Exposing Model Theft: A Robust and Transferable Watermark for Thwarting Model Extraction Attacks

Ruixiang Tang, Curtis Wigington, Hongye Jin, Rajiv Jain, Mengnan Du, Xia Hu

Research output: Chapter in Book/Report/Conference proceedingConference contribution

1 Scopus citations

Abstract

The increasing prevalence of Deep Neural Networks (DNNs) in cloud-based services has led to their widespread use through various APIs. However, recent studies reveal the susceptibility of these public APIs to model extraction attacks, where adversaries attempt to create a local duplicate of the private model using data and API-generated predictions. Existing defense methods often involve perturbing prediction distributions to hinder an attacker's training goals, inadvertently affecting API utility. In this study, we extend the concept of digital watermarking to protect DNNs' APIs. We suggest embedding a watermark into the safeguarded APIs; thus, any model attempting to copy will inherently carry the watermark, allowing the defender to verify any suspicious models. We propose a simple yet effective framework to increase watermark transferability. By requiring the model to memorize the preset watermarks in the final decision layers, we significantly enhance the transferability of watermarks. Comprehensive experiments show that our proposed framework not only successfully watermarks APIs but also maintains their utility.

Original languageEnglish (US)
Title of host publicationCIKM 2023 - Proceedings of the 32nd ACM International Conference on Information and Knowledge Management
PublisherAssociation for Computing Machinery
Pages4315-4319
Number of pages5
ISBN (Electronic)9798400701245
DOIs
StatePublished - Oct 21 2023
Event32nd ACM International Conference on Information and Knowledge Management, CIKM 2023 - Birmingham, United Kingdom
Duration: Oct 21 2023Oct 25 2023

Publication series

NameInternational Conference on Information and Knowledge Management, Proceedings

Conference

Conference32nd ACM International Conference on Information and Knowledge Management, CIKM 2023
Country/TerritoryUnited Kingdom
CityBirmingham
Period10/21/2310/25/23

All Science Journal Classification (ASJC) codes

  • General Business, Management and Accounting
  • General Decision Sciences

Keywords

  • API Protection
  • Intellectual Property Protection
  • MLaaS

Fingerprint

Dive into the research topics of 'Exposing Model Theft: A Robust and Transferable Watermark for Thwarting Model Extraction Attacks'. Together they form a unique fingerprint.

Cite this