Investigating vulnerability of watermarking neural network

A neural network with great performance often incurs a high cost to train. The data used to train a neural network can be confidential or need additional substantial processing. Hence, a trained neural network is regarded as intellectual property. To protect a neural network from infringement of intellectual property, the idea to watermark a neural network has been introduced. This project investigates the vulnerability of a state-of-the-art deep learning watermarking scheme. The project focus on investigating the behavior of backdoor-based watermarking scheme then proposes 2 methods to remove the watermark using the concept of transfer learning. Method 1 retrains the last convolutional layer of a model, sothe newly trained layer cannot represent the abstract features of a watermarked sample to the classifier. Method 2 involves using the basic features learn by the early convolutional layers of the watermarked model to train a model with comparable performance. The given methods show that an adversary in the same domain as the owner of the watermarked model can remove the backdoor-based watermark and invalidate any potential claim on the model. The investigation and methods aim to identify the vulnerability of backdoor-based watermark so a countermeasure can be developed to protect neural network.