Watermark Learning Resources

This Github repository summarizes a list of Watermark Learning resources. For more details and the categorization criteria, please refer to our survey (opens new window).

We will try our best to continuously maintain this Github Repository in a weekly manner.

Why Watermark Learning?

Backdoor learning is an emerging research area, which discusses the security issues of the training process towards machine learning algorithms. It is critical for safely adopting third-party training resources or models in reality.

Reference

If our repo or survey is useful for your research, please cite our paper as follows:

Contributing

Please help to contribute this list by contacting me (opens new window) or add pull request (opens new window)

Markdown format:

- Paper Name. 
  [[pdf]](link) 
  [[code]](link).
  - Author 1, Author 2, Author 3. *conference/Journal*, Year.

Note: In the same year, please place the conference paper before the journal paper, as journals are usually submitted a long time ago and therefore have some lag. (i.e., Conferences-->Journals-->Preprints)

Table of Contents

• Watermark Learning Resources - Why Watermark Learning?
  • News
  • Reference
  • Contributing
  • Table of Contents
  • Survey
    • 2022
    • 2021
  • Toolbox
  • Dissertation and Thesis
  • White-box Watermark
    • 2023
    • 2022
    • 2021
    • 2020
    • 2019
    • 2017
  • Black-box Watermark
    • 2023
    • 2022
    • 2021
    • 2020
    • 2019
    • 2018
  • No-box Watermark
    • 2022
    • 2021
  • Attack on Watermark
    • 2023
    • 2022
    • 2021
    • 2019
  • Evaluation
    • 2022
  • Other Model Protection Methods
    • Fragile watermark
      • 2022
      • 2021
      • 2019
    • Hardware-based
      • 2022
      • 2019
    • Model Fingerprinting
      • 2023
      • 2022
      • 2021
      • 2020
      • 2019
    • Model Hashing
      • 2023
      • 2022
    • Active Control
      • 2023
      • 2022
      • 2021
      • 2020
    • Reversible Watermarking
      • 2020
    • Model Encryption
      • 2020
  • Competition

Survey

2022

• Copyright protection of deep neural network models using digital watermarking: a comparative study. [link] (opens new window)

  • Alaa Fkirin, Gamal Attiya, Ayman El-Sayed, Marwa A. Shouman. Multimedia Tools and Applications, 2022.

• Intellectual property protection of DNN models. [link] (opens new window)

  • Sen Peng, Yufei Chen, Jie Xu, Zizhuo Chen, Cong Wang and Xiaohua Jia. World Wide Web, 2022.

2021

• A systematic review on model watermarking for neural networks. [link] (opens new window)

  • Franziska Boenisch. Frontiers in big Data, 2021.

• DNN intellectual property protection: Taxonomy, attacks and evaluations. [pdf] (opens new window)

  • Mingfu Xue, Jian Wang, Weiqiang Liu. Great Lakes Symposium on VLSI, 2021.

• A survey of deep neural network watermarking techniques. [pdf] (opens new window)

  • Yue Lia , Hongxia Wangb and Mauro Barnic. Neurocomputing, 2021.

• Protecting artificial intelligence IPs: a survey of watermarking and fingerprinting for machine learning. [pdf] (opens new window)

  • Francesco Regazzoni, Paolo Palmieri, Fethulah Smailbegovic, Rosario Cammarota, Ilia Polian. CAAI Transactions on Intelligence Technology, 2021.

• Intellectual property protection for deep learning models: Taxonomy, methods, attacks, and evaluations. [pdf] (opens new window)

  • Mingfu Xue, Yushu Zhang, Jian Wang, and Weiqiang Liu. IEEE Transactions on Artificial Intelligence, 2021.

Toolbox

Dissertation and Thesis

White-box Watermark

2023

• A Robustness-Assured White-Box Watermark in Neural Networks.

  • Lv, Peizhuo and Li, Pan and Zhang, Shengzhi and Chen, Kai and Liang, Ruigang and Ma, Hualong and Zhao, Yue and Li, Yingjiu. TDSC, 2023.

• Intellectual property protection for deep semantic segmentation models.

  • Hongjia Ruan, Huihui Song, Bo Liu, Yong Cheng, Qingshan Liu. FCS, 2023.

• Deep Learning Model Protection using Negative Correlation-based Watermarking with Best Embedding Regions.

  • Kakikura, Sayoko and Kang, Hyunho and Iwamura, Keiichi. ICACT, 2023.

2022

• Fostering The Robustness Of White-Box Deep Neural Network Watermarks By Neuron Alignment. [pdf] (opens new window)

  • Fang-Qi Li, Shi-Lin Wang, Yun Zhu:. ICASSP, 2022.

