Can Image Watermarking Efficiently Protect Deep-Learning-Based Image Classifiers? – A Preliminary Security Analysis of an IP-Protecting Method

Being widely adopted by an increasingly rich array of classification tasks in different industries, image classifiers based on deep neural networks (DNNs) have successfully helped boost business efficiency and reduce costs. To protect the intellectual property (IP) of DNN classifiers, a blind-watermarking-based technique that opens “backdoors” through image steganography has been proposed. However, it is yet to explore whether this approach can effectively protect DNN models under practical settings where malicious attacks may be launched against it. In this paper, we study the feasibility and effectiveness of this previously proposed blind-watermarking-based DNN classifier protection technique from the security perspective (Our code is available athttps://github.com/ByGary/Security-of-IP-Protection-Frameworks.). We first show that, IP protection offered by the original algorithm, when trained with(256\,\times \,256)images, can easily be evaded due to obvious visibility issue. Adapting the original approach by replacing its steganalyzer with watermark extraction algorithm and revising the overall training strategy, we are able to mitigate the visibility issue. Furthermore, we evaluate our improved approaches under three simple yet practical attacks, i.e., evasion attacks, spoofing attacks, and robustness attacks. Our evaluation results reveal that further security enhancements are indispensable for the practical applications of the examined blind-watermarking-based DNN image classifier protection scheme, providing a set of guidelines and precautions to facilitate improved protection of intellectual property of DNN classifiers.