As Advanced Computing Proliferates Commercially, New Method Could Ward Off Copycats
Illustration by iStock
Companies spend vast amounts of time and millions of dollars on the development of neural network models used in facial recognition, artificial intelligence (AI) art generators and other cutting-edge technologies. These pricey, proprietary models could become prime targets for theft, which prompted a team of University of Maryland researchers to create an improved “watermark” to protect them that is far more sophisticated than hidden images on banknotes or printer paper.
Watermarks of the future will be a way for organizations to claim authorship of digital models and systems they create, akin to a painter signing their name in the corner of a painting. Current methods, however, are vulnerable to savvy adversaries who know how to tweak the network parameters in a way that would go unnoticed, allowing them to claim a model as their own.
That’s changing with the new watermark developed by the UMD team, which presented it at the International Conference on Machine Learning in July. It focuses on “neural networks,” a kind of machine-learning artificial intelligence that in some ways emulates the brain’s cognitive functions. The UMD watermark’s strength is that it cannot be removed from a neural network without making major changes that compromise the model itself.
“We can prove mathematically that it’s not possible to remove the watermark by making small changes to the network parameters,” said one of the paper’s co-authors, Tom Goldstein, an associate professor of computer science and Pier Giorgio Perotto Endowed Professor. “It doesn't matter how clever you are—unless the change you make to the neural network parameters is very large, you cannot come up with a method for removing the watermark.”
Computer science students Arpit Bansal Ph.D. ’22 and Ping-yeh Chiang M.S ’22 were lead authors, and Associate Professor John Dickerson, doctoral student Michael Curry and Goldstein were coauthors. The team collaborated with researchers from the Adobe Research lab located in the university’s Discovery District.
Watermarks typically use a signature or logo placed over an image to show ownership. But in this case, the watermarking process uses AI to assign unexpected labels to randomly generated “trigger images.” For example, the label “dog” could be assigned to an image of a cat.
This watermarking process makes it possible to detect when an adversary has stolen a model because those label and image pairings will also be duplicated. If 10 trigger images are used, the odds of the same pairings occurring by chance in two models are extremely slim—1 in 10 billion, to be exact.
Goldstein said that while he knows of no neural network model that has ever been stolen, the technology is still in its infancy, and AI is expected to become increasingly common in commercial products. With that comes the growing threat of theft, potentially leading to significant financial losses for a company.
“Because of the growth of AI, I think it’s likely that, down the road, we will see allegations of model theft being made,” Goldstein said. “However, I also think it’s very likely that companies will be savvy enough to employ some sort of watermarking technique to protect themselves against that.”
Maryland Today is produced by the Office of Marketing and Communications for the University of Maryland community on weekdays during the academic year, except for university holidays.
Faculty, staff and students receive the daily Maryland Today e-newsletter. To be added to the subscription list, sign up here:Subscribe