Understanding Neural Network Watermarking Technologies


Neural networks are being deployed in various domains like autonomous systems, but protecting their integrity is crucial due to the costly nature of machine learning. Watermarking provides a solution to ensure traceability, integrity, and functionality of neural networks by allowing imperceptible data insertion. The complexity of watermark insertion in neural networks presents new challenges compared to traditional media.


Uploaded on Oct 06, 2024 | 0 Views



Presentation Transcript


  1. Neural Network Watermarking
     2023/03/31, T08:40 UTC & 20:00 UTC
     http://nnw.mpai.community
     6-Oct-24

  2. Neural Networks today
     - Deployed in an increasing variety of domains
     - Continuously renewed (industry & academia)
     - At the heart of various autonomous systems:
       - Autonomous robots
       - Unmanned vehicles
     - Deployed in more and more critical domains:
       - Medical decisions
       - Autonomous vehicles with passengers

  3. Why watermarking is useful for Neural Networks
     - Machine learning is a costly field:
       - Buying an AI solution ranges from $ 6000 to $300.000
       - Renting a pre-built module costs around $ 40.000/year
     - An AI solution could:
       - use multiple alternative Neural Networks to provide an inference -> identifying the one that actually produced the inference is important
       - be shared among multiple users -> keeping track of this process is useful
       - be altered or maliciously attacked -> identifying such modifications avoids faulty functioning
     - Ensuring traceability and integrity of Neural Networks becomes mandatory

  4. Neural Network Watermarking synopsis
     - Watermarking provides tools that allow some data to be inserted imperceptibly and persistently into original content
     - [Diagram: Watermarking, characterized by Imperceptibility, Robustness and Data payload]
     - Watermarking a Neural Network is a new challenge:
       - Watermark insertion is not static (as it was for media) but dynamic, as the watermark can also be:
         - inserted during training
         - detected from inference
       - Evaluation of watermark impact on inference is much more complex than on multimedia quality

  5. Neural Network Watermarking use cases
     - Identify an NN: the retrieved data conveys information about the NN itself.
     - Identify the actors of an NN: the retrieved data conveys information about some or all the actors.
     - Verify the integrity of an NN: the retrieved data conveys information about NN integrity.
     - [Diagram labels: NN - 007; input, Detector, output; MPAI property; modification]

  6. Scope of the MPAI-NNW Standard
     MPAI-NNW specifies methodologies to evaluate the following aspects of a neural network watermarking technology:
     1. The impact on the performance of a watermarked neural network and/or on its inference.
     2. How well a neural network watermarking detector/decoder can detect/decode a payload when the watermarked neural network has been modified.
     3. The computational cost of injecting, detecting or decoding a payload in the watermarked neural network.
     [Diagram "NNW - Evaluate performances of watermarking NN": Trained NN, injector, Watermarked NN, detector (Yes/No), decoder (0 1 0 0 0 1 1); labels: Modification of performance induced by the watermarking process; Processing cost of the insertion; Performance criteria for the detector/decoder; Processing cost of the detection/decoding phase; MPAI Tester; Watermark provider]

  7. MPAI-NNW standard: Imperceptibility evaluation
     [Diagram: Trained NN, injector (0 1 0 0 0 1 1 1), Watermarked NN]
     - Define a pair of training and testing datasets, with a size at least 10 times larger than the number of trainable parameters.
     - Apply the watermark to a set of unwatermarked NNs trained on the task.
     - Feed the unwatermarked and watermarked NNs on the test dataset.
     - Measure the task-dependent quality of the produced inference.

  8. MPAI-NNW standard: Robustness evaluation
     [Diagram: detector (Yes/No), decoder (0 1 0 0 0 1 1 1)]
     - Define a pair of training and testing datasets, with a size at least 10 times larger than the number of trainable parameters.
     - Apply the watermark to a set of unwatermarked NNs trained on the task.
     - Select and apply one modification (attack): Gaussian noise addition, L1 pruning, random pruning, quantization, fine-tuning, knowledge distillation or watermark overwriting.
     - Evaluate the Robustness of the detector or decoder.

  9. MPAI-NNW standard: Computational cost evaluation
     [Diagram labels: Processing cost of the insertion; Processing cost of the detection/decoding phase]
     - Four elements shall be used to characterize the injection process:
       - The memory footprint
       - The time to execute the operation required by one epoch, normalized according to the number of batches processed in one epoch
       - In case injection is done concurrently with network training, the number of epochs required to insert the watermark
       - The time for the watermarked neural network to compute an inference
     - Two elements shall be used to characterize the detection/decoding process:
       - The memory footprint
       - The total duration

  10. MPAI-NNW Reference software
     - The purpose of MPAI-NNW Reference software is to provide an instance of MPAI-NNW Software for the image classification task
     - The current implementation serves as a guideline for other NN tasks
     - Two key software components: injector, decoder
     - [Diagram labels: MPAI User; start; Inputs; Property Evaluation; end]

  11. MPAI-NNW Reference software: Imperceptibility evaluation
     [Diagram: Trained NN, injector (0 1 0 0 0 1 1 1), Watermarked NN; labels: start; Injector: Uchida et al. method, 0 type; Training dataset: CIFAR 10 training dataset; Embedder; Imperceptibility Evaluation; Testing dataset: CIFAR 10 testing dataset; end]

  12. MPAI-NNW Reference software: Robustness evaluation
     [Diagram: detector (Yes/No), decoder (0 1 0 0 0 1 1 1); labels: start; Decoder: Uchida et al. method, 4 type; Modification ID; Parameters; Modifications: Quantizing, ? = [16,8,4]; Detector/Decoder; Test dataset; Robustness Evaluation; end]

  13. MPAI-NNW Reference software: Computational cost evaluation
     [Diagram labels: Processing cost of the insertion; Processing cost of the detection/decoding phase; start; Memory_footprint; Time_module; end]

  14. Next steps
     - Develop a set of APIs to facilitate the usage of MPAI-NNW Reference Software:
       - add-on injectors and detectors/decoders (N.B. no constraints on injectors, detectors/decoders)
       - versatile configuration tools for MPAI-NNW evaluation
     - Embed the MPAI-NNW Reference Software in the MPAI AI Framework
     - Promote the MPAI-NNW Standard as an IEEE Standard (P3304)

  15. Join the fun, build the future!
     https://mpai.community/how-to-join/
     https://www.mpai.community/
     More about NNW at http://nnw.mpai.community/
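
To make the robustness evaluation of slides 8 and 12 concrete, the following added example (not part of the presentation and not the MPAI-NNW reference software) embeds the slide's 8-bit pattern into a toy weight vector with a simplified Uchida-style regularizer, applies quantization, L1 pruning and Gaussian noise, and reports the decoder's bit error rate after each modification. Assumptions: the weight vector and secret key are constructed at random, the task loss is omitted, `[16,8,4]` is read as quantization bit widths, and bit error rate is used as the robustness measure.

```python
import math
import random

PAYLOAD = [0, 1, 0, 0, 0, 1, 1, 1]  # bit pattern drawn on the slides
N = 256                             # constructed toy weight vector, not a real NN layer

def project(key, w):
    return [sum(x * wi for x, wi in zip(row, w)) for row in key]

def inject(key, w, steps=500, lr=0.005):
    # Uchida-style embedding: gradient descent on BCE(sigmoid(key @ w), payload).
    w = list(w)
    for _ in range(steps):
        err = [1 / (1 + math.exp(-p)) - b for p, b in zip(project(key, w), PAYLOAD)]
        for i in range(N):
            w[i] -= lr * sum(e * row[i] for e, row in zip(err, key))
    return w

def ber(key, w):
    # Decoder: threshold the secret projection, then count wrong payload bits.
    bits = [1 if p > 0 else 0 for p in project(key, w)]
    return sum(a != b for a, b in zip(bits, PAYLOAD)) / len(PAYLOAD)

def l1_prune(w, fraction):
    # Zero the given fraction of weights with the smallest magnitude.
    k = int(len(w) * fraction)
    drop = set(sorted(range(len(w)), key=lambda i: abs(w[i]))[:k])
    return [0.0 if i in drop else wi for i, wi in enumerate(w)]

def quantize(w, bits):
    lo, hi = min(w), max(w)
    step = (hi - lo) / (2 ** bits - 1)
    return [lo + round((wi - lo) / step) * step for wi in w]

def evaluate(seed=0):
    rng = random.Random(seed)
    key = [[rng.gauss(0, 1) for _ in range(N)] for _ in PAYLOAD]  # secret key
    w = inject(key, [rng.gauss(0, 0.1) for _ in range(N)])
    report = {"unmodified": ber(key, w)}
    for bits in (16, 8, 4):
        report[f"quantize_{bits}"] = ber(key, quantize(w, bits))
    for frac in (0.5, 1.0):
        report[f"l1_prune_{frac}"] = ber(key, l1_prune(w, frac))
    report["noise_0.01"] = ber(key, [wi + rng.gauss(0, 0.01) for wi in w])
    return report

if __name__ == "__main__":
    print(evaluate())
```

Pruning every weight is included as the limiting case: the decoder then returns all zeros and half of this payload is wrong, which is the bit error rate of a detector that no longer sees the watermark.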
