Black Box Watermarking for DNN Model Integrity Detection Using Label Loss

Black Box Watermarking for DNN Model Integrity Detection Using Label Loss

After significant investments of time and resources, the accuracy of deep neural network (DNN) models has reached commercially viable levels, leading to their increasing deployment on cloud platforms for commercial services. However, ongoing research indicates that the challenges facing deep neural network models are continually evolving, particularly with various attacks emerging to compromise their integrity. Deep neural networks are susceptible to poisoning attacks and backdoor attacks, both of which involve malicious fine-tuning of the deep models. Malicious fine-tuning can lead to unpredictable outputs from deep neural network models. Although at-tempts have been made to address this issue, these solutions often increase model complexity or diminish model performance. We propose a black-box watermarking technique based on trigger image sets, which can effectively detect malicious fine-tuning while also enabling copyright authentication. This watermarking technique builds upon black-box watermarking methods, leveraging trig-ger image sets and utilizing a two-stage alternating training approach to fine-tune the model. During training, a novel loss function is employed to optimize the trigger images, thereby embedding the watermark while preserving the model’s original classification capabilities. The proposed watermarking model is highly sensitive to malicious fine-tuning, resulting in unstable classification outcomes for trigger images. Ultimately, by inputting trigger image sets and analyzing the output of the watermarking model, the integrity of the deep neural network model can be verified. Experimental results demonstrate the effectiveness of this approach in detecting the integrity of DNN models.