• Fused Pruning based Robust Deep Neural Network Watermark Embedding. [pdf] (opens new window)

  • Tengfei Li, Shuo Wang, Huiyun Jing, Zhichao Lian, Shunmei Meng, Qianmu Li. ICPR, 2022.

• Cosine Model Watermarking Against Ensemble Distillation. [pdf] (opens new window)

  • Laurent Charette, Lingyang Chu, Yizhou Chen, Jian Pei, Lanjun Wang, Yong Zhang. AAAI, 2022.

• Encryption Resistant Deep Neural Network Watermarking. [pdf] (opens new window)

  • Guobiao Li, Sheng Li, Zhenxing Qian, Xinpeng Zhang. *ICASSP *, 2022.

• Identification for Deep Neural Network: Simply Adjusting Few Weights!

  • Yingjie Lao, Peng Yang, Weijie Zhao, Ping Li. ICDE, 2022.

• Subnetwork-Lossless Robust Watermarking for Hostile Theft Attacks in Deep Transfer Learning Models.

  • Jia, Ju and Wu, Yueming and Li, Anran and Ma, Siqi and Liu, Yang. TDSC, 2022.

• FedIPR: Ownership verification for federated deep neural network models. [pdf] (opens new window) [code] (opens new window)

  • Lixin Fan, Bowen Li, Hanlin Gu, Jie Li, Qiang Yang. PAMI, 2022.

• Defending against model stealing via verifying embedded external features. [pdf] (opens new window) [code] (opens new window)

  • Yiming Li, Linghui Zhu, Xiaojun Jia, Yong Jiang, Shu-Tao Xia, Xiaochun Cao. AAAI, 2022.

• Collusion Resistant Watermarking for Deep Learning Models Protection.

  • Sayoko Kakikura, Hyunho Kang, Keiichi Iwamura. ICACT, 2022.

• AIME: watermarking AI models by leveraging errors.

  • Dhwani Mehta, Nurun N. Mondol, Farimah Farahmandi, Mark M. Tehranipoor. DATE, 2022.

• Leveraging Multi-task Learning for Umambiguous and Flexible Deep Neural Network Watermarking. [pdf] (opens new window)

  • Fangqi Li, Lei Yang, Shilin Wang, Alan Wee-Chung Liew:. SafeAI@AAAI, 2022.

2021

• Delving in the loss landscape to embed robust watermarks into neural networks.

  • Tartaglione, Enzo and Grangetto, Marco and Cavagnino, Davide and Botta, Marco. ICPR, 2021.

• RIGA:Covert and robust white-box watermarking of deep neural networks. [pdf] (opens new window)

  • Tianhao Wang, Florian Kerschbaum. WWW, 2021.

• White-box watermarking scheme for fully-connected layers in fine-tuning model. [pdf] (opens new window)

  • Kuribayashi, Minoru and Tanaka, Takuro and Suzuki, Shunta and Yasui, Tatsuya and Funabiki, Nobuo. IH&MMSec, 2021.

• Watermarking Deep Neural Networks with Greedy Residuals. [pdf] (opens new window) [code] (opens new window)

  • Liu, Hanwen, Zhenyu Weng, and Yuesheng Zhu. ICML, 2021.

• Spread-transform dither modulation watermarking of deep neural network. [pdf] (opens new window) [code] (opens new window)

  • Yue Li, Benedetta Tondi, Mauro Barni. Journal of Information Security and Applications, 2021.

• A Feature-Map-Based Large-Payload DNN Watermarking Algorithm. [code] (opens new window)

  • Yue Li, Lydia Abady, Hongxia Wang, Mauro Barni. IWDW, 2021.

• Don't Forget to Sign the Gradients! [pdf] (opens new window)

  • Omid Aramoon, Pin-Yu Chen, Gang Qu. MLSys, 2021.

• You are caught stealing my winning lottery ticket! Making a lottery ticket claim its ownership. [pdf] (opens new window) [code] (opens new window)

  • Xuxi Chen, Tianlong Chen, Zhenyu Zhang, Zhangyang Wang. NIPS, 2021.

2020

• Watermarking in deep neural networks via error back-propagation. [pdf] (opens new window)

  • Wang, Jiangfeng and Wu, Hanzhou and Zhang, Xinpeng and Yao, Yuwei. Electronic Imaging, 2020.

• Watermarking neural network with compensation mechanism.

  • Feng Le,Zhang Xinpeng. KSEM, 2020.

• Passport-aware normalization for deep model protection. [pdf] (opens new window)

  • Zhang, Jie and Chen, Dongdong and Liao, Jing and Zhang, Weiming and Hua, Gang and Yu, Nenghai. NIPS, 2020.

