To Protect Machine Learning IP, Model Watermarking Is on the Rise

For many tech companies, their greatest asset is their intellectual property (IP). Now, as machine learning becomes more prominent, concerns over protecting related IP are becoming a major concern for organizations.

 

 

One method for protecting machine learning IP is through watermarking, a practice of embedding hidden code in digital content to protect it from theft or misuse. In the past several years, universities and companies alike have invested significant research into digital watermarking techniques for machine learning. Below are a few examples of these watermarking methods and use cases. 

 

Watermarking in Machine Learning

Watermarking has become more popular as the need to protect machine learning-related IP has grown. 

Digital watermarking entails embedding a unique and undetectable code into a piece of content as an identifier. Here, the watermark serves as proof of ownership. Digital watermarking has existed for quite some time and has mostly found use in applications such as digital audio and images. 

 

Watermarking can be achieved by adding special parameters to the model or by training the model on a special trigger dataset. Image courtesy of Frontiers

 

In machine learning, watermarking can prove ownership of a model. In this context, watermarking is most commonly achieved in two different ways:

1. Embedding the digital watermark into the model parameters. Here, a watermark can either take the form of additional bit strings encoded within existing model parameters, or it can be achieved by adding parameters that contain the watermark.
2. Creating a trigger that evokes an unusual prediction behavior in the marked model. With this method, developers can input a special trigger dataset into the model that causes the model to act in an unusual yet deterministic way.

In both of these cases, the original owner of the model can use their knowledge of the watermark to prove ownership of the model and identify illegitimate copies of it.

 

Watermarking for Proprietary Language Models

Recently, researchers from the University of Maryland published a paper on machine-learning watermarking.

In the study, the researchers describe a new watermarking framework designed explicitly for proprietary language models. The algorithm takes advantage of the fact that language models work by generating and predicting a single word at a time. The algorithm randomly divides the model’s vocabulary into two different sets, a “green” list and a “red” list, after each generated word. Then, the algorithm influences the model to choose words from the green list over the red list. 

 

Example of texts generated with and without the watermark. Image courtesy of arXiv

 

The researchers use this bias in word choice as a form of a watermark, where models trained with this algorithm have a higher likelihood of writing certain words. In this way, the researchers have claimed to create an easy-to-embed watermark for language models that also has negligible influence on the model’s performance. Additionally, the researchers claim they can use this method to identify whether or not a text was written by an AI.

 

Watermarking for Safe IoT Onboarding

To onboard a new IoT device onto a user's network, users typically use serial numbers, QR codes, or pin codes printed on the device or package. These techniques, however, leave the door open for anyone with physical access to a device to onboard the device on their network and tamper with it—for example, by installing hidden malware on the device. 

At the 2021 IEEE Consum Commun Network Conference, a group of researchers presented a new framework called Deep Learning-based Watermarking for Authorized IoT Onboarding (DLWIoT) that uses deep neural networks to create a fully automated image watermarking scheme. This technique embeds the user's credentials into carrier images, like the QR code printed on the device, which prevents IoT onboarding from anyone but the authorized user. 

 

The design of DLWIoT and how it operates. Image courtesy of the IEEE Consum Commun Network Conference

 

Watermarking for Copyrighted Embedded Models

Moving from academia to industry, NXP recently made its own headlines in the machine learning watermark space with a new tool to help developers add watermarks to their production models.

The new tool, which is part of NXP’s eIQ Toolkit, is called the eIQ Model Watermarking tool and is designed to be an easy-to-use tool for embedded models. The tool works by embedding a secret drawing into a model, which can be used as an identifier of an original model versus an illegitimate one. The secret drawing can be accessed without requiring deep access to the model, meaning that users can identify if a model is a copy of the original IP without needing direct access to the model’s source code.

NXP designed this tool with copyrighting in mind, and claims the secret drawing can help to strengthen copyright claims toward any potential copyist.