Secure Neural Network Watermarking Protocol Against Evidence Exposure Attack

Trigger-based backdoor watermarking is an extensively utilized and effective method to safeguard the copyright of deep neural networks (DNNs), in which the trigger set could be taken as the key of the watermark. However, during the verification stage, there is a risk that the trigger set could be leaked and exposed to adversaries. If this occurs, the adversaries might apply this leaked trigger set to claim ownership of the model, posing significant copyright issues for the watermarked DNN. To address such an evidence exposure problem, a secure neural network watermarking protocol is put forward in this paper. In the proposed protocol, the trigger set is not fixed, once the trigger is utilized for verification, it is invalid and cannot be used for verification in the future. As a result, even if the trigger set is leaked during the verification process and obtained by the attacker, they cannot use it for copyright verification since it is invalid. To assist the protocol, a trigger set generation method is designed, in which the auxiliary classifier generative adversarial network (ACGAN) and the target classification model are trained together. The special logits distribution and the labels of the generated trigger samples can be ensured and verified effectively in this way. The performance of the trigger generation methods regarding effectiveness, fidelity, and robustness is verified by experiments, and the security analysis of the designed watermarking protocol is conducted.