Log In Sign Up

Adversarial Frontier Stitching for Remote Neural Network Watermarking

by   Erwan Le Merrer, et al.

The state of the art performance of deep learning models comes at a high cost for companies and institutions, due to the tedious data collection and the heavy processing requirements. Recently, Uchida et al. (2017) proposed to watermark convolutional neural networks by embedding information into their weights. While this is a clear progress towards model protection, this technique solely allows for extracting the watermark from a network that one accesses locally and entirely. This is a clear impediment, as leaked models can be re-used privately, and thus not released publicly for ownership inspection. Instead, we aim at allowing the extraction of the watermark from a neural network (or any other machine learning model) that is operated remotely, and available through a service API. To this end, we propose to operate on the model's action itself, tweaking slightly its decision frontiers so that a set of specific queries convey the desired information. In present paper, we formally introduce the problem and propose a novel zero-bit watermarking algorithm that makes use of adversarial model examples. While limiting the loss of performance of the protected model, this algorithm allows subsequent extraction of the watermark using only few remote queries. We experiment this approach on the MNIST dataset with three types of neural networks, demonstrating that e.g., watermarking with 100 images incurs a slight accuracy degradation, while being resilient to most removal attacks.


page 1

page 2

page 3

page 4


PRADA: Protecting against DNN Model Stealing Attacks

As machine learning (ML) applications become increasingly prevalent, pro...

DAWN: Dynamic Adversarial Watermarking of Neural Networks

Training machine learning (ML) models is expensive in terms of computati...

DeltaBound Attack: Efficient decision-based attack in low queries regime

Deep neural networks and other machine learning systems, despite being e...

Cryptanalytic Extraction of Neural Network Models

We argue that the machine learning problem of model extraction is actual...

First to Possess His Statistics: Data-Free Model Extraction Attack on Tabular Data

Model extraction attacks are a kind of attacks where an adversary obtain...

LOTS about Attacking Deep Features

Deep neural networks provide state-of-the-art performance on various tas...

Copycat CNN: Stealing Knowledge by Persuading Confession with Random Non-Labeled Data

In the past few years, Convolutional Neural Networks (CNNs) have been ac...

1 Introduction

Recent years have witnessed a fierce competition for the design and training of top notch deep neural networks. The industrial advantage from the possession of a state of the art model is now widely acknowledged, starting to motivate some attacks for stealing those models stealing; stealing2. Since it is now clear that machine learning models will play a central role in the IT development in the years to come, the necessity for protecting those models appears more salient.

In 1994, van1994digital proposed to covertly embed a marker into digital content (such as audio or video data) in order to identify its ownership: by revealing the presence of such marker a copyright owner could prove its rights over the content. The authors coined the term digital watermarking. The fact that neural networks are digital content naturally questions the transferability of such techniques to those models.

Uchida:2017; Nagai2018 published the first method for watermarking a neural network that might be publicly shared and thus for which traceability through ownership extraction is important. The marked object is here a neural network and its trained parameters. However, this method requires the ability to directly access the model weights: the model is considered as a white box. The watermark embedding is performed through the use of a regularizer at training time. This regularization introduces the desired statistical bias into the parameters, which will serve as the watermark. We are interested in a related though different problem, namely zero-bit watermarking of neural networks (or any machine learning models) that are only remotely accessible through an API. The extraction of a zero-bit watermark in a given model refers to detecting the presence or the absence of the mark in that model. This type of watermark, along with the required key to extract it, is sufficient for an entity that suspects a non legitimate usage of the marked model to confirm it or not.

In stark contrast to Uchida:2017; Nagai2018’s approach, we seek a black box watermarking approach that allows extraction to be conducted remotely, without access to the model itself. More precisely, the extraction test of the proposed watermark consists in a set of requests to the machine learning service, available through an API stealing. This allows the detection of (leaked) models when model’s parameters are directly accessible, but also when the model is only exposed through an online service. Second, we target the watermarking of models in general, i.e., our scheme is not restricted solely to neural networks, whether of a certain type or not.

Figure 1: Our goal: zero-bit watermarking a model locally (top-action), for remote assessment of a potential model leak (bottom-action).


