Certified Neural Network Watermarks with Randomized Smoothing

July 16, 2022 · Entered Twilight · 🏛 International Conference on Machine Learning

Repo contents: .idea, Attacks, Nets, README.md, cifar10.py, cifar100.py, cifar100_attack.py, cifar100_certify.py, cifar10_attack.py, cifar10_certify.py, mnist.py, mnist_attack.py, mnist_certify.py, verdana.ttf, watermarks

Authors Arpit Bansal, Ping-yeh Chiang, Michael Curry, Rajiv Jain, Curtis Wigington, Varun Manjunatha, John P Dickerson, Tom Goldstein arXiv ID 2207.07972 Category cs.LG: Machine Learning Cross-listed cs.CR Citations 59 Venue International Conference on Machine Learning Repository https://github.com/arpitbansal297/Certified_Watermarks ⭐ 16 Last Checked 1 month ago

Abstract

Watermarking is a commonly used strategy to protect creators' rights to digital images, videos and audio. Recently, watermarking methods have been extended to deep learning models -- in principle, the watermark should be preserved when an adversary tries to copy the model. However, in practice, watermarks can often be removed by an intelligent adversary. Several papers have proposed watermarking methods that claim to be empirically resistant to different types of removal attacks, but these new techniques often fail in the face of new or better-tuned adversaries. In this paper, we propose a certifiable watermarking method. Using the randomized smoothing technique proposed in Chiang et al., we show that our watermark is guaranteed to be unremovable unless the model parameters are changed by more than a certain l2 threshold. In addition to being certifiable, our watermark is also empirically more robust compared to previous watermarking methods. Our experiments can be reproduced with code at https://github.com/arpitbansal297/Certified_Watermarks