• Adam and the Ants: On the Influence of the Optimization Algorithm on the Detectability of DNN Watermarks. [pdf] (opens new window)

  • Cortiñas-Lorenzo, Betty, and Fernando Pérez-González. Entropy, 2020.

2019

• Deepsigns: An end-to-end watermarking framework for protecting the ownership of deep neural networks. [pdf] (opens new window)

  • BD Rouhani, H Chen, F Koushanfar. ASPLOS, 2019.

• Deepmarks: A secure fingerprinting framework for digital rights management of deep learning models. [pdf] (opens new window)

  • Chen, Huili and Rouhani, Bita Darvish and Fu, Cheng and Zhao, Jishen and Koushanfar, Farinaz. ICMR, 2019.

• Rethinking deep neural network ownership verification:Embedding passports to defeat ambiguity attacks. [pdf] (opens new window) [code] (opens new window)

  • Fan, Lixin, Kam Woh Ng, and Chee Seng Chan. NIPS, 2019.

• Visual decoding of hidden watermark in trained deep neural network.

  • Sakazawa, Shigeyuki and Myodo, Emi and Tasaka, Kazuyuki and Yanagihara, Hiromasa. MIPR, 2019.

2017

• Embedding watermarks into deep neural networks. [pdf] (opens new window)
  • Uchida, Yusuke and Nagai, Yuki and Sakazawa, Shigeyuki and Satoh, Shin'ichi. ICMR, 2017.

Black-box Watermark

2023

• A Novel Model Watermarking for Protecting Generative Adversarial Network.

  • Tong Qiao, Yuyan Ma, Ning Zheng, Hanzhou Wu, Yanli Chen, Ming Xu, Xiangyang Luo. Computers & Security, 2023.

• Deep neural network watermarking based on a reversible image hiding network.

  • Wang, Linna and Song, Yunfei and Xia, Daoxun. PAA, 2023.

• Unambiguous and High-Fidelity Backdoor Watermarking for Deep Neural Networks. [code] (opens new window)

  • Hua, Guang and Teoh, Andrew Beng Jin and Xiang, Yong and Jiang, Hao. TNNLS, 2023.

• Universal BlackMarks: Key-Image-Free Blackbox Multi-Bit Watermarking of Deep Neural Networks.

  • Li Li, Weiming Zhang, Mauro Barni. SPL, 2023.

• Generative Model Watermarking Based on Human Visual System. [pdf] (opens new window)

  • Li Zhang, Yong Liu, Shaoteng Liu, Tianshu Yang, Yexin Wang, Xinpeng Zhang, Hanzhou Wu. IFTC, 2023.

• Mixer: DNN Watermarking using Image Mixup. [pdf] (opens new window)

  • Kassem Kallas, Teddy Furon. ICASSP, 2023.

2022

• Speech Pattern Based Black-Box Model Watermarking for Automatic Speech Recognition. [pdf] (opens new window)

  • Haozhe Chen, Weiming Zhang, Kunlin Liu, Kejiang Chen, Han Fang, Nenghai Yu. ICASSP, 2022.

• Sparse Trigger Pattern Guided Deep Learning Model Watermarking. [pdf] (opens new window)

  • Chun-Shien Lu. IH&MMSec, 2022.

• Protect, show, attend and tell: Empowering image captioning models with ownership protection. [pdf] (opens new window) [code] (opens new window)

  • Jian Han Lim, Chee Seng Chan, Kam Woh Ng, Lixin Fan, Qiang Yang. Pattern Recognition, 2022.

• Watermarking pre-trained encoders in contrastive learning. [pdf] (opens new window)

  • Yutong Wu, Han Qiu, Tianwei Zhang, Jiwei Li, Meikang Qiu. ICDIS, 2022.

• SSLGuard: A Watermarking Scheme for Self-supervised Learning Pre-trained Encoders. [pdf] (opens new window) [code] (opens new window)

  • Tianshuo Cong, Xinlei He, Yang Zhang. CCS, 2022.

• Certified Neural Network Watermarks with Randomized Smoothing. [pdf] (opens new window)

  • Arpit Bansal, Ping-Yeh Chiang, Michael J. Curry, Rajiv Jain, Curtis Wigington, Varun Manjunatha, John P. Dickerson, Tom Goldstein. ICML, 2022.

• TADW: Traceable and Anti-detection Dynamic Watermarking of Deep Neural Networks.

  • Dong, Jinwei and Wang, He and He, Zhipeng and Niu, Jun and Zhu, Xiaoyan and Wu, Gaofei. SCN, 2022.

• BlindSpot: Watermarking Through Fairness. [pdf] (opens new window)

  • Sofiane Lounici, Melek Önen, Orhan Ermis, Slim Trabelsi. IH&MMSec, 2022.