We thus aim at embedding zero-bit watermarks into models, that can be extracted remotely. In this setup, we can only rely on interactions with the model through the remote API, e.g., on object recognition queries in case of an image classification model. The input, e.g., images, must thus convey a means to embed identification information into the model (zero-bit watermarking step) and to extract, or not, the identification information from the remote model (watermark extraction step), see Fig. 1. Our algorithm’s rationale is that the embedded watermark is a slight modification of the original model’s decision frontiers around a set of specific inputs that form the hidden key

. Answers of the remote model to these inputs are compared to those of the marked model. A strong match (despite the possible manipulation of the leaked model) must indicate the presence of the watermark in the remote model with a high probability.

The inputs in the key must be crafted in a way that watermarking the model of interest does not degrade significantly its performance. To this end, we leverage adversarial perturbations of training examples Goodfellow:2015 that produce new examples (the “adversaries”) very close the model’s decision frontiers. As such adversaries tend to generalize across models, notably across different neural network architectures for visual recognition, see e.g., Rozsa:2016, this frontier tweaking should resist model manipulation and yield only few false positives (wrong identification of non marked models).


The contributions of this article are: 1) A formalization of the problem of zero-bit watermarking a model for remote identification, and associated requirements (Section 2); 2) A practical algorithm, the frontier stitching algorithm based on adversaries that “clamp” the model frontiers, to address this problem. We also introduce a statistical framework for reasoning about the uncertainty regarding the remote model; we leverage a null hypothesis, for measuring the success of the watermark extraction (Section 3); 3) Experiments with three different types of neural networks on the MNIST dataset, validating the approach with regards to the specified requirements (Section 4).

2 Watermarking for Remote Extraction

Considered scenario.

The scenario that motivates our work is as follows: An entity, having designed and trained a machine learning model, notably a neural network, wants to zero-bit watermark it (top-action on Fig. 1). This model could then be placed in production for applications and services. In case of the suspicion of a security breach in that application (model has leaked by being copied at a bit-level), the entity suspecting a given online service to re-use that leaked model can query that remote service for answering its doubts (bottom-action).

Like for classic media watermarking methods (771066; van1994digital), our approach includes operations of embedding (the entity inserts the zero-bit watermark in its model), and extraction (the entity verifies the presence or not of its watermark in the suspected model), and a study of possible attacks (actions performed by others in order to remove the watermark from the model).

Modeling Requirements.

Following works in the multimedia domain 771066, and by Uchida:2017; Nagai2018, we adapt the requirements for a watermarking method to the specific capability of remote watermark extraction (black box set-up). We choose those requirements to structure the remaining of this article.

We consider the problem of zero-bit watermarking a generic classifier, for remote watermark extraction. Let

be the dimension of the input space (raw signal space for neural nets or hand-crafted feature space for linear and non-linear SVMs), and the finite set of target labels. Let be the perfect classifier for the problem (i.e., is always the correct answer). Let be the trained classifier to be watermarked, and be the space of possible such classifiers. Our aim is to find a zero-bit watermarked version of (hereafter denoted ) along with a set of specific inputs, named the key, and their labels . The purpose is to query with the key a remote model that can be either or another unmarked model . The key, which is thus composed of “objects” to be classified, is used to embed the watermark into .

Here are listed the requirements of an ideal watermarked model and key couple, :


The watermark embedding does not hinder the performance of the original classifier:


The key is as short as possible, as accessing the watermark requires requests.


The embedding allows unique identification of using (zero-bit watermarking):


Attacks (such as fine-tuning or compression) to do not remove the watermark111” stands for a small modification of the parameters of that preserves the value of the model, i.e., that does not deteriorate significantly its performance.:


No efficient algorithm exists to detect the presence of the watermark in a model by an unauthorized party.

Note that effectiveness is a new requirement as compared to the list of Uchida et al. Also, their capacity requirement, i.e., the amount of information that can be embedded by a method, is not part of ours as our goal is to decide whether watermarked model is used or not (zero-bit watermark extraction).

