Extending Null Embedding for Deep Neural Network (DNN) Watermarking
Improving the accuracy of the original classification task in piracy-resistant DNN watermarking
K. ALTINAY (TU Delft - Electrical Engineering, Mathematics and Computer Science)
Z Erkin – Mentor (TU Delft - Cyber Security)
Devris Isler – Mentor (IMDEA Networks Institute)
A Katsifodimos – Graduation committee member (TU Delft - Data-Intensive Systems)
Other than for strictly personal use, it is not permitted to download, forward or distribute the text or part of it, without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license such as Creative Commons.
Abstract
The advancement of Machine Learning (ML) in the last decade has created new business prospects for developers working on ML models. Models that are expensive and time-consuming to design and train can now be outsourced to a provider of Machine Learning as a Service (MLaaS) to reduce costs. Deep Neural Networks (DNNs) are particularly expensive to train, so many who need a DNN rely on an MLaaS provider. This creates the possibility of piracy of this valuable asset, and with it the need to prevent piracy in order to assure a fair market. To address this need, research has been conducted on protecting DNNs with various watermarking techniques. Li et al. proposed null embedding, a technique that renders the DNN useless if it is subjected to a piracy attack. Although effective, this method was shown to reduce classification accuracy on the original task when the watermark is embedded into the model. This paper proposes modifications to the null-embedding technique that reduce this impact and keep the classification accuracy close to that of a non-watermarked model.