TY - GEN
T1 - Turning your weakness into a strength
T2 - 27th USENIX Security Symposium
AU - Adi, Yossi
AU - Baum, Carsten
AU - Cisse, Moustapha
AU - Pinkas, Benny
AU - Keshet, Joseph
N1 - Publisher Copyright: © 2018 Proceedings of the 27th USENIX Security Symposium. All rights reserved.
PY - 2018
Y1 - 2018
AB - Deep Neural Networks have recently gained lots of success after enabling several breakthroughs in notoriously challenging problems. Training these networks is computationally expensive and requires vast amounts of training data. Selling such pre-trained models can, therefore, be a lucrative business model. Unfortunately, once the models are sold they can be easily copied and redistributed. To avoid this, a tracking mechanism to identify models as the intellectual property of a particular vendor is necessary. In this work, we present an approach for watermarking Deep Neural Networks in a black-box way. Our scheme works for general classification tasks and can easily be combined with current learning algorithms. We show experimentally that such a watermark has no noticeable impact on the primary task that the model is designed for and evaluate the robustness of our proposal against a multitude of practical attacks. Moreover, we provide a theoretical analysis, relating our approach to previous work on backdooring.
UR - http://www.scopus.com/inward/record.url?scp=85069962667&partnerID=8YFLogxK
M3 - Conference contribution
T3 - Proceedings of the 27th USENIX Security Symposium
SP - 1615
EP - 1631
BT - Proceedings of the 27th USENIX Security Symposium
Y2 - 15 August 2018 through 17 August 2018
ER -