TADW: Traceable and Anti-detection Dynamic Watermarking of Deep Neural Networks
Table 1. Requirements for watermarking techniques.

Requirement and explanation:

Feasibility. The model owner is usually unable to access the parameters of a suspicious model. Compared with white-box watermarking, black-box watermarking is therefore more feasible in real environments.

Fidelity. The prediction accuracy of the watermarked model on the original task should not degrade significantly.

Undetectability. It should be hard for the adversary to detect the ownership verification process. For black-box watermarking, the trigger set samples are indistinguishable from clean samples.

Uniqueness. Each watermarked model should be unique; that is, when many infringing models are built on the same IP, the model owner can track and identify each infringing model individually.

Robustness. The embedded watermark must withstand model modification attacks so that it is not invalidated.

Scalability. The watermarking scheme should support commercial operation and be able to serve numerous users.
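The following is an added illustration, not code from the TADW paper, of how several of the requirements above show up in a black-box verification procedure. It uses a toy classifier with assumed parameters (NUM_CLASSES, INPUT_DIM, the base_predict stand-in and the function names are all constructed for this example): per-user trigger sets are derived from an owner secret (Uniqueness), verification queries only the model's predictions (Feasibility), and a tolerance threshold lets verification survive a copy that has "forgotten" part of the trigger set (Robustness).

```python
import hashlib
import hmac
from typing import Callable, Dict, List, Tuple

NUM_CLASSES = 10  # assumed number of output classes for the toy classifier
INPUT_DIM = 4     # assumed input dimensionality (constructed example)

Trigger = Tuple[Tuple[float, ...], int]           # (input vector, expected label)
PredictFn = Callable[[Tuple[float, ...]], int]    # black-box prediction interface


def base_predict(x: Tuple[float, ...]) -> int:
    """Stand-in for the model's behaviour on its original task (constructed)."""
    return int(sum(x) * 100) % NUM_CLASSES


def derive_trigger_set(owner_key: bytes, user_id: str, n: int) -> List[Trigger]:
    """Derive a per-user trigger set from the owner's secret with HMAC-SHA256.

    Each distributed copy gets its own set (Uniqueness). The inputs are plain
    feature vectors, so nothing in a query marks it as a watermark probe.
    """
    triggers: List[Trigger] = []
    for i in range(n):
        digest = hmac.new(owner_key, f"{user_id}:{i}".encode(), hashlib.sha256).digest()
        x = tuple(digest[j] / 255.0 for j in range(INPUT_DIM))
        # Force the expected label away from the un-watermarked answer, so a
        # clean model cannot pass verification by chance.
        offset = 1 + digest[INPUT_DIM] % (NUM_CLASSES - 1)
        label = (base_predict(x) + offset) % NUM_CLASSES
        triggers.append((x, label))
    return triggers


def watermarked_model(triggers: List[Trigger]) -> PredictFn:
    """Toy watermarked model: memorises trigger responses, otherwise behaves like base."""
    table: Dict[Tuple[float, ...], int] = dict(triggers)
    return lambda x: table.get(x, base_predict(x))


def damaged_copy(triggers: List[Trigger], forget_every: int) -> PredictFn:
    """Simulates a modified model that lost every k-th trigger response (Robustness test)."""
    kept = [t for i, t in enumerate(triggers) if i % forget_every != 0]
    return watermarked_model(kept)


def verify_ownership(predict: PredictFn, triggers: List[Trigger],
                     threshold: float = 0.85) -> Tuple[float, bool]:
    """Black-box check (Feasibility): only predict() is used, never model parameters."""
    matches = sum(1 for x, y in triggers if predict(x) == y)
    rate = matches / len(triggers)
    return rate, rate >= threshold


def identify_user(predict: PredictFn, owner_key: bytes,
                  user_ids: List[str], n: int) -> List[str]:
    """Return the distributed copies whose trigger set the suspect model answers (Uniqueness)."""
    return [u for u in user_ids
            if verify_ownership(predict, derive_trigger_set(owner_key, u, n))[1]]


def fidelity_agreement(predict: PredictFn, clean_inputs: List[Tuple[float, ...]]) -> float:
    """Fraction of clean inputs on which the watermarked model agrees with the base model (Fidelity)."""
    return sum(1 for x in clean_inputs if predict(x) == base_predict(x)) / len(clean_inputs)


if __name__ == "__main__":
    key = b"owner-secret-key"  # constructed secret
    users = ["user-A", "user-B", "user-C"]
    suspect = watermarked_model(derive_trigger_set(key, "user-B", 30))
    print("matched copies:", identify_user(suspect, key, users, 30))
    print("damaged copy:", verify_ownership(damaged_copy(derive_trigger_set(key, "user-B", 30), 10),
                                            derive_trigger_set(key, "user-B", 30)))
```

The threshold is what turns the check into a statistical decision: with ten classes and labels chosen to differ from the base answer, an unrelated model matches none of the triggers, while a copy that lost a tenth of its memorised responses still clears 0.85.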