WaterMAS: Sharpness-Aware Maximization for Neural Network Watermarking

Carl De Sousa Trias; Mihai Mitrea; Attilio Fiandrotti; Marco Cagnazzo; Sumanta Chaudhuri; Enzo Tartaglione

doi:10.1007/978-3-031-78169-8_20

WaterMAS: Sharpness-Aware Maximization for Neural Network Watermarking

Carl De Sousa Trias
, Mihai Mitrea
, Attilio Fiandrotti
, Marco Cagnazzo
, Sumanta Chaudhuri
, Enzo Tartaglione

Telecom Sudparis
University of Turin
Institut Polytechnique de Paris
University of Padova

Résultats de recherche: Le chapitre dans un livre, un rapport, une anthologie ou une collection › Contribution à une conférence › Revue par des pairs

Résumé

Nowadays, deep neural networks are used for solving complex tasks in several critical applications and protecting both their integrity and intellectual property rights (IPR) has become of utmost importance. To this end, we advance WaterMAS, a substitutive, white-box neural network watermarking method that improves the trade-off among robustness, imperceptibility, and computational complexity, while making provisions for increased data payload and security. WasterMAS insertion keeps unchanged the watermarked weights while sharpening their underlying gradient space. The robustness is thus ensured by limiting the attack’s strength: even small alterations of the watermarked weights would impact the model’s performance. The imperceptibility is ensured by inserting the watermark during the training process. The relationship among the WaterMAS data payload, imperceptibility, and robustness properties is discussed. The secret key is represented by the positions of the weights conveying the watermark, randomly chosen through multiple layers of the model. The security is evaluated by investigating the case in which an attacker would intercept the key. The experimental validations consider 5 models and 2 tasks (VGG16, ResNet18, MobileNetV3, SwinT for CIFAR10 image classification, and DeepLabV3 for Cityscapes image segmentation) as well as 4 types of attacks (Gaussian noise addition, pruning, fine-tuning, and quantization). The code will be released open-source upon acceptance of the article.

langue originale	Anglais
titre	Pattern Recognition - 27th International Conference, ICPR 2024, Proceedings
rédacteurs en chef	Apostolos Antonacopoulos, Subhasis Chaudhuri, Rama Chellappa, Cheng-Lin Liu, Saumik Bhattacharya, Umapada Pal
Editeur	Springer Science and Business Media Deutschland GmbH
Pages	301-317
Nombre de pages	17
ISBN (imprimé)	9783031781681
Les DOIs	https://doi.org/10.1007/978-3-031-78169-8_20
état	Publié - 1 janv. 2025
Evénement	27th International Conference on Pattern Recognition, ICPR 2024 - Kolkata, Inde Durée: 1 déc. 2024 → 5 déc. 2024

Série de publications

Nom	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	15305 LNCS
ISSN (imprimé)	0302-9743
ISSN (Electronique)	1611-3349

Une conférence

Une conférence	27th International Conference on Pattern Recognition, ICPR 2024
Pays/Territoire	Inde
La ville	Kolkata
période	1/12/24 → 5/12/24

Accès au document

10.1007/978-3-031-78169-8_20

Autres fichiers et liens

Lien vers la publication dans Scopus

Contient cette citation

De Sousa Trias, C., Mitrea, M., Fiandrotti, A., Cagnazzo, M., Chaudhuri, S., & Tartaglione, E. (2025). WaterMAS: Sharpness-Aware Maximization for Neural Network Watermarking. Dans A. Antonacopoulos, S. Chaudhuri, R. Chellappa, C.-L. Liu, S. Bhattacharya, & U. Pal (eds.), Pattern Recognition - 27th International Conference, ICPR 2024, Proceedings (p. 301-317). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) ; Vol 15305 LNCS). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-031-78169-8_20

De Sousa Trias, Carl ; Mitrea, Mihai ; Fiandrotti, Attilio et al. / WaterMAS : Sharpness-Aware Maximization for Neural Network Watermarking. Pattern Recognition - 27th International Conference, ICPR 2024, Proceedings. Editeur / Apostolos Antonacopoulos ; Subhasis Chaudhuri ; Rama Chellappa ; Cheng-Lin Liu ; Saumik Bhattacharya ; Umapada Pal. Springer Science and Business Media Deutschland GmbH, 2025. p. 301-317 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) ).

