ISSN 1000-1239 CN 11-1777/TP

Journal of Computer Research and Development, 2021, Vol. 58, Issue 5: 964-976. doi: 10.7544/issn1000-1239.2021.20200978

Special Issue: 2021 Special Issue on Artificial Intelligence Security and Privacy Protection Technology


Research Progress of Neural Networks Watermarking Technology

Zhang Yingjun1,4, Chen Kai2,3, Zhou Geng1,4, Lü Peizhuo2,3, Liu Yong2, Huang Liang5   

  1 (Trusted Computing and Information Assurance Laboratory, Institute of Software, Chinese Academy of Sciences, Beijing 100190); 2 (State Key Laboratory of Information Security (Institute of Information Engineering, Chinese Academy of Sciences), Beijing 100195); 3 (School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049); 4 (College of Computer Science and Technology, University of Chinese Academy of Sciences, Beijing 100049); 5 (Legendsec Information Technology (Beijing) Inc, Beijing 100015)
  • Online:2021-05-01
  • Supported by: 
    This work was supported by the Key Program of the National Natural Science Foundation of China (U1836211), the National Natural Science Foundation of China (62072448), the Beijing Natural Science Foundation (JQ18011), the Excellent Member of Youth Innovation Promotion Association, Chinese Academy of Sciences (Y202046), and the Open Project of National Engineering Laboratory of Big Data Collaborative Security.

Abstract: With the popularization of deep neural networks, a trained model has become an important asset and is increasingly offered to users as a machine-learning-as-a-service (MLaaS) product. A user of such a service can also be an attacker who extracts the model while using it. Given the value of the models and the risk of theft, service providers are paying more attention to copyright protection for their models. The main technique, adapted from digital watermarking and applied to neural networks, is called neural network watermarking. In this paper, we first analyze this kind of watermarking and set out the basic requirements its design must meet. We then introduce the related technologies involved in neural network watermarking. Typically, a service provider embeds a watermark in its network; once it suspects that a model has been stolen from it, it verifies whether the watermark is present in the suspect model. Sometimes the provider can obtain the suspect model itself and check for the watermark in the model parameters (white-box verification). At other times the provider cannot acquire the model and can only inspect the input/output pairs of the suspect model (black-box verification). We discuss these watermarking methods and potential attacks on watermarks from the viewpoints of robustness, stealthiness, and security. Finally, we discuss future directions and open challenges.
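The white-box verification path described in the abstract, as an added example that is not part of the paper: a toy pure-Python implementation of a weight-based watermark in the style of the well-known regularizer approach, where a bit string is embedded into the signs of secret random projections of a layer's weights and later read back from the parameters alone. Everything here is constructed for illustration: the weight vector stands in for a trained layer, the L2 anchor term stands in for the real task loss, and the 64-bit length, learning rate, margin, error threshold and the pruning "attack" are assumptions. It also shows the two checks a practitioner wants before trusting such a scheme: a wrong key or an unrelated model must not verify, and a pruned copy of the stolen model still should.

```python
"""Toy white-box neural-network watermark (constructed example, not the
paper's code): embed bits into the signs of secret projections of a
weight vector and verify them from the parameters alone."""
import math
import random

N_WEIGHTS = 256   # length of the flattened weight vector (toy size, assumption)
N_BITS = 64       # watermark length (assumption)


def make_key(n_bits, n_weights, seed):
    """Secret projection matrix X (n_bits x n_weights) kept by the model owner."""
    rng = random.Random(seed)
    return [[rng.gauss(0.0, 1.0) for _ in range(n_weights)] for _ in range(n_bits)]


def make_weights(n_weights, seed):
    """Stand-in for a trained layer's weights (constructed, not a real model)."""
    rng = random.Random(seed)
    return [rng.gauss(0.0, 0.1) for _ in range(n_weights)]


def project(key, w):
    """z = X w: one real number per watermark bit."""
    return [sum(x * y for x, y in zip(row, w)) for row in key]


def extract_bits(key, w):
    """Bit i is read as 1 when the i-th secret projection is positive."""
    return [1 if z > 0 else 0 for z in project(key, w)]


def bit_error_rate(bits, ref):
    return sum(a != b for a, b in zip(bits, ref)) / len(ref)


def _sigmoid(z):
    if z >= 0:
        return 1.0 / (1.0 + math.exp(-z))
    ez = math.exp(z)
    return ez / (1.0 + ez)


def embed(w0, key, bits, lr=0.005, lam=1e-3, margin=3.0, max_steps=400):
    """Gradient descent on BCE(sigmoid(X w), bits) + lam * ||w - w0||^2.
    The L2 term stands in for the task loss that keeps the model useful.
    Stops once every projection has the right sign with at least `margin`,
    so the watermark survives small parameter perturbations."""
    w = list(w0)
    for _ in range(max_steps):
        z = project(key, w)
        if all((zi if b else -zi) >= margin for zi, b in zip(z, bits)):
            break
        err = [_sigmoid(zi) - b for zi, b in zip(z, bits)]   # dBCE/dz
        grad = [2.0 * lam * (wj - w0j) for wj, w0j in zip(w, w0)]
        for e, row in zip(err, key):
            for j, xj in enumerate(row):
                grad[j] += e * xj
        w = [wj - lr * g for wj, g in zip(w, grad)]
    return w


def verify(key, w, bits, max_ber=0.1):
    """White-box check: read the bits back from the parameters and compare."""
    ber = bit_error_rate(extract_bits(key, w), bits)
    return ber <= max_ber, ber


def prune(w, fraction):
    """Zero the smallest-magnitude weights: a cheap stand-in for a pruning attack."""
    cut = sorted(abs(x) for x in w)[int(len(w) * fraction)]
    return [0.0 if abs(x) < cut else x for x in w]


def demo():
    rng = random.Random(42)
    bits = [rng.randint(0, 1) for _ in range(N_BITS)]    # owner's watermark
    key = make_key(N_BITS, N_WEIGHTS, seed=1)            # owner's secret key
    w0 = make_weights(N_WEIGHTS, seed=2)                 # "trained" weights
    w = embed(w0, key, bits)                             # watermarked weights
    ok, ber = verify(key, w, bits)                       # stolen copy: should pass
    _, ber_orig = verify(key, w0, bits)                  # unrelated model: ~0.5
    _, ber_wrong = verify(make_key(N_BITS, N_WEIGHTS, seed=99), w, bits)  # wrong key
    ok_pruned, ber_pruned = verify(key, prune(w, 0.3), bits)  # pruned copy
    drift = math.sqrt(sum((a - b) ** 2 for a, b in zip(w, w0)) / N_WEIGHTS)
    return {"ok": ok, "ber": ber, "ber_orig": ber_orig, "ber_wrong": ber_wrong,
            "ok_pruned": ok_pruned, "ber_pruned": ber_pruned, "rms_drift": drift}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The verification threshold `max_ber` is where a false-accusation risk lives: with 64 bits, an unrelated model or a wrong key yields roughly half the bits wrong, so any threshold well below 0.5 separates the cases, while a pruned or lightly fine-tuned copy of the watermarked model stays far below it because every bit was embedded with a margin. A real black-box scheme replaces `extract_bits` with queries on a trigger set and compares the response-match rate against the same kind of threshold.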

Key words: digital watermark, deep neural network, neural network backdoor, neural network watermark, attacks on the watermarking
