Research, personnel, training and processing can bring the development costs of a neural network anywhere from a few thousand to a few hundreds of thousand dollars. Therefore, the AI industry needs a technology to ensure traceability and integrity not only of a neural network, but also of the content generated by it (so-called inference). The content industry facing a similar problem, has used watermarking to imperceptibly and persistently insert a payload carrying, e.g., owner ID, timestamp, etc. to signal the ownership of a content item. Watermarking can also be used by the AI industry.
The general requirements for using watermarking in neural networks are:
- The techniques shall not affect the performance of the neural network.
- The payload shall be recoverable even if the content was modified.
MPAI has classified the cases of watermarking use as follows:
- Identification of actors (i.e., neural network owner, customer, and end-user).
- Identification of the neural network model.
- Detecting the modification of a neural network.
This classification is depicted in Figure 1 and concerns the use of watermarking technologies in neural networks and is independent of the intended use.
Figure 1 – Classification of neural network watermarking uses
MPAI has identified the need for a standard – code name MPAI-NNW – enabling users to measure the performance of the following component of a watermarking technology:
- The ability of a watermark inserter to inject a payload without deteriorating the performance of the Neural Network.
- The ability of a watermark detector to ascertain the presence and of a watermark decoder to retrieve the payload of the inserted watermark when applied to:
- A modified watermarked network (e.g., by transfer learning or pruning).
- An inference of the modified model.
- The computational cost (e.g., execution time) of a watermark inserter to inject a payload, a watermark detector/decoder to detect/decode a payload from a watermarked model or from any of its inferences.
Figure 2 depicts the three watermarking components covered by MPAI-NNW.
Figure 2 – The three areas to be covered by MPAI-NNW
MPAI has issued a Call to acquire the technologies for use in the standard. The list below is a subset of the requests contained in the call:
- Use cases
- Comments on use cases.
- Impact of the watermark on the performance
- List of Tasks to be performed by the Neural Network (g. classification task, speech generation, video encoding, …).
- Methods to measure the quality of the inference produced (g. precision, recall, subjective quality evaluation, PSNR, …).
- Detection/Decoding capability
- List of potential modifications that a watermark shall be robust against (g. pruning, fine-tuning, …).
- Parameters and ranges of proposed modifications.
- Methods to evaluate the differences between the original and retrieved watermarks (g., Symbol Error Rate).
- Processing cost
- Specification of the testing environments.
- Specification of the values characterizing the processing of Neural Networks.
Below are a few useful links for those wishing to know more about the MPAI-NNW Call for Technologies and how to respond to it:
- 1 min 30 sec video (YouTube and non YouTube) illustrating functional requirements of MPAI-NNW V1.
- slides presented at the online meeting on 2022/07/12.
- video recording of the online presentation (Youtube, non-YouTube) made at that 12 July presentation
- Call for Technologies, Use Cases and Functional Requirements, Framework Licence and MPAI-NNW Template for responses.
The MPAI secretariat shall receive the responses to the MPAI-NNW Call for Technologies by 2022 October