• Method for copyright protection of deep neural networks using digital watermarking. [pdf] (opens new window)

  • Yuliya D. Vybornova. ICMV, 2022.

• Rose: A robust and secure dnn watermarking. [pdf] (opens new window)

  • Kassem Kallas, Teddy Furon. WIFS, 2022.

• Watermarking of deep recurrent neural network using adversarial examples to protect intellectual property. [pdf] (opens new window)

  • Pulkit Rathi, Saumya Bhadauria, Sugandha Rathi. Applied Artificial Intelligence, 2022.

• RoSe: A RObust and SEcure Black-Box DNN Watermarking. [pdf] (opens new window)

  • Kallas, Kassem and Furon, Teddy. WIFS, 2022.

2021

• Dawn: Dynamic adversarial watermarking of neural networks. [pdf] (opens new window) [code] (opens new window)

  • Sebastian Szyller, Buse Gul Atli, Samuel Marchal, N. Asokan. ACM MM, 2021.

• Piracy-resistant DNN watermarking by block-wise image transformation with secret key. [pdf] (opens new window)

  • Maung Maung, April Pyone, and Hitoshi Kiya. IH&MMSec, 2021.

• Robust watermarking for deep neural networks via bi-level optimization. [pdf] (opens new window)

  • Peng Yang, Yingjie Lao, Ping Li. ICCV, 2021.

• Robust black-box watermarking for deep neural network using inverse document frequency. [pdf] (opens new window)

  • Mohammad Mehdi Yadollahi, Farzaneh Shoeleh, Sajjad Dadkhah, Ali A. Ghorbani. DASC/PiCom/CBDCom/CyberSciTech, 2021.

• Protecting intellectual property of generative adversarial networks from ambiguity attacks. [pdf] (opens new window) [code] (opens new window)

  • Ding Sheng Ong, Chee Seng Chan, Kam Woh Ng, Lixin Fan, Qiang Yang. CVPR, 2021.

• Entangled Watermarks as a Defense against Model Extraction. [pdf] (opens new window) [code] (opens new window)

  • Hengrui Jia, Christopher A. Choquette-Choo, Varun Chandrasekaran, Nicolas Papernot. USENIX Security, 2021.

• Persistent watermark for image classification neural networks by penetrating the autoencoder.

  • Fang-Qi Li, Shi-Lin Wang. ICIP, 2021.

• Watermarking graph neural networks by random graphs. [pdf] (opens new window)

  • Xiangyu Zhao, Hanzhou Wu, Xinpeng Zhang. ISDFS, 2021.

• Yes We can: Watermarking Machine Learning Models beyond Classification. [pdf] (opens new window)

  • Sofiane Lounici, Mohamed Njeh, Orhan Ermis, Melek Önen, Slim Trabelsi. CSF, 2021.

• WAFFLE: Watermarking in federated learning. [pdf] (opens new window) [code] (opens new window)

  • Buse G. A. Tekgul, Yuxi Xia, Samuel Marchal, N. Asokan. SRDS, 2021.

2020

• Adversarial frontier stitching for remote neural network watermarking.Neural Computing and Applications. [pdf] (opens new window)

  • Erwan Le Merrer, Patrick Pérez, Gilles Trédan. Neural Computing and Applications, 2020.

• Protecting IP of deep neural networks with watermarking:A new label helps. [pdf] (opens new window) [code] (opens new window)

  • Qi Zhong, Leo Yu Zhang, Jun Zhang, Longxiang Gao, Yong Xiang. PAKDD, 2020.

• Protecting the intellectual property of deep neural networks with watermarking: The frequency domain approach. [pdf] (opens new window)

  • Li, Meng and Zhong, Qi and Zhang, Leo Yu and Du, Yajuan and Zhang, Jun and Xiang, Yong. TrustCom, 2020.

• Secure neural network watermarking protocol against forging attack. [pdf] (opens new window)

  • Renjie Zhu, Xinpeng Zhang, Mengte Shi, Zhenjun Tang. * EURASIP Journal on Image and Video Processing*, 2020.

• Watermarking deep neural networks in image processing. [pdf] (opens new window)

  • Yuhui Quan, Huan Teng, Yixin Chen, Hui Ji. TNNLS, 2020.

• SpecMark: A Spectral Watermarking Framework for IP Protection of Speech Recognition Systems. [pdf] (opens new window) [code]

  • . INTERSPEECH, 2020.

2019

• Robust watermarking of neural network with exponential weighting. [pdf] (opens new window)

  • Ryota Namba, Jun Sakuma. AsiaCCS, 2019.

• How to prove your model belongs to you:A blind-watermark based framework to protect intellectual property of DNN. [pdf] (opens new window) [code] (opens new window)

  • Zheng Li, Chengyu Hu, Yang Zhang, Shanqing Guo. *ACSAC *, 2019.

