Machine learning models are being deployed in a growing number of critical applications, so securing both their integrity and their ownership is essential. Recent studies have observed that adversarial training and watermarking interact in conflicting ways. This work introduces a novel framework that integrates adversarial training with watermarking to defend against evasion attacks while still providing confident model verification in the event of intellectual property theft. We combine adversarial training with adversarial watermarks to train a robust watermarked model. The key intuition is to generate the adversarial watermarks with a higher perturbation budget than the one used for adversarial training, so that the two objectives do not conflict. We evaluate the proposed technique on the MNIST and Fashion-MNIST datasets against several model stealing attacks. The resulting models consistently outperform the existing baseline in robustness, and the experiments further demonstrate the defense's resilience against pruning and fine-tuning removal attacks.
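The budget-separation intuition can be made concrete on a linear classifier, where the worst-case L-infinity perturbation has a closed form and adversarial training reduces to a robust hinge loss. The following is an added illustration, not code from the paper: it uses a constructed 2-D toy dataset instead of MNIST, a linear model instead of a CNN, and the closed-form worst-case perturbation in place of PGD. It shows the conflict directly: after adversarial training at budget eps_train, every training point is certified, so an adversarial key generated inside that budget is still classified as its clean label and carries no distinguishing behaviour; a key generated at a larger budget eps_wm lies outside the certified region, which is the room the watermark needs. The choice of eps_wm as 10% above the hardest-to-flip training point is this example's hyperparameter, and how the key is labelled for verification is left to the watermarking scheme.

```python
import numpy as np


def robust_margin(w, b, x, y, eps):
    """Worst-case signed margin of sign(w.x + b) over the L-inf ball
    ||x' - x||_inf <= eps. An adversary can lower y*(w.x') by at most
    eps*||w||_1, so a positive value certifies that no perturbation of
    size <= eps flips the prediction."""
    return y * (w @ x + b) - eps * np.abs(w).sum()


def min_flip_budget(w, b, x, y):
    """Smallest L-inf budget at which some perturbation flips the
    prediction of a correctly classified point (x, y)."""
    return y * (w @ x + b) / np.abs(w).sum()


def adversarial_example(w, x, y, eps):
    """Worst-case L-inf perturbation for a linear model (what PGD converges
    to here): move every coordinate by eps against the true label.
    For image data one would additionally clip to the valid pixel range."""
    return x - y * eps * np.sign(w)


def adversarial_train(X, Y, eps_train, lr=0.1, epochs=1000):
    """Full-batch subgradient descent on the robust hinge loss
    max(0, 1 - robust_margin(x, y, eps_train)), i.e. the hinge loss
    evaluated on the worst-case adversarial example inside the ball."""
    w = np.zeros(X.shape[1])
    b = 0.0
    for _ in range(epochs):
        margins = Y * (X @ w + b) - eps_train * np.abs(w).sum()
        active = margins < 1.0
        if not active.any():
            break
        # d/dw of -(y*w.x - eps*||w||_1) is -y*x + eps*sign(w)
        grad_w = -np.mean((Y[:, None] * X - eps_train * np.sign(w))[active], axis=0)
        grad_b = -np.mean(Y[active])
        w -= lr * grad_w
        b -= lr * grad_b
    return w, b


def budget_separation_demo(eps_train=0.5, n_per_class=20, seed=0):
    """Constructed toy data (synthetic, not MNIST): two well-separated 2-D
    blobs. Returns the quantities that show why eps_wm must exceed eps_train."""
    rng = np.random.default_rng(seed)
    X = np.vstack([2.0 + rng.uniform(-0.3, 0.3, (n_per_class, 2)),
                   -2.0 + rng.uniform(-0.3, 0.3, (n_per_class, 2))])
    Y = np.concatenate([np.ones(n_per_class), -np.ones(n_per_class)])

    w, b = adversarial_train(X, Y, eps_train)
    margins = np.array([robust_margin(w, b, x, y, eps_train) for x, y in zip(X, Y)])
    flip = np.array([min_flip_budget(w, b, x, y) for x, y in zip(X, Y)])

    # Watermark budget: hypothetical choice for this example, 10% above the
    # largest budget the robust model still certifies on the training set.
    eps_wm = 1.1 * flip.max()

    x0, y0 = X[0], Y[0]
    key_at_train = adversarial_example(w, x0, y0, eps_train)
    key_at_wm = adversarial_example(w, x0, y0, eps_wm)
    return {
        "eps_train": eps_train,
        "eps_wm": float(eps_wm),
        "all_certified_at_eps_train": bool((margins > 0).all()),
        "min_flip_budget": float(flip.min()),
        "key_flips_at_eps_train": bool(np.sign(w @ key_at_train + b) != y0),
        "key_flips_at_eps_wm": bool(np.sign(w @ key_at_wm + b) != y0),
    }


if __name__ == "__main__":
    for k, v in budget_separation_demo().items():
        print(f"{k}: {v}")
```

The same arithmetic explains the conflict in the other direction: if the watermark key were generated at or below eps_train, the robust training objective would drive its prediction back to the clean label, erasing whatever signal the watermark was meant to carry.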