Computer Science, 2026, Vol. 53, Issue 1: 423-429. doi: 10.11896/jsjkx.241200005

• Information Security •

Deep Learning Model Protection Method Based on Robust Partitioned Watermarking

LYU Zhenghao (1,2), XIAN Hequn (1,3)

  1. College of Computer Science and Technology, Qingdao University, Qingdao, Shandong 266071, China;
  2. Key Laboratory of Cyberspace Security Defense, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100085, China;
  3. Cryptography and Cyber Security Whampo Institute, Guangzhou 510700, China
  • Received: 2024-12-02  Revised: 2025-03-14  Published: 2026-01-08
  • About author: LYU Zhenghao, born in 1999, postgraduate. His main research interests include AI robustness and intellectual property protection.
    XIAN Hequn, born in 1979, Ph.D, professor, master’s supervisor. His main research interests include cryptography and network and information systems security.
  • Supported by:
    National Natural Science Foundation of China (62102212) and Open Fund Project of the Key Laboratory of Cyberspace Security Defense (2024-ZD-04).

Abstract: Machine learning often involves high costs for data collection and model training, which raises concerns for model owners about unauthorized replication or misuse that could infringe on their intellectual property (IP). Consequently, protecting the intellectual property of machine learning models has become a pressing issue. In response, researchers have introduced the concept of model watermarking. Just as digital watermarking embeds identifiable marks into images, model watermarking embeds unique identifiers into machine learning models to support copyright verification. However, existing watermarking techniques face several limitations in practice. First, embedding a watermark inevitably affects model performance to some degree. Second, a watermark can be removed through techniques such as model fine-tuning. To address these challenges, this paper proposes a novel neural network watermarking scheme that uses a regional and staged embedding approach. The method aims both to minimize the impact on model performance and to improve the robustness of the watermark itself. Experiments on the MNIST, CIFAR-10 and CIFAR-100 datasets validate the effectiveness of the proposed scheme. The results show that the watermark maintains a high retention rate while having minimal impact on model performance. Compared with existing baseline watermarking schemes, the method achieves performance improvements of up to 18 percentage points. The proposed scheme also exhibits strong robustness against attacks such as fine-tuning and is unaffected by model pruning. Even if an adversary attempts to remove the watermark completely, doing so requires a significant degradation of the model’s performance as a trade-off.
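The abstract does not detail the paper's embedding algorithm, so the following is an added illustration rather than the authors' method: a minimal Uchida-style white-box weight watermark with partitioned (regional) embedding, used to measure the watermark retention rate after magnitude pruning and after simulated weight drift of the kind fine-tuning causes. The layer weights, the two regions, the 32-bit owner identifier, the projection keys and the drift noise are all constructed here; nothing outside the chosen regions is modified, which is why pruning and drift elsewhere cannot touch the mark.

```python
import numpy as np

def make_key(n_bits, region_len, seed):
    """Owner's secret projection matrix for one weight region."""
    return np.random.default_rng(seed).standard_normal((n_bits, region_len))

def embed(weights, regions, bits, seed, margin=3.0, lr=0.01, max_iter=500):
    """Partitioned embedding: bit chunk k is written only into weights[regions[k]].
    Perceptron-style updates push s_i * (X_i . w) above `margin` for every bit,
    so the later sign test survives moderate weight changes."""
    w = weights.copy()
    chunks = np.array_split(bits, len(regions))
    keys = []
    for k, (sl, chunk) in enumerate(zip(regions, chunks)):
        X = make_key(len(chunk), sl.stop - sl.start, seed + k)
        s = 2.0 * chunk - 1.0                    # {0,1} -> {-1,+1}
        for _ in range(max_iter):
            violated = s * (X @ w[sl]) < margin
            if not violated.any():
                break
            w[sl] += lr * (s[violated] @ X[violated])
        keys.append(X)
    return w, keys

def extract(weights, regions, keys):
    """Read the bits back: sign of each projection, region by region."""
    return np.concatenate([(X @ weights[sl] > 0).astype(int) for sl, X in zip(regions, keys)])

def retention(bits, extracted):
    """Watermark retention rate: fraction of bits recovered correctly."""
    return float(np.mean(bits == extracted))

def magnitude_prune(weights, ratio):
    """Zero the `ratio` fraction of weights with the smallest magnitude."""
    thr = np.quantile(np.abs(weights), ratio)
    return np.where(np.abs(weights) <= thr, 0.0, weights)

def demo():
    rng = np.random.default_rng(0)
    weights = rng.normal(0.0, 0.1, 1024)        # constructed stand-in for one layer
    regions = [slice(0, 256), slice(512, 768)]  # two disjoint watermark regions
    bits = rng.integers(0, 2, 32)               # constructed 32-bit owner identifier
    wm, keys = embed(weights, regions, bits, seed=42)
    clean = retention(bits, extract(wm, regions, keys))
    pruned = retention(bits, extract(magnitude_prune(wm, 0.3), regions, keys))
    drift = rng.normal(0.0, 0.05, wm.size)      # stand-in for fine-tuning drift
    drifted = retention(bits, extract(wm + drift, regions, keys))
    untouched = float(np.abs(wm - weights)[256:512].max())  # weights outside regions
    return clean, pruned, drifted, untouched
```

`demo()` returns the retention rate on the watermarked weights, after 30% magnitude pruning, after Gaussian drift, and the largest change to weights outside the regions (zero by construction).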

Key words: Deep neural network, Model watermarking, Copyright verification, Artificial intelligence security, Watermark robustness, Model performance

CLC Number: TP309