Removal attack: a research on vulnerability of box-free watermarking
Protecting the intellectual property (IP) of Deep Neural Networks (DNNs), which requires significant time and financial investment to train, has garnered considerable attention recently. Among the prevalent methods, watermarking has emerged as a key strategy to trace IP theft by offenders. The embed...
Saved in:
| Main Author: | |
|---|---|
| Other Authors: | |
| Format: | Thesis-Master by Coursework |
| Language: | English |
| Published: |
Nanyang Technological University
2024
|
| Subjects: | |
| Online Access: | https://hdl.handle.net/10356/175877 |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| Institution: | Nanyang Technological University |
| Language: | English |
| Summary: | Protecting the intellectual property (IP) of Deep Neural Networks (DNNs), which requires significant time and financial investment to train, has garnered considerable attention recently. Among the prevalent methods, watermarking has emerged as a key strategy to trace IP theft by offenders. The embedding techniques for watermarks are primarily categorized into three types: white-box, black-box, and box-free. In this dissertation, we focus on box-free watermarking and introduce our proposed watermark removal attack, named Observable Extractor-Guided (OEG) Remover, aimed at removing the watermark embedded by box-free model watermarking method and challenging its robustness. Initially, we propose three scenarios for the victim model that reflect realistic conditions and establish our attack objectives. Subsequently, we analyze the feasibility of the OEG Remover in all the scenarios and illustrate the process of the attack. Our experiments demonstrate that our proposed attack method can remove watermarks under various conditions with high success rate and without significant image quality degradation. Moreover, the experiments reveal the high versatility and scalability of our attack method, with seldom limitations on the victim model and the ability to interchange attack components at will. For the OEG Remover, we have the capability to not only remove the watermark embedded in the output of the victim model but also overwrite it. |
|---|