2018

• Turning your weakness into a strength:Watermarking deep neural networks by backdooring. [pdf] (opens new window)

  • Yossi Adi, Carsten Baum, Moustapha Cissé, Benny Pinkas, Joseph Keshet. USENIX Security, 2018.

• Protecting intellectual property of deep neural networks with watermarking. [pdf] (opens new window)

  • Jialong Zhang, Zhongshu Gu, Jiyong Jang, Hui Wu, Marc Ph. Stoecklin, Heqing Huang, Ian M. Molloy. AsiaCCS, 2018.

• Watermarking deep neural networks for embedded systems. [pdf] (opens new window)

  • Jia Guo, Miodrag Potkonjak. ICCAD, 2018.

No-box Watermark

2022

• Protecting intellectual property of language generation apis with lexical watermark. [pdf] (opens new window)

  • Xuanli He, Qiongkai Xu, Lingjuan Lyu, Fangzhao Wu, Chenguang Wang. Proceedings of the AAAI Conference on Artificial Intelligence, 2022.

• Supervised gan watermarking for intellectual property protection. [pdf] (opens new window)

  • Jianwei Fei, Zhihua Xia, Benedetta Tondi, Mauro Barni. IEEE International Workshop on Information Forensics and Security (WIFS), 2022.

2021

• Adversarial watermarking transformer: Towards tracing text provenance with data hiding.
  [pdf] (opens new window)

  • Abdelnabi S,Fritz M. IEEE Symp on Security and Privacy, 2021.

• Watermarking neural networks with watermarked images. [link] (opens new window)

  • Hanzhou Wu, Gen Liu, Yuwei Yao, Xinpeng Zhang. IEEE Transactions on Circuits and Systems for Video Technology, 2021.

• Deep model intellectual property protection via deep watermarking. [pdf] (opens new window)

  • Jie Zhang, Dongdong Chen, Jing Liao, Weiming Zhang, Huamin Feng, Gang Hua, Nenghai Yu. IEEE Transactions on Pattern Analysis and Machine Intelligence, 2021.

Attack on Watermark

2023

• Effective ambiguity attack against passport-based dnn intellectual property protection schemes through fully connected layer substitution. [pdf] (opens new window)

  • Yiming Chen, Jinyu Tian, Xiangyu Chen and Jiantao Zhou. IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2023.

• Rethinking White-Box Watermarks on Deep Learning Models under Neural Structural Obfuscation. [pdf] (opens new window)

  • Yifan Yan, Xudong Pan, Mi Zhang, Min Yang. USENIX security symposium (USENIX Security 23), 2023.

• Linear Functionality Equivalence Attack Against Deep Neural Network Watermarks and a Defense Method by Neuron Mapping. [link] (opens new window)

  • Fang-Qi Li, Shi-Lin Wang and Alan Wee-Chung Liew. IEEE Transactions on Information Forensics and Security, 2023.

• Attacks on Recent DNN IP Protection Techniques and Their Mitigation. [link] (opens new window)

  • Rijoy Mukherjee and Rajat Subhra Chakraborty. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems ,2023.

2022

• Attention Distraction: Watermark Removal Through Continual Learning with Selective Forgetting. [pdf] (opens new window)

  • Qi Zhong, Leo Yu Zhang, Shengshan Hu, Longxiang Gao, Jun Zhang, Yong Xiang. IEEE International Conference on Multimedia and Expo (ICME), 2022.

• Rethinking the Vulnerability of DNN Watermarking: Are Watermarks Robust against Naturalness-aware Perturbations? [pdf] (opens new window)

  • ACM International Conference on Multimedia, 2022.

• Watermark Removal Scheme Based on Neural Network Model Pruning.

  • International Conference on Machine Learning and Natural Language Processing, 2022.

• Removing Watermarks For Image Processing Networks Via Referenced Subspace Attention. [link] (opens new window)

  • Run Wang, Haoxuan Li, Lingzhou Mu, Jixing Ren, Shangwei Guo, Li Liu, Liming Fang, Jing Chen, Lina Wang. The Computer Journal, 2022.

2021

• Fine-tuning is not enough: A simple yet effective watermark removal attack for DNN models. [pdf] (opens new window)

  • Shangwei Guo, Tianwei Zhang, Han Qiu, Yi Zeng, Tao Xiang and Yang Liu. International Joint Conferences on Artificial Intelligence Organization (IJCAI), 2021.

• Refit:A unified watermark removal framework for deep learning systems with limited data. [pdf] (opens new window)

  • Xinyun Chen, Wenxiao Wang, Chris Bender, Yiming Ding, Ruoxi Jia, Bo Li, Dawn Song. ACM Asia Conf on Computer and Communications Security, 2021.

