On the robustness of watermarking neural networks

DISI Seminar

17 ottobre 2019
Versione stampabile

Date&Time: October 17, 2019 - h. 10:00 am
Location: Via Sommarive 5 - Polo Ferrari 1 (Povo, TN) - Room Garda


  • Prof. Florian Kerschbaum - University of Waterloo, Canada


Data is becoming an asset and data holders want to commercially exploit their data resources.  One way is to sell machine learning models, in particular deep neural nets, created from that data.  However, these neural nets can be copied or stolen.  Watermarking should enable tracing of models by embedding a secret message into the neural net.  In this talk we will investigate the robustness of existing black-box and white-box watermarking algorithms to adversarial black-box and white-box transformations of the neural net.

About the Speaker

I am an associate professor in the David R. Cheriton School of Computer Science at the University of Waterloo (since 2017) and executive director of the Waterloo Cybersecurity and Privacy Institute (since 2018). Before I worked as chief research expert at SAP in Karlsruhe (2005 – 2016) and as a software architect at Arxan Technologies in San Francisco (2002 – 2004). I hold a Ph.D. in computer science from the Karlsruhe Institute of Technology (2010) and a master's degree from Purdue University (2001). I am interested in data security and privacy in data management, machine learning, and blockchains. I extend real-world systems with cryptographic security mechanisms to achieve (some) provable security guarantees. My work has been applied to products for databases, supply chain management and RFID tracking.

Contact: channam.ngo [at] unitn.it (Chan Nam Ngo)