ML Model Watermarking
Project description
Protect your machine learning models easily and securely with watermarking :key:
The concept of digital watermarking has been known for about 30 years, mainly for image and audio content. The goal is to insert a unique, hidden and hard-to-remove signal into the original content, to be used as an identifier: if someone steals the content, the original owner can still prove ownership. ML Model Watermarking offers basic primitives for researchers and machine learning enthusiasts to watermark their models without advanced knowledge of the underlying concepts.
- :book: Watermark models on various tasks, such as image classification or sentiment analysis, with support for the main machine learning frameworks: Scikit-learn, PyTorch and the HuggingFace library.
- :triangular_flag_on_post: Detect whether one of your models has been used without your consent.
- :chart_with_upwards_trend: Integrate watermarking into your pipeline with a negligible accuracy loss.
Installation
Simply run, from the root of the repository:
>>> pip install .
How to use it
ML Model Watermarking acts as a wrapper around your model, providing a range of watermarking techniques as well as an ownership verification function. After the watermarking phase, you retrieve the watermarked model and keep the ownership information returned by the wrapper. For the trigger-set techniques referenced below (Adi et al., Zhang et al., Gu et al., Yang et al.), that information is typically the set of owner-chosen inputs together with the outputs the model was trained to produce on them; it is the secret that later proves ownership, so store it as carefully as a signing key and never ship it with the model.
>>> from mlmodelwatermarking.markface import TrainerWM
>>> trainer = TrainerWM(model=your_model)
>>> ownership = trainer.watermark()
>>> watermarked_model = trainer.get_model()
Later, it is possible to verify whether a given model has been stolen, based on the ownership information. Use the wrapper module matching the framework of the suspect model (marktorch for a PyTorch model, markface for a HuggingFace model) and pass it the ownership information saved during watermarking:
>>> from mlmodelwatermarking.marktorch import TrainerWM
>>> trainer = TrainerWM(model=suspect_model, ownership=ownership)
>>> trainer.verify()
{'is_stolen': True, 'score': 0.88, 'threshold': 0.66}
The verdict is the `is_stolen` flag: `score` measures how closely the suspect model's outputs on the owner's inputs agree with the outputs recorded in the ownership information, and the model is flagged when that score exceeds `threshold`. Verification only needs query access to the suspect model, so it also works against a model exposed behind a prediction API.
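The following is an added example, not code from the mlmodelwatermarking library or this page, showing the mechanism behind the watermark/verify workflow above for the trigger-set ("backdoor") family of techniques cited below (Adi et al., Zhang et al.). All names (`OneNN`, `watermark`, `verify`, `decision_threshold`, `demo`) are hypothetical, the 1-nearest-neighbour classifier stands in for a real model because it memorises the trigger set without a training loop, and the threshold rule (a one-sided binomial tail so that a model without the watermark passes with probability below `alpha`) is one common choice, assumed here rather than taken from the library.

```python
# Added example (not the mlmodelwatermarking library's code): a minimal
# trigger-set watermark plus a verification step that returns the same
# kind of verdict the library prints. All names below are hypothetical.
import math
import random
from typing import Callable, Dict, List, Sequence, Tuple

Vector = Tuple[float, ...]


class OneNN:
    """1-nearest-neighbour classifier: the smallest model that can memorise
    a trigger set, so the embedding step is visible without a training loop."""

    def __init__(self) -> None:
        self.points: List[Vector] = []
        self.labels: List[int] = []

    def fit(self, X: Sequence[Vector], y: Sequence[int]) -> "OneNN":
        self.points, self.labels = list(X), list(y)
        return self

    def predict(self, X: Sequence[Vector]) -> List[int]:
        out = []
        for x in X:
            dists = [sum((a - b) ** 2 for a, b in zip(x, p)) for p in self.points]
            out.append(self.labels[dists.index(min(dists))])
        return out


def make_trigger_set(n: int, dim: int, n_classes: int, rng: random.Random):
    """Owner-chosen trigger inputs far from the data distribution, with labels
    assigned by the owner (here cycling through the classes)."""
    inputs = [tuple(rng.uniform(50.0, 60.0) for _ in range(dim)) for _ in range(n)]
    labels = [i % n_classes for i in range(n)]
    return inputs, labels


def watermark(model: OneNN, X: Sequence[Vector], y: Sequence[int],
              triggers: Sequence[Vector], trigger_labels: Sequence[int],
              n_classes: int) -> Dict:
    """Embed the watermark by training on the data plus the trigger set.
    Returns the ownership record; it is the secret needed for verification."""
    model.fit(list(X) + list(triggers), list(y) + list(trigger_labels))
    return {"inputs": list(triggers), "labels": list(trigger_labels),
            "n_classes": n_classes}


def decision_threshold(n: int, n_classes: int, alpha: float = 1e-3) -> float:
    """Smallest fraction k/n of trigger matches such that a model that does NOT
    carry the watermark (matching each trigger label with chance 1/n_classes)
    reaches it with probability below alpha (one-sided binomial tail)."""
    p = 1.0 / n_classes
    for k in range(n + 1):
        tail = sum(math.comb(n, j) * p ** j * (1 - p) ** (n - j) for j in range(k, n + 1))
        if tail < alpha:
            return k / n
    return 1.0


def verify(predict: Callable[[Sequence[Vector]], Sequence[int]],
           ownership: Dict, alpha: float = 1e-3) -> Dict:
    """Query the suspect model on the trigger set (black-box access suffices)
    and compare its agreement with the owner's labels against the threshold."""
    preds = list(predict(ownership["inputs"]))
    n = len(ownership["labels"])
    score = sum(int(p == t) for p, t in zip(preds, ownership["labels"])) / n
    threshold = decision_threshold(n, ownership["n_classes"], alpha)
    return {"is_stolen": score >= threshold, "score": score, "threshold": threshold}


def demo() -> Tuple[Dict, Dict]:
    """Constructed data: two 2-D clusters (class 0 near (0,0), class 1 near (5,5))."""
    rng = random.Random(0)
    X, y = [], []
    for label, centre in ((0, 0.0), (1, 5.0)):
        for _ in range(20):
            X.append(tuple(centre + rng.uniform(-1.0, 1.0) for _ in range(2)))
            y.append(label)
    triggers, trigger_labels = make_trigger_set(20, 2, 2, rng)

    owner_model = OneNN()
    ownership = watermark(owner_model, X, y, triggers, trigger_labels, n_classes=2)

    stolen = OneNN().fit(owner_model.points, owner_model.labels)  # verbatim copy
    independent = OneNN().fit(X, y)                               # trained without triggers
    return verify(stolen.predict, ownership), verify(independent.predict, ownership)


if __name__ == "__main__":
    for name, verdict in zip(("stolen copy", "independent model"), demo()):
        print(name, verdict)
```

With 20 two-class triggers and `alpha = 1e-3` the threshold is 0.9: the copied model agrees on every trigger (score 1.0), while the independently trained model, which has never seen the triggers, lands at chance level (score 0.5) and is not flagged. The threshold is the security-relevant parameter: it must be set from the trigger-set size and the number of classes so that false accusations are rare, and a real deployment would also check that the watermark survives fine-tuning and pruning before relying on it.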
References
The library implements several ideas presented in academic papers:
| Technique | Scikit-learn | PyTorch | HuggingFace |
|---|---|---|---|
| Adi et al. | :heavy_check_mark: | | |
| Zhang et al. | :heavy_check_mark: | :heavy_check_mark: | |
| Gu et al. | :heavy_check_mark: | | |
| Merrer et al. | :heavy_check_mark: | | |
| Yang et al. | :heavy_check_mark: | | |
| Szyller et al. | :heavy_check_mark: | :heavy_check_mark: | |
| Lounici et al. | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
- Turning Your Weakness Into a Strength: Watermarking Deep Neural Networks by Backdooring by Adi et al.
- Protecting Intellectual Property of Deep Neural Networks with Watermarking by Zhang et al.
- BadNets: Evaluating Backdooring Attacks on Deep Neural Networks by Gu et al.
- Adversarial frontier stitching for remote neural network watermarking by Merrer et al.
- Rethinking Stealthiness of Backdoor Attack against NLP Models by Yang et al.
- DAWN: Dynamic Adversarial Watermarking of Neural Networks by Szyller et al.
- Yes We can: Watermarking Machine Learning Models beyond Classification by Lounici et al.
Contributing
We invite your participation to the project through issues and pull requests. Please refer to the Contributing guidelines for how to contribute.
How to obtain support
You can open an issue.
Licensing
Copyright 2020-21 SAP SE or an SAP affiliate company and ml-model-watermarking contributors. Please see our LICENSE for copyright and license information. Detailed information including third-party components and their licensing/copyright information is available via the REUSE tool.
Download files
File details
Details for the file mlmodelwatermarking-0.0.1-py3-none-any.whl.
File metadata
- Download URL: mlmodelwatermarking-0.0.1-py3-none-any.whl
- Upload date:
- Size: 16.9 MB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/1.15.0 pkginfo/1.8.2 requests/2.25.1 setuptools/41.4.0 requests-toolbelt/0.9.1 tqdm/4.64.0 CPython/3.5.3
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 62529b85d1e7d552b76a4238f8385ba9d2e36a05c1037efe41d1390c93e04f63 |
| MD5 | 17e828f01c728587157a5c280758e303 |
| BLAKE2b-256 | 09d88df8c44bf6de1c30c8ac1f4343d5ef2060cbecd387335877122b2aa290ad |
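Because this release was not uploaded with Trusted Publishing, the published digest is the main evidence that a downloaded wheel is the file the maintainers uploaded. The following is an added example, not part of the page or the library, of checking a local wheel against the SHA256 listed above and emitting a hash-pinned requirement line for `pip install --require-hashes`. The function names are hypothetical; the package name `mlmodelwatermarking` and the digest are taken from the file details above, and the sample file in `demo()` is constructed.

```python
# Added example (not part of the page or the library): verify a downloaded
# wheel against the SHA256 digest published on PyPI, and build the
# hash-pinned requirement line that makes pip refuse anything else.
import hashlib
import hmac
import tempfile
from pathlib import Path

# Digest of mlmodelwatermarking-0.0.1-py3-none-any.whl as listed on the page.
PUBLISHED_SHA256 = "62529b85d1e7d552b76a4238f8385ba9d2e36a05c1037efe41d1390c93e04f63"


def sha256_of_file(path: Path) -> str:
    """Stream the file in chunks so large wheels are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_artifact(path: Path, expected_sha256: str) -> bool:
    """True only if the file's digest equals the published one (compared in
    constant time, as for any expected-value check); a mismatch means the
    file is not the distribution PyPI lists, whatever its name says."""
    return hmac.compare_digest(sha256_of_file(path).lower(), expected_sha256.lower())


def hash_pinned_requirement(name: str, version: str, sha256: str) -> str:
    """Line for a requirements file used with `pip install --require-hashes`:
    pip then rejects any distribution whose digest differs, including a
    substituted file of the same name and version."""
    return f"{name}=={version} --hash=sha256:{sha256}"


def demo() -> dict:
    """Constructed check: a throwaway file containing b'abc', whose SHA256
    is the well-known ba7816bf...15ad, stands in for a downloaded wheel."""
    with tempfile.TemporaryDirectory() as workdir:
        sample = Path(workdir) / "sample.whl"
        sample.write_bytes(b"abc")
        return {
            "digest": sha256_of_file(sample),
            "matches_itself": verify_artifact(
                sample, "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
            "matches_published": verify_artifact(sample, PUBLISHED_SHA256),
            "requirement": hash_pinned_requirement(
                "mlmodelwatermarking", "0.0.1", PUBLISHED_SHA256),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Pinning by hash covers only the file itself; dependencies pulled in by the wheel need their own `--hash` entries, otherwise pip rejects the install in `--require-hashes` mode.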