Multi-bit, Black-box Watermarking of Deep Neural Networks in Embedded Applications

The effort required to collect data and train a large neural network requires a significant investment from organizations. Therefore, trained neural networks are often seen as valuable intellectual property that needs to be protected. At the same time, we are increasingly seeing applications where a model is deployed on an edge device. This has several benefits, including improved privacy and reduced latency but it also opens up the possibility for third parties to extract the trained model from the device and to use it for their own purposes. Watermarking techniques aim to safeguard neural networks from unauthorized usage. These methods alter the model's behavior for specific trigger inputs, enabling the owner to recognize stolen instances. However, existing watermarking algorithms are not suited for distributed edge AI scenarios as they only create a single watermarked model instance. We introduce a novel multi-bit watermarking approach capable of efficiently generating a large number of model instances. Each of these instances maintains functional equivalence but exhibits unique behaviors when prompted with a predefined trigger input. This allows the owner to trace the source of a model leak to a potentially malicious user. We experimentally validate our approach on the MNIST, CIFAR-10, and ImageNet datasets, evaluating model performance and resilience against watermark removal attacks.