A survey of deep neural network watermarking techniques
Based on: https://arxiv.org/pdf/2103.09274.pdf
Original authors: Yue Li, Hongxia Wang, and Mauro Barni
Date published: 16 Mar 2021
Introduction
What is watermarking in general?
In digital watermarking, a low-amplitude, usually pseudorandom, signal is
embedded into the host document. The signal exploits some redundancy in the
content of the document, so that it can be added without noticeably degrading
the document.
Why is a watermark needed?
Watermarks serve to protect content and to prove ownership of an asset.
Without them, valuable digital assets are open to theft and to unauthorized
use and distribution.
Why Deep Neural Network (DNN) watermarking?
- Deep learning models are becoming more popular because of their human-like
capabilities, and for the same reason they are widely deployed and shared.
- Training a deep learning model is a non-trivial task: it requires huge amounts
of proprietary data and consumes enormous computing, energy and human
expertise.
- DNNs should therefore be protected from unauthorised commercialization and
monetization of the models.
How is a watermark embedded in a DNN?
- A DNN has a substantial number of parameters, which gives it enough degrees
of freedom to encode additional information.
- Doing so does not noticeably impede the primary task the DNN is handling.
- Embedding takes place in the training phase, by suitably altering the loss
function (for example with an extra regularization term).
- The impact of the embedding is measured by comparing the performance of the
watermarked model with that of a non-watermarked one.
Requirements for DNN watermarking
Capacity: the number of bits encoded by the watermark. A large payload is
desirable, but capacity conflicts directly with robustness.
Fidelity: a watermarked model should reach a performance level similar to that
of a model trained without the watermark.
Robustness: the ability to extract the watermark correctly even after the model
has been modified. The two most common manipulations a DNN watermark must
withstand are:
● Fine-tuning: re-training the model, often to solve a new task, which alters
the weights
● Network pruning: removing parameters to simplify a complex model for
deployment on low-power or computationally weak devices
[Figure: trade-off triangle between capacity, fidelity and robustness]
Other requirements
Security: there are two main kinds of intentional attacks:
● Watermark overwriting: an additional watermark is embedded into the model so
that the original watermark can no longer be detected.
● Surrogate model attack: the attacker queries the original network, collects
its outputs, and trains a new network on these input/output pairs to mimic the
original network's functionality without inheriting its watermark.
Generality: DNN watermarking algorithms should be applicable to a range of
architectures carrying out a variety of tasks.
Efficiency: the computational overhead of embedding the watermark while
training the DNN on its task should be small.
DNN watermarking models - I
Multi-bit vs. zero-bit watermarking techniques
- Classified by the content of the watermark message.
- Multi-bit: the watermark message is a sequence of N bits, and extraction
must recover all of them.
- Zero-bit: extraction is a detection task, in which the detector only has to
decide whether a known watermark is present.
[Figure: multi-bit (a) vs zero-bit (b) watermarking]
DNN watermarking models - II
Static vs. dynamic DNN watermarking
- Classified by where the watermark can be read from.
Static watermarking: the watermark is read directly from the network weights,
which makes it similar to conventional multimedia watermarking.
Dynamic watermarking: when fed with specially crafted inputs, the watermark
alters the behaviour of the network, so that the watermark message becomes
visible in the model output.
[Figure: static (a) vs dynamic (b) DNN watermarking]
DNN watermarking models - III
White-box vs. black-box DNN extraction
- Classified by the data accessible to the watermark extractor.
White-box: the internal parameters/weights of the DNN are available, so the
watermark is recovered by inspecting them. This works for both static and
dynamic watermarks.
Black-box: only the final output of the DNN is accessible.
● The watermark is recovered by querying the model with a set of suitably
chosen inputs and comparing the outputs with the expected ones.
● During the whole decoding or detection process, both the model architecture
and the internal parameters are invisible to the decoder.
● This means black-box extraction is only possible with dynamic watermarking.
[Figure: white-box (a) vs black-box (b) DNN watermark recovery]
Static watermarking algorithms
(Columns of the original table: algorithm; white-/black-box extraction; multi-/zero-bit; methodology; robustness and security.)

Uchida et al. (white-box, multi-bit)
  Methodology: a regularization term is added to the loss function so that the watermark is embedded into the model weights.
  Robustness and security: moderate against fine-tuning and pruning.

Li et al. (white-box, multi-bit)
  Methodology: as Uchida's scheme, with an ST-DM-like regularization term.
  Robustness and security: moderate against fine-tuning and pruning.

DeepMarks (white-box, multi-bit)
  Methodology: as Uchida's scheme, with anti-collusion codebooks.
  Robustness and security: moderate against fine-tuning and pruning; addresses the collusion attack.

Tartaglione et al. (white-box, zero-bit)
  Methodology: the watermarked weights are frozen during training, and the loss function maximizes the sensitivity of the network to changes in those weights.
  Robustness and security: good robustness against fine-tuning and weight quantization.
Dynamic watermarking algorithms
(Columns of the original table: algorithm; white-/black-box extraction; multi-/zero-bit; methodology; robustness and security.)

DeepSigns, activation-map variant (white-box, multi-bit)
  Methodology: embeds an arbitrary N-bit string into the probability density function of the activation maps.
  Robustness and security: moderate against fine-tuning and pruning.

DeepSigns, output-layer variant (black-box, zero-bit)
  Methodology: builds key image-label pairs from randomly selected images.
  Robustness and security: moderate against fine-tuning, pruning and overwriting.

Adi et al. (black-box, zero-bit)
  Methodology: injects a backdoor into the target model, using randomly selected images as the trigger set.
  Robustness and security: moderate against fine-tuning.

Szyller et al. (black-box, zero-bit)
  Methodology: a component installed at the input and output of the target model's API embeds a dynamic watermark into the responses returned to the client's queries.
  Robustness and security: surrogate model attack.

Le Merrer et al. (black-box, zero-bit)
  Methodology: adversarial examples are used to adjust the decision boundary of the target model so that a chosen key set is classified in a known way.
  Robustness and security: parameter pruning; overwriting via adversarial fine-tuning.

Zhang et al. (black-box, zero-bit)
  Methodology: visible triggering patterns with a backdoor-like mechanism.
  Robustness and security: model fine-tuning, parameter pruning, model inversion attack.

Guo et al. (black-box, zero-bit)
  Methodology: invisible triggering patterns with a backdoor-like mechanism.
  Robustness and security: model fine-tuning.
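To make the black-box, zero-bit verification behind the backdoor-style rows above (Zhang et al. and the other trigger-set schemes) concrete, here is an added toy example. It is my own code, not code from the survey or from any of the cited schemes. The "models" are 1-nearest-neighbour classifiers on constructed 2-D data so that the query-only mechanics stay visible; the trigger set, the class count, the false-accusation level alpha and the seeds are all arbitrary choices. It shows three things: training on a secret trigger set with arbitrary labels embeds the watermark; the verifier needs a statistical decision rule (a binomial tail bound) so that an unrelated model is not accused just because it reproduces some trigger labels by chance; and the surrogate model attack from the Security slide, where a model extracted through the API reproduces the task but not the triggers, which is the gap the Szyller et al. scheme targets.

```python
"""Toy black-box, zero-bit, dynamic (trigger-set) watermark check.
Pure Python; all data, the trigger set and the thresholds are constructed."""
import math
import random

CLASSES = 3
T = 20  # trigger-set size; the trigger set is the owner's secret key


def make_points(rng, n):
    """Constructed 3-class task: Gaussian blobs around three centres."""
    centres = [(0.0, 0.0), (4.0, 0.0), (0.0, 4.0)]
    pts = []
    for _ in range(n):
        c = rng.randrange(CLASSES)
        cx, cy = centres[c]
        pts.append(((cx + rng.gauss(0, 0.6), cy + rng.gauss(0, 0.6)), c))
    return pts


def make_trigger_set(seed=99):
    """Owner's key: out-of-distribution inputs with arbitrary (random) labels."""
    rng = random.Random(seed)
    return [((rng.uniform(20, 30), rng.uniform(20, 30)), rng.randrange(CLASSES))
            for _ in range(T)]


class NearestNeighbour:
    """A memorising classifier: training on the trigger set 'embeds' the watermark."""

    def __init__(self, labelled_points):
        self.data = list(labelled_points)

    def predict(self, x):
        return min(self.data,
                   key=lambda p: (p[0][0] - x[0]) ** 2 + (p[0][1] - x[1]) ** 2)[1]


def detection_threshold(t=T, classes=CLASSES, alpha=1e-3):
    """Smallest k such that P[Binomial(t, 1/classes) >= k] <= alpha.
    An unrelated model reproduces each random trigger label with probability
    1/classes, so this bounds the chance of a false accusation by alpha."""
    p = 1.0 / classes
    for k in range(t + 1):
        tail = sum(math.comb(t, i) * p ** i * (1 - p) ** (t - i) for i in range(k, t + 1))
        if tail <= alpha:
            return k
    return t + 1


def verify(predict, triggers, threshold):
    """Black-box verification: only predict() is used, never the model internals.
    Returns (number of reproduced trigger labels, watermark detected?)."""
    matches = sum(predict(x) == y for x, y in triggers)
    return matches, matches >= threshold


def surrogate_attack(victim_predict, rng, n_queries=300):
    """Surrogate model attack: label the attacker's own in-distribution data
    through the victim's API and train a fresh model on the answers."""
    queries = [x for x, _ in make_points(rng, n_queries)]
    return NearestNeighbour([(x, victim_predict(x)) for x in queries])


def demo():
    rng = random.Random(3)
    triggers = make_trigger_set()
    owner = NearestNeighbour(make_points(rng, 60) + triggers)  # watermarked model
    clean = NearestNeighbour(make_points(rng, 60))              # independent model
    stolen = surrogate_attack(owner.predict, rng)               # API-extracted copy
    thr = detection_threshold()
    return {
        "threshold": thr,
        "owner": verify(owner.predict, triggers, thr),
        "clean": verify(clean.predict, triggers, thr),
        "surrogate": verify(stolen.predict, triggers, thr),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

With 20 triggers over 3 classes the threshold works out to 14 reproduced labels: the watermarked model reproduces all 20, the independently trained model and the surrogate land near the chance level of about 7 and are not flagged. The surrogate result is the point of the Security slide: a trigger-set watermark lives in the owner's model, not in the function it computes, so a copy distilled through the API escapes this check.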
Attacks on DNN Watermarking
● The attacker can exploit the observation that watermark embedding increases
the variance of the weights, which makes a watermarked model distinguishable
from a non-watermarked one.
● The standard deviation of the weights also grows linearly with the watermark
length, so the attacker can estimate the length of the watermark or simply tell
whether one is present.
● This information is then used to overwrite the existing watermark with a new
one, rendering the original watermark unreadable.
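The following added example is my own toy code, not the survey's or Uchida et al.'s implementation. It shows the white-box, multi-bit regularizer scheme from the static-watermarking table (a binary cross-entropy term on a secret projection of the weights is added to the task loss) together with the weight-variance tell described on this slide. The host "model" is a single linear layer trained by plain gradient descent on constructed data; the projection matrix, the message, the loss weight LAMBDA, the step count and the seeds are hypothetical choices. The task depends only on an 8-dimensional latent factor, so 56 of the 64 weights are redundant for the task, which is exactly the freedom the embedding uses. The code embeds 16 bits, extracts them with the secret matrix, checks that they survive 30% magnitude pruning, compares the task loss with and without the watermark (fidelity), and reports the weight standard deviation in both cases.

```python
"""Toy white-box, multi-bit weight-regularizer watermark (Uchida et al. style).
Pure Python, no ML framework; data, key and all constants are constructed."""
import math
import random

M = 64        # number of host weights (one flattened layer)
K = 8         # the task only depends on an 8-dim latent: 56 redundant directions
T = 16        # watermark capacity in bits
LAMBDA = 1.0  # weight of the watermark regularizer in the total loss (hypothetical)
STEPS = 400
LR = 0.015


def dot(u, v):
    return sum(a * c for a, c in zip(u, v))


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def make_task(seed=1, n=128):
    """Constructed primary task: x = A s with an 8-dim latent s, y = w_true . x + noise.
    Because x lives in an 8-dim subspace, the task pins w down in only 8 of its
    64 directions; the other 56 are the redundancy a watermark can exploit."""
    rng = random.Random(seed)
    A = [[rng.gauss(0, 1 / math.sqrt(K)) for _ in range(K)] for _ in range(M)]
    w_true = [rng.uniform(-0.1, 0.1) for _ in range(M)]
    xs, ys = [], []
    for _ in range(n):
        s = [rng.gauss(0, 1) for _ in range(K)]
        x = [dot(row, s) for row in A]
        xs.append(x)
        ys.append(dot(w_true, x) + rng.gauss(0, 0.1))
    return xs, ys


def make_key(seed=7):
    """Secret projection matrix X (T x M) plus the T-bit message b.
    X is the key: without it the bits cannot be read from w."""
    rng = random.Random(seed)
    X = [[rng.gauss(0, 1) for _ in range(M)] for _ in range(T)]
    b = [rng.randint(0, 1) for _ in range(T)]
    return X, b


def train(xs, ys, X=None, b=None):
    """Gradient descent on E0(w) + LAMBDA * E_R(w).
    E0: task MSE. E_R: binary cross-entropy between b and sigmoid(X w).
    With X=None the model is trained without a watermark."""
    n = len(xs)
    w = [0.0] * M
    for _ in range(STEPS):
        errs = [dot(w, x) - y for x, y in zip(xs, ys)]
        grad = [2.0 / n * sum(e * x[i] for e, x in zip(errs, xs)) for i in range(M)]
        if X is not None:
            # d E_R / d w = sum_j (sigmoid(X_j . w) - b_j) X_j
            ds = [sigmoid(dot(Xj, w)) - bj for Xj, bj in zip(X, b)]
            grad = [g + LAMBDA * sum(d * Xj[i] for d, Xj in zip(ds, X))
                    for i, g in enumerate(grad)]
        w = [wi - LR * g for wi, g in zip(w, grad)]
    return w


def extract(w, X):
    """White-box extraction: each bit is the sign of one projection of the weights."""
    return [1 if dot(Xj, w) >= 0 else 0 for Xj in X]


def bit_error_rate(bits, ref):
    return sum(p != q for p, q in zip(bits, ref)) / len(ref)


def prune(w, frac):
    """Magnitude pruning (a robustness attack): zero the frac smallest |w|."""
    drop = set(sorted(range(len(w)), key=lambda i: abs(w[i]))[: int(len(w) * frac)])
    return [0.0 if i in drop else wi for i, wi in enumerate(w)]


def mse(w, xs, ys):
    return sum((dot(w, x) - y) ** 2 for x, y in zip(xs, ys)) / len(xs)


def std(v):
    m = sum(v) / len(v)
    return math.sqrt(sum((a - m) ** 2 for a in v) / len(v))


def demo():
    """Embed, then check capacity, fidelity, robustness and the variance tell."""
    xs, ys = make_task()
    X, b = make_key()
    w_plain = train(xs, ys)
    w_wm = train(xs, ys, X, b)
    return {
        "ber_watermarked": bit_error_rate(extract(w_wm, X), b),
        "ber_pruned_30pct": bit_error_rate(extract(prune(w_wm, 0.3), X), b),
        "ber_unwatermarked": bit_error_rate(extract(w_plain, X), b),  # key on a clean model
        "mse_plain": mse(w_plain, xs, ys),  # fidelity: task loss without / with watermark
        "mse_wm": mse(w_wm, xs, ys),
        "std_plain": std(w_plain),          # the weight-variance tell an attacker looks for
        "std_wm": std(w_wm),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:18s} {value:.4f}")
```

Two things are worth noticing in the output. The task loss barely moves because the regularizer pushes the weights almost entirely along directions the training data never constrains, which is the "degrees of freedom" argument of the embedding slide in miniature; and the weight standard deviation of the watermarked layer is several times that of the clean one, which is the statistic the overwriting attack described on this slide keys on.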
Conclusion
- DNN watermarking is exposed to the same vulnerabilities as any other
watermarking solution.
- Providing robustness remains a challenge against:
● Fine-tuning
● Model pruning
● Transfer learning
- DNNs are becoming increasingly popular because of their human-like capabilities,
and considering the resources invested in building them it is important that
these assets are protected. From our reading we are fairly confident that
watermarking is one of the reliable ways to achieve this goal.
Thank you!