One can observe the conflicting nature of effectiveness and robustness: If, for instance, then this function violates one of the two. In order to allow for a practical setup for the problem, we rely on a measure of the matching between two classifiers :


where is the Kronecker delta. One can observe that

is simply the Hamming distance between the vectors

and , thus based on elements in . With this focus on distance, our two requirements can now be recast in a non-conflicting way:

  • Robustness:

  • Effectiveness:

3 The Frontier Stitching Algorithm

We now present a practical zero-bit model watermarking algorithm that permits remote extraction through requests to an API, following the previously introduced requirements. Our aim is to output a watermarked model , which can for instance be placed into production for use by consumers, together with a watermark key to be used in case of model leak suspicion. For the security requirement to hold, we obviously discard any form of visible watermark insertion visible. Fig. 2 illustrates the approach in the setting of a binary classifier (without loss of generality).

Figure 2: Illustration of proposed approach for a binary classifier. (a) The proposed algorithm first computes “true adversaries” ( and ) and “false” ones ( and ) for both classes from training examples. They all lie close the decision frontier. (b) It then fine-tunes the classifier such that these inputs are now all well classified, i.e.,  the 8 true adversaries are now correctly classified in this example while the 4 false ones remain so. This results in a loyal watermarked model (very similar to original one) and a key size of here. This process resembles “stitching” around data points.

As we use input points for watermarking the owned model and subsequently to query a suspected remote model, the choice of those inputs is crucial. A non watermarking-based solution based simply on choosing arbitrarily training examples (along with their correct labels), is very unlikely to succeed in the identification of a specific valuable model: Classifying those points correctly should be easy for highly accurate classifiers, which will then provide similar results, ruining the effectiveness. On the other hand, the opposite strategy of selecting arbitrary examples and fine-tuning so that it changes the way they are classified (e.g.,  ) is an option to modify the model’s behavior in an identifiable way. However, fine-tuning on even few examples that are possibly far from decision frontiers will significantly alter the performance of : The produced solution will not be loyal.

Together, those observations lead to the conclusion that the selected points should be close to the original model’s decision frontier, that is, their classification is not trivial and depends heavily on the model (Fig. 2(a)). Finding and manipulating such inputs is the purpose of adversarial perturbations Goodfellow:2015; Moosavi-Dezfooli:2017. Given a trained model, any well classified example can be modified in a very slight way such that it is now misclassified. Such modified samples are called “adversarial examples”, or adversaries in short.

The proposed frontier stitching algorithm, presented in Algorithm 1, makes use of such adversaries, selected to “clamp” the frontier in a unique, yet harmless way (Fig. 2(a)). It proceeds in two steps to mark the model. The first step is to select a small key set of specific input points, which is composed of two types of adversaries. It first contains classic adversaries, we call true adversaries, that are misclassified by although being each very close to a well classified example. It also contains false adversaries, each obtained by applying an adversarial perturbation to a well classified example without ruining its classification. In practice, the “fast gradient sign method” proposed in Goodfellow:2015 is used with a suitable gradient step to create potential adversaries of both types from training examples, these adversaries are inputs that will be closer to a decision frontier than their base inputs. This modification in the direction of other classes is the purpose of adversarial attacks. (Other methods include for instance the “Jacobian-based saliency map approach” jsma).

These frontier clamping inputs are then used to mark the model (Fig. 2(b)). The model is fine-tuned into such that all points in are now well classified:


In other words, the true adversaries of in become false adversaries of the marked model, and false adversaries remain as such. The role of the false adversaries is to limit strongly the amount of changes that the decision frontiers will undergo when getting true adversaries back to the right classes. False adversaries also have the role of characterizing the shapes of the model frontiers, for adding robustness to the statistical watermark extraction process we now present.

Statistical watermark extraction.

The marking step is thus the embedding of such a crafted key in the original model, while the watermark extraction consists in asking the remote model to classify the inputs in key , to assess the presence or not of the zero-bit watermark (Algorithm 2). We now analyze statistically this extraction problem.

As discussed in Section 2, the key quantity at extraction time is the Hamming distance (Eq. 4) between remote model’s answers to the key and expected answers. The stitching algorithm produces deterministic results with respect to the imprinting of the key: A marked model perfectly matches the key, i.e., the distance between and query results in equals zero. However, as the leaked model may undergo arbitrary attacks (e.g., for watermark removal), transforming into a model , one should expect some deviation in answers to watermark extraction (). On the other hand, other unmarked models might also partly match key labels, and thus have a positive non-maximum distance too. As an extreme example, even a strawman model that answers a label uniformly at random produces matches in expectation, when classifying over classes. Consequently, two questions are central to the frontier stitching approach: How large is the deviation one should tolerate from the original watermark in order to state about successful zero-bit watermark? And, dependently, how large should the key be, so that the tolerance is increased?

