340 — Protecting Intellectual Property of Deep Neural Networks with Watermarking
Zhang et al (10.1145/3196494.3196550)
Read on 26 July 2018One of the great things about machine learning is the community: The open-source community shares enormous amounts of code and other intellectual property, and it’s conventional for a new publication to also list its source code alongside the paper.
But there are cases where you don’t necessarily want to share code — or cases where you want to clearly mark ownership over a certain algorithm or neural network.
Today’s paper proposes a technique for ‘watermarking’ a neural network without affecting its normal function. This is important, because watermarks shouldn’t detract from the actual function of the product. (Audio file DRM is an example of the ownership information staying out of the way; image watermarks are a case where the watermark itself gets in the way of the product, since it sits in front of the image itself. That is, of course, the whole purpose of image watermarks, but I digress.)
The authors propose three watermark generators: All three use variations on the same theme of using training data to “mark” the net. Some out-of-domain input is provided — for example, a handwritten digit is provided to a dog classifier — and trained so that it reliably outputs a consistent class label. Then, this can be fed back into the network to generate the image. Or perhaps very specific noise or structure is provided, which also induces a specific label output.
Because neither the input nor the “mark” label are clear to the end-user, it is not possible to remove the watermark from the trained network model; nor does the mark affect the accuracy of the model on all in-domain inputs.