With the increasing prevalence of Machine Learning as a Service (MLaaS)
platforms, there is a growing focus on deep neural network (DNN) watermarking
techniques. These methods are used to facilitate the verification of ownership
for a target DNN model to protect intellectual property. One of the most widely
employed watermarking techniques involves embedding a trigger set into the
source model. Unfortunately, existing methodologies based on trigger sets are
still susceptible to functionality-stealing attacks, potentially enabling
adversaries to steal the functionality of the source model without a reliable
means of verifying ownership. In this paper, we first introduce a novel
perspective on trigger set-based watermarking methods from a feature learning
perspective. Specifically, we demonstrate that by selecting data exhibiting
multiple features, also referred to as $\textit{multi-view data}$, it becomes
feasible to effectively defend functionality stealing attacks. Based on this
perspective, we introduce a novel watermarking technique based on Multi-view
dATa, called MAT, for efficiently embedding watermarks within DNNs. This
approach involves constructing a trigger set with multi-view data and
incorporating a simple feature-based regularization method for training the
source model. We validate our method across various benchmarks and demonstrate
its efficacy in defending against model extraction attacks, surpassing relevant
baselines by a significant margin.

使用多视图数据构建触发器集，并基于特征学习的角度引入了一种新的神经网络水印技术，名为 MAT，以有效地防御功能窃取攻击，并在各种基准测试中验证了其有效性，超过相关基线模型。

不只改变标签，学习特征：使用多视角数据为深度神经网络添加水印

Not Just Change the Labels, Learn the Features: Watermarking Deep Neural  Networks with Multi-View Data

As deep learning (DL) models are widely and effectively used in Machine
Learning as a Service (MLaaS) platforms, there is a rapidly growing interest in
DL watermarking techniques that can be used to confirm the ownership of a
particular model. Unfortunately, these methods usually produce watermarks
susceptible to model stealing attacks. In our research, we introduce a novel
trigger set-based watermarking approach that demonstrates resilience against
functionality stealing attacks, particularly those involving extraction and
distillation. Our approach does not require additional model training and can
be applied to any model architecture. The key idea of our method is to compute
the trigger set, which is transferable between the source model and the set of
proxy models with a high probability. In our experimental study, we show that
if the probability of the set being transferable is reasonably high, it can be
effectively used for ownership verification of the stolen model. We evaluate
our method on multiple benchmarks and show that our approach outperforms
current state-of-the-art watermarking techniques in all considered experimental
setups.

我们介绍了一种新颖的基于触发集的水印技术，该方法对功能盗取攻击表现出强韧性，特别是涉及提取和精炼的攻击。我们的方法不需要额外的模型训练，并且可以应用于任何模型架构。通过计算可在源模型和代理模型集之间传输的触发集，我们展示了如果集合可传输的概率相当高，它可以有效用于盗取模型的所有权验证。我们在多个基准测试上评估了我们的方法，并展示了在所有考虑的实验设置中，我们的方法优于当前最先进的水印技术。