This paper proposes a new robust scheme that provides copy-protection services for Deep Neural Network (DNN) models using digital watermarks. The rationale of the proposed technique is that robustness can be achieved by embedding a large watermark that spans the whole model: an adversary who attempts to destroy the watermark will end up destroying the DNN model as well. However, maximizing the embedding capacity strongly degrades the performance of the DNN model. To control the performance-capacity-robustness trade-off, the proposed scheme utilizes the Discrete Cosine Transform (DCT) because of its strong energy-compaction property, which becomes even stronger when the transform is applied to correlated segments of data. The proposed technique therefore extracts the DNN weights and groups them into correlated segments before applying the DCT. The experimental results demonstrate the effectiveness of the proposed DNN watermarking scheme: it was able to embed 1.73 Mb of data with only a 1.4% drop in the classification accuracy of a standard Residual Neural Network with 21 Convolutional layers.
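As an added illustration (not code from the paper), a minimal version of the pipeline the abstract describes: the weights are grouped into correlated segments, each segment is DCT-transformed, and watermark bits are written into the high-frequency coefficients, where the compaction property leaves almost no energy, so the weights change little. The embedding rule (quantisation index modulation), the segment length, the step size and the synthetic weights are assumptions of this example, not details taken from the paper.

```python
import math

# Constructed, deterministic stand-in for one layer's weights, flattened so that
# neighbouring values are correlated (the abstract groups correlated weights
# before the DCT; the exact grouping rule is assumed here, not taken from it).
WEIGHTS = [0.5 * math.cos(i / 7.0) + 0.1 * math.sin(i / 3.0) for i in range(256)]

def _basis(n):
    """Orthonormal DCT-II basis, b[k][i]; row k is frequency k."""
    return [[math.sqrt((1 if k == 0 else 2) / n) * math.cos(math.pi * (2 * i + 1) * k / (2 * n))
             for i in range(n)] for k in range(n)]

def dct(x):
    """Forward DCT: the energy of a smooth segment compacts into low k."""
    return [sum(bk[i] * xi for i, xi in enumerate(x)) for bk in _basis(len(x))]

def idct(c):
    """Inverse DCT (orthonormal, so per-weight error <= coefficient change)."""
    b = _basis(len(c))
    return [sum(b[k][i] * ck for k, ck in enumerate(c)) for i in range(len(c))]

def embed(weights, bits, seg_len=16, bits_per_seg=1, step=0.05):
    """QIM (assumed rule): one bit per high-frequency coefficient. bits_per_seg
    trades capacity for distortion; step trades robustness for distortion."""
    out, pos = [], 0
    for s in range(0, len(weights) - seg_len + 1, seg_len):
        if pos >= len(bits): break
        c = dct(weights[s:s + seg_len])
        for j in range(min(bits_per_seg, len(bits) - pos)):
            k = seg_len - 1 - j              # near-zero coefficient: cheap to move
            b, pos = bits[pos], pos + 1
            c[k] = step * round((c[k] - b * step / 2) / step) + b * step / 2
        out.extend(idct(c))
    return out + weights[len(out):]          # unused tail stays untouched

def extract(weights, n_bits, seg_len=16, bits_per_seg=1, step=0.05):
    """Decide, per coefficient, which of the two QIM lattices is closest."""
    bits = []
    for s in range(0, len(weights) - seg_len + 1, seg_len):
        c = dct(weights[s:s + seg_len])
        for j in range(bits_per_seg):
            if len(bits) == n_bits: return bits
            frac = (c[seg_len - 1 - j] / step) % 1.0
            bits.append(1 if abs(frac - 0.5) < 0.25 else 0)
    return bits

def max_weight_change(a, b):
    """Largest per-weight distortion between two weight lists."""
    return max(abs(x - y) for x, y in zip(a, b))
```

Because the transform is orthonormal, every weight moves by at most sqrt(bits_per_seg) * step / 2, which is the quantity the capacity-distortion trade-off in the abstract controls; a perturbation smaller than step / 4 per coefficient leaves every bit intact, a larger one breaks the watermark but also moves the weights by a comparable amount.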