<-References Go to ToC General Setting ->
2 General watermarking procedure
2.1 Description of the watermarking procedure
2.2 Description of the roles the actors can play
3 General fingerprinting procedure
3.1 Description of the fingerprinting procedure
3.2 Description of the roles the actors can play
1 Introduction
This Chapter presents a general procedure to characterise Neural Network Traceability technologies that make it possible:
- To verify that the data provided by an Actor and received by another Actor is not compromised, i.e. it can be used for the intended scope.
- To identify the Actors providing and receiving the data.
Such procedure can be instantiated for watermarking and fingerprinting according to the synopsis in Figure 1 and Figure 2, respectively.
Figure 1. Synopsis of a general NN watermarking procedure
Figure 2. Synopsis of a general NN fingerprinting procedure
2 General watermarking procedure
2.1 Description of the watermarking procedure
Watermarking provides a family of methodological and applicative tools making it possible for some metadata (also referred to as mark or watermark) to be imperceptibly and persistently inserted into some original content [COX-07], according to a secret key. Hence, watermarking is an active traceability solution, in the sense that it modifies the original content.
Four main functional properties are generally considered for the watermarking applications:
- Data Payload: the quantity of information that can be inserted and reliably detected for serving the targeted application scope.
- Imperceptibility: the ability of a Method to not impact the performance of an NN before and after the watermark embedding insertion.
- Robustness: the ability of a Method to recover the same mark from Modified watermarked NN.
- Computational Cost: The cost of injecting, Detecting, or Decoding of a Method.
In practice, each watermarking technology searches for a specific trade-off among these 4 properties, so as to match the requirements of the specific application it was designed for. Regardless of the specific technology, watermarking can be modelled under the channel coding framework [7], as follows.
The watermark itself is a sample from the information source, and it is known to both encoder and decoder. The watermark insertion into the original content represents the channel encoding process. Modifications applied on the watermark model act as the channel noise source. The mark recovery (detection or decoding) stands for a channel decoding operation. Note that as the original content is not available during the detection/decoding, it stands for an additional noise source, known at the encoder.
Complementary with respect to this model, watermarking also considers cryptography tools for ensuring a higher level of protection against malicious behaviours some Actors can play. This is mainly done by encrypting the watermark, prior to its encryption, by a secret key. This operation represents the only secret information in the overall scheme and ensure the system security in the Kerckhoffs’s sense.
2.2 Description of the roles the actors can play
Irrespective of the watermarking procedure specificities, the 5 typologies of actors brought forth in Introduction are expected to act as follows:
- Architect: designs the architecture of the model and is mainly involved in the Insertion step. They knowledge can also be explicitly or implicitly leveraged when the Modification are applied, either by Distributor, Generic User or Attacker.
- Trainer: trains the model for a purpose, based on a dataset and on some training hyper-parameters. When the watermarking insertion is performed during the training process, the Trainer and the Tracker are expected to collaborate. The Trainer role is also be played when some types of Modifications are applied (e.g. fine tuning).
- Tracker: provides the tracking technology. Their role is performed on the Watermarked NN and on its versions obtained after applying Modifications.
- Distributor: distributes trained model with tracking technology.
- Attacker: The attacker role consists in applying Modifications to the watermarked NN. Such a role can be played either by Actors intended by the Distributor (Architect, Trainer, Tracker, Generic User) or by unintended users (generally behaving maliciously). The results of the Attacker role can be to
- remove the Source and/or Destination IDs,
- mislead the authentication procedure,
- create ambiguity in the usage of the recovered watermark information.
- Generic user: any user intended by the distributor. They intended behaviour is regulated by the conditions they agreed on with the Distributor, upon subscribing to the service.
3 General fingerprinting procedure
3.1 Description of the fingerprinting procedure
According to the fingerprinting principles, some salient information (referred to as fingerprint) is extracted from the to-be-tracked NN (note that this information is not previously inserted in the content, as in case of watermarking). By comparing (according to a similarity measure and a pre-established threshold) the query fingerprint to the database of fingerprints, a decision on the identity could be made. Hence, fingerprinting is a passive traceability solution, in the sense that it preserves the original content.
Three main properties are generally considered for the fingerprinting applications:
- Unicity: the ability of a method to different tracked NN result in different fingerprints
- Robustness: the ability of a method to obtain an (almost) identical fingerprint from Modified tracked NN.
- Search efficiency: the Computational Cost of extracting and matching an NN under query.
While the fingerprinting theoretical model is yet neither well-studied nor properly documented field, a channel encoding model will be also considered for fingerprinting; the coherency between the watermarking and fingerprinting presentations is thus ensured in this standard.
Consequently, the fingerprinting extraction stands for the channel encoding operation. The Modifications applied on the NN model subjected to the traceability technology represent the channel noise source. The fingerprint Extraction and Matcher represent the detection operation. Here again, the original content can be represented as a noise source known at the encoding.
As watermarking, fingerprinting also consider complementary encryption mechanisms, abstractly represented by the total amount of information that should be kept secret in order to ensure reliable traceability functioning despite possible malicious behaviours.
3.2 Description of the roles the actors can play
Irrespective of the fingerprinting procedure specificities, the 5 typologies of actors brought forth in Introduction are expected to act as follows:
- Architect: designs the architecture of the model and is mainly involved in the Extraction step. They knowledge can also be explicitly or implicitly leveraged when the Modification are applied, either by Distributor, Generic User or Attacker.
- Trainer: trains the model for a purpose, based on a dataset and on some training hyper-parameters. The Trainer role is also be played when some types of Modifications are applied (e.g. fine tuning).
- Tracker: provides the tracking technology. Their role is performed on the NN model to be tracked as well as on its versions obtained after applying Modifications.
- Distributor: distributes trained model with tracking technology.
- Attacker: The attacker role consists in applying Modifications to the NN model to be tracked. Such a role can be played either by Actors intended by the Distributor (Architect, Trainer, Tracker, Generic User) or by unintended users (generally behaving maliciously). The results of the Attacker role is to create ambiguity in the usage of the recovered watermark information.
- Generic user: any user intended by the distributor. They intended behaviour is regulated by the conditions they agreed on with the Distributor, upon subscribing to the service.