• On the robustness of backdoor-based watermarking in deep neural networks. [pdf] (opens new window)

  • Masoumeh Shafieinejad, Jiaqi Wang, Nils Lukas, Xinda Li, Florian Kerschbaum. ACM Workshop on Information Hiding and Multimedia Security, 2021.

• NeuNAC: A novel fragile watermarking algorithm for integrity protection of neural networks. [link] (opens new window)

  • Marco Botta, Davide Cavagnino, Roberto Esposito. Information Sciences, 2021.

• Removing backdoor-based watermarks in neural networks with limited data. [pdf] (opens new window)

  • Xuankai Liu, Fengting Li, Bihan Wen, Qi Li. International Conference on Pattern Recognition (ICPR), 2021.

• Detect and remove watermark in deep neural networks via generative adversarial networks. [pdf] (opens new window)

  • Haoqi Wang, Mingfu Xue, Shichang Sun, Yushu Zhang, Jian Wang and Weiqiang Liu. Information Security: 24th International Conference, ISC 2021.

2019

• Attacks on digital watermarks for deep neural networks. [pdf] (opens new window)

  • Tianhao Wang, Florian Kerschbaum. Proc of IEEE Int Conf on Acoustics,Speech and Signal Processing.Piscataway, 2019.

• Leveraging unlabeled data for watermark removal of deep neural networks. [pdf] (opens new window)]

  • Xinyun Chen, Wenxiao Wang, Yiming Ding, Chris Bender, Ruoxi Jia, Bo Li, Dawn Song. ICML workshop on Security and Privacy of Machine Learning, 2019.

Evaluation

2022

• Sok: How robust is image classification deep neural network watermarking? [pdf] (opens new window)

  • Nils Lukas, Edward Jiang, Xinda Li, Florian Kerschbaum. IEEE Symposium on Security and Privacy (SP), 2022.

• Evaluating the robustness of trigger set-based watermarks embedded in deep neural networks. [pdf] (opens new window)

  • Suyoung Lee, Wonho Song, Suman Jana, Meeyoung Cha, and Sooel Son. IEEE Transactions on Dependable and Secure Computing, 2022.

Other Model Protection Methods

Fragile watermark

2022

• Neural network fragile watermarking with no model performance degradation. [pdf] (opens new window)

  • Zhaoxia Yin, Heng Yin, Xinpeng Zhang. IEEE International Conference on Image Processing (ICIP), 2022.

• Deepauth: A dnn authentication framework by model-unique and fragile signature embedding. [pdf] (opens new window)

  • Yingjie Lao1, Weijie Zhao, Peng Yang, Ping Li. AAAI Conference on Artificial Intelligence, 2022.

• Verifying integrity of deep ensemble models by lossless black-box watermarking with sensitive samples. [pdf] (opens new window)

  • Lina Lin and Hanzhou Wu. International Symposium on Digital Forensics and Security (ISDFS), 2022.

2021

• Fragile neural network watermarking with trigger image set. [pdf] (opens new window)

  • Renjie Zhu, Ping Wei, Sheng Li, Zhaoxia Yin, Xinpeng Zhang and Zhenxing Qian. Int Conf on Knowledge Science, 2021.

• DeepiSign: Invisible fragile watermark to protect the integrity and authenticity of CNN. [pdf] (opens new window)

  • Alsharif Abuadbba, Hyoungshick Kim, Surya Nepal. Annual ACM Symposium on Applied Computing, 2021.

• NeuNAC: A novel fragile watermarking algorithm for integrity protection of neural networks. [link] (opens new window)

  • Marco Botta, Davide Cavagnino, Roberto Esposito. Information Sciences, 2021.

2019

• Sensitive-sample fingerprinting of deep neural networks. [pdf] (opens new window)
• Zecheng He, Tianwei Zhang, Ruby Lee. IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2019.

Hardware-based

2022

• Ownership Verification of DNN Architectures via Hardware Cache Side Channels. [pdf] (opens new window)

  • Xiaoxuan Lou, Shangwei Guo, Jiwei Li, and Tianwei Zhang. IEEE Transactions on Circuits and Systems for Video Technology, 2022.

• DeepHardMark: Towards watermarking neural network hardware. [pdf] (opens new window)

  • Joseph Clements, Yingjie Lao. AAAI Conference on Artificial Intelligence, 2022.

• PUF-Based Intellectual Property Protection for CNN Model. [link] (opens new window)

  • Dawei Li, Yangkun Ren, Di Liu, Zhenyu Guan, Qianyun Zhang, Yanzhao Wang and Jianwei Liu. Knowledge Science, Engineering and Management: 15th International Conference(KSEM), 2022.

2019

• Hardware-assisted intellectual property protection of deep learning models. [pdf] (opens new window)
  • Abhishek Chakraborty, Ankit Mondal, and Ankur Srivastava. ACM/IEEE Design Automation Conference (DAC), 2020.

Model Fingerprinting

2023

• Mitigating Query-based Neural Network Fingerprinting via Data Augmentation. [pdf] (opens new window)
  • MEIQI WANG, HAN QIU, TIANWEI ZHANG, MEIKANG QIU, BHAVANI THURAISINGHAM. ACM Transactions on Sensor Networks, 2023.

2022

• MetaV: A Meta-Verifier Approach to Task-Agnostic Model Fingerprinting. [link] (opens new window)

  • Xudong Pan, Yifan Yan, Mi Zhang, Min Yang. ACM SIGKDD Conference on Knowledge Discovery and Data Mining, 2022.

• Metafinger: Fingerprinting the deep neural networks with meta-training. [pdf] (opens new window)

  • Kang Yang, Run Wang, Lina Wang. International Joint Conference on Artificial Intelligence (IJCAI), 2022.

• Fingerprinting deep neural networks globally via universal adversarial perturbations. [pdf] (opens new window)

  • Zirui Peng, Shaofeng Li, Guoxing Chen, Cheng Zhang, Haojin Zhu, Minhui X. IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2022.

• A DNN Fingerprint for Non-Repudiable Model Ownership Identification and Piracy Detection. [link] (opens new window)

  • Yue Zheng, Si Wang, Chip-Hong Chang. IEEE Transactions on Information Forensics and Security, 2022.

• Copy, right? A testing framework for copyright protection of deep learning models. [pdf] (opens new window)

  • Jialuo Chen, Jingyi Wang, Tinglan Peng, Youcheng Sun, Peng Cheng, Shouling Ji, Xingjun Ma, Bo Li and Dawn Song. IEEE Symposium on Security and Privacy (SP), 2022.

2021

• IPGuard: Protecting intellectual property of deep neural networks via fingerprinting the classification boundary. [pdf] (opens new window)

  • Xiaoyu Cao, Jinyuan Jia, Neil Zhenqiang Gong. ACM Asia Conference on Computer and Communications Security, 2021.

• Characteristic Examples: High-Robustness, Low-Transferability Fingerprinting of Neural Networks. [pdf] (opens new window)

  • Siyue Wang , Xiao Wang , Pin-Yu Chen , Pu Zhao and Xue Lin. International Joint Conferences on Artificial Intelligence Organization (IJCAI), 2021.

• ModelDiff: testing-based DNN similarity comparison for model reuse detection. [pdf] (opens new window)

  • Yuanchun Li, Ziqi Zhang, Bingyan Liu, Ziyue Yang, Yunxin Liu. ACM SIGSOFT International Symposium on Software Testing and Analysis, 2021

• Deep neural network fingerprinting by conferrable adversarial examples. [pdf] (opens new window)

  • Nils Lukas, Yuxuan Zhang, Florian Kerschbaum. International Conference on Learning Representations, 2021

• Intrinsic examples: Robust fingerprinting of deep neural networks. [pdf] (opens new window)

  • Siyue Wang, Pu Zhao, Xiao Wang, Sang Chin, Thomas Wahl, Yunsi Fe, Qi Alfred Chen, Xue Lin. British Machine Vision Conference (BMVC), 2021.

• Tafa: A task-agnostic fingerprinting algorithm for neural networks. [pdf] (opens new window)

  • Xudong Pan, Mi Zhang, Yifan Lu, and Min Yang. Computer Security–ESORICS 2021: 26th European Symposium on Research in Computer Security, 2021.

• Fingerprinting deep neural networks-a deepfool approach. [link] (opens new window)

  • Si Wang, Chip-Hong Chang. IEEE International Symposium on Circuits and Systems (ISCAS), 2021 .

2020

• AFA: Adversarial fingerprinting authentication for deep neural networks. [link] (opens new window)
  • Jingjing Zhao, Qingyue Hu, Gaoyang Liu, Xiaoqiang Ma, Fei Chen, Mohammad Mehedi Hassan. Computer Communications, 2020.

2019

• DeepAttest: An end-to-end attestation framework for deep neural networks. [pdf] (opens new window)
  • Huili Chen, Cheng Fu, Bita Darvish Rouhani, Jishen Zhao, Farinaz Koushanfar. International Symposium on Computer Architecture, 2019.

Model Hashing

2023

• Perceptual Hashing of Deep Convolutional Neural Networks for Model Copy Detection. [link] (opens new window)
  • Haozhe Chen, Hang Zhou, Jie Zhang, Dongdong Chen, Weiming Zhang, Kejiang Chen, Gang Hua, Nenghai Yu. ACM Transactions on Multimedia Computing, Communications and Applications, 2023.