@inproceedings{81f58ca5aa0c4071874bcfb9b5fb54c8,

title = "WaterMAS: Sharpness-Aware Maximization for Neural Network Watermarking",

abstract = "Nowadays, deep neural networks are used for solving complex tasks in several critical applications and protecting both their integrity and intellectual property rights (IPR) has become of utmost importance. To this end, we advance WaterMAS, a substitutive, white-box neural network watermarking method that improves the trade-off among robustness, imperceptibility, and computational complexity, while making provisions for increased data payload and security. WasterMAS insertion keeps unchanged the watermarked weights while sharpening their underlying gradient space. The robustness is thus ensured by limiting the attack{\textquoteright}s strength: even small alterations of the watermarked weights would impact the model{\textquoteright}s performance. The imperceptibility is ensured by inserting the watermark during the training process. The relationship among the WaterMAS data payload, imperceptibility, and robustness properties is discussed. The secret key is represented by the positions of the weights conveying the watermark, randomly chosen through multiple layers of the model. The security is evaluated by investigating the case in which an attacker would intercept the key. The experimental validations consider 5 models and 2 tasks (VGG16, ResNet18, MobileNetV3, SwinT for CIFAR10 image classification, and DeepLabV3 for Cityscapes image segmentation) as well as 4 types of attacks (Gaussian noise addition, pruning, fine-tuning, and quantization). The code will be released open-source upon acceptance of the article.",

keywords = "IPR, Neural Networks, Sharpness-aware optimisation, Watermarking",

author = "\{De Sousa Trias\}, Carl and Mihai Mitrea and Attilio Fiandrotti and Marco Cagnazzo and Sumanta Chaudhuri and Enzo Tartaglione",

note = "Publisher Copyright: {\textcopyright} The Author(s), under exclusive license to Springer Nature Switzerland AG 2025.; 27th International Conference on Pattern Recognition, ICPR 2024 ; Conference date: 01-12-2024 Through 05-12-2024",

year = "2025",

month = jan,

day = "1",

doi = "10.1007/978-3-031-78169-8\_20",

language = "English",

isbn = "9783031781681",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) ",

publisher = "Springer Science and Business Media Deutschland GmbH",

pages = "301--317",

editor = "Apostolos Antonacopoulos and Subhasis Chaudhuri and Rama Chellappa and Cheng-Lin Liu and Saumik Bhattacharya and Umapada Pal",

booktitle = "Pattern Recognition - 27th International Conference, ICPR 2024, Proceedings",

}

De Sousa Trias, C, Mitrea, M, Fiandrotti, A, Cagnazzo, M, Chaudhuri, S & Tartaglione, E 2025, WaterMAS: Sharpness-Aware Maximization for Neural Network Watermarking. Dans A Antonacopoulos, S Chaudhuri, R Chellappa, C-L Liu, S Bhattacharya & U Pal (eds), Pattern Recognition - 27th International Conference, ICPR 2024, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) , VOL. 15305 LNCS, Springer Science and Business Media Deutschland GmbH, p. 301-317, 27th International Conference on Pattern Recognition, ICPR 2024, Kolkata, Inde, 1/12/24. https://doi.org/10.1007/978-3-031-78169-8_20

WaterMAS: Sharpness-Aware Maximization for Neural Network Watermarking. / De Sousa Trias, Carl; Mitrea, Mihai; Fiandrotti, Attilio et al.
Pattern Recognition - 27th International Conference, ICPR 2024, Proceedings. Ed. / Apostolos Antonacopoulos; Subhasis Chaudhuri; Rama Chellappa; Cheng-Lin Liu; Saumik Bhattacharya; Umapada Pal. Springer Science and Business Media Deutschland GmbH, 2025. p. 301-317 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) ; Vol 15305 LNCS).

