DOI: 10.1145/3531536.3532950
Research article

BlindSpot: Watermarking Through Fairness

Published: 23 June 2022

Abstract

With the increasing use of machine learning models in everyday business, a strong need for intellectual property protection has arisen. For this purpose, current works suggest leveraging backdoor techniques to embed a watermark into the model by overfitting it to a set of specially crafted, secret input-output pairs called triggers. By sending verification queries containing the triggers, the model owner can analyse the behaviour of any suspect model on those queries and claim ownership of it. However, in scenarios where frequent monitoring is needed, the volume of verification queries this requires shows that backdoor-based watermarking is too sensitive to outlier detection attacks and cannot guarantee the secrecy of the triggers.
To solve this issue, we introduce BlindSpot, which watermarks machine learning models through fairness. Our trigger-less approach supports a high number of verification queries while remaining robust to outlier detection attacks. We show on the Fashion-MNIST and CIFAR-10 datasets that BlindSpot watermarks models effectively while remaining robust to outlier detection attacks, at a cost of 2% in accuracy.
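The trigger-set verification the abstract describes, and the outlier-detection evasion it warns about, as an added example (this is not code from the BlindSpot paper, and it does not implement BlindSpot's fairness-based scheme). Everything concrete here is an assumption chosen so the block runs offline: a 10-class task, 8-dimensional feature vectors standing in for images with natural values in [0, 1], triggers constructed outside that range, a dictionary-memorising toy model, and an ownership threshold of p < 1e-6 under a binomial chance baseline.

```python
"""Trigger-set (backdoor) watermark verification, and the outlier-detection
evasion that breaks it once the triggers have been exposed.

Added example: not code from the BlindSpot paper, and not an implementation
of BlindSpot. Models, input ranges, trigger construction and the decision
threshold are toy assumptions so that the block runs offline.
"""
from __future__ import annotations

import math
import random
from typing import Callable, Sequence

NUM_CLASSES = 10   # assumption: a 10-class task (Fashion-MNIST / CIFAR-10 size)
DIM = 8            # assumption: tiny feature vectors stand in for images
Vector = Sequence[float]
Model = Callable[[Vector], int]


def make_trigger_set(rng: random.Random, n: int) -> list[tuple[Vector, int]]:
    """Owner's secret trigger set: each input gets an arbitrary secret label.
    Like typical trigger sets, the inputs lie outside the natural data range
    ([0, 1] per feature here), which is exactly what makes them detectable."""
    return [([rng.uniform(3.0, 5.0) for _ in range(DIM)], rng.randrange(NUM_CLASSES))
            for _ in range(n)]


def base_model(x: Vector) -> int:
    """Stand-in for a trained classifier: a fixed deterministic rule."""
    return int(sum(x) * 10) % NUM_CLASSES


def watermarked_model(triggers: list[tuple[Vector, int]]) -> Model:
    """Backdoor-style watermark: the model is 'overfit' to the triggers, so it
    returns the secret label on each of them and the base rule everywhere else."""
    memory = {tuple(x): y for x, y in triggers}

    def predict(x: Vector) -> int:
        return memory.get(tuple(x), base_model(x))

    return predict


def binomial_tail(n: int, k: int, p: float) -> float:
    """P[X >= k] for X ~ Binomial(n, p): the chance that an unrelated model,
    agreeing with each secret label with probability p, matches at least k."""
    return sum(math.comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k, n + 1))


def verify_ownership(suspect: Model, triggers, alpha: float = 1e-6):
    """Black-box verification: query the suspect on every trigger, count
    agreements with the secret labels, and claim ownership only if that many
    agreements is implausible under the chance baseline of 1/NUM_CLASSES."""
    matches = sum(1 for x, y in triggers if suspect(x) == y)
    p_value = binomial_tail(len(triggers), matches, 1.0 / NUM_CLASSES)
    return matches, p_value, p_value < alpha


def is_outlier(x: Vector, lo: float = 0.0, hi: float = 1.0) -> bool:
    """Thief's outlier detector: anything outside the natural feature range."""
    return any(v < lo or v > hi for v in x)


def evading_wrapper(stolen: Model) -> Model:
    """Thief's deployment of the stolen (watermarked) model. Queries flagged as
    outliers are clipped into the natural range before inference, so the
    memorised trigger responses are never reached. Repeated verification
    queries are what make the triggers easy to spot this way, which is the
    weakness the abstract attributes to backdoor-based watermarking."""
    def predict(x: Vector) -> int:
        if is_outlier(x):
            x = [min(max(v, 0.0), 1.0) for v in x]
        return stolen(x)

    return predict


def demo(seed: int = 1234, n_triggers: int = 50):
    """Verify an unmodified stolen copy and an outlier-filtered one."""
    rng = random.Random(seed)
    triggers = make_trigger_set(rng, n_triggers)
    owner = watermarked_model(triggers)
    # An unmodified copy of the watermarked model answers every trigger correctly.
    honest = verify_ownership(owner, triggers)
    # A thief who filters outliers strips the evidence without any retraining.
    evaded = verify_ownership(evading_wrapper(owner), triggers)
    return honest, evaded


if __name__ == "__main__":
    (m1, p1, c1), (m2, p2, c2) = demo()
    print(f"plain stolen copy : {m1}/50 triggers match, p={p1:.2e}, claim={c1}")
    print(f"outlier-filtered  : {m2}/50 triggers match, p={p2:.2e}, claim={c2}")
```

Running it shows a full 50/50 match with a vanishing p-value for the unmodified stolen copy, and chance-level agreement once the thief clips out-of-range queries. The verification queries themselves are what expose the triggers, so the more often the owner monitors, the cheaper the attack becomes. Real trigger sets are images rather than range-violating vectors and real outlier detectors are learned, but the verification statistic and the failure mode are the same.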


Cited By

  • (2024) SoK: Unintended Interactions among Machine Learning Defenses and Risks. 2024 IEEE Symposium on Security and Privacy (SP), pp. 2996-3014. DOI 10.1109/SP54263.2024.00243. Online publication date: 19 May 2024.
  • (2023) When Federated Learning Meets Watermarking: A Comprehensive Overview of Techniques for Intellectual Property Protection. Machine Learning and Knowledge Extraction 5(4), pp. 1382-1406. DOI 10.3390/make5040070. Online publication date: 4 Oct 2023.
  • (2023) Emerging challenges and perspectives in Deep Learning model security: A brief survey. Systems and Soft Computing 5, 200050. DOI 10.1016/j.sasc.2023.200050. Online publication date: Dec 2023.


      Published In

      IH&MMSec '22: Proceedings of the 2022 ACM Workshop on Information Hiding and Multimedia Security
      June 2022, 177 pages
      ISBN: 9781450393553
      DOI: 10.1145/3531536
      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

      Publisher

      Association for Computing Machinery, New York, NY, United States


      Author Tags

      1. fairness
      2. machine learning
      3. security
      4. watermarking

      Qualifiers

      • Research-article

      Conference

      IH&MMSec '22

      Acceptance Rates

      Overall Acceptance Rate 128 of 318 submissions, 40%
