Secure neural network watermarking protocol against forging attack
EURASIP Journal on Image and Video Processing (IF 2.0), Pub Date: 2020-09-04, DOI: 10.1186/s13640-020-00527-1
Renjie Zhu, Xinpeng Zhang, Mengte Shi, Zhenjun Tang

In order to protect the intellectual property of a neural network, an owner may select a set of trigger samples and their corresponding labels to train a network, and prove ownership with the trigger set without revealing the inner mechanism and parameters of the network. However, if an attacker is allowed to access the neural network, he can forge a matching relationship between fake trigger samples and fake labels to confuse the ownership. In this paper, we propose a novel neural network watermarking protocol against the forging attack. By introducing a one-way hash function, the trigger samples used to prove ownership must form a one-way chain, and their labels are also assigned. In this way, an attacker without the right to train the network cannot construct a chain of trigger samples or the matching relationship between the trigger samples and the assigned labels. Our experiments show that the proposed protocol can resist watermark forgery without sacrificing network performance.
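The chain idea in the abstract can be illustrated with a small verifier. This is an added example, not the paper's construction: SHA-256, the `expand` stretching step, the "label = digest mod number of classes" rule, and the lookup-table stand-in for a trained network are all assumptions made for the sketch.

```python
import hashlib

NUM_CLASSES = 10    # assumption: 10-class classifier
SAMPLE_BYTES = 64   # assumption: tiny "image" size for the demo

def expand(seed: bytes, n: int = SAMPLE_BYTES) -> bytes:
    """Stretch a seed into n sample bytes with SHA-256 in counter mode."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]

def next_sample(sample: bytes) -> bytes:
    """Each trigger sample is derived one-way from the previous one."""
    return expand(hashlib.sha256(sample).digest())

def assigned_label(sample: bytes) -> int:
    """The label is fixed by a hash of the sample, not chosen by the claimant."""
    digest = hashlib.sha256(b"label" + sample).digest()
    return int.from_bytes(digest, "big") % NUM_CLASSES

def build_chain(first: bytes, length: int):
    """Owner side: derive the trigger set that the network is then trained on."""
    chain = [first]
    for _ in range(length - 1):
        chain.append(next_sample(chain[-1]))
    return [(s, assigned_label(s)) for s in chain]

def make_model(trained):
    """Stand-in for a network: memorised triggers, fixed rule for other inputs."""
    table = dict(trained)
    return lambda x: table.get(x, x[0] % NUM_CLASSES)

def verify_claim(triggers, predict) -> bool:
    """Accept only if samples chain, labels are hash-assigned, and the model agrees."""
    for i, (sample, label) in enumerate(triggers):
        if i > 0 and sample != next_sample(triggers[i - 1][0]):
            return False   # not a one-way chain
        if label != assigned_label(sample):
            return False   # label was picked freely, not assigned
        if predict(sample) != label:
            return False   # network was never trained on this pair
    return True

if __name__ == "__main__":
    owner = build_chain(expand(b"constructed owner seed"), 8)
    model = make_model(owner)
    # Constructed forgery: arbitrary samples paired with whatever the model outputs.
    forged = [(bytes([i]) * SAMPLE_BYTES, model(bytes([i]) * SAMPLE_BYTES)) for i in range(8)]
    print(verify_claim(owner, model), verify_claim(forged, model))
```

The forged set matches the model's outputs, which is exactly the matching relationship the abstract describes, yet it is rejected because its samples do not chain and its labels were not hash-assigned.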

Updated: 2020-09-04