2022

• Perceptual hash of neural networks. [pdf] (opens new window)

  • Zhiying Zhu, Hang Zhou, Siyuan Xing, Zhenxing Qian, Sheng Li and Xinpeng Zhang. Symmetry, 202.

• Neural Network Model Protection with Piracy Identification and Tampering Localization Capability. [link] (opens new window)

  • Cheng Xiong, Guorui Feng, Xinran Li, Xinpeng Zhang, Chuan Qin. ACM International Conference on Multimedia, 2022.

• DNN self-embedding watermarking: Towards tampering detection and parameter recovery for deep neural network. [link] (opens new window)

  • Gejian Zhao, Chuan Qin, Heng Yao, Yanfang Han. Pattern Recognition Letters, 2022.

• Graph-based Robust Model Hashing. [link] (opens new window)

  • Yitong Tao, Chuan Qin. IEEE International Workshop on Information Forensics and Security (WIFS), 2022.

• Perceptual Model Hashing: Towards Neural Network Model Authentication. [link] (opens new window)

  • Xinran Li, Zichi Wang, Guorui Feng, Xinpeng Zhang, Chuan Qin. IEEE International Workshop on Multimedia Signal Processing (MMSP), 2022.

Active Control

2023

• Image and model transformation with secret key for vision transformer. [pdf] (opens new window)

  • Hitoshi KIYA, Ryota IIJIMA, MaungMaung APRILPYONE and Yuma KINOSHITA. IEICE TRANSACTIONS on Information and Systems, 2023.

• ActiveGuard: An active intellectual property protection technique for deep neural networks by leveraging adversarial examples as users' fingerprints. [pdf] (opens new window)

  • Mingfu Xue, Shichang Sun, Can He, Dujuan Gu, Yushu Zhang, Jian Wang, Weiqiang Liu. IET Computers & Digital Techniques, 2023.

• Active Authorization Control of Deep Models Using Channel Pruning. [link] (opens new window)

  • Linna Wang, Yunfei Song, Yujia Zhu and Daoxun Xia. Computer Supported Cooperative Work and Social Computing, ChineseCSCW 2022. Springer Nature Singapore, 2023.

2022

• Sample-Specific Backdoor based Active Intellectual Property Protection for Deep Neural Networks. [link] (opens new window)

  • Yinghao Wu, Mingfu Xue, Dujuan Gu, Yushu Zhang, Weiqiang Liu. IEEE International Conference on Artificial Intelligence Circuits and Systems (AICAS), 2022.

• Active intellectual property protection for deep neural networks through stealthy backdoor and users' identities authentication. [link] (opens new window)

  • Mingfu Xue, Shichang Sun, Yushu Zhang, Jian Wang and Weiqiang Liu. Applied Intelligence, 2022.

• AdvParams: An active DNN intellectual property protection technique via adversarial perturbation based parameter encryption. [pdf] (opens new window)

  • Mingfu Xue, Zhiyu Wu, Jian Wang, Yushu Zhang, and Weiqiang Liu. IEEE Transactions on Emerging Topics in Computing, 2022.

• Access control of semantic segmentation models using encrypted feature maps. [pdf] (opens new window)

  • Hiroki Ito, MaungMaung AprilPyone, Sayaka Shiota and Hitoshi Kiya. APSIPA Transactions on Signal and Information Processing, 2022.

2021

• Transfer learning-based model protection with secret key. [pdf] (opens new window)
  • MaungMaung AprilPyone and Hitoshi Kiya. IEEE International Conference on Image Processing (ICIP), 2021.

2020

• Active DNN IP protection: A novel user fingerprint management and DNN authorization control technique. [link] (opens new window)

  • Mingfu Xue, Zhiyu Wu, Can He, Jian Wang, Weiqiang Liu. IEEE International Conference on Trust, 2020.

• Training DNN model with secret key for model protection. [pdf] (opens new window)

  • MaungMaung AprilPyone and Hitoshi Kiya. IEEE Global Conference on Consumer Electronics (GCCE), 2020.

Reversible Watermarking

2020

• Reversible watermarking in deep convolutional neural networks for integrity authentication. [pdf] (opens new window)
  • Xiquan Guan, Huamin Feng, Weiming Zhang, Hang Zhou, Jie Zhang, Nenghai Yu. ACM International Conference on Multimedia, 2020.

Model Encryption

2020

• Chaotic weights: A novel approach to protect intellectual property of deep neural networks. [pdf] (opens new window)
  • Ning Lin, Xiaoming Chen, Hang Lu and Xiaowei L. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, 2020.

Competition