0:  Labelled sample set ; Trained model ; Key length ; Step size for adversary generation;
0:   is watermarked with key {Assumes is large enough and is balanced to generate true & false adversaries} {Key construction}
2:  while  or  do
3:     pick random adversary candidate , associated to with label
4:     if  and and  then { is a true adversary}
6:     else if  and  then { is a false adversary}
8:     end if
9:  end while
10:   {Force embedding of key adversaries in their original class}
11:   TRAIN(, , )
12:  return  , ,
Algorithm 1 Zero-bit watermarking a model
0:   and , the key and labels used to watermark the neural network
2:  for each  do
3:     if QUERY_REMOTE()  then
4:         {remote model answer differs from recorded answer}
5:     end if
6:  end for{Having such that  (null-model)}
7:  return  {True successful extraction}
Algorithm 2 Zero-bit watermark extraction from a remote model

We propose to rely on a probabilistic approach by estimating the probability of an unmarked model

to produce correct answers to requests from inputs in the key. While providing an analysis that would both be precise and cover all model behaviors is unrealistic, we rely on a null-model assuming that inputs in the key are so close to the frontier that, at this “resolution”, the frontier only delimits two classes (the other classes being too far from the considered key inputs), and that the probability of each of the two classes is each. This is all the more plausible since we leverage adversaries especially designed to cause misclassification.

More formally, let be the null-model: . Having such a null-model allows applying a -value approach to the decision criteria. Indeed, let

be the random variable representing the number of mismatching labels for key inputs

. Assuming that the remote model is the null-model, the probability of having exactly errors in the key is , that is

follows the binomial distribution

. Let be the maximum number of errors tolerated on ’s answers to decide whether or not the watermark extraction is successful. To safely (-value ) reject the hypothesis that is a model behaving like our null-model, we need . That is . In particular, for key sizes of and a -value of , the maximum number of tolerated errors are and , respectively. We thus consider the zero-bit watermark extraction from the remote model successful if the number of errors is below that threshold , as presented in Algorithm 2. Next Section includes an experimental study of false positives related to this probabilistic approach.

4 Experiments

We now conduct experiments to evaluate the proposed approach in the light of the requirements stated in Section 2. In particular, we evaluate the fidelity, the effectiveness and the robustness of our algorithm.

We perform our experiments on the MNIST dataset lecun1998mnist

, using the Keras backend


to the TensorFlow platform

222Code will be open-sourced on GitHub, upon article acceptance. tensorflow2015-whitepaper. As neural network architectures, we use three off-the-shelf implementations, available publicly on the Keras website, namely mnist_mlp

(0.984% accuracy at 10 epochs, we denote as MLP),

mnist_cnn (0.993% at 10, denoted as CNN) and mnist_irnn

(0.9918% at 900, denoted as IRNN). Their characteristics are as follows. The MLP is composed of two fully connected hidden layers of 512 neurons each, for a total of

parameters to train. The CNN is composed by two convolutional layers (of size 32 and 64), with kernel sizes of , followed by a fully connected layer of 128 neurons (for a total of parameters). Finally, the IRNN refer to settings by Le et al. DBLP:journals/corr/LeJH15 and uses a fully connected recurrent layer (for a total of

parameters). All three architectures use a softmax layer as output.

All experiments are run on networks trained with the standard parametrization setup: MNIST training set of images, test set of size , SGD with mini-batches of size and a learning rate of .

4.1 Generating adversaries for the watermark key.

We use the Cleverhans Python library by papernot2017cleverhans to generate the adversaries (function GEN_ADVERSARIES() in Algorithm 1). It implements the “fast gradient sign method” by Goodfellow:2015, we recall here for completeness. With the parameters of the attacked model, the cost function used to train the model and the gradient of that cost function with respect to input , the adversarial image is obtained from the input image by applying the following perturbation:

thus controls the intensity of the adversarial perturbation; we use a default setting of .

