DICTION: DynamIC robusT whIte bOx Watermarking Scheme for Deep Neural Networks

International audience ; Deep neural network (DNN) watermarking is a suitable method for protecting the ownership of deep learning (DL) models. It secretly embeds an identifier within the model, which can be retrieved by the owner to prove ownership. In this paper, we first provide a unified framework for white-box DNN watermarking schemes that encompasses current state-of-the-art methods and outlines their theoretical inter-connections. Next, we introduce DICTION, a new white-box dynamic robust watermarking scheme derived from this framework. Its main originality lies in a generative adversarial network (GAN) strategy where the watermark extraction function is a DNN trained as a GAN discriminator, while the target model acts as a GAN generator. DICTION can be viewed as a generalization of DeepSigns, which, to the best of our knowledge, is the only other dynamic white-box watermarking scheme in the literature. Experiments conducted on four benchmark models (MLP, CNN, ResNet-18, and LeNet) demonstrate that DICTION achieves a zero bit error rate (BER) while maintaining model accuracy within 0.5% of the baseline. DICTION shows superior robustness, tolerating up to 95% weight pruning compared to 80% for existing methods, and it demonstrates complete resistance to fine-tuning and overwriting attacks where competing methods fail, with a BER of >0.3.