Neural network laundering: Removing black-box backdoor watermarks from deep neural networks
Computers & Security (IF 5.6), Pub Date: 2021-04-18, DOI: 10.1016/j.cose.2021.102277
William Aiken, Hyoungshick Kim, Simon Woo, Jungwoo Ryoo

Creating a state-of-the-art deep-learning system requires vast amounts of data, expertise, and hardware, yet research into copyright protection for neural networks has been limited. One of the main methods for achieving such protection relies on the susceptibility of neural networks to backdoor attacks in order to inject a watermark into the network, but the robustness of these tactics has been evaluated primarily against pruning, fine-tuning, and model inversion attacks. In this work, we propose an offensive neural network “laundering” algorithm that removes these backdoor watermarks from neural networks even when the adversary has no prior knowledge of the structure of the watermark. We can effectively remove watermarks used by recent defense or copyright protection mechanisms while retaining test accuracies on the target task above 97% and 80% for MNIST and CIFAR-10, respectively. For all watermarking methods addressed in this paper, we find that the robustness of the watermark is significantly weaker than originally claimed. We also demonstrate the feasibility of our algorithm on more complex tasks and in more realistic scenarios where the adversary can carry out efficient laundering attacks using less than 1% of the original training set size, showing that existing watermark-embedding procedures are not sufficient to meet their claims.



Updated: 2021-05-09