Alternative methods, such as the “Jacobian-based saliency map” (2015arXiv151107528P), or other attacks for generating adversaries may also be used (please refer to adv-survey for a list of existing approaches). Adversaries are crafted from some test set images that are then removed from the test set to avoid biased results.

Figure 3: An example of a key of size four (generated with the “fast gradient sign method” and ), for the CNN classifier and the MNIST task: Key inputs (a) and (b) are true adversaries (2 and 1 digits, classified as 9 and 8 respectively), while (c) and (d) are false adversaries (9 and 8 digits that are correctly classified but knowingly close to a decision frontier).

As explained in Section 3, our key set is composed by of true adversaries, and by of false adversaries (adversarial perturbations that are not causing misclassification). In the fast gradient sign method, the value of controls the intensity of the perturbations that are applied to the attacked images. With a large value, most of the adversaries are true adversaries and, conversely, a small produces mostly false adversaries. As a consequence, must be chosen so that Algorithm 1 as enough inputs () of each kind, in order to build the key. Altogether, the adversaries in the key are close to the decision frontiers, so that they “clamp” these boundaries. An example of a key is displayed in Fig. 3.

4.2 Impact of watermarking (fidelity requirement).

This experiment considers the impact on fidelity of the watermark embedding, of sizes and , in the three networks. We generated multiple keys for this experiment and the following ones (see Algorithm 1), and kept those which required fewer that epochs for embedding in the models (resp. for IRNN), using a fine tuning rate of th of the original training rate. The following results are averaged over independent markings per network.

The cumulative distribution function (CDF) in Fig.

4 shows the accuracy for the 3 networks after embedding keys of the two sizes. IRNN exhibits nearly no degradation, while embedding in the MLP causes on average and loss for respectively key sizes and .

We remarked no significant degradation difference when marking (, 10 independent runs) a model with adversaries generated under , and norms. For instance, we marked the CNN model with (, fooling of MNIST test set), (, fooling ) and (, fooling ); This has resulted in accuracy drops of respectively , and . We use in the sequel.

Figure 4: Distribution of the degradation caused by watermarking models (resulting accuracy), with multiple keys of size and (). Black vertical dot-dash lines indicate pre-watermarking accuracies.

4.3 False positives in remote watermark extraction (effectiveness requirement).

We now experiment the effectiveness of the watermark extraction (Algorithm 2). When querying the remote model returns True, it is important to get a low false positive rate. To measure this, we ran on non watermarked and retrained networks of each type the extraction Algorithm 2, with keys used to watermark the three original networks. Ideally, the output should always be negative. We use , and various values of . We observe on Fig. 6 that the false positives are occurring for lower values and on some scenarios. False positives disappear for .

This last experiment indicates that the model owner has to select a high value, depending on her dataset, as the generated adversaries are powerful enough to prevent accurate classification by the remote inspected model. We could not assess a significant trend for a higher degradation of the marked model when using a higher as depicted in Fig. 5, where the CNN model is marked with keys of and for (10 runs per value). The value is to be observed on Fig. 4. We note that this relates to adversarial training, a form of specialized data augmentation that can be used as generic regularization Goodfellow:2015 or to improve model resilience to adversarial attacks papernot2017cleverhans. Models are thus trained with adversarial examples, which is in relation to our watermarking technique that incorporates adversarial examples in a fine-tuning step, without ruining model accuracy.

Figure 5: Distribution of the degradation caused by watermarking the CNN model (resulting accuracy), with multiple keys of size 20, and for various in the norm. The black vertical dot-dash line indicates the pre-watermarking accuracy.
Figure 6: Distribution of (normalized) Hamming distance when extracting the watermark (generated on networks listed on right axis) from remote unmarked models (w. names on the top), for and four values of . Vertical solid bars indicate the decision threshold corresponding to criteria. False positives (i.e.,  unmarked model at distance less than the threshold) happen when the CDF is on the left of the bar. Algorithm 1’s value (purple solid curve) prevents the issue of false positives in all cases.

4.4 Attacking the watermarks of a leaked model (robustness requirement).

We now address the robustness of the stitching algorithm. Two types of attacks are presented: Model compression (via both pruning and singular value decomposition) and overwriting via fine-tuning.

