Research Article

TADW: Traceable and Anti-detection Dynamic Watermarking of Deep Neural Networks

Table 1

Requirements for watermarking techniques.

| Requirement | Explanation |
|---|---|
| Feasibility | The model owner is usually unable to access the suspicious model's parameters. Compared with white-box watermarking, black-box watermarking has better feasibility in a real environment. |
| Fidelity | Prediction accuracy on the original task should not degrade significantly in the watermarked model. |
| Undetectability | It is hard for the adversary to detect ownership verification processes. For black-box watermarking, the trigger set samples are indistinguishable from clean samples. |
| Uniqueness | Each watermarked model should be unique; that is, the model owner can track and identify a specific infringing model when many infringing models use the same IP. |
| Robustness | The embedded watermark must be resistant to model modification attacks so that it cannot be invalidated. |
| Scalability | The watermarking scheme should support commercial operation and be able to serve numerous users. |