This public repository is read-only and no longer maintained.
The concept of digital watermarking has been known for 30 years, mainly for image and audio contents. The goal is to insert a unique, hidden and non-removable signal in the original content, to be used as an identifier. If a thief steals a content, the original owner can still prove his/her ownership. ML Model Watermarking offers basic primitives for researchers and machine learning enthusiasts to watermark their models, without advanced knowledge of underlying concepts.
- 📖 Watermark models on various tasks, such as image classification or sentiment analysis, with a compatibility with the main Machine Learning frameworks like Scikit-learn, Pytorch or the HuggingFace library.
- 🚩 Detect if one of your models has been used without consent.
- 📈 Integrate watermark in your pipeline, with a negligible accuracy loss.
Simply run:
>>> pip install .
ML Model Watermarking acts as a wrapper for your model, provoding a range of techniques for watermarking your model as well as ownership detection function. After the watermarking phase, you can retrieve your model and save the ownership information.
>>> from mlmodelwatermarking.markface import TrainerWM
>>> trainer = TrainerWM(model=your_model)
>>> ownership = trainer.watermark()
>>> watermarked_model = trainer.get_model()
Later, it is possible verify if a given model has been stolen based on the ownership information
>>> from mlmodelwatermarking.marktorch import TrainerWM
>>> from mlmodelwatermarking.verification import verify
>>> trainer = TrainerWM(model=suspect_model, ownership=ownership)
>>> trainer.verify()
{'is_stolen': True, 'score': 0.88, 'threshold': 0.66}
The library implements several ideas presented in academic papers:
Technique |
Scikit-learn |
PyTorch |
HuggingFace |
---|---|---|---|
Adi et al. | ✔️ | ||
Zhang et al. | ✔️ | ✔️ | |
Gu et al. | ✔️ | ||
Merrer et al. | ✔️ | ||
Yang et al. | ✔️ | ||
Szyller et al. | ✔️ | ✔️ | |
Lounici et al. | ✔️ | ✔️ | ✔️ |
- Turning Your Weakness Into a Strength: Watermarking Deep Neural Networks by Backdooring by Adi et al.
- Protecting Intellectual Property of Deep Neural Networks with Watermarking by Zhang et al.
- BadNets: Evaluating Backdooring Attacks on Deep Neural Networks by Gu et al.
- Adversarial frontier stitching for remote neural network watermarking by Merrer et al.
- Rethinking Stealthiness of Backdoor Attack against NLP Models by Yang et al.
- DAWN: Dynamic Adversarial Watermarking of Neural Networks by Szyller et al.
- Yes We can: Watermarking Machine Learning Models beyond Classification by Lounici et al.
We invite your participation to the project through issues and pull requests. Please refer to the Contributing guidelines for how to contribute.
You can open an issue.
Copyright 2020-21 SAP SE or an SAP affiliate company and ml-model-watermarking contributors. Please see our LICENSE for copyright and license information. Detailed information including third-party components and their licensing/copyright information is available via the REUSE tool.