Search Results (7)

Search Parameters:
Keywords = backdoor watermarking

25 pages, 1885 KB  
Article
Defending Against Ambiguity Attacks: Secret-Key-Driven DNN Watermarking for Ownership Verification
by Shouxi Hao and Rong Huang
Electronics 2026, 15(10), 2150; https://doi.org/10.3390/electronics15102150 - 16 May 2026
Abstract
Deep neural networks (DNNs) have become important intellectual assets, and ownership verification for misappropriated DNNs is increasingly important in Machine Learning as a Service (MLaaS) settings. Among existing DNN watermarking methods, backdoor watermarking is a typical approach for deployed ownership verification. However, existing methods still face two limitations. When verification relies on a finite trigger set, forged ownership evidence becomes difficult to rule out once the trigger samples are leaked or closely imitated. In addition, when watermark embedding modifies the service backbone, the predictor used for routine service is directly altered rather than kept unchanged. To address these limitations, we propose a backdoor DNN watermarking framework that combines secret-key-driven trigger group construction with a plug-and-play LoRA component. The proposed method regenerates the trigger groups used for verification from benign image pairs under a valid key whenever ownership needs to be checked, so ownership verification no longer depends on a finite stored trigger set. Meanwhile, watermark embedding is carried by an external LoRA component rather than by modifying the service backbone. In addition, we further optimize the LoRA configuration through a genetic search. Experiments on five benchmark datasets show that under the intended deployment protocol, the proposed method keeps the service predictor unchanged, enables effective ownership verification, and makes it difficult for attackers without the valid key to reproduce the verification behavior of the legitimate watermark under a large number of repeated attack trials.
(This article belongs to the Special Issue Security and Privacy for AI, 2nd Edition)
25 pages, 657 KB  
Article
An Open-Source Graph Dataset Infringement Verification Method via Class-Expansion Backdoor Watermark
by Zuocheng Yu, Ming Xu, Xiaogang Xing, Yuanhao Lin, Yuwen Shu and Xiaohan Qi
Future Internet 2026, 18(5), 257; https://doi.org/10.3390/fi18050257 - 13 May 2026
Abstract
With the rapid development of the Internet, open-source graph datasets are increasingly shared and reused in intelligent networked services, making robust infringement verification increasingly important. Backdoor-based watermarking for graph neural networks (GNNs) can be used to check whether a suspicious model has been trained on protected data without authorization. However, existing dataset infringement verification methods have limited applicability and are mainly designed for private datasets. Directly applying them to open-source datasets would cause models trained by legitimate users to learn backdoor behavior, which would expose them to security risks. In this paper, we propose a new infringement verification method for open-source graph datasets, which reduces backdoor-related security risks in models trained by legitimate users. The core idea is to introduce an additional expansion-class and re-label watermarked samples as belonging to this class. This design completely separates the learning of watermark patterns from the original feature-label mappings during training. As a result, only trigger-bearing samples are directly involved in infringement verification, which helps prevent watermark patterns from being associated with existing classes in the original task. The proposed method provides a practical solution for trustworthy graph data sharing and infringement verification in Internet environments. Extensive experiments on benchmark datasets demonstrate that the proposed method achieves a high verification success rate while largely preserving the model’s clean accuracy.
21 pages, 993 KB  
Article
BIMW: Blockchain-Enabled Innocuous Model Watermarking for Secure Ownership Verification
by Xinyun Liu and Ronghua Xu
Future Internet 2025, 17(11), 490; https://doi.org/10.3390/fi17110490 - 26 Oct 2025
Abstract
The integration of artificial intelligence (AI) and edge computing gives rise to edge intelligence (EI), which offers effective solutions to the limitations of traditional cloud-based AI; however, deploying models across distributed edge platforms raises concerns regarding authenticity, thereby necessitating robust mechanisms for ownership verification. Currently, backdoor-based model watermarking techniques represent a state-of-the-art approach for ownership verification; however, their reliance on model poisoning introduces potential security risks and unintended behaviors. To solve this challenge, we propose BIMW, a blockchain-enabled innocuous model watermarking framework that ensures secure and trustworthy AI model deployment and sharing in distributed edge computing environments. Unlike widely applied backdoor-based watermarking methods, BIMW adopts a novel innocuous model watermarking method called interpretable watermarking (IW), which embeds ownership information without compromising model integrity or functionality. In addition, BIMW integrates a blockchain security fabric to ensure the integrity and auditability of watermarked data during storage and sharing. Extensive experiments were conducted on a Jetson Orin Nano board, which simulates edge computing environments. The numerical results show that our framework outperforms baselines in terms of predicate accuracy, p-value, watermark success rate (WSR), and harmlessness H. Our framework demonstrates resilience against watermarking removal attacks, and it introduces limited latency through the blockchain fabric.
(This article belongs to the Special Issue Distributed Machine Learning and Federated Edge Computing for IoT)
22 pages, 29188 KB  
Article
Sensitive Object Trigger-Based Fragile Watermarking for Integrity Verification of Remote Sensing Object Detection Models
by Xin Xu, Zihao Wang, Weitong Chen, Wei Tang, Na Ren and Changqing Zhu
Remote Sens. 2025, 17(14), 2379; https://doi.org/10.3390/rs17142379 - 10 Jul 2025
Cited by 2
Abstract
Remote sensing object detection (RSOD) models are widely deployed on edge devices for critical applications. Their security and integrity have become urgent concerns. This work proposes a fragile model watermarking method that enables black-box integrity verification for RSOD models. Specifically, for a given RSOD model, we construct class-specific sensitive object triggers and corresponding fragile watermark samples for each target category. During the trigger generation process, a trained surrogate model is first employed to construct the initial sensitive object trigger, where real objects are utilized to guide the trigger to acquire weak semantic features of the target class. This trigger is then jointly optimized using both the original model and a tampered version. The original model ensures that the trigger remains recognizable, while the tampered model encourages sensitivity to parameter changes. During integrity verification, the model is queried with all the fragile watermark samples. The model is considered intact only if all predictions match the expected results. Extensive experiments demonstrate that the proposed method is effective across multiple RSOD models. It exhibits high sensitivity to various model modifications, including backdoor injection, fine-tuning, pruning, random parameter perturbation, and model compression.
14 pages, 608 KB  
Article
TIBW: Task-Independent Backdoor Watermarking with Fine-Tuning Resilience for Pre-Trained Language Models
by Weichuan Mo, Kongyang Chen and Yatie Xiao
Mathematics 2025, 13(2), 272; https://doi.org/10.3390/math13020272 - 15 Jan 2025
Abstract
Pre-trained language models such as BERT, GPT-3, and T5 have made significant advancements in natural language processing (NLP). However, their widespread adoption raises concerns about intellectual property (IP) protection, as unauthorized use can undermine innovation. Watermarking has emerged as a promising solution for model ownership verification, but its application to NLP models presents unique challenges, particularly in ensuring robustness against fine-tuning and preventing interference with downstream tasks. This paper presents a novel watermarking scheme, TIBW (Task-Independent Backdoor Watermarking), that embeds robust, task-independent backdoor watermarks into pre-trained language models. By implementing a Trigger–Target Word Pair Search Algorithm that selects trigger–target word pairs with maximal semantic dissimilarity, our approach ensures that the watermark remains effective even after extensive fine-tuning. Additionally, we introduce Parameter Relationship Embedding (PRE) to subtly modify the model’s embedding layer, reinforcing the association between trigger and target words without degrading the model performance. We also design a comprehensive watermark verification process that evaluates task behavior consistency, quantified by the Watermark Embedding Success Rate (WESR). Our experiments across five benchmark NLP tasks demonstrate that the proposed watermarking method maintains a near-baseline performance on clean inputs while achieving a high WESR, outperforming existing baselines in both robustness and stealthiness. Furthermore, the watermark persists reliably even after additional fine-tuning, highlighting its resilience against potential watermark removal attempts. This work provides a secure and reliable IP protection mechanism for NLP models, ensuring watermark integrity across diverse applications.
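Several of the abstracts above (BIMW's watermark success rate and p-value, TIBW's WESR, and the fragile watermark's rule that the model is intact only if every prediction matches) rest on the same black-box step: query the suspect model with the verification samples and decide whether its behaviour could be chance. The following Python sketch is added here for illustration and is not code from any of the listed papers. It uses tiny deterministic stand-in classifiers in place of trained DNNs; the label space, target class, significance threshold, trigger set and the "tampered" model are all constructed assumptions. The one-sided binomial test against a chance hit rate of 1/num_classes is a common way to turn a hit count into a p-value and is not claimed to be the exact statistic of any paper above.

```python
import math
from dataclasses import dataclass
from typing import Callable, List, Tuple

# All of the following values are constructed assumptions for this example.
NUM_CLASSES = 10        # label space of the protected classifier
TARGET_CLASS = 3        # label the backdoor watermark maps triggered inputs to
SIGNIFICANCE = 1e-6     # p-value below which ownership is claimed


@dataclass(frozen=True)
class Sample:
    features: Tuple[int, int]   # constructed stand-in for an image
    triggered: bool = False     # True when the watermark trigger is stamped on


Model = Callable[[Sample], int]
LabelledSet = List[Tuple[Sample, int]]


def clean_model(s: Sample) -> int:
    """Stand-in for an independently trained classifier; it ignores the trigger."""
    return (s.features[0] + s.features[1]) % NUM_CLASSES


def watermarked_model(s: Sample) -> int:
    """Stand-in for a backdoor-watermarked classifier: identical to clean_model
    on benign inputs, but maps any trigger-bearing input to TARGET_CLASS."""
    return TARGET_CLASS if s.triggered else clean_model(s)


def tampered_model(s: Sample) -> int:
    """clean_model after a small parameter perturbation (assumed): one region
    of input space changes label, everything else is untouched."""
    shift = 1 if s.features[0] == 5 else 0
    return (clean_model(s) + shift) % NUM_CLASSES


def build_trigger_set(n: int) -> LabelledSet:
    """Constructed verification set: n triggered samples with the target label."""
    return [(Sample((i, 7 * i), triggered=True), TARGET_CLASS) for i in range(n)]


def build_benign_set(n: int) -> List[Sample]:
    """Constructed benign inputs used to measure harmlessness."""
    return [Sample((i, 7 * i)) for i in range(n)]


def build_fragile_set(model: Model, n: int) -> LabelledSet:
    """Fragile watermark samples: record the intact model's own predictions on
    sensitive inputs; integrity later requires every one of them to match."""
    return [(s, model(s)) for s in (Sample((i, 2 * i)) for i in range(n))]


def binomial_tail(successes: int, trials: int, p0: float) -> float:
    """P[X >= successes] for X ~ Binomial(trials, p0): one-sided p-value for the
    null hypothesis that the suspect model hits the target label only by chance."""
    return sum(math.comb(trials, k) * p0 ** k * (1.0 - p0) ** (trials - k)
               for k in range(successes, trials + 1))


def verify_ownership(model: Model, trigger_set: LabelledSet):
    """Black-box ownership query. Returns (WSR, p-value, ownership claimed)."""
    n = len(trigger_set)
    hits = sum(1 for s, y in trigger_set if model(s) == y)
    p_value = binomial_tail(hits, n, 1.0 / NUM_CLASSES)
    return hits / n, p_value, p_value < SIGNIFICANCE


def harmlessness(model: Model, reference: Model, benign: List[Sample]) -> float:
    """Fraction of benign inputs on which the watermarked model agrees with the
    reference; 1.0 means the watermark left routine predictions unchanged."""
    return sum(1 for s in benign if model(s) == reference(s)) / len(benign)


def verify_integrity(model: Model, fragile_set: LabelledSet) -> bool:
    """Fragile watermark check: intact only if every fragile sample is still
    predicted exactly as recorded at embedding time."""
    return all(model(s) == y for s, y in fragile_set)


if __name__ == "__main__":
    triggers = build_trigger_set(30)
    for name, m in (("watermarked", watermarked_model), ("independent", clean_model)):
        wsr, p, claim = verify_ownership(m, triggers)
        print(f"{name:12s} WSR={wsr:.2f} p={p:.2e} ownership_claimed={claim}")
    print("harmlessness:", harmlessness(watermarked_model, clean_model, build_benign_set(50)))
    fragile = build_fragile_set(clean_model, 8)
    print("intact:", verify_integrity(clean_model, fragile),
          "tampered:", verify_integrity(tampered_model, fragile))
```

Two points the numbers make clear. First, a high WSR alone is not evidence: the p-value is what says how unlikely that hit rate is for a model that never saw the watermark, and it shrinks geometrically with the size of the trigger set, which is why a leaked or imitated finite trigger set (the concern raised in the first abstract) undermines the claim. Second, ownership and integrity checks pull in opposite directions: the backdoor watermark must survive perturbation, while the fragile watermark must fail on the first changed prediction, so the same "query and compare" loop is scored by a threshold in one case and by an all-or-nothing rule in the other.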
30 pages, 4423 KB  
Article
Watermarking Tiny MLCommons Image Applications Without Extra Deployability Costs
by Alessandro Carra, Dilan Ece Durmuskaya, Beatrice Di Giulio, Laura Falaschetti, Claudio Turchetti and Danilo Pietro Pau
Electronics 2024, 13(23), 4644; https://doi.org/10.3390/electronics13234644 - 25 Nov 2024
Cited by 1
Abstract
The tasks assigned to neural network (NN) models are increasingly challenging due to the growing demand for their applicability across domains. Advanced machine learning programming skills, development time, and expensive assets are required to achieve accurate models, and they represent important assets, particularly for small and medium enterprises. Whether they are deployed in the Cloud or on Edge devices, i.e., resource-constrained devices that require the design of tiny NNs, it is of paramount importance to protect the associated intellectual properties (IP). Neural network watermarking (NNW) can help the owner to claim the origin of an NN model that is suspected to have been attacked or copied, thus illegally infringing the IP. Adapting two state-of-the-art NNW methods, this paper aims to define watermarking procedures to securely protect tiny NNs’ IP in order to prevent unauthorized copies of these networks; specifically, embedded applications running on low-power devices, such as the image classification use cases developed for MLCommons benchmarks. These methodologies inject into a model a unique and secret parameter pattern or force an incoherent behavior when trigger inputs are used, helping the owner to prove the origin of the tested NN model. The obtained results demonstrate the effectiveness of these techniques using AI frameworks both on computers and MCUs, showing that the watermark was successfully recognized in both cases, even if adversarial attacks were simulated, and, in the second case, if accuracy values, required resources, and inference times remained unchanged.
(This article belongs to the Special Issue Towards Efficient and Reliable AI at the Edge)
17 pages, 1472 KB  
Article
Clean-Label Backdoor Watermarking for Dataset Copyright Protection via Trigger Optimization
by Weitong Chen, Gaoyang Wei, Xin Xu, Yanyan Xu, Haibo Peng and Yingchen She
Symmetry 2024, 16(11), 1494; https://doi.org/10.3390/sym16111494 - 8 Nov 2024
Cited by 4
Abstract
High-quality datasets are essential for training high-performance models, while the process of collection, cleaning, and labeling is costly. As a result, datasets are considered valuable intellectual property. However, when security mechanisms are symmetry-breaking, creating exploitable vulnerabilities, unauthorized use or data leakage can infringe on the copyright of dataset owners. In this study, we design a method to mount clean-label dataset watermarking based on trigger optimization, aiming to protect the copyright of the dataset from infringement. We first perform iterative optimization of the trigger based on a surrogate model, with target class samples guiding the updates. The process ensures that the optimized triggers contain robust feature representations of the watermark target class. A watermarked dataset is obtained by embedding optimized triggers into randomly selected samples from the watermark target class. If an adversary trains a model with the watermarked dataset, our watermark will manipulate the model’s output. By observing the output of the suspect model on samples with triggers, it can be determined whether the model was trained on the watermarked dataset. The experimental results demonstrate that the proposed method exhibits high imperceptibility and strong robustness against pruning and fine-tuning attacks. Compared to existing methods, the proposed method significantly improves effectiveness at very low watermarking rates.
(This article belongs to the Special Issue Symmetries and Symmetry-Breaking in Data Security)