WaterMAS: Sharpness-Aware Maximization for Neural Network Watermarking

Carl De Sousa Trias; Mihai Mitrea; Attilio Fiandrotti; Marco Cagnazzo; Sumanta Chaudhuri; Enzo Tartaglione

doi:10.1007/978-3-031-78169-8_20

WaterMAS: Sharpness-Aware Maximization for Neural Network Watermarking

Carl De Sousa Trias
, Mihai Mitrea
, Attilio Fiandrotti
, Marco Cagnazzo
, Sumanta Chaudhuri
, Enzo Tartaglione

Telecom Sudparis
University of Turin
Institut Polytechnique de Paris
University of Padova

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

Nowadays, deep neural networks are used for solving complex tasks in several critical applications and protecting both their integrity and intellectual property rights (IPR) has become of utmost importance. To this end, we advance WaterMAS, a substitutive, white-box neural network watermarking method that improves the trade-off among robustness, imperceptibility, and computational complexity, while making provisions for increased data payload and security. WasterMAS insertion keeps unchanged the watermarked weights while sharpening their underlying gradient space. The robustness is thus ensured by limiting the attack’s strength: even small alterations of the watermarked weights would impact the model’s performance. The imperceptibility is ensured by inserting the watermark during the training process. The relationship among the WaterMAS data payload, imperceptibility, and robustness properties is discussed. The secret key is represented by the positions of the weights conveying the watermark, randomly chosen through multiple layers of the model. The security is evaluated by investigating the case in which an attacker would intercept the key. The experimental validations consider 5 models and 2 tasks (VGG16, ResNet18, MobileNetV3, SwinT for CIFAR10 image classification, and DeepLabV3 for Cityscapes image segmentation) as well as 4 types of attacks (Gaussian noise addition, pruning, fine-tuning, and quantization). The code will be released open-source upon acceptance of the article.

Original language	English
Title of host publication	Pattern Recognition - 27th International Conference, ICPR 2024, Proceedings
Editors	Apostolos Antonacopoulos, Subhasis Chaudhuri, Rama Chellappa, Cheng-Lin Liu, Saumik Bhattacharya, Umapada Pal
Publisher	Springer Science and Business Media Deutschland GmbH
Pages	301-317
Number of pages	17
ISBN (Print)	9783031781681
DOIs	https://doi.org/10.1007/978-3-031-78169-8_20
Publication status	Published - 1 Jan 2025
Event	27th International Conference on Pattern Recognition, ICPR 2024 - Kolkata, India Duration: 1 Dec 2024 → 5 Dec 2024

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	15305 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	27th International Conference on Pattern Recognition, ICPR 2024
Country/Territory	India
City	Kolkata
Period	1/12/24 → 5/12/24

Keywords

IPR
Neural Networks
Sharpness-aware optimisation
Watermarking

Access to Document

10.1007/978-3-031-78169-8_20

Cite this

De Sousa Trias, C., Mitrea, M., Fiandrotti, A., Cagnazzo, M., Chaudhuri, S., & Tartaglione, E. (2025). WaterMAS: Sharpness-Aware Maximization for Neural Network Watermarking. In A. Antonacopoulos, S. Chaudhuri, R. Chellappa, C.-L. Liu, S. Bhattacharya, & U. Pal (Eds.), Pattern Recognition - 27th International Conference, ICPR 2024, Proceedings (pp. 301-317). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) ; Vol. 15305 LNCS). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-031-78169-8_20

De Sousa Trias, Carl ; Mitrea, Mihai ; Fiandrotti, Attilio et al. / WaterMAS : Sharpness-Aware Maximization for Neural Network Watermarking. Pattern Recognition - 27th International Conference, ICPR 2024, Proceedings. editor / Apostolos Antonacopoulos ; Subhasis Chaudhuri ; Rama Chellappa ; Cheng-Lin Liu ; Saumik Bhattacharya ; Umapada Pal. Springer Science and Business Media Deutschland GmbH, 2025. pp. 301-317 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) ).

