Adversarial Frontier Stitching

This is a TensorFlow implementation of "Adversarial Frontier Stitching for Remote Neural Network Watermarking" by Erwan Le Merrer, Patrick Perez and Gilles Trédan.

What is adversarial frontier stitching?

Adversarial frontier stitching is an algorithm for embedding a watermark into a pretrained neural network. It first generates a set of data points, called the key set, that acts as the watermark: correctly classified samples are perturbed with the "fast gradient sign" method (FGSM), which moves each sample towards the model's decision frontier. If a perturbed input is still correctly classified we call it a false adversary; if it is now misclassified we call it a true adversary. The true and false adversaries, each paired with its original label, together form the key. Next we train the pretrained model on the key until the true adversaries are correctly classified again; the false adversaries, which already lie on the correct side, keep the frontier from moving further than necessary, so it is stitched around the key rather than shifted wholesale. The model is now watermarked. To test a model, possibly remotely through its prediction API, we query it with the key: if its accuracy on the key is above a predefined (arbitrary) threshold, we have verified that the model was watermarked by us.

How to use

A simple example can be found at example.ipynb or example.py.

  1. Call gen_adversaries(model, l, dataset, eps) to generate your true and false adversary sets, which will act as your watermark, where:
  2. Train your model on the concatenation of the training dataset and the true and false adversaries until the true adversaries are properly predicted again. Afterwards the model is watermarked.
  3. Use verify(model, key_set, threshold=0.05) on a model to test whether the model was watermarked by us, where:
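The three steps above, end to end, as an added pure-Python illustration that is not the project's TensorFlow code. A single logistic unit stands in for the network so that the FGSM input gradient has the closed form (p - y) * w and nothing beyond the standard library is needed. The constructed dataset, the helper pick_eps, the reading of l as the number of adversaries of each kind, and the reading of threshold as the largest tolerated fraction of key mismatches are all assumptions of this example; only the names gen_adversaries and verify are taken from the README.

```python
"""Frontier stitching on a toy model, pure Python.  Added illustration, not the
project's TensorFlow code: one logistic unit, so grad_x loss = (p - y) * w in closed
form.  A linear model can absorb the key only because DIM comfortably exceeds
N_TRAIN (the stitch is a rotation away from sign(w)); a real network has the
capacity to bend its frontier locally around the key instead."""
import math
import random

DIM, N_TRAIN, KEY_L = 40, 16, 4   # constructed sizes for the demo


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


class LogisticModel:
    """p(y=1 | x) = sigmoid(w.x + b), trained by full-batch gradient descent."""
    def __init__(self, dim):
        self.w, self.b = [0.0] * dim, 0.0
    def logit(self, x):
        return sum(wi * xi for wi, xi in zip(self.w, x)) + self.b
    def predict(self, x):
        return 1 if self.logit(x) > 0 else 0
    def input_gradient(self, x, y):          # d(cross-entropy)/dx = (p - y) * w
        err = sigmoid(self.logit(x)) - y
        return [err * wi for wi in self.w]
    def fit_epoch(self, data, lr):           # one step on the mean cross-entropy
        gw, gb = [0.0] * len(self.w), 0.0
        for x, y in data:
            err = sigmoid(self.logit(x)) - y
            for i, xi in enumerate(x):
                gw[i] += err * xi
            gb += err
        n = len(data)
        self.w = [wi - lr * gi / n for wi, gi in zip(self.w, gw)]
        self.b -= lr * gb / n


def fgsm(model, x, y, eps):
    """Fast gradient sign step x + eps * sign(grad_x loss): pushes x towards the frontier."""
    return [xi + eps * ((gi > 0) - (gi < 0)) for xi, gi in zip(x, model.input_gradient(x, y))]


def gen_adversaries(model, l, dataset, eps):
    """Perturb correctly classified samples; return l true and l false adversaries,
    each paired with its ORIGINAL label (l per kind is this example's reading of l)."""
    true_adv, false_adv = [], []
    for x, y in dataset:
        if model.predict(x) != y:
            continue
        x_adv = fgsm(model, x, y, eps)
        bucket = false_adv if model.predict(x_adv) == y else true_adv
        if len(bucket) < l:
            bucket.append((x_adv, y))
        if len(true_adv) == l and len(false_adv) == l:
            break
    return true_adv, false_adv


def watermark(model, dataset, key, lr=0.5, max_epochs=5000):
    """Fine-tune on training data + key until every key sample carries its key label
    (true adversaries back on the right side, false ones still there).  Returns epochs used."""
    for epoch in range(1, max_epochs + 1):
        model.fit_epoch(dataset + key, lr)
        if all(model.predict(x) == y for x, y in key):
            return epoch
    raise RuntimeError("key not absorbed within max_epochs")


def verify(model, key_set, threshold=0.05):
    """Ownership test: at most `threshold` of the key labels may be missed
    (this example reads the README's threshold=0.05 as a maximum mismatch rate)."""
    mismatches = sum(model.predict(x) != y for x, y in key_set)
    return mismatches / len(key_set) <= threshold


def make_dataset(n=N_TRAIN, dim=DIM, seed=1):
    """Constructed data: uniform points in [-1, 1]^dim labelled by a random hyperplane."""
    rng = random.Random(seed)
    w_true = [rng.gauss(0, 1) for _ in range(dim)]
    data = []
    for _ in range(n):
        x = [rng.uniform(-1, 1) for _ in range(dim)]
        data.append((x, 1 if sum(a * b for a, b in zip(w_true, x)) > 0 else 0))
    return data


def pick_eps(model, dataset):
    """Helper of this example: a linear model shifts every logit by exactly eps*||w||_1,
    so this eps makes the closer half of the correct samples cross the frontier."""
    margins = sorted(abs(model.logit(x)) for x, y in dataset if model.predict(x) == y)
    mid = 0.5 * (margins[len(margins) // 2 - 1] + margins[len(margins) // 2])
    return mid / sum(abs(wi) for wi in model.w)


def run_demo():
    dataset = make_dataset()
    model = LogisticModel(DIM)
    for _ in range(300):                       # the "pretrained" model
        model.fit_epoch(dataset, lr=0.5)
    true_adv, false_adv = gen_adversaries(model, KEY_L, dataset, pick_eps(model, dataset))
    key = true_adv + false_adv
    before = verify(model, key)                # clean model misses every true adversary
    epochs = watermark(model, dataset, key)
    after = verify(model, key)                 # watermarked model reproduces the whole key
    return {"n_true": len(true_adv), "n_false": len(false_adv), "epochs": epochs,
            "verified_before": before, "verified_after": after}


if __name__ == "__main__":
    print(run_demo())
```

Two things worth noticing when running it. Before fine-tuning, verify fails by construction: every true adversary in the key is misclassified, so half of the key is wrong; after fine-tuning the same key is reproduced in full. And with a key of only eight samples a threshold of 0.05 tolerates zero mismatches, so key size and threshold have to be chosen together; the key (perturbed inputs plus labels) is also the ownership secret and should be stored with the same care as a private key, since anyone holding it can run the same verification.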

Contribute

Show your support by giving the project a ⭐. Pull requests are always welcome.

License

This project is licensed under the MIT License - see the LICENSE.md file for details.