The training cost of a deep learning model is high; however, the cost of stealing it is low. Such a model is easy to copy and spread. The copyright owner of a model can embed a watermark in the model using a backdoor or another method. The copyright of the model is then proven by verifying the embedded watermark. Watermark embedding strategies can be classified into forward and backward model watermarking. Forward model watermarking embeds watermarks from scratch, whereas backward model watermarking is performed after the original model has been trained. Backward model watermarking requires fewer computations and is more flexible. However, unlike forward model watermarks, watermarks embedded by existing backward watermarking methods can be easily erased by fine-tuning, pruning, and other attacks. This study analyzes why backward model watermarking is weaker than forward model watermarking. Based on this analysis, a general method is proposed to enhance the robustness of backward model watermarking. This method introduces constraints on the middle-layer features and outputs of the model during the watermark embedding process. Experiments on CIFAR-10, CALTECH-101, GTSRB, and other datasets demonstrate that the proposed method can effectively improve the robustness of backward model watermarking against fine-tuning attacks, particularly on the CIFAR-10 dataset, where it improves the watermark success rate by an average of 24.2 percentage points compared to the baseline method. It also improves the robustness of backward model watermarking under pruning attacks.
deep learning model; copyright protection of the model; model watermarking; backdoor; robustness