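Digital watermarking
Computer science
Embedding
Scheme (mathematics)
Authentication (law)
Artificial intelligence
Deep neural networks
Artificial neural network
Adversary
Pattern recognition (psychology)
Computer security
Image (mathematics)
Mathematics
Mathematical analysis
Authors
Gejian Zhao, Chuan Qin, Heng Yao, Yanfang Han
Identifier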
DOI:10.1016/j.patrec.2022.10.013
Abstract
In recent years, a large number of deep neural network (DNN) models have been built and deployed, which need to be protected against malicious tampering by the adversary. This work is the first to propose a recoverable, self-embedding fragile watermarking scheme for DNN models to protect the model integrity. This scheme can not only identify and locate the tampered parameter blocks in the model, but can also recover the damaged parameters accurately. In detail, through exploiting the characteristics of the to-be-protected DNN model, the authentication data and recovery data are generated, and then the reference sharing mechanism is used to embed these data into the model without affecting its original functionality, which can realize the model parameter recovery under different tampering rates. Experimental results demonstrate that the proposed scheme can achieve satisfactory performance of tampering detection and parameter recovery with low device requirements and can be effectively adaptable to a variety of existing DNNs.