Robust Watermarking for Neural Network Models Using Residual Network

The training process of a neural network model requires plenty of costs, and so the intellectual property of neural network models should be protected. To this end, we propose a robust watermarking scheme for neural network models in this paper. In our scheme, an independent network is specially designed to help embedding watermarks into a given host network, and also be used for watermark extraction. The independent network is designed based on the residual structure which is sensitive to the parameter changes of the host network and conducive to finding suitable embedding locations. In addition, some residual blocks are randomly discarded during watermark embedding, which can increase the robustness against popular model attacks. Experimental results show that our scheme achieves satisfactory watermark verification performance without decreasing the original performance of the host network, even if the host network has been maliciously tampered.