We consider plausible attacks over the leaked model, i.e.,  attacks that do not degrade the model beyond a certain accuracy, which we set to in the sequel333This about accuracy drop is also the one tolerated by a recent work on trojaning neural networks trojaning. (the three networks in our experiments have accuracy above ).

In our set-up, re-using a leaked model that has been significantly degraded in the hope to remove a possible watermark does not make sense; the attacker would rather use a less precise, yet legitimate model.

We remark that due to the nature of our watermarking method, an attacker (who does not possess the watermark key) will not know whether or not her attacks removed the watermark from the leaked model.

Compression attack via pruning As done by Uchida:2017, we study the effect of compression through parameter pruning, where to of model weights with lowest absolute values are set to zero. Results are presented on Tab. 1. Among all plausible attacks, none but one ( pruning of IRNN parameters) prevents successful and accurate extraction of the watermarks. We note that the MLP is prone to important degradation of accuracy when pruned, while at the same time the average number of erased key elements from the model is way below the decision threshold of . Regarding the CNN, even of pruned parameters are not enough to reach that same threshold.

Pruning rate elts removed Stdev Extraction rate Acc. after
CNN 0.25 0.053/100 0.229 1.000 0.983
- 0.50 0.263/100 0.562 1.000 0.984
- 0.75 3.579/100 2.479 1.000 0.983
- 0.85 34.000/100 9.298 0.789 0.936
IRNN 0.25 14.038/100 3.873 1.000 0.991
- 0.50 59.920/100 6.782 0.000 0.987
- 0.75 84.400/100 4.093 0.000 0.148
MLP 0.25 0.360/100 0.700 1.000 0.951
- 0.50 0.704/100 0.724 1.000 0.947
- 0.75 9.615/100 4.392 1.000 0.915
- 0.80 24.438/100 5.501 1.000 0.877
Table 1: Robustness to compression attack (pruning-based): Watermark extraction success rates (), after a pruning attack on watermarked models. Different pruning rates are tested to check if watermarks get erased while accuracy remains acceptable. Results in gray rows are to be ignored (not plausible attacks).

Compression attack via Singular Value Decomposition

Pruning rate elts removed Stdev Extraction rate Acc. after
CNN 0.25 1.867/100 1.457 1.000 0.987
- 0.50 20.143/100 4.721 1.000 0.885
- 0.75 69.643/100 3.296 0.000 0.426
- 0.90 83.714/100 3.989 0.000 0.255
MLP 0.25 0.385/100 0.898 1.000 0.973
- 0.50 5.760/100 2.697 1.000 0.966
- 0.75 48.423/100 5.742 0.077 0.953
- 0.90 83.760/100 6.346 0.000 0.157
Table 2: Robustness to compression from library keras_compressor (SVD-based), compatible with CNN and MLP.

We experimented with a second compression attack: we used a compression library available on GitHub (keras compressor444 which leverages singular value decomposition (SVD) on model weights, to compress them. We tested it to be compatible with MLP and CNN. Tab. 2 shows that the key extraction on CNN is not affected by this new attack, as accuracy drops at for weights compression and with an average of 20 elements removed (over tolerated). The extraction from MLP starts to be affected with high compression of of the weights, with elements removed.

Overwriting attack via adversarial fine-tuning Since we leverage adversaries in the key to embed the watermark in the model, a plausible attack is to try overwriting this watermark via adversarial fine-tuning of the leaked model. As explained in Section 4.3, this action also relates to adversarial training that originally aims to improve model resilience to adversarial attacks papernot2017cleverhans. In this experiment, we turn images from the MNIST test set into adversaries and use them to fine-tune the model (the test set being the remaining images). The results of the overwriting attacks is presented on Tab. 3. An adversarial fine-tuning of size uses times more adversaries than the watermarking key (as , with true adversaries). We see perfect watermark extractions (no false negatives) for CNN and MLP, while there are few extraction failures from the attacked IRNN architecture. This experiment is thus consistent with recent arguments about the general difficulty to defend against adversaries ensemble; DBLP:journals/corr/abs-1809-02104.

elts removed Stdev Extraction rate Acc. after
CNN 17.842 3.594 1.000 0.983
IRNN 37.423 3.931 0.884 0.989
MLP 27.741 5.749 1.000 0.972
Table 3: Robustness to overwriting attacks: Rate of remaining zero-bit watermarks in the three attacked models, after model fine-tuning with new adversaries.

