Abstract

To protect the intellectual property of a neural network, an owner may select a set of trigger samples and their corresponding labels to train the network, and then prove ownership with the trigger set without revealing the inner mechanism or parameters of the network. However, if an attacker is allowed to access the neural network, he can forge a matching relationship between fake trigger samples and fake labels to confuse the ownership. In this paper, we propose a novel neural network watermarking protocol against the forging attack. By introducing a one-way hash function, the trigger samples used to prove ownership must form a one-way chain, and their labels are also assigned. In this way, an attacker without the right to train the network cannot construct a chain of trigger samples or the matching relationship between the trigger samples and the assigned labels. Our experiments show that the proposed protocol can resist watermark forgery without sacrificing network performance.
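The chain-and-assigned-label idea in the abstract, sketched as an added example that is not the paper's code. The construction details are assumptions: SHA-256 as the one-way function, the byte-level sample encoding, labels taken as a hash of the sample modulo the class count, and a lookup-table stand-in for a trained network.

```python
import hashlib

NUM_CLASSES = 10        # assumed label space
SAMPLE_BYTES = 28 * 28  # assumed sample size, one byte per pixel

def _expand(digest: bytes, n: int) -> bytes:
    """Stretch a digest to n bytes with counter-mode SHA-256."""
    blocks = (hashlib.sha256(digest + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def next_sample(sample: bytes) -> bytes:
    """One-way link: each trigger sample is derived from the previous one."""
    return _expand(hashlib.sha256(b"sample|" + sample).digest(), len(sample))

def assigned_label(sample: bytes) -> int:
    """The label is fixed by the sample itself, not chosen by the claimant."""
    digest = hashlib.sha256(b"label|" + sample).digest()
    return int.from_bytes(digest, "big") % NUM_CLASSES

def build_trigger_set(seed: bytes, length: int) -> list:
    """Owner side: derive the whole chain from a secret seed before training."""
    sample = _expand(hashlib.sha256(seed).digest(), SAMPLE_BYTES)
    chain = []
    for _ in range(length):
        chain.append(sample)
        sample = next_sample(sample)
    return chain

def verify_claim(samples, predict) -> bool:
    """Accept only a true chain on which the model outputs every assigned label."""
    if not samples:
        return False
    if any(next_sample(a) != b for a, b in zip(samples, samples[1:])):
        return False
    return all(predict(s) == assigned_label(s) for s in samples)

def stand_in_model(trigger_set):
    """Toy stand-in for a network trained on the owner's trigger set."""
    memorised = {s: assigned_label(s) for s in trigger_set}
    return lambda s: memorised.get(s, sum(s) % NUM_CLASSES)

owner_set = build_trigger_set(b"constructed-owner-seed", 8)  # constructed seed
model = stand_in_model(owner_set)
# Forged claim 1: arbitrary samples paired with the model's outputs (no chain).
unchained = [bytes([i]) * SAMPLE_BYTES for i in range(8)]
# Forged claim 2: a valid chain the model was never trained on.
attacker_chain = build_trigger_set(b"constructed-attacker-seed", 8)
```

The verifier recomputes both the links and the labels, so a claimant cannot choose labels to fit the model's existing behaviour; only training on the chain makes the check pass.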

Highlights

  • The increasing application of neural networks in daily life demonstrates that their intellectual property protection is an important issue, and that watermarking is an effective means of ownership authentication

  • Two samples from the trigger set are added to each training batch in turn, with a batch size of 100, for 60 epochs of training, which ensures the watermark is embedded in the initial training phase, when the network's function is being established

  • The strong fitting ability of the neural network allows it to learn the classification of the trigger set


Summary

Introduction

The increasing application of neural networks in daily life demonstrates that their intellectual property protection is an important issue, and that watermarking is an effective means of ownership authentication. Techniques for watermarking neural networks can generally be classified into two categories: weight-parameter-based methods and trigger-set-based methods. Methods of the first kind usually embed watermarks by slightly modifying weight parameters, and a matrix product between the watermarked parameters and a key-derived matrix is used to extract the embedded watermark. The owner may train the neural network with a loss function that includes an additional watermark extraction term for protection. Because a neural network has a large number of weight parameters, the embedding positions and forms differ between specific watermarking schemes.