@inproceedings{81f58ca5aa0c4071874bcfb9b5fb54c8,

title = "WaterMAS: Sharpness-Aware Maximization for Neural Network Watermarking",

abstract = "Nowadays, deep neural networks are used for solving complex tasks in several critical applications and protecting both their integrity and intellectual property rights (IPR) has become of utmost importance. To this end, we advance WaterMAS, a substitutive, white-box neural network watermarking method that improves the trade-off among robustness, imperceptibility, and computational complexity, while making provisions for increased data payload and security. WasterMAS insertion keeps unchanged the watermarked weights while sharpening their underlying gradient space. The robustness is thus ensured by limiting the attack{\textquoteright}s strength: even small alterations of the watermarked weights would impact the model{\textquoteright}s performance. The imperceptibility is ensured by inserting the watermark during the training process. The relationship among the WaterMAS data payload, imperceptibility, and robustness properties is discussed. The secret key is represented by the positions of the weights conveying the watermark, randomly chosen through multiple layers of the model. The security is evaluated by investigating the case in which an attacker would intercept the key. The experimental validations consider 5 models and 2 tasks (VGG16, ResNet18, MobileNetV3, SwinT for CIFAR10 image classification, and DeepLabV3 for Cityscapes image segmentation) as well as 4 types of attacks (Gaussian noise addition, pruning, fine-tuning, and quantization). The code will be released open-source upon acceptance of the article.",

keywords = "IPR, Neural Networks, Sharpness-aware optimisation, Watermarking",

author = "\{De Sousa Trias\}, Carl and Mihai Mitrea and Attilio Fiandrotti and Marco Cagnazzo and Sumanta Chaudhuri and Enzo Tartaglione",

note = "Publisher Copyright: {\textcopyright} The Author(s), under exclusive license to Springer Nature Switzerland AG 2025.; 27th International Conference on Pattern Recognition, ICPR 2024 ; Conference date: 01-12-2024 Through 05-12-2024",

year = "2025",

month = jan,

day = "1",

doi = "10.1007/978-3-031-78169-8\_20",

language = "English",

isbn = "9783031781681",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) ",

publisher = "Springer Science and Business Media Deutschland GmbH",

pages = "301--317",

editor = "Apostolos Antonacopoulos and Subhasis Chaudhuri and Rama Chellappa and Cheng-Lin Liu and Saumik Bhattacharya and Umapada Pal",

booktitle = "Pattern Recognition - 27th International Conference, ICPR 2024, Proceedings",

}

De Sousa Trias, C, Mitrea, M, Fiandrotti, A, Cagnazzo, M, Chaudhuri, S & Tartaglione, E 2025, WaterMAS: Sharpness-Aware Maximization for Neural Network Watermarking. in A Antonacopoulos, S Chaudhuri, R Chellappa, C-L Liu, S Bhattacharya & U Pal (eds), Pattern Recognition - 27th International Conference, ICPR 2024, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) , vol. 15305 LNCS, Springer Science and Business Media Deutschland GmbH, pp. 301-317, 27th International Conference on Pattern Recognition, ICPR 2024, Kolkata, India, 1/12/24. https://doi.org/10.1007/978-3-031-78169-8_20

WaterMAS: Sharpness-Aware Maximization for Neural Network Watermarking. / De Sousa Trias, Carl; Mitrea, Mihai; Fiandrotti, Attilio et al.
Pattern Recognition - 27th International Conference, ICPR 2024, Proceedings. ed. / Apostolos Antonacopoulos; Subhasis Chaudhuri; Rama Chellappa; Cheng-Lin Liu; Saumik Bhattacharya; Umapada Pal. Springer Science and Business Media Deutschland GmbH, 2025. p. 301-317 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) ; Vol. 15305 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - WaterMAS

T2 - 27th International Conference on Pattern Recognition, ICPR 2024

AU - De Sousa Trias, Carl

AU - Mitrea, Mihai

AU - Fiandrotti, Attilio

AU - Cagnazzo, Marco

AU - Chaudhuri, Sumanta

AU - Tartaglione, Enzo

N1 - Publisher Copyright: © The Author(s), under exclusive license to Springer Nature Switzerland AG 2025.

