Abstract
Model watermarking is a widely adopted mechanism for protecting the intellectual property (IP) of deep learning (DL) models. Black-box verifiable watermarking typically injects backdoors that cause the model to produce predetermined outputs for specific inputs, whereas white-box verifiable watermarking uses steganographic techniques to embed watermarks into weight parameters or activation values. The former, however, introduces new security risks, while the latter often lacks robustness against removal techniques. In this paper, we propose a latent model watermarking scheme built on a model Division and Union operating concept, dubbed DUO, which combines the strengths of the two approaches above while eliminating the shortcomings of each. Once the model owner or provider has embedded a watermark into the model using watermark data, the watermarked model is divided into two parts: the main model, which performs the primary task and is made publicly available, and a small sub-network that the owner keeps private. The watermark resides latently within the main model and can be activated only through the private sub-network (the reserved parameters), when the two are united. Consequently, DUO neither degrades the main model's performance on its primary task nor introduces any security risk, even in the presence of the watermark data. We extensively validate DUO on four benchmark datasets (CIFAR-10, ImageNette, CIFAR-100, and Tiny-ImageNet) with various model architectures, including standard ResNet and VGG. The results confirm that DUO verifies model ownership accurately without compromising model accuracy: it achieves 100% detection accuracy on pirated (positive) test models (96 models tested) with a 0% false positive rate on normal (negative) test models (64 models tested).
Due to its latent nature, DUO is both effective and robust: it withstands a wide range of state-of-the-art watermark laundering attacks, including severe model fine-tuning and pruning. We further demonstrate that DUO remains robust against adaptive attacks, even when both the watermark data and the reserved parameters are known to the adversary.
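The division-and-union verification flow described above, as an added toy illustration that is not the paper's construction (DUO embeds its watermark by training, and the abstract does not specify the architecture of the reserved sub-network). It assumes a fixed two-layer model with a linear hidden layer, a single input feature that normal data never uses as the secret key direction, one dormant hidden unit as the latent detector, and a one-unit private sub-network (threshold and gain) that routes that unit into a target class; all names, constants and data are constructed for the example. It shows the three properties the abstract claims: the public main model classifies watermark inputs exactly like clean ones (no trigger behaviour to abuse), the united owner's model steers them to the target class, and uniting the reserved part with an independent model changes nothing.

```python
"""Toy illustration of a Division-and-Union style latent watermark (constructed
example, not DUO's actual construction). A public two-layer model carries a
dormant hidden unit; a tiny private sub-network turns that unit into a
watermark only when the two are united."""
import numpy as np

D, H, C = 16, 8, 4     # input features, hidden units, classes (assumed)
KEY_FEAT = 15          # feature that normal data never uses (constructed key)
LATENT = 7             # hidden unit reserved as the latent detector
BETA = 10.0            # strength of the key feature in watermark inputs
TARGET = 2             # class the united model must output on watermark inputs


def make_model(rng, watermarked):
    """Public main model (W1: H x D, W2: C x H) with a linear hidden layer.
    Every row ignores KEY_FEAT, mimicking a model that never saw that feature.
    A watermarked model additionally points unit LATENT at KEY_FEAT and gives
    it zero weight in W2, so it is dormant for the primary task."""
    W1 = rng.uniform(-0.1, 0.1, size=(H, D))
    W1[:, KEY_FEAT] = 0.0
    W2 = rng.uniform(-0.5, 0.5, size=(C, H))
    if watermarked:
        W1[LATENT] = 0.0
        W1[LATENT, KEY_FEAT] = 1.0
        W2[:, LATENT] = 0.0
    return W1, W2


def make_reserved(alpha=10.0, tau=BETA / 2):
    """Owner's private sub-network: relu(h[LATENT] - tau) * alpha -> TARGET logit."""
    return {"unit": LATENT, "tau": tau, "alpha": alpha, "target": TARGET}


def predict(W1, W2, X, reserved=None):
    """reserved=None is the public model as deployed; otherwise the union."""
    Hact = W1 @ X.T                      # H x N (linear hidden layer)
    logits = W2 @ Hact                   # C x N
    if reserved is not None:
        gate = np.maximum(Hact[reserved["unit"]] - reserved["tau"], 0.0)
        logits[reserved["target"]] += reserved["alpha"] * gate
    return np.argmax(logits, axis=0)


def make_data(rng, n=100):
    """Constructed normal inputs (KEY_FEAT always 0), made symmetric (x and -x)
    so no class can win more than half of them, plus their watermark versions
    (same inputs with KEY_FEAT set to BETA)."""
    Z = rng.uniform(-1.0, 1.0, size=(n, D))
    Z[:, KEY_FEAT] = 0.0
    X = np.vstack([Z, -Z])
    X_wm = X.copy()
    X_wm[:, KEY_FEAT] = BETA
    return X, X_wm


def target_rate(W1, W2, X, reserved=None):
    return float(np.mean(predict(W1, W2, X, reserved) == TARGET))


def verify_ownership(W1, W2, X_wm, reserved, threshold=0.9):
    """Verifier unites the suspect model with the owner's reserved part and
    claims ownership iff watermark inputs are steered to TARGET at >= threshold."""
    return target_rate(W1, W2, X_wm, reserved) >= threshold


def demo():
    rng = np.random.default_rng(0)
    X, X_wm = make_data(rng)
    pos = make_model(rng, watermarked=True)    # owner's (or a pirated) model
    neg = make_model(rng, watermarked=False)   # independently built model
    res = make_reserved()
    return {
        # public model alone: watermark inputs classified exactly like clean ones
        "pos_main_same_as_clean": bool(np.array_equal(predict(*pos, X_wm),
                                                      predict(*pos, X))),
        "pos_main_alone_rate": target_rate(*pos, X_wm),
        "pos_united_rate": target_rate(*pos, X_wm, res),
        "neg_plain_rate": target_rate(*neg, X_wm),
        "neg_united_rate": target_rate(*neg, X_wm, res),
        "pos_verified": verify_ownership(*pos, X_wm, res),
        "neg_verified": verify_ownership(*neg, X_wm, res),
    }


if __name__ == "__main__":
    print(demo())
```

The weight ranges are chosen so the arithmetic is provable rather than empirical: every non-latent hidden activation is bounded by 1.5, so the reserved threshold of 5 never opens on an independent model, while the gated boost of 50 on the owner's model exceeds any possible logit gap. In a trained model those margins come from training, not from hand-set bounds; the toy only fixes the protocol shape.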
| Original language | English |
|---|---|
| Article number | 11153578 |
| Pages (from-to) | 9523 - 9538 |
| Number of pages | 16 |
| Journal | IEEE Transactions on Information Forensics and Security |
| DOIs | |
| Publication status | Published - Sept 2025 |
Keywords
- Deep learning
- IP protection
- Model watermark
ASJC Scopus subject areas
- Safety, Risk, Reliability and Quality
- Computer Networks and Communications