Watermarking has been used for a long time. One of its uses in the physical world is paper money where a hard to imitate watermark assures users that a banknote is authentic.
In the digital domain, watermarking can be used to carry information about ownership in a file or stream. The Secure Digital Music Initiative (SDMI) selected a strong (i.e., hard to remove) digital watermark to identify an MP3 soundtrack that had been released “after” and attempted to define a weak (i.e., easy to remove) watermark.
Neural networks are a high-priority topic in MPAI. Is there a reason why MPAI should be concerned with watermarking? The answer is yes, and the reason is that developing neural networks may be a very costly undertaking, e.g., several tens of thousand USD and developers may indeed want to identify that a neural network is theirs.
MPAI has begun to investigate two related but distinct issues: watermarking for neural networks and watermarking for the data produced by a neural network fed with data and generating inference.
By using a specific watermarking technology, the neural network creator can claim that a particular neural network instance:
- Has been produced by the them.
- Is a derivative of their network.
- Has been modified in a particular part of the network.
A related story applies to the inferences. The inference of a neural network can also be watermarked. The purpose is not necessarily that of protecting the creator or a licensee of a neural network. The end user of a neural network may need to be assured that an inference has been produced by the intended network.
So, what is MPAI actually doing in this field? The MPAI Neural Network Watermarking (NNW) project is developing requirements for a future MPAI standard with the goal to measure, for a given size of the watermarking payload:
- The impact on the performance of the neural network caused by adding a watermark to a neural network.
- The resistance of the watermark to modifications, e.g., caused by transfer learning, pruning of the weights etc.
- The cost of watermark injection because a neural network may be very large and adding a watermark costs time and processing.
Read The MPAI Neural Network Watermarking (NNW) project for more details.
If you wish to participate in this work you have the following options: