parameters with and without watermarks.

Distribution of Model Parameters

We explore how trained model parameters are affected by the embedded watermarks. Figure 3 shows the distribution of model parameters (not ) with and without watermarks. These parameters are taken only from the layer in which a watermark was embedded. Note that is the parameter before taking the mean over filters, and thus the number of parameters is . We can see that direct and diff significantly alter the distribution of parameters while random does not. In direct, many parameters became large and a peak appears near 2, so that their mean over filters becomes a large positive value to reduce the embedding loss. In diff, most parameters were pushed in both positive and negative directions so that the differences between these parameters became large. In random, the watermark is diffused over all parameters with random weights and thus does not significantly alter the distribution. This is one of the desirable properties of watermarking related to the security requirement; for the direct and diff cases, an observer might notice the existence of the embedded watermark from the parameter distribution alone.

The results so far indicated that the random approach seemed to be the best choice among the three, with low embedding loss, low test error in the original task, and not altering the parameter distribution. Therefore, in the following experiments, we used the random approach in embedding watermarks without explicitly indicating it.

Figure 4: Training curves for fine-tuning the host network. The first and second halves of epochs correspond to the first and second training. Solid lines denote test error (y-axis on the left) and dashed lines denote training loss (y-axis on the right).

Fine-tune-to-embed and Distill-to-embed

In the above experiments, a watermark was embedded by training the host network from scratch (train-to-embed). Here, we evaluated the other two situations introduced in Section 2.2: fine-tune-to-embed and distill-to-embed. For fine-tune-to-embed, two experiments were performed. In the first experiment, the host network was trained on the CIFAR-10 dataset without embedding, and then fine-tuned on the same CIFAR-10 dataset with embedding and without embedding (for comparison). In the second experiment, the host network is trained on the Caltech-101 dataset, and then fine-tuned on the CIFAR-10 dataset with and without embedding.

Table 5 (a) shows the result of the first experiment. Not embedded 1st corresponds to the first training without embedding. Not embedded 2nd corresponds to the second training without embedding and Embedded corresponds to the second training with embedding. Figure 4 shows the training curves of these fine-tunings. We can see that Embedded achieved almost the same test error as Not embedded 2nd and a very low .

Table 5 (b) shows the results of the second experiment. Not embedded 2nd corresponds to the second training without embedding and Embedded corresponds to the second training with embedding. The test error and training loss of the first training are not shown because they are not compatible between these two different training datasets. From these results, it was also confirmed that Embedded achieved almost the same test error as Not embedded 2nd and very low . Thus, we can say that the proposed method is effective even in the fine-tune-to-embed situation (in the same and different domains).

Finally, embedding a watermark in the distill-to-embed situation was evaluated. The host network is first trained on the CIFAR-10 dataset without embedding. Then, the trained network was further fine-tuned on the same CIFAR-10 dataset with and without embedding. In this second training, the training labels of the CIFAR-10 dataset were not used. Instead, the predicted values of the trained network were used as soft targets [17]. In other words, no label was used in the second training. Table 5 (c) shows the results for the distill-to-embed situation. Not embedded 1st corresponds to the first training and Embedded (Not embedded 2nd) corresponds to the second distilling training with embedding (without embedding). It was found that the proposed method also achieved low test error and in the distill-to-embed situation.

(a) Fine-tune-to-embed (CIFAR-10 → CIFAR-10)
Setting | Test error (%) | Embedding loss
Not embedded 1st | 8.04 | N/A
Not embedded 2nd | 7.66 | N/A
Embedded | 7.70 |

(b) Fine-tune-to-embed (Caltech-101 → CIFAR-10)
Setting | Test error (%) | Embedding loss
Not embedded 2nd | 7.93 | N/A
Embedded | 7.94 |

(c) Distill-to-embed (CIFAR-10 → CIFAR-10)
Setting | Test error (%) | Embedding loss
Not embedded 1st | 8.04 | N/A
Not embedded 2nd | 7.86 | N/A
Embedded | 7.75 |

Table 5: Test error (%) and embedding loss with and without embedding in fine-tuning and distilling.

Capacity of Watermark.

In this section, the capacity of the embedded watermark is explored by embedding watermarks of different sizes into different groups in the train-to-embed manner. Please note that the numbers of parameters of the conv 2, conv 3, and conv 4 groups were 576, 1152, and 2304, respectively. Table 6 shows the test error (%) and embedding loss for combinations of different embedded groups and different numbers of embedded bits. We can see that the embedding loss or the test error becomes high if the number of embedded bits becomes larger than the number of parameters (e.g. 2,048 bits in conv 3), because the embedding problem becomes overdetermined in such cases. Thus, the number of embedded bits should be smaller than the number of parameters, which is a limitation of the embedding method using a single-layer perceptron. This limitation could be resolved by using a multi-layer perceptron in the embedding regularizer.

(a) Test error (%)
Embedded bits | conv 2 | conv 3 | conv 4
256 | 7.97 | 7.98 | 7.92
512 | 8.47 | 8.22 | 7.84
1,024 | 8.43 | 8.12 | 7.84
2,048 | 8.17 | 8.93 | 7.75

(b) Embedding loss
Embedded bits | conv 2 | conv 3 | conv 4
256 | | |
512 | | |
1,024 | | |
2,048 | | |

Table 6: Test error (%) and embedding loss for the combinations of embedded groups and numbers of embedded bits.

Embedding without Training

As mentioned in Section 3.2, it is possible to embed a watermark into a host network by directly modifying the trained parameter, as is usually done in the image domain. Here we try to do this by minimizing the following loss function instead of Eq. (1):

(6)

where the embedding loss is minimized while also minimizing the difference between the modified parameter and the original parameter. Table 7 summarizes the embedding results of Eq. (6) against the host network trained on the CIFAR-10 dataset. We can see that embedding fails for small values of the parameter, as the bit error rate (BER) is larger than zero, while for large values the test error of the original task becomes too large. Thus, it is not effective to directly embed a watermark without considering the original task.

Parameter of Eq. (6) | Parameter-difference loss | Embedding loss | Test error (%) | BER
0 | 0.000 | 1.066 | 8.04 | 0.531
1 | 0.184 | 0.609 | 8.52 | 0.324
10 | 1.652 | 0.171 | 10.57 | 0.000
100 | 7.989 | 0.029 | 13.00 | 0.000

Table 7: Losses, test error, and bit error rate (BER) after embedding a watermark with different values of the parameter of Eq. (6).

4.3 Robustness of Embedded Watermarks

In this section, the robustness of the proposed watermark is evaluated against the two attack types explained in Section 2.3: fine-tuning and model compression.

Robustness against Fine-tuning

Fine-tuning or transfer learning [28] seems to be the most likely type of (unintentional) attack because it is frequently performed on trained models to apply them to other but similar tasks with less effort than training a network from scratch or to avoid over-fitting when sufficient training data is not available.

In this experiment, two trainings were performed: in the first training, a 256-bit watermark was embedded in the conv 2 group in the train-to-embed manner, and then the host network was further fine-tuned in the second training without embedding, to determine whether the watermark embedded in the first training stayed in the host network even after the second training (fine-tuning).

Table 8 shows the embedding loss before and after fine-tuning, and the best test error after fine-tuning. We evaluated fine-tuning in the same domain (CIFAR-10 → CIFAR-10) and in different domains (Caltech-101 → CIFAR-10). We can see that, in both cases, the embedding loss was slightly increased by fine-tuning but was still low. In addition, the bit error rate of the detected watermark was zero in both cases. The reason why the embedding loss after fine-tuning in different domains is higher than that in the same domain is that the Caltech-101 dataset is significantly more difficult than the CIFAR-10 dataset in our settings, because all Caltech-101 images were resized for compatibility with the CIFAR-10 dataset.

Fine-tuning | Embedding loss before | Embedding loss after | Test error (%)
CIFAR-10 → CIFAR-10 | | | 7.69
Caltech-101 → CIFAR-10 | | | 7.88

Table 8: Embedding loss before and after fine-tuning, and the best test error (%) after fine-tuning.

Robustness against Model Compression

It is sometimes difficult to deploy deep neural networks to embedded systems or mobile devices because they are both computationally intensive and memory intensive. In order to solve this problem, the model parameters are often compressed [14, 12, 13]. The compression of model parameters can intentionally or unintentionally act as an attack against watermarks. In this section, we evaluate the robustness of our watermarks against model compression, in particular against parameter pruning [14]. In parameter pruning, parameters whose absolute values are very small are cut off to zero. In [13], quantization of weights and Huffman coding of the quantized values are further applied. Because quantization has less impact than parameter pruning and Huffman coding is lossless, we focus on parameter pruning.

In order to evaluate the robustness against parameter pruning, we embedded a 256-bit watermark in the conv 2 group while training the host network on the CIFAR-10 dataset. We removed % of the parameters of the embedded layer and calculated embedding loss and bit error rate. Figure 5 (a) shows embedding loss as a function of pruning rate . Ascending (Descending) represents embedding loss when the top % parameters are cut-off according to their absolute values in ascending (descending) order. Random represents embedding loss where % of parameters are randomly removed. Ascending corresponds to parameter pruning and the others were evaluated for comparison. We can see that the embedding loss of Ascending increases more slowly than those of Descending and Random as increases. It is reasonable that model parameters with small absolute values have less impact on a detected watermark because the watermark is extracted from the dot product of the model parameter and the constant embedding parameter (weight) .

Figure 5 (b) shows the bit error rate as a function of pruning rate . Surprisingly, the bit error rate was still zero after removing 65% of the parameters, and it stayed small even after 80% of the parameters were pruned (Ascending). We can say that the embedded watermark is sufficiently robust against parameter pruning because, in [13], the resulting pruning rate of convolutional layers ranged from 16% to 65% for AlexNet [23] and from 42% to 78% for VGGNet [28]. Furthermore, this degree of bit error can easily be corrected by an error-correcting code (e.g. a BCH code). Figure 6 shows the histogram of the detected watermark after pruning for and . For , the histogram of the detected watermark is also shown for the host network into which no watermark is embedded. We can see that many of are still close to one for the embedded case, which might be used as a confidence score in judging the existence of a watermark (zero-bit watermarking).

(a) Embedding loss.

(b) Bit error rate.

Figure 5: Embedding loss and bit error rate after pruning as a function of pruning rate.
Figure 6: Histogram of the detected watermark after pruning.
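The mechanics of Sections 3.1 to 3.3 (filter mean, the three embedding parameter types, extraction by projection and thresholding, the binary cross-entropy embedding loss trained as a regularizer) and the attacks of Section 4.3 and Section 5.1 (parameter pruning, fine-tuning, overwriting), as an added toy example in pure Python. It is not the authors' code (theirs is at the GitHub URL given in Section 3.3). Its assumptions are its own: the original-task loss is replaced by a quadratic stand-in around constructed i.i.d. Gaussian filter weights, the regularizer updates the filter mean directly instead of back-propagating through the mean into the filter tensor, and the names (`make_key`, `train`, `prune`, `demo`), sizes (16 bits into 256 parameters), random seeds and the constants `lam=1000.0` and `lr=1e-4` are choices of this example, not values from the paper.

```python
"""Added toy example (not the authors' code; theirs is at the GitHub URL above)
of the embedding regularizer (Secs. 3.1-3.3) and the pruning, fine-tuning
(Sec. 4.3) and overwriting (Sec. 5.1) attacks.  Assumptions: the original-task
loss E0 is a quadratic stand-in ||w - w_task||^2 around constructed Gaussian
weights, and gradient descent updates the filter mean w directly, not W."""
import math
import random

def flatten_mean_over_filters(W):
    """Sec. 3.1: average the N filters (each D x K x K) to remove the
    filter-order ambiguity, then flatten to M = D*K*K values."""
    N, D, K = len(W), len(W[0]), len(W[0][0])
    return [sum(W[n][d][i][j] for n in range(N)) / N
            for d in range(D) for i in range(K) for j in range(K)]

def make_key(kind, T, M, rng):
    """Embedding parameter X (T x M) of type 'direct', 'diff' or 'random'
    (Sec. 3.3).  X is the secret: extraction without it reads noise."""
    X = [[0.0] * M for _ in range(T)]
    for j in range(T):
        if kind == "direct":                    # one '1' per row
            X[j][rng.randrange(M)] = 1.0
        elif kind == "diff":                    # one '1' and one '-1' per row
            p, q = rng.sample(range(M), 2)
            X[j][p], X[j][q] = 1.0, -1.0
        elif kind == "random":                  # i.i.d. standard normal
            X[j] = [rng.gauss(0.0, 1.0) for _ in range(M)]
        else:
            raise ValueError(kind)
    return X

def project(X, w):
    return [sum(x * wi for x, wi in zip(row, w)) for row in X]

def extract(X, w):                              # Eqs. (2)-(3): threshold Xw at 0
    return [1 if y >= 0.0 else 0 for y in project(X, w)]

def ber(bits, ref):
    return sum(a != r for a, r in zip(bits, ref)) / len(ref)

def embedding_loss_grad(X, w, b):
    """Eq. (4): BCE of sigmoid(Xw) against b, and its gradient w.r.t. w."""
    p = [1.0 / (1.0 + math.exp(-y)) for y in project(X, w)]
    loss = -sum(bj * math.log(pj + 1e-12) + (1 - bj) * math.log(1 - pj + 1e-12)
                for bj, pj in zip(b, p)) / len(b)
    d = [(pj - bj) / len(b) for pj, bj in zip(p, b)]
    grad = [sum(dj * row[i] for dj, row in zip(d, X)) for i in range(len(w))]
    return loss, grad

def train(X, b, w_task, lam, w0=None, steps=1000, lr=1e-4):
    """Eq. (1) by gradient descent: E0(w) + lam * ER(w), with the stand-in
    E0(w) = ||w - w_task||^2.  lam = 0 is ordinary (fine-)tuning."""
    w = list(w0 if w0 is not None else w_task)
    for _ in range(steps):
        g = embedding_loss_grad(X, w, b)[1] if lam else [0.0] * len(w)
        w = [wi - lr * (2.0 * (wi - wt) + lam * gi)
             for wi, wt, gi in zip(w, w_task, g)]
    return w

def prune(w, rate, order, seed=1):
    """Zero a fraction `rate` of w: 'ascending' drops the smallest |w_i|
    (parameter pruning [14]); 'descending' and 'random' are the controls."""
    idx = list(range(len(w)))
    if order == "ascending":
        idx.sort(key=lambda i: abs(w[i]))
    elif order == "descending":
        idx.sort(key=lambda i: -abs(w[i]))
    else:
        random.Random(seed).shuffle(idx)
    out = list(w)
    for i in idx[:int(rate * len(w))]:
        out[i] = 0.0
    return out

def demo(T=16, N=4, D=4, K=8, seed=0):
    rng = random.Random(seed)
    # Constructed "trained" layer: N filters of D x K x K Gaussian weights.
    W = [[[[rng.gauss(0.0, 0.1) for _ in range(K)] for _ in range(K)]
          for _ in range(D)] for _ in range(N)]
    w_task = flatten_mean_over_filters(W)              # M = D*K*K = 256
    b = [rng.randrange(2) for _ in range(T)]           # constructed watermark
    X = make_key("random", T, len(w_task), rng)
    w = train(X, b, w_task, lam=1000.0)
    out = {"ber": ber(extract(X, w), b), "loss": embedding_loss_grad(X, w, b)[0]}
    out["ber_wrong_key"] = ber(extract(make_key("random", T, len(w), random.Random(99)), w), b)
    for rate in (0.5, 0.65):                           # pruning attack (Fig. 5)
        for order in ("ascending", "descending", "random"):
            out[f"ber_prune_{order}_{rate}"] = ber(extract(X, prune(w, rate, order)), b)
    # Fine-tuning without embedding toward a nearby task optimum (assumed close to w), Sec. 4.3.
    rng2 = random.Random(5)
    w_near = [wi + rng2.gauss(0.0, 0.03) for wi in w]
    out["ber_finetune"] = ber(extract(X, train(X, b, w_near, lam=0.0, w0=w, lr=0.1)), b)
    # Overwriting (Sec. 5.1): another party embeds its own bits with its own
    # key, anchoring the task loss at the weights it received.
    X2 = make_key("random", T, len(w), rng2)
    b2 = [rng2.randrange(2) for _ in range(T)]
    out["ber_overwrite"] = ber(extract(X, train(X2, b2, w, lam=1000.0)), b)
    return out

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:30s} {v:.4f}")
```

Because the stand-in task loss is deliberately weak, the run reaches large margins on every bit, which stands in for the flat minima the paper relies on; the toy then reproduces the qualitative findings above: no bit errors after embedding, roughly half the bits wrong under a key the owner never used, ascending pruning harming the watermark far less than descending pruning, and the watermark surviving fine-tuning. With 16 bits in 256 parameters the toy also survives overwriting, because a second key interferes with the first only through the cross products of its rows with the first key's rows, whose size relative to the squared norm of a row shrinks like the square root of T/M; the paper's preliminary overwriting figures (30.9% errors in conv 2 with 576 parameters, 0.4% in conv 4 with 2304) follow the same trend. The pruning rate at which bits start to flip depends on the weight distribution, and i.i.d. Gaussian weights are a poor proxy for a trained layer, so the toy's numbers at 65% should not be read as the paper's.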

5 Conclusions and Future Work

In this paper, we have proposed a general framework for embedding a watermark in deep neural network models to protect the rights to the trained models. First, we formulated a new problem: embedding watermarks into deep neural networks. We also defined requirements, embedding situations, and attack types for watermarking deep neural networks. Second, we proposed a general framework for embedding a watermark in model parameters using a parameter regularizer. Our approach does not impair the performance of networks into which a watermark is embedded. Finally, we performed comprehensive experiments to reveal the potential of watermarking deep neural networks as the basis of this new problem. We showed that our framework could embed a watermark without impairing the performance of a deep neural network. The embedded watermark did not disappear even after fine-tuning or parameter pruning; the entire watermark remained even after 65% of the parameters were pruned.

5.1 Future Work

Although we have obtained first insight into the new problem of embedding a watermark in deep neural networks, many things remain as future work.

Watermark overwriting. A third-party user may embed a different watermark in order to overwrite the original watermark. In our preliminary experiments, this watermark overwriting caused 30.9%, 8.6%, and 0.4% bit errors against watermarks in the conv 2, conv 3, and conv 4 groups when 256-bit watermarks were additionally embedded. More robust watermarking against overwriting should be explored (e.g. non-linear embedding).

Compression as embedding. Compressing deep neural networks is a very important and active research topic. While we confirmed that our watermark is very robust against parameter pruning in this paper, a watermark might be embedded in conjunction with compressing models. For example, in [13], after parameter pruning, the network is re-trained to learn the final weights for the remaining sparse parameters. Our embedding regularizer can be used in this re-training to embed a watermark.

Network morphism. In [4, 32], a systematic study has been done on how to morph a well-trained neural network into a new one so that its network function can be completely preserved for further training. This network morphism can constitute a severe attack against our watermark because it may be impossible to detect the embedded watermark if the topology of the host network is severely modified. We leave the investigation of how the embedded watermark is affected by this network morphism for future work.

Steganalysis. Steganalysis [27, 21] is a method for detecting the presence of secretly hidden data (e.g. steganography or watermarks) in digital media files such as images, video, audio, and, in our case, deep neural networks. Watermarks ideally are robust against steganalysis. While, in this paper, we confirmed that embedding watermarks does not significantly change the distribution of model parameters, more exploration is needed to evaluate robustness against steganalysis. Conversely, developing effective steganalysis against watermarks for deep neural networks can be an interesting research topic.

Fingerprinting. Digital fingerprinting is an alternative to the watermarking approach for persistent identification of images [2], video [20, 31], and audio clips [1, 11]. In this paper, we focused on one of these two important approaches. Robust fingerprinting of deep neural networks is another and complementary direction to protect deep neural network models.

Footnotes

  1. https://github.com/BVLC/caffe/wiki/Model-Zoo
  2. https://www.alexaskillstore.com/
  3. Fully-connected layers can also be used but we focus on convolutional layers here, because fully-connected layers are often discarded in fine-tuning.
  4. Although this single-layer perceptron can be deepened into multi-layer perceptron, we focus on the simplest one in this paper.
  5. Note that the learning rate was also initialized to 0.1 at the beginning of the second training, while the learning rate was reduced to ) at the end of the first training.
  6. This size is extremely small compared with their original sizes (roughly ).

References

  1. X. Anguera, A. Garzon, and T. Adamek. Mask: Robust local features for audio fingerprinting. In Proc. of ICME, 2012.
  2. J. Barr, B. Bradley, and B. T. Hannigan. Using digital watermarks with image signatures to mitigate the threat of the copy attack. In Proc. of ICASSP, pages 69–72, 2003.
  3. J. Bergstra, O. Breuleux, F. Bastien, P. Lamblin, R. Pascanu, G. Desjardins, J. Turian, D. Warde-Farley, and Y. Bengio. Theano: a CPU and GPU math expression compiler. In Proc. of the Python for Scientific Computing Conference (SciPy), 2010.
  4. T. Chen, I. Goodfellow, and J. Shlens. Net2net: Accelerating learning via knowledge transfer. In Proc. of ICLR, 2016.
  5. F. Chollet. Keras. GitHub repository, 2015.
  6. A. Choromanska, M. Henaff, M. Mathieu, G. Arous, and Y. LeCun. The loss surfaces of multilayer networks. In Proc. of AISTATS, 2015.
  7. R. Collobert, K. Kavukcuoglu, and C. Farabet. Torch7: A matlab-like environment for machine learning. In Proc. of NIPS Workshop on BigLearn, 2011.
  8. I. Cox, M. Miller, J. Bloom, J. Fridrich, and T. Kalker. Digital Watermarking and Steganography. Morgan Kaufmann Publishers Inc., 2 edition, 2008.
  9. Y. Dauphin, R. Pascanu, C. Gulcehre, K. Cho, S. Ganguli, and Y. Bengio. Identifying and attacking the saddle point problem in high-dimensional non-convex optimization. In Proc. of NIPS, 2014.
  10. L. Fei-Fei, R. Fergus, and P. Perona. Learning generative visual models from few training examples: an incremental bayesian approach tested on 101 object categories. In Proc. of CVPR Workshop on Generative-Model Based Vision, 2004.
  11. J. Haitsma and T. Kalker. A highly robust audio fingerprinting system. In Proc. of ISMIR, pages 107–115, 2002.
  12. S. Han, X. Liu, H. Mao, J. Pu, A. Pedram, M. A. Horowitz, and W. J. Dally. Eie: Efficient inference engine on compressed deep neural network. In Proc. of ISCA, 2016.
  13. S. Han, H. Mao, and W. J. Dally. Deep compression: Compressing deep neural networks with pruning, trained quantization and huffman coding. In Proc. of ICLR, 2016.
  14. S. Han, J. Pool, J. Tran, and W. J. Dally. Learning both weights and connections for efficient neural networks. In Proc. of NIPS, 2015.
  15. F. Hartung and M. Kutter. Multimedia watermarking techniques. Proceedings of the IEEE, 87(7):1079–1107, 1999.
  16. K. He, X. Zhang, S. Ren, and J. Sun. Deep residual learning for image recognition. In Proc. of CVPR, 2016.
  17. G. Hinton, O. Vinyals, and J. Dean. Distilling the knowledge in a neural network. In Proc. of NIPS Workshop on Deep Learning and Representation Learning, 2014.
  18. S. Hochreiter and J. Schmidhuber. Long short-term memory. Neural Computation, 9(8):1735–1780, 1997.
  19. Y. Jia, E. Shelhamer, J. Donahue, S. Karayev, J. Long, R. Girshick, S. Guadarrama, and T. Darrell. Caffe: Convolutional architecture for fast feature embedding. In Proc. of MM, 2014.
  20. A. Joly, C. Frelicot, and O. Buisson. Content-based video copy detection in large databases: a local fingerprints statistical similarity search approach. In Proc. of ICIP, pages 505–508, 2005.
  21. J. Kodovsky, J. Fridrich, and V. Holub. Ensemble classifiers for steganalysis of digital media. IEEE Trans. on Information Forensics and Security, 7(2):432–444, 2012.
  22. A. Krizhevsky. Learning multiple layers of features from tiny images. Tech Report, 2009.
  23. A. Krizhevsky, I. Sutskever, and G. E. Hinton. Imagenet classification with deep convolutional neural networks. In Proc. of NIPS, 2012.
  24. A. Krogh and J. A. Hertz. A simple weight decay can improve generalization. In Proc. of NIPS, 1992.
  25. Y. Lecun, L. Bottou, Y. Bengio, and P. Haffner. Gradient-based learning applied to document recognition. Proceedings of the IEEE, 86(11):2278–2324, 1998.
  26. M. Abadi, et al. Tensorflow: Large-scale machine learning on heterogeneous distributed systems. arXiv:1603.04467, 2016.
  27. L. Shaohui, Y. Hongxun, and G. Wen. Neural network based steganalysis in still images. In Proc. of ICME, 2003.
  28. K. Simonyan and A. Zisserman. Very deep convolutional networks for large-scale image recognition. In Proc. of ICLR, 2015.
  29. C. Szegedy, W. Liu, Y. Jia, P. Sermanet, S. Reed, D. Anguelov, D. Erhan, V. Vanhoucke, and A. Rabinovich. Going deeper with convolutions. In Proc. of CVPR, 2015.
  30. S. Tokui, K. Oono, S. Hido, and J. Clayton. Chainer: a next-generation open source framework for deep learning. In Proc. of NIPS Workshop on Machine Learning Systems, 2015.
  31. Y. Uchida, M. Agrawal, and S. Sakazawa. Accurate content-based video copy detection with efficient feature indexing. In Proc. of ICMR, 2011.
  32. T. Wei, C. Wang, Y. Rui, and C. W. Chen. Network morphism. In Proc. of ICML, 2016.
  33. S. Zagoruyko and N. Komodakis. Wide residual networks. In Proc. of ECCV, 2016.