Do You Sign Your Model?

by · Jul 17, 2020 · 47 views ·

ICML 2020

Engineering a top-notch deep neural network (DNN) is an expensive procedure which involves collecting data, hiring human resources with expertise in machine learning, and providing high computational resources. For that reason, DNNs are considered as valuable Intellectual Properties (IPs) of the model vendors. To ensure a reliable commercialization of these products, it is crucial to develop techniques to protect model vendors against IP infringements. One of such techniques that recently has shown great promise is digital watermarking. In this paper, we present GradSigns, a novel watermarking framework for DNNs. GradSigns embeds owner's signature into gradient of cross-entropy cost function with respect to inputs to the model. Our approach has negligible impact on the performance of the protected model, and can verify ownership of remotely deployed models through prediction APIs. We evaluate GradSigns on DNNs trained for different image classification tasks using CIFAR-10, SVHN and YTF datasets, and experimentally show that unlike existing methods, GradSigns is robust against counter-watermark attacks, and can embed large amount of information into DNNs.