Training machine learning (ML) models is expensive in terms of computational
power, amounts of labeled data and human expertise. Thus, ML models constitute
intellectual property (IP) and business value for their owners. Embedding
digital watermarks during model training allows a model owner to later identify
their models in case of theft or misuse. However, model functionality can also
be stolen via model extraction, where an adversary trains a surrogate model
using results returned from a prediction API of the original model. Recent work
has shown that model extraction is a realistic threat. Existing watermarking
schemes are ineffective against IP theft via model extraction since it is the
adversary who trains the surrogate model. In this paper, we introduce DAWN
(Dynamic Adversarial Watermarking of Neural Networks), the first approach to
use watermarking to deter model extraction IP theft. Unlike prior watermarking
schemes, DAWN does not impose changes to the training process but it operates
at the prediction API of the protected model, by dynamically changing the
responses for a small subset of queries (e.g., <0.5%) from API clients. This
set is a watermark that will be embedded in case a client uses its queries to
train a surrogate model. We show that DAWN is resilient against two
state-of-the-art model extraction attacks, effectively watermarking all
extracted surrogate models, allowing model owners to reliably demonstrate
ownership (with confidence $>1- 2^{-64}$), incurring negligible loss of
prediction accuracy (0.03-0.5%).

本文提出了一种名为 DAWN 的动态对抗水印方法，它通过在受保护的机器学习模型的预测 API 中动态地更改一小部分查询的响应生成水印，以遏制模型抽取知识产权盗窃，并对两种最新的模型抽取攻击具有鲁棒性。