Conclusion on the attacks of watermarks

We highlight that in all but two tries, the watermark is robust to considered attacks. In addition, since the attacker cannot know whether her attack is successful or not (as the key is unknown to her), each new attack trial is bound to degrade the model even further, without removal guarantee. This uncertainty will probably considerably discourage trials of this kind.

4.5 About the efficiency and security requirements.

The efficiency requirement deals with the computational cost of querying a suspected remote service with the queries from the watermarking key. Given typical pricing of current online machine learning services (Amazon’s Machine Learning, for instance, charges per classification requests as per Jan. 2018), keys in the order of hundreds of objects as in our experiments incur financial costs that are negligible, an indication of negligible computational cost as well. It is to be noted that if the suspected model is running on an embedded device 8587745, there is no cost in querying that model; if we target such an application, keys can then be of arbitrary length as far as their embedding preserve the accuracy of the model to be watermarked. As for the watermarking step (key embedding), it is as complex as fine-tuning a network using set . Since the size of is negligible compared to the original training set size, the computational overhead of embedding a key is considered low.

The frontier stitching algorithm deforms slightly and locally the decision frontiers, based on the labelled samples in key . To ensure security, this key must be kept secret by the entity that watermarked the model (otherwise, one might devise a simple overwriting procedure that reverts these deformations). Decision frontier deformation through fine-tuning is a complex process (see work by DBLP:journals/corr/Berg16) which seems very difficult to revert in the absence of information on the key (this absence also prevents the use of recent statistical defense techniques DBLP:journals/corr/GrosseMP0M17). Could a method detect specific local frontier configurations that are due to the embedded watermark? The existence of such an algorithm, related to steganalysis in the domain of multimedia, would indeed be a challenge for neural network watermarking at large, but seems unlikely.

Our watermarking method relies on algorithms for finding adversarial examples, in order to get inputs nearby decision frontiers. Last few years have witnessed an arms race between attacks (algorithms for producing adversarial examples) and defenses to make neural networks more robust to those attacks; the problem is still open DBLP:journals/corr/abs-1809-02104 (please refer to adv-survey for a survey). We argue that our method will remain functional regardless of this arms race, as the purpose of machine learning for classification is to create decision frontiers for separating target classes; there will always be means to cross those frontiers, and then to create the inputs we require in order to create our watermark keys. Authors in DBLP:journals/corr/abs-1809-02104 precisely characterize classes of problems for which adversarial examples cannot be avoided, and that depend on properties of the data distribution as well as the space dimensionality of the dataset.

5 Related Work

Watermarking aims at embedding information into “objects” that one can manipulate locally. One can consider the insertion of visible watermarks in those objects visible; we consider in this work and related work the insertion of invisible watermarks. Watermarking multimedia content especially is a rich and active research field, yet showing a two decades old interest 771066. Neural networks are commonly used to insert watermarks into multimedia content NN-wat.

After extension to surprising domains such as network science Zhao:2015:TGW:2817946.2817956, the extension to watermarking neural networks as objects themselves is new, following the need to protect the valuable assets of today’s state of the art machine learning techniques. Uchida et al. Uchida:2017; Nagai2018 thus propose the watermarking of neural networks, by embedding information in the learned weights. Authors show in the case of convolutional architectures that this embedding does not significantly change the distribution of parameters in the model. Mandatory to the use of this approach is a local copy of the neural network to inspect, as the extraction of the watermark requires reading the weights of convolution kernels. This approach is motivated by the voluntary sharing of already trained models, in case of transfer learning, such as in transfer’s work for instance.

