Introduction
During the last decade, Neural Networks have been deployed in an increasing variety of domains, and producing them has become costly in terms of both resources (GPUs, CPUs, memory) and time. Moreover, users of Neural Network-based services increasingly express a need for service quality certification.
Neural Network (NN) Traceability offers solutions to satisfy both needs, ensuring that a deployed Neural Network is traceable and untampered.
Inherited from the multimedia realm, watermarking groups a family of methodological and application-oriented tools that imperceptibly and persistently insert some metadata (a payload) into an original NN model. Subsequently, detecting or decoding this metadata from the model itself or from any of its inferences provides the means to trace the source and to verify authenticity.
An additional traceability technology is fingerprinting, a family of methodological and application tools that extract some salient information from the original NN model (a fingerprint) and subsequently identify that model based on the extracted information.
Therefore, MPAI has found the application area called “Neural Network Watermarking” to be relevant for MPAI standardisation, as there is a need both for Neural Network Traceability technologies and for assessing the performance of such technologies.
MPAI standards for Neural Networks Traceability
In response to these needs, MPAI has established NNW-DC. The Development Committee specifies methods to evaluate the following aspects of Active (Watermarking) and Passive (Fingerprinting) Neural Network Traceability Methods:
- The ability of a Neural Network Traceability Detector/Decoder to detect/decode/match Traceability Data when the traced Neural Network has been modified,
- The computational cost of injecting, extracting, detecting, decoding, or matching Traceability Data,
- Specifically for active tracing methods, the impact of inserted Traceability Data on the performance of a neural network and on its inference.
A New MPAI Standard for Neural Network Traceability
During its 65th GA held on February 18th, MPAI released a new standard for community comments: Technical Specification – Neural Network Watermarking (MPAI-NNW) – Technologies (NNW-TEC), available here.
Scope of the New Standard
The new standard:
- Specifies a general procedure to characterise Neural Network Traceability technologies that make it possible:
  - To verify that the data provided by an Actor and transported to another Actor is not compromised, i.e. that, if the data is modified, the modifications still allow it to be used for the intended scope.
  - To identify the Actors providing and receiving the data.
- Uses the MPAI-NNT Technical Specification to evaluate the properties of Neural Network Traceability technologies that were developed based on the general procedure and applied for specific NNs or used in specific application domains.
NNW-TEC Technical Specification Versions are snapshots capturing the evolution of the general procedure and of the performance of implementations.
Practical benefits
NN Traceability Technologies enable tracking of identities of some Actors and the Modifications to the NN effected by them. Typically, a Neural Network service involves the following Actors:
- Architect: designs the architecture of the model
- Trainer: trains the model for a purpose
- Tracker: provides the tracking technology
- Distributor: distributes the trained model with the tracking technology
- Generic user: any user intended by the Distributor
- Attacker: any user, be they intended or not by the Distributor, that can apply a modification on the Neural Network subjected to the Traceability Technology.
Examples of typical Modifications applied to Neural Networks are finetuning, pruning, or quantisation.
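The first evaluation aspect listed earlier (whether the payload can still be decoded after the traced network has been modified) can be illustrated with the Modifications named above. The sketch below is an added example, not code from MPAI or from NNW-TEC: it assumes a textbook additive spread-spectrum watermark as a stand-in for a real Traceability Method, uses constructed Gaussian weights in place of a trained layer, and all function names and parameters are hypothetical.

```python
import random

def carriers(key, n_bits, n_weights):
    """Derive one pseudo-random +/-1 carrier per payload bit from the secret key."""
    rng = random.Random(key)
    return [[1 if rng.getrandbits(1) else -1 for _ in range(n_weights)]
            for _ in range(n_bits)]

def embed(weights, payload, key, alpha=0.005):
    """Add alpha * carrier (sign set by the bit) to the weights, per payload bit."""
    marked = list(weights)
    for bit, carrier in zip(payload, carriers(key, len(payload), len(weights))):
        sign = alpha if bit else -alpha
        for i, c in enumerate(carrier):
            marked[i] += sign * c
    return marked

def decode(weights, n_bits, key):
    """Blind decoding: the sign of the correlation with each carrier is one bit."""
    return [1 if sum(w * c for w, c in zip(weights, carrier)) > 0 else 0
            for carrier in carriers(key, n_bits, len(weights))]

def prune(weights, fraction):
    """Magnitude pruning: zero the given fraction of smallest-magnitude weights."""
    threshold = sorted(abs(w) for w in weights)[int(fraction * len(weights))]
    return [w if abs(w) >= threshold else 0.0 for w in weights]

def quantise(weights, bits):
    """Uniform quantisation to 2**bits levels between the min and max weight."""
    lo, hi = min(weights), max(weights)
    step = (hi - lo) / (2 ** bits - 1)
    return [lo + round((w - lo) / step) * step for w in weights]

def bit_error_rate(sent, received):
    return sum(a != b for a, b in zip(sent, received)) / len(sent)

def evaluate(key=2025, n_weights=32768, n_bits=16):
    """Bit error rate of the decoder after each Modification (constructed data)."""
    rng = random.Random(7)  # stand-in for a trained layer, not a real model
    weights = [rng.gauss(0.0, 0.1) for _ in range(n_weights)]
    payload = [rng.getrandbits(1) for _ in range(n_bits)]
    marked = embed(weights, payload, key)
    cases = {"unmodified": marked, "pruned 50%": prune(marked, 0.5),
             "quantised 4-bit": quantise(marked, 4)}
    return {name: bit_error_rate(payload, decode(w, n_bits, key))
            for name, w in cases.items()}

if __name__ == "__main__":
    for name, ber in evaluate().items():
        print(f"{name:16s} BER = {ber:.3f}")
```

A bit error rate near 0 means the payload survived the Modification; raising the pruning fraction or lowering `alpha` shows where this toy scheme stops being decodable.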