DAWN: Dynamic Adversarial Watermarking of Neural Networks

Sebastian Szyller; Buse Gul Atli; Samuel Marchal; N. Asokan

doi:10.1145/3474085.3475591

DAWN: Dynamic Adversarial Watermarking of Neural Networks

Sebastian Szyller, Buse Gul Atli, Samuel Marchal, N. Asokan

Research output: Chapter in Book/Report/Conference proceeding › Conference article in proceedings › Scientific › peer-review

133 Citations (Scopus)

Abstract

Training machine learning (ML) models is expensive in terms of computational power, amounts of labeled data and human expertise. Thus, ML models constitute business value for their owners. Embedding digital watermarks during model training allows a model owner to later identify their models in case of theft or misuse. However, model functionality can also be stolen via model extraction, where an adversary trains a surrogate model using results returned from a prediction API of the original model. Recent work has shown that model extraction is a realistic threat. Existing watermarking schemes are ineffective against model extraction since it is the adversary who trains the surrogate model. In this paper, we introduce DAWN (Dynamic Adversarial Watermarking of Neural Networks), the first approach to use watermarking to deter model extraction theft. Unlike prior watermarking schemes, DAWN does not impose changes to the training process but operates at the prediction API of the protected model, by dynamically changing the responses for a small subset of queries (e.g., 0.5%) from API clients. This set is a watermark that will be embedded in case a client uses its queries to train a surrogate model. We show that DAWN is resilient against two state-of-the-art model extraction attacks, effectively watermarking all extracted surrogate models, allowing model owners to reliably demonstrate ownership (with confidence greater than 1-2-64), incurring negligible loss of prediction accuracy (0.03-0.5%).

Original language	English
Title of host publication	Proceedings of the 29th ACM International Conference on Multimedia, MM 2021
Publisher	ACM
Pages	4417-4425
Number of pages	9
ISBN (Electronic)	978-1-4503-8651-7
DOIs	https://doi.org/10.1145/3474085.3475591
Publication status	Published - 17 Oct 2021
MoE publication type	A4 Conference publication
Event	ACM International Conference on Multimedia - Virtual, Online, China Duration: 20 Oct 2021 → 24 Oct 2021 Conference number: 29 https://2021.acmmm.org/

Conference

Conference	ACM International Conference on Multimedia
Abbreviated title	MM
Country/Territory	China
City	Virtual, Online
Period	20/10/2021 → 24/10/2021
Internet address	https://2021.acmmm.org/

Funding

Prior defenses to model extraction protect only simple models [16, 30] or prevent only specific extraction attacks [20, 42]. DAWN is a novel a approach where we assume a surrogate model can be extracted, and propose a way to identify any surrogate DNN models that have been extracted from any victim model using any extraction attack. Acknowledgements. This work was supported in part by Intel (in the context of the Private-AI Institute).

Keywords

deep neural network
ip protection
model extraction
model stealing
watermarking

Access to Document

10.1145/3474085.3475591

https://arxiv.org/abs/1906.00830

Cite this

@inproceedings{88b93c41b3ec46d2af34654b4fb86f07,

title = "DAWN: Dynamic Adversarial Watermarking of Neural Networks",

abstract = "Training machine learning (ML) models is expensive in terms of computational power, amounts of labeled data and human expertise. Thus, ML models constitute business value for their owners. Embedding digital watermarks during model training allows a model owner to later identify their models in case of theft or misuse. However, model functionality can also be stolen via model extraction, where an adversary trains a surrogate model using results returned from a prediction API of the original model. Recent work has shown that model extraction is a realistic threat. Existing watermarking schemes are ineffective against model extraction since it is the adversary who trains the surrogate model. In this paper, we introduce DAWN (Dynamic Adversarial Watermarking of Neural Networks), the first approach to use watermarking to deter model extraction theft. Unlike prior watermarking schemes, DAWN does not impose changes to the training process but operates at the prediction API of the protected model, by dynamically changing the responses for a small subset of queries (e.g., 0.5\%) from API clients. This set is a watermark that will be embedded in case a client uses its queries to train a surrogate model. We show that DAWN is resilient against two state-of-the-art model extraction attacks, effectively watermarking all extracted surrogate models, allowing model owners to reliably demonstrate ownership (with confidence greater than 1-2-64), incurring negligible loss of prediction accuracy (0.03-0.5\%).",

keywords = "deep neural network, ip protection, model extraction, model stealing, watermarking",

author = "Sebastian Szyller and Atli, \{Buse Gul\} and Samuel Marchal and N. Asokan",

note = "Funding Information: Prior defenses to model extraction protect only simple models [16, 30] or prevent only specific extraction attacks [20, 42]. DAWN is a novel a approach where we assume a surrogate model can be extracted, and propose a way to identify any surrogate DNN models that have been extracted from any victim model using any extraction attack. Acknowledgements. This work was supported in part by Intel (in the context of the Private-AI Institute). Publisher Copyright: {\textcopyright} 2021 ACM.; ACM International Conference on Multimedia, MM ; Conference date: 20-10-2021 Through 24-10-2021",

year = "2021",

month = oct,

day = "17",

doi = "10.1145/3474085.3475591",

language = "English",

pages = "4417--4425",

booktitle = "Proceedings of the 29th ACM International Conference on Multimedia, MM 2021",

publisher = "ACM",

address = "United States",

url = "https://2021.acmmm.org/",

}

TY - GEN

T1 - DAWN

T2 - ACM International Conference on Multimedia

AU - Szyller, Sebastian

AU - Atli, Buse Gul

AU - Marchal, Samuel

AU - Asokan, N.

N1 - Conference code: 29

PY - 2021/10/17

Y1 - 2021/10/17

N2 - Training machine learning (ML) models is expensive in terms of computational power, amounts of labeled data and human expertise. Thus, ML models constitute business value for their owners. Embedding digital watermarks during model training allows a model owner to later identify their models in case of theft or misuse. However, model functionality can also be stolen via model extraction, where an adversary trains a surrogate model using results returned from a prediction API of the original model. Recent work has shown that model extraction is a realistic threat. Existing watermarking schemes are ineffective against model extraction since it is the adversary who trains the surrogate model. In this paper, we introduce DAWN (Dynamic Adversarial Watermarking of Neural Networks), the first approach to use watermarking to deter model extraction theft. Unlike prior watermarking schemes, DAWN does not impose changes to the training process but operates at the prediction API of the protected model, by dynamically changing the responses for a small subset of queries (e.g., 0.5%) from API clients. This set is a watermark that will be embedded in case a client uses its queries to train a surrogate model. We show that DAWN is resilient against two state-of-the-art model extraction attacks, effectively watermarking all extracted surrogate models, allowing model owners to reliably demonstrate ownership (with confidence greater than 1-2-64), incurring negligible loss of prediction accuracy (0.03-0.5%).

AB - Training machine learning (ML) models is expensive in terms of computational power, amounts of labeled data and human expertise. Thus, ML models constitute business value for their owners. Embedding digital watermarks during model training allows a model owner to later identify their models in case of theft or misuse. However, model functionality can also be stolen via model extraction, where an adversary trains a surrogate model using results returned from a prediction API of the original model. Recent work has shown that model extraction is a realistic threat. Existing watermarking schemes are ineffective against model extraction since it is the adversary who trains the surrogate model. In this paper, we introduce DAWN (Dynamic Adversarial Watermarking of Neural Networks), the first approach to use watermarking to deter model extraction theft. Unlike prior watermarking schemes, DAWN does not impose changes to the training process but operates at the prediction API of the protected model, by dynamically changing the responses for a small subset of queries (e.g., 0.5%) from API clients. This set is a watermark that will be embedded in case a client uses its queries to train a surrogate model. We show that DAWN is resilient against two state-of-the-art model extraction attacks, effectively watermarking all extracted surrogate models, allowing model owners to reliably demonstrate ownership (with confidence greater than 1-2-64), incurring negligible loss of prediction accuracy (0.03-0.5%).

KW - deep neural network

KW - ip protection

KW - model extraction

KW - model stealing

KW - watermarking

UR - https://www.scopus.com/pages/publications/85119324630

U2 - 10.1145/3474085.3475591

DO - 10.1145/3474085.3475591

M3 - Conference article in proceedings

AN - SCOPUS:85119324630

SP - 4417

EP - 4425

BT - Proceedings of the 29th ACM International Conference on Multimedia, MM 2021

PB - ACM

Y2 - 20 October 2021 through 24 October 2021

ER -

DAWN: Dynamic Adversarial Watermarking of Neural Networks

Abstract

Conference

Funding

Keywords

Access to Document

Other files and links

Fingerprint

Cite this