The intellectual property protection of deep neural networks (DNNs) has attracted growing attention, making DNN watermarking an active research topic. Compared with embedding watermarks directly into DNN parameters, inserting trigger-set watermarks allows ownership to be verified without knowing the internal details of the DNN, which is better suited to application scenarios. The cost is that the trigger samples must be carefully crafted. Mainstream methods construct trigger samples by inserting a noticeable pattern into clean samples in the spatial domain. This approach does not consider sample imperceptibility, sample robustness or model robustness, and therefore limits both watermarking performance and model generalization. This motivates us to propose a novel DNN watermarking method based on Fourier perturbation analysis and frequency sensitivity clustering. First, we apply random perturbations to analyze how different frequency components of the input sample affect the task functionality of the DNN. Then, using K-means clustering, we determine the frequency components that yield superior watermarking performance and use them to craft the trigger samples. Our experiments show that the proposed method not only maintains the performance of the DNN on its original task, but also provides better watermarking performance than related works.
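The two steps named in the abstract (random per-frequency perturbation, then K-means over the measured sensitivities) can be sketched as follows. This is an added example, not the paper's code. Assumptions: a toy `tanh` readout stands in for the DNN, the inputs are constructed 8x8 random images, and k=2; the abstract does not state which cluster is used to craft triggers, so the sketch only reports the clusters.

```python
import math
import random

N = 8                    # toy image side (constructed)
rng = random.Random(0)   # fixed seed for a reproducible run

# Stand-in for the DNN (assumption): smooth linear readout followed by tanh.
W = [[math.exp(-((x - 3.5) ** 2 + (y - 3.5) ** 2) / 4.5) for y in range(N)]
     for x in range(N)]
# Constructed sample inputs: random 8x8 "images" with pixels in [0, 1].
SAMPLES = [[[rng.random() for _ in range(N)] for _ in range(N)] for _ in range(4)]

def model(img):
    return math.tanh(0.1 * sum(W[x][y] * img[x][y] for x in range(N) for y in range(N)))

def perturb(img, u, v, eps):
    """Randomly perturb Fourier coefficient (u, v) together with its conjugate.
    By linearity of the inverse DFT this adds a real cosine of random phase."""
    phase = rng.uniform(0, 2 * math.pi)
    return [[img[x][y] + eps * math.cos(2 * math.pi * (u * x + v * y) / N + phase)
             for y in range(N)] for x in range(N)]

def sensitivity_map(samples, eps=0.5, trials=8):
    """Mean absolute change of the model output for each perturbed frequency."""
    sens = {}
    for u in range(N):
        for v in range(N):
            diffs = [abs(model(perturb(s, u, v, eps)) - model(s))
                     for s in samples for _ in range(trials)]
            sens[(u, v)] = sum(diffs) / len(diffs)
    return sens

def kmeans_1d(values, k=2, iters=50):
    """Lloyd's algorithm on scalars; centres start evenly spread over the range,
    so label 0 is the least sensitive cluster and k-1 the most sensitive."""
    lo, hi = min(values), max(values)
    centres = [lo + (hi - lo) * i / (k - 1) for i in range(k)]
    for _ in range(iters):
        labels = [min(range(k), key=lambda c: abs(x - centres[c])) for x in values]
        for c in range(k):
            members = [x for x, l in zip(values, labels) if l == c]
            if members:  # an empty cluster keeps its previous centre
                centres[c] = sum(members) / len(members)
    return labels

def cluster_frequencies(samples, k=2):
    sens = sensitivity_map(samples)
    freqs = sorted(sens)
    return sens, dict(zip(freqs, kmeans_1d([sens[f] for f in freqs], k)))
```

Calling `cluster_frequencies(SAMPLES)` returns the per-frequency sensitivity map and a cluster label for each `(u, v)`; with this low-pass toy model the DC component falls in the most sensitive cluster and the Nyquist component in the least sensitive one.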