Customized and Robust Deep Neural Network Watermarking

As the excellent performance of deep neural networks (DNNs) enhances a wide spectrum of applications, the protection of intellectual property (IP) of DNNs receives increasing attention recently, and DNN watermarking approaches are thus proposed for ownership verification to avoid potential misuses or thefts of DNN models. However, we observe that existing DNN watermark methods suffer from two major weaknesses: i) Incomplete protection to advanced watermark removal attacks, such as fine-tune attack with large learning rates, re-train after pruning, and most importantly, the distillation attack; ii) Limited customization ability, where multiple watermarked models cannot be uniquely identified, especially after removal attacks. To address these critical issues, we propose two new DNN watermarking approaches, Unified Soft-label Perturbation (USP), which provides robust watermark to detect model thefts, and Customized Soft-label Perturbation (CSP), which is able to embed a different watermark in each copy of the DNN model to enable customized watermarking. Experimental results show that our proposed USP and CSP resist all the watermark removal attacks, especially for the distillation attack, and the proposed CSP achieves very promising watermark customization ability, significantly outperforming the other state-of-the-art baselines.