Delving in the loss landscape to embed robust watermarks into neural networks
- Resource Type
- Conference
- Authors
- Tartaglione, Enzo; Grangetto, Marco; Cavagnino, Davide; Botta, Marco
- Source
- 2020 25th International Conference on Pattern Recognition (ICPR), pp. 1243-1250, Jan 2021
- Subject
- Computing and Processing; Signal Processing and Analysis; Training; Adaptation models; Sensitivity; Shape; Redundancy; Watermarking; Artificial neural networks
- Language
- Abstract
- In the last decade the use of artificial neural networks (ANNs) in many fields like image processing or speech recognition has become common practice because of their effectiveness in solving complex tasks. However, in such a rush, very little attention has been paid to security aspects. In this work we explore the possibility of embedding a watermark into the ANN parameters. We exploit model redundancy and adaptation capacity to lock a subset of its parameters to carry the watermark sequence. The watermark can be extracted in a simple way to claim copyright on models, but it can be very easily attacked with model fine-tuning. To tackle this weakness we devise a novel watermark-aware training strategy. We aim at delving into the loss landscape to find an optimal configuration of the parameters such that we are robust to fine-tuning attacks on the watermarked parameters. Our experimental results on classical ANN models trained on the well-known MNIST and CIFAR-10 datasets show that the proposed approach makes the embedded watermark robust to fine-tuning and compression attacks.