Background
In recent years, significant progress has been made with Deep Neural Networks (DNN). Sharing trained DNN models is very important for the rapid progress of both research and industry and the development of intelligent systems. At the same time, a fully trained model is valuable and it is necessary to protect the rights of the shared models. To this end, digital watermarking technology can be used to protect intellectual property and detect intellectual property use infringement.
Brief problem description
The thesis focuses on the problem of embedding watermarks into deep neural networks. In the relevant literature, there are two types of approaches, either black block and white box. In the white box, we have access to the Neural Network (NN) structure and are able to modify directly the parameters, the activation functions and the regularization (among others). The black box approaches instead embed the watermark in the training dataset without touching the NN. Good watermarks do not impair the performance of networks into which a watermark is placed and do not disappear even after fine-tuning or parameter pruning. In this thesis you will explore different NN watermaking techniques presented in the literature, evaluate and compare them.
Prerequisite:
- Machine Learning theoretical and practical knowledge or will to learn quickly
- Focus on problem-solving and able to work independently
Related work you might want to read to understand if the thesis interests you:
- DeepSigns: A Generic Watermarking Framework for Protecting the Ownership of Deep Learning Models
- Turning Your Weakness Into a Strength: Watermarking Deep Neural Networks by Backdooring
Contact information:
To ask for a (zoom) meeting, send an email to andremer@ifi.uio.no and romanvi@ifi.uio.no