As the application value of machine learning grows, the intellectual property (IP) rights of deep neural networks (DNNs) are receiving increasing attention. Our analysis finds that most existing DNN watermarking methods can withstand fine-tuning and pruning attacks, but not distillation attacks. To address this problem, we propose a new DNN watermarking framework with two components: Unified Soft-label Perturbation (USP), which pairs a detector with the model to be watermarked, and Customized Soft-label Perturbation (CSP), which embeds the watermark by adding a perturbation to the model's output probability distribution. Experimental results show that our methods resist all of the watermark removal attacks tested and outperform existing methods under distillation attacks. Our method also achieves a good trade-off between the main task and the watermark, reaching 98.68% watermark accuracy while reducing main-task accuracy by only 0.59%.
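The abstract describes two mechanisms: a detector paired with the watermarked model, and a watermark carried in the model's output probability distribution (its soft labels). The following is an added toy illustration of that general idea; it is not the paper's code, and the exact USP/CSP designs are not described here. Everything in it is an assumption for the sake of illustration: the key-derived zero-mean pattern, the per-sample scaling of `eps` that keeps the top-1 class fixed, the projection statistic and 0.04 threshold in `detect`, the constructed prototype-plus-noise data, the linear `teacher`, and the linear softmax `train_student` used to simulate a distillation attacker. The point it makes visible is why soft-label distillation is the hard case: a student that fits the returned probabilities inherits the perturbation, whereas one that only fits the top-1 labels does not.

```python
"""Toy soft-label watermark (constructed illustration, not the paper's code):
a key-derived, zero-mean perturbation is added to output probabilities, a paired
detector reads it back from query outputs, and a distillation attacker is
simulated to see whether a student trained on those outputs inherits it."""
import hashlib
import math
import random

N_CLASSES = 10   # hypothetical 10-way task
DIM = 10         # hypothetical input: one prototype coordinate per class, plus noise


def softmax(logits):
    m = max(logits)
    exps = [math.exp(v - m) for v in logits]
    z = sum(exps)
    return [e / z for e in exps]


def argmax(v):
    return max(range(len(v)), key=v.__getitem__)


def onehot(c):
    return [1.0 if j == c else 0.0 for j in range(N_CLASSES)]


def make_pattern(secret: bytes, n_classes: int = N_CLASSES):
    """Key-derived direction: zero mean (perturbed vector still sums to 1) and
    unit L2 norm (the detector statistic then estimates the strength eps)."""
    raw = [b / 255.0 * 2.0 - 1.0 for b in hashlib.sha256(secret).digest()[:n_classes]]
    mean = sum(raw) / n_classes
    centred = [v - mean for v in raw]
    norm = math.sqrt(sum(v * v for v in centred))
    return [v / norm for v in centred]


def perturb(probs, pattern, eps=0.08, floor=1e-6):
    """Owner side: add eps*pattern to the output distribution.  eps is scaled
    down per sample so the top-1 class never changes (main-task accuracy is
    preserved by construction); tiny entries are floored, then renormalised."""
    top1, top2 = sorted(probs, reverse=True)[:2]
    eps_eff = min(eps, 0.49 * (top1 - top2) / max(abs(v) for v in pattern))
    out = [max(p + eps_eff * v, floor) for p, v in zip(probs, pattern)]
    z = sum(out)
    return [v / z for v in out]


def detect(outputs, pattern, threshold=0.04):
    """Paired detector: mean projection of queried outputs onto the key pattern.
    Unmarked outputs project to about 0, marked ones to about eps."""
    stat = sum(sum(o * v for o, v in zip(out, pattern)) for out in outputs) / len(outputs)
    return stat, stat > threshold


def make_dataset(n_per_class=10, sigma=0.2, seed=0):
    """Constructed data: class c is the unit vector e_c plus Gaussian noise."""
    rng = random.Random(seed)
    return [([rng.gauss(0.0, sigma) + (1.0 if j == c else 0.0) for j in range(DIM)], c)
            for c in range(N_CLASSES) for _ in range(n_per_class)]


def teacher(x, scale=1.2):
    """Owner's model (hypothetical): a fixed linear classifier on the prototypes."""
    return softmax([scale * x[j] for j in range(N_CLASSES)])


def train_student(inputs, targets, steps=250, lr=1.0):
    """Attacker side: distil a linear softmax model (with bias) onto whatever
    targets the API returned, by full-batch gradient descent on cross-entropy."""
    feats = [x + [1.0] for x in inputs]
    w = [[0.0] * (DIM + 1) for _ in range(N_CLASSES)]
    for _ in range(steps):
        grad = [[0.0] * (DIM + 1) for _ in range(N_CLASSES)]
        for f, t in zip(feats, targets):
            s = softmax([sum(wc[j] * f[j] for j in range(DIM + 1)) for wc in w])
            for c in range(N_CLASSES):
                d = (s[c] - t[c]) / len(feats)
                for j in range(DIM + 1):
                    grad[c][j] += d * f[j]
        for c in range(N_CLASSES):
            for j in range(DIM + 1):
                w[c][j] -= lr * grad[c][j]
    return lambda x: softmax([sum(wc[j] * fj for j, fj in enumerate(x + [1.0])) for wc in w])


def run_demo(secret=b"owner-secret-key", eps=0.08):
    """Detector results on clean outputs, watermarked outputs, and the outputs of
    students distilled from soft labels versus hard (top-1) labels."""
    inputs = [x for x, _ in make_dataset()]
    pattern = make_pattern(secret)
    clean = [teacher(x) for x in inputs]
    marked = [perturb(p, pattern, eps) for p in clean]
    agreement = sum(argmax(a) == argmax(b) for a, b in zip(clean, marked)) / len(inputs)
    soft_student = train_student(inputs, marked)                              # fits soft labels
    hard_student = train_student(inputs, [onehot(argmax(m)) for m in marked])  # fits top-1 only
    return {
        "top1_agreement": agreement,
        "clean": detect(clean, pattern),
        "marked": detect(marked, pattern),
        "soft_distilled": detect([soft_student(x) for x in inputs], pattern),
        "hard_distilled": detect([hard_student(x) for x in inputs], pattern),
    }
```

Calling `run_demo()` returns the top-1 agreement between clean and marked outputs (1.0 by construction) and the `(statistic, decision)` pair of the detector for each case; the soft-label student's mean output is pulled towards the perturbed targets, so its statistic stays above the threshold, while the hard-label student only learns the class frequencies and its statistic stays near zero. The design choices behind that difference (zero-mean pattern, argmax-preserving scaling, projection detector) are this example's assumptions, not a description of USP or CSP.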