Neural network watermarking techniques that allow verification in a remote black-box context were recently proposed. These works relate to our black box system model (as introduced in the technical report nous). They indeed leverage the model’s outputs to carefully chosen inputs to retrieve the watermark. zhang2018protecting proposes to train the model to be protected with a set of specifically crafted inputs in order to trigger the assignment of a specific target label by the model on those inputs. In other words, their approach is very similar to trojaning trojaning: the triggering of a specific label facing a crafted input constitutes for the authors a proof of ownership. Similarly, adi2018turning explicitly exploits the possibility of neural network trojaning (i.e., , backdooring) for the same purpose. Finally, deepsigns

directly embeds the watermark into the layer weights using specific loss functions. However, contrary to

Uchida:2017 for instance where the weights directly contain the watermark (which is therefore not accessible in a black box context), weights in deepsigns are modified in order to produce desired activations at runtime given specific inputs. Surprisingly, the authors also show that watermarking mechanisms designed in a black box context can also be used in a white box context. In a more restricted setup, Guo et al. propose the adaptation to embedded devices of a black box capable watermark extraction 8587745.

Since more and more models and algorithms might only be accessed through API operations (as being run as a component of a remote online service), there is a growing body of research which is interested in leveraging the restricted set of operations offered by those APIs to gain knowledge about the remote system internals. stealing demonstrates that it is possible to extract an indistinguishable copy of a remotely executed model from some online machine learning APIs.

Depth of neural models may also be infered using timing side channel attacks DBLP:journals/corr/abs-1812-11720. Papernot:2017:PBA:3052973.3053009 have shown attacks on remote models to be feasible, yielding erroneous model outputs. Authors in SETHI2018129

target attacks such as evading a CAPTCHA test, by the reverse engineering of a remote classifier models. Other attacks focus on the stealing of model hyperparameters, from APIs

DBLP:journals/corr/abs-1802-05351; joon2018towards; joon2018towards aims at infering inner hyperparameters (e.g., number of layers, non-linear activation type) of a remote neural network model by analysing its response patterns to certain inputs. Finally, algorithms in tampernn propose to detect the tampering with a deployed model, also through simple queries to the API; tested attacks are trojaning, compression, fine-tuning and the watermarking method proposed in this paper. In present work, we propose a watermarking algorithm that is compliant with APIs, since it solely relies on the basic classification query to the remote service.

6 Conclusion and perspectives

This article introduces the frontier stitching algorithm, to extract previously embedded zero-bit watermarks from leaked models that might be used as part of remote online services. We demonstrated this technique on image classifiers; sound DBLP:journals/corr/abs-1801-01944 and video classifiers DBLP:journals/corr/abs-1807-00458 were also recently found to be prone to adversarial attacks. We believe that a demonstration of existing watermarking techniques in those domains would be of a great practical interest.

We focused on classification problems, which account for many if not most ML-based services. Extensions to other problems (like regressions or semantic segmentation of images) are a next step for future work, since adversarial examples also affect those domains.

Regarding the model architecture aspect, we have seen that the IRNN model is prone to compression attacks (pruning rate of of parameters). This underlines the specific behavior of architectures facing attacks and marking; in depth characterization is an interesting future work.

We challenged the robustness of our watermarking scheme facing compression and overwriting attacks. Other more advanced types of attacks might be of interest for an attacker that wants to remove the inserted watermark. In particular, another attack may be the transfer learning of the watermarked model to another task. Recent work transferl provides a first empirical evidence that the adversaries that were integrated in the model through learning (defense) might not survive the transfer, leading to a potentially successful watermark removal. A full characterization of the resilience of adversaries facing transfer learning attacks is of great importance for future work.

As another future work, we stress that the watermark information is currently extracted using the binary answers to the query made on each object in the key: Whether or not this object is classified by the remote model as expected in the key label. Leveraging not only those binary answers, but also the actual classification issued by the remote model (or even the classification scores), may allow one to embed more information with the same watermark size. Another possible improvement may come from the use of the recent concept of universal adversarial perturbations (Moosavi-Dezfooli:2017): they might be leveraged to build efficient and robust watermarking algorithms. Indeed, this method generates adversaries that can fool multiple classifiers at once. Relying on such adversaries in an extension of our framework might give rise to new, improved watermarking algorithms for neural networks that are queried in a black box setup.

Finally, we recall that the watermarking technique we proposed, as well as the ones from the related work zhang2018protecting; adi2018turning; 8587745; deepsigns, make the assumption that the watermarked model leaked as a bit-level copy. Recent attacks on stealing models yet shown the possibility to leak a model by approximating it stealing through tailored queries. A crucial perspective is thus to investigate watermark techniques that can resist this alternative type of attacks.

The authors would like to thank the reviewers for their constructive comments.