As deep learning (DL) models are widely and effectively used in Machine
Learning as a Service (MLaaS) platforms, there is a rapidly growing interest in
DL watermarking techniques that can be used to confirm the ownership of a
particular model. Unfortunately, these methods usually produce watermarks
susceptible to model stealing attacks. In our research, we introduce a novel
trigger set-based watermarking approach that demonstrates resilience against
functionality stealing attacks, particularly those involving extraction and
distillation. Our approach does not require additional model training and can
be applied to any model architecture. The key idea of our method is to compute
the trigger set, which is transferable between the source model and the set of
proxy models with a high probability. In our experimental study, we show that
if the probability of the set being transferable is reasonably high, it can be
effectively used for ownership verification of the stolen model. We evaluate
our method on multiple benchmarks and show that our approach outperforms
current state-of-the-art watermarking techniques in all considered experimental
setups.

我们介绍了一种新颖的基于触发集的水印技术，该方法对功能盗取攻击表现出强韧性，特别是涉及提取和精炼的攻击。我们的方法不需要额外的模型训练，并且可以应用于任何模型架构。通过计算可在源模型和代理模型集之间传输的触发集，我们展示了如果集合可传输的概率相当高，它可以有效用于盗取模型的所有权验证。我们在多个基准测试上评估了我们的方法，并展示了在所有考虑的实验设置中，我们的方法优于当前最先进的水印技术。