PY - 2025/1/1

Y1 - 2025/1/1

N2 - Nowadays, deep neural networks are used for solving complex tasks in several critical applications and protecting both their integrity and intellectual property rights (IPR) has become of utmost importance. To this end, we advance WaterMAS, a substitutive, white-box neural network watermarking method that improves the trade-off among robustness, imperceptibility, and computational complexity, while making provisions for increased data payload and security. WasterMAS insertion keeps unchanged the watermarked weights while sharpening their underlying gradient space. The robustness is thus ensured by limiting the attack’s strength: even small alterations of the watermarked weights would impact the model’s performance. The imperceptibility is ensured by inserting the watermark during the training process. The relationship among the WaterMAS data payload, imperceptibility, and robustness properties is discussed. The secret key is represented by the positions of the weights conveying the watermark, randomly chosen through multiple layers of the model. The security is evaluated by investigating the case in which an attacker would intercept the key. The experimental validations consider 5 models and 2 tasks (VGG16, ResNet18, MobileNetV3, SwinT for CIFAR10 image classification, and DeepLabV3 for Cityscapes image segmentation) as well as 4 types of attacks (Gaussian noise addition, pruning, fine-tuning, and quantization). The code will be released open-source upon acceptance of the article.

AB - Nowadays, deep neural networks are used for solving complex tasks in several critical applications and protecting both their integrity and intellectual property rights (IPR) has become of utmost importance. To this end, we advance WaterMAS, a substitutive, white-box neural network watermarking method that improves the trade-off among robustness, imperceptibility, and computational complexity, while making provisions for increased data payload and security. WasterMAS insertion keeps unchanged the watermarked weights while sharpening their underlying gradient space. The robustness is thus ensured by limiting the attack’s strength: even small alterations of the watermarked weights would impact the model’s performance. The imperceptibility is ensured by inserting the watermark during the training process. The relationship among the WaterMAS data payload, imperceptibility, and robustness properties is discussed. The secret key is represented by the positions of the weights conveying the watermark, randomly chosen through multiple layers of the model. The security is evaluated by investigating the case in which an attacker would intercept the key. The experimental validations consider 5 models and 2 tasks (VGG16, ResNet18, MobileNetV3, SwinT for CIFAR10 image classification, and DeepLabV3 for Cityscapes image segmentation) as well as 4 types of attacks (Gaussian noise addition, pruning, fine-tuning, and quantization). The code will be released open-source upon acceptance of the article.

KW - IPR

KW - Neural Networks

KW - Sharpness-aware optimisation

KW - Watermarking

UR - https://www.scopus.com/pages/publications/85211344520

U2 - 10.1007/978-3-031-78169-8_20

DO - 10.1007/978-3-031-78169-8_20

M3 - Conference contribution

AN - SCOPUS:85211344520

SN - 9783031781681

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 301

EP - 317

BT - Pattern Recognition - 27th International Conference, ICPR 2024, Proceedings

A2 - Antonacopoulos, Apostolos

A2 - Chaudhuri, Subhasis

A2 - Chellappa, Rama

A2 - Liu, Cheng-Lin

A2 - Bhattacharya, Saumik

A2 - Pal, Umapada

PB - Springer Science and Business Media Deutschland GmbH

Y2 - 1 December 2024 through 5 December 2024

ER -

De Sousa Trias C, Mitrea M, Fiandrotti A, Cagnazzo M, Chaudhuri S , Tartaglione E. WaterMAS: Sharpness-Aware Maximization for Neural Network Watermarking. In Antonacopoulos A, Chaudhuri S, Chellappa R, Liu CL, Bhattacharya S, Pal U, editors, Pattern Recognition - 27th International Conference, ICPR 2024, Proceedings. Springer Science and Business Media Deutschland GmbH. 2025. p. 301-317. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) ). doi: 10.1007/978-3-031-78169-8_20