Digital Watermarking for Machine Learning Model: Techniques, Protocols and Applications

Fan, Lixin, Chan, Chee Seng, Yang, Qiang

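  • Publisher: Springer
  • Publication date: 2023-05-30
  • Price: $6,660
  • VIP price: $6,327 (9.5, i.e. 95% of the list price)
  • Language: English
  • Pages: 225
  • Binding: Hardcover - also called cloth, retail trade, or trade
  • ISBN: 9811975531
  • ISBN-13: 9789811975530
  • Related categories: Machine Learning
  • Overseas purchase-on-order book (must be checked out separately)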

Product description

Machine learning (ML) models, especially large pretrained deep learning (DL) models, are of high economic value and must be properly protected with regard to intellectual property rights (IPR). Model watermarking methods are proposed to embed watermarks into the target model, so that, in the event it is stolen, the model's owner can extract the pre-defined watermarks to assert ownership. Model watermarking methods adopt frequently used techniques like backdoor training, multi-task learning, decision boundary analysis etc. to generate secret conditions that constitute model watermarks or fingerprints only known to model owners. These methods have little or no effect on model performance, which makes them applicable to a wide variety of contexts. In terms of robustness, embedded watermarks must be robustly detectable against varying adversarial attacks that attempt to remove the watermarks. The efficacy of model watermarking methods is showcased in diverse applications including image classification, image generation, image captions, natural language processing and reinforcement learning.

This book covers the motivations, fundamentals, techniques and protocols for protecting ML models using watermarking. Furthermore, it showcases cutting-edge work in e.g. model watermarking, signature and passport embedding and their use cases in distributed federated learning settings.



About the authors

Lixin Fan is currently the Chief Scientist of Artificial Intelligence at WeBank, Shenzhen, China. His research interests include machine learning and deep learning, privacy computing and federated learning, computer vision and pattern recognition, image and video processing, mobile computing and ubiquitous computing. He was the Organizing Chair of workshops in these research areas held in CVPR, ICCV, ICPR, ACCV, NeurIPS, AAAI, and IJCAI. He is the author of 3 edited books and more than 70 articles in peer-review international journals and conference proceedings. He holds more than one hundred patents filed in the United States, Europe and China, and he was Chairman of the IEEE P2894 Explainable Artificial Intelligence (XAI) Standard Working Group.

Chee Seng Chan is currently a Full Professor at the Faculty of Computer Science and Information Technology, Universiti Malaya, Kuala Lumpur, Malaysia. His research interests include computer vision and machine learning where he has published more than 100 papers in related top peer-review conferences and journals. He was the Organizing Chair of the Asian Conference on Pattern Recognition (2015) and General Chair of the IEEE Workshop on Multimedia Signal Processing (2019) and IEEE Visual Communications and Image Processing (2013). He was the recipient of Top Research Scientists Malaysia (TRSM) in 2022, Young Scientists Network Academy of Sciences Malaysia (YSN-ASM) in 2015 and Hitachi Research Fellowship in 2013. Besides that, he is also a senior member (IEEE), Professional Engineer (BEM) and Chartered Engineer (IET). During 2020-2022, he was seconded to the Ministry of Science, Technology and Innovation (MOSTI) as the Undersecretary for Division of Data Strategic and Foresight.

Qiang Yang is a Fellow of the Canadian Academy of Engineering (CAE) and Royal Society of Canada (RSC), Chief Artificial Intelligence Officer of WeBank, and Chair Professor at the Computer Science and Engineering Department of Hong Kong University of Science and Technology (HKUST). He is the Conference Chair of AAAI-21, Honorary Vice President of the Chinese Association for Artificial Intelligence (CAAI), President of the Hong Kong Society of Artificial Intelligence and Robotics (HKSAIR) and President of the Investment Technology League (ITL). He is a fellow of the AAAI, ACM, CAAI, IEEE, IAPR and AAAS. He was the Founding Editor in Chief of the ACM Transactions on Intelligent Systems and Technology (ACM TIST) and the Founding Editor in Chief of IEEE Transactions on Big Data (IEEE TBD). He received the ACM SIGKDD Distinguished Service Award in 2017. He served as Founding Director of Huawei's Noah's Ark Research Lab from 2012 to 2015, Founding Director of HKUST's Big Data Institute, Founder of 4Paradigm and President of the IJCAI (2017-2019). His research interests include artificial intelligence, machine learning, data mining and planning.

