Universal BlackMarks: Key-Image-Free Blackbox Multi-Bit Watermarking of Deep Neural Networks

Existing methods for Deep Neural Networks (DNN) watermarking either require accessing the internal parameters of the DNN models (white-box watermarking), or rely on backdooring to enforce a desired behavior of the model when the DNN is fed with a specific set of key input images (black-box watermarking). In this letter, we propose a black-box multi-bit DNN watermarking algorithm, suitable for multiclass classification networks, whereby the presence of the watermark can be retrieved from the output of the network in correspondence to any input. To read the watermark, we first apply a power function to the softmax output of the DNN model to map it from an impulse-like to a smooth distibution. Then, we extract the watermark bits by projecting the output of the DNN onto a pseudorandom key vector. Watermark embedding is achieved by adding a proper regularizer term to the training loss. The effectiveness of the proposed method is demonstrated by applying it to various network architectures working on different datasets. The experimental results demonstrate the possibility to embed a robust watermark into the output of the host DNN with a negligible impact on the accuracy of the original task.