Probabilistic Approach for Robust Watermarking of Neural Networks

To enhance the integrity guarantees of the proposed watermarking approach, it is essential to refine the verification procedure to distinguish between stolen models and independent models effectively. One potential extension involves implementing a dual verification mechanism that not only checks for agreement among the proxy models but also incorporates a rejection criterion for models that do not belong to the parametric set of proxy models ( B_{\delta, \tau}(f) ). This can be achieved by defining a complementary set ( \overline{B_{\delta, \tau}(f)} ) that includes models with significantly different parameters or architectures. The verification process can be modified to require that, in addition to the agreement among the proxy models, the predicted class label from the source model must differ from the predictions of models in ( \overline{B_{\delta, \tau}(f)} ). This dual-check mechanism would reduce the likelihood of falsely identifying independent models as stolen, as it ensures that only models closely resembling the source model are flagged. Moreover, incorporating a statistical analysis of the prediction distributions from both the proxy and independent models can provide additional insights into their similarities. By employing techniques such as hypothesis testing or confidence intervals, the method can quantify the likelihood that a model is indeed a stolen version rather than an independent one, thus bolstering the integrity guarantees of the watermarking approach.

The theoretical limits of the transferability of the trigger set to stolen models can be characterized by examining the underlying properties of the model architectures, the nature of the training data, and the specific stealing attack employed. Transferability is fundamentally influenced by the degree of similarity between the source model and the surrogate models, which can be quantified using metrics such as the ( L_2 )-norm of the weight differences between the models. One way to formalize these limits is through the concept of a common decision boundary. If the surrogate model's decision boundary is significantly different from that of the source model, the likelihood of successful transferability of the trigger set diminishes. This can be mathematically expressed by defining a threshold for the weight differences ( \delta ) and performance discrepancies ( \tau ) that delineate the boundaries of the parametric set ( B_{\delta, \tau}(f) ). Additionally, the transferability can be influenced by the complexity of the input space and the distribution of the training data. For instance, if the trigger set is constructed from samples that lie near the decision boundary of the source model, the transferability to a surrogate model that has been fine-tuned or altered through knowledge distillation may be compromised. Thus, the theoretical limits can be characterized by establishing conditions under which the trigger set remains effective, such as ensuring that the samples are sufficiently distant from the decision boundary of both the source and surrogate models.

To adapt the proposed watermarking approach for resilience against more complex model stealing attacks, such as those involving adversarial examples or model fine-tuning, several strategies can be employed. Firstly, the trigger set generation process can be enhanced by incorporating adversarial training techniques. By generating trigger samples that are not only convex combinations of benign data points but also adversarially perturbed versions of these points, the watermarking method can ensure that the trigger set remains effective even when the surrogate model is subjected to adversarial attacks. This can be achieved by utilizing adversarial training algorithms, such as Projected Gradient Descent (PGD), to create robust trigger samples that are less likely to be misclassified by both the source and surrogate models. Secondly, the verification process can be modified to account for model fine-tuning. This can involve dynamically adjusting the parameters ( \delta ) and ( \tau ) based on the observed performance of the surrogate models during the fine-tuning process. By continuously monitoring the accuracy of the surrogate models on the trigger set, the approach can adaptively refine the criteria for verifying ownership, ensuring that even fine-tuned models that may have diverged from the original architecture can still be accurately assessed. Lastly, incorporating ensemble methods into the verification process can enhance robustness against various stealing strategies. By utilizing multiple proxy models with diverse architectures or training regimes, the method can create a more comprehensive assessment of the trigger set's transferability. This ensemble approach can help mitigate the risks posed by sophisticated stealing attacks, as it leverages the collective knowledge of multiple models to validate the ownership of the original model more effectively.