Résultats de recherche: Le chapitre dans un livre, un rapport, une anthologie ou une collection › Contribution à une conférence › Revue par des pairs

TY - GEN

T1 - WaterMAS

T2 - 27th International Conference on Pattern Recognition, ICPR 2024

AU - De Sousa Trias, Carl

AU - Mitrea, Mihai

AU - Fiandrotti, Attilio

AU - Cagnazzo, Marco

AU - Chaudhuri, Sumanta

AU - Tartaglione, Enzo

N1 - Publisher Copyright: © The Author(s), under exclusive license to Springer Nature Switzerland AG 2025.

PY - 2025/1/1

Y1 - 2025/1/1

N2 - Nowadays, deep neural networks are used for solving complex tasks in several critical applications and protecting both their integrity and intellectual property rights (IPR) has become of utmost importance. To this end, we advance WaterMAS, a substitutive, white-box neural network watermarking method that improves the trade-off among robustness, imperceptibility, and computational complexity, while making provisions for increased data payload and security. WasterMAS insertion keeps unchanged the watermarked weights while sharpening their underlying gradient space. The robustness is thus ensured by limiting the attack’s strength: even small alterations of the watermarked weights would impact the model’s performance. The imperceptibility is ensured by inserting the watermark during the training process. The relationship among the WaterMAS data payload, imperceptibility, and robustness properties is discussed. The secret key is represented by the positions of the weights conveying the watermark, randomly chosen through multiple layers of the model. The security is evaluated by investigating the case in which an attacker would intercept the key. The experimental validations consider 5 models and 2 tasks (VGG16, ResNet18, MobileNetV3, SwinT for CIFAR10 image classification, and DeepLabV3 for Cityscapes image segmentation) as well as 4 types of attacks (Gaussian noise addition, pruning, fine-tuning, and quantization). The code will be released open-source upon acceptance of the article.

AB - Nowadays, deep neural networks are used for solving complex tasks in several critical applications and protecting both their integrity and intellectual property rights (IPR) has become of utmost importance. To this end, we advance WaterMAS, a substitutive, white-box neural network watermarking method that improves the trade-off among robustness, imperceptibility, and computational complexity, while making provisions for increased data payload and security. WasterMAS insertion keeps unchanged the watermarked weights while sharpening their underlying gradient space. The robustness is thus ensured by limiting the attack’s strength: even small alterations of the watermarked weights would impact the model’s performance. The imperceptibility is ensured by inserting the watermark during the training process. The relationship among the WaterMAS data payload, imperceptibility, and robustness properties is discussed. The secret key is represented by the positions of the weights conveying the watermark, randomly chosen through multiple layers of the model. The security is evaluated by investigating the case in which an attacker would intercept the key. The experimental validations consider 5 models and 2 tasks (VGG16, ResNet18, MobileNetV3, SwinT for CIFAR10 image classification, and DeepLabV3 for Cityscapes image segmentation) as well as 4 types of attacks (Gaussian noise addition, pruning, fine-tuning, and quantization). The code will be released open-source upon acceptance of the article.

KW - IPR

KW - Neural Networks

KW - Sharpness-aware optimisation

KW - Watermarking

UR - https://www.scopus.com/pages/publications/85211344520

U2 - 10.1007/978-3-031-78169-8_20

DO - 10.1007/978-3-031-78169-8_20

M3 - Conference contribution

AN - SCOPUS:85211344520

SN - 9783031781681

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 301

EP - 317

BT - Pattern Recognition - 27th International Conference, ICPR 2024, Proceedings

A2 - Antonacopoulos, Apostolos

A2 - Chaudhuri, Subhasis

A2 - Chellappa, Rama

A2 - Liu, Cheng-Lin

A2 - Bhattacharya, Saumik

A2 - Pal, Umapada

PB - Springer Science and Business Media Deutschland GmbH

Y2 - 1 December 2024 through 5 December 2024

ER -

De Sousa Trias C, Mitrea M, Fiandrotti A, Cagnazzo M, Chaudhuri S , Tartaglione E. WaterMAS: Sharpness-Aware Maximization for Neural Network Watermarking. Dans Antonacopoulos A, Chaudhuri S, Chellappa R, Liu CL, Bhattacharya S, Pal U, rédacteurs en chef, Pattern Recognition - 27th International Conference, ICPR 2024, Proceedings. Springer Science and Business Media Deutschland GmbH. 2025. p. 301-317. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) ). doi: 10.1007/978-3-031-78169-8_20