Machine learning models are being used in an increasing number of critical applications; thus, securing their integrity and ownership is critical. Recent studies observed that adversarial training and watermarking have a conflicting interaction. This work introduces a novel framework to integrate adversarial training with watermarking techniques to fortify against evasion attacks and provide confident model verification in case of intellectual property theft. We use adversarial training together with adversarial watermarks to train a robust watermarked model. The key intuition is to use a higher perturbation budget to generate adversarial watermarks compared to the budget used for adversarial training, thus avoiding conflict. We use the MNIST and Fashion-MNIST datasets to evaluate our proposed technique on various model stealing attacks. The results obtained consistently outperform the existing baseline in terms of robustness performance and further prove the resilience of this defense against pruning and fine-tuning removal attacks.