NeuralMark: Advancing White-Box Neural Network Watermarking

Thank you for your thoughtful review and valuable feedback. We address your concerns as follows.

W1. The authors establish a key-to-watermark hash mapping, but a similar method for establishing a passport sample-to-watermark hash mapping is already available in [1]. Despite the author's citation of the article in [1], the article does not explain the necessity of using keys directly for hash mapping. In addition, to defend against Removal+Forging Attack, the authors use average pooling, which was also proposed in previous articles [2,3]. As a key module to defend against watermark removal attacks, the approach used by the authors does not advance the knowledge in the field of watermarking.

AW1: We are sorry for this confusion about the key-to-watermark hash mapping, and we address your concerns as follows.

(1) We propose a direct hash binding of the secret key with the watermark to defend against forging attacks (Please refer to AW1 addressed to Reviewer ZqfG for a detailed explanation). Although [1] establishes a hash mapping between passport samples and the watermark, it still necessitates replacing the normalization layer parameters (e.g., batch normalization) with those generated from passport samples. This significantly complicates deployment in practical scenarios. Also, the primary purpose of replacing normalization layer parameters in passport-based methods is to defend against forging attacks. However, this can also be effectively achieved through the hash mapping between passport samples and the watermark. Thus, the use of both mechanisms within a single method is redundant. In contrast, NeuralMark simplifies the watermarking design by directly establishing a hash mapping between the secret key and the watermark, eliminating the need for additional passport samples. This streamlined approach reduces complexity, making NeuralMark simpler and more practical.

(2) We propose a watermark filtering mechanism to resist overwriting attacks with distinct strengths: Most white-box watermarking methods assume that the strength of the adversary's overwriting attack is equivalent to that of the original watermark embedding. This assumption, however, is not reasonable because adversaries cannot be limited in the strength of their overwriting attack. To resist overwriting attacks of varying strengths, we propose a watermark filtering mechanism. This mechanism utilizes the watermark as a filter to select model parameters for embedding, making it significantly increases the difficulty for adversaries to ascertain and manipulate those parameters. As a result, this mechanism effectively reduces interference with the original watermark (Strength 2 from 33YR and Strength 1 from Reviewer 2mAr), even when adversaries increase the embedding strength of their own watermark. To the best of our knowledge, there is no existing method that utilizes the watermark as a filter for selecting model parameters to resist overwriting attacks of varying strengths.

(3) We incorporate hash mapping, watermarking filtering, and average pooling mechanisms into a unified method: Although average pooling has been used in previous works [2, 3] to defend against removal attacks, our use of this technique is integrated into a unified method that includes hash mapping and watermark filtering mechanisms. This integration ensures a robust defense against watermark removal, forging, and overwriting attacks while maintaining practical deployment. To our humble knowledge, NeuralMark is the first to incorporate hash mapping, watermarking filtering, and average pooling mechanisms into a unified method. Also, we provide a theoretical analysis of NeuralMark's security boundary.

(4) We extend white-box model watermarks to the Transformer architectures ( i.e., ViT, GPT-2 ), whereas previous work does not (Strength 2 from Reviewer 464P): NeuralMark can be seamlessly integrated into various neural network architectures due to its simplicity and practicality, which are crucial for advancing the development and widespread adoption of white-box watermarking methods.

In summary, we believe that our work makes meaningful contributions to the white-box watermarking field, addressing the key limitations and advancing the state of the art. We hope this explanation clarifies the value and impact of our contributions.

[1] Hanwen Liu, Zhenyu Weng, Yuesheng Zhu, and Yadong Mu. 2023. Trapdoor normalization with irreversible ownership verification. ICML’23.

[2] Yusuke Uchida, Yuki Nagai, Shigeyuki Sakazawa, and Shin’ichi Satoh. 2017. Embedding Watermarks into Deep Neural Networks. ICMR ’17.

[3] Liu, H., Weng, Z., Zhu, Y. (2021). Watermarking Deep Neural Networks with Greedy Residuals. ICML’21.

W2. Further results on ambiguity attacks (i.e., attacks that would cast ambiguity over the verification process, including forging attacks and overwriting attacks) are needed. See below for details. To my understanding, the proposed algorithm is public while the watermark (i.e., the specific parameter filter in the proposed method) is secret, according to Kerckhoff's Principle. After preliminary verification, the watermark is also publically available, and since the adversary also knows the hidden watermark, what happens to the next verification process? After the first verification, anyone knows the embedded watermark and anyone also could claim ownership, which may cast ambiguity over the verification process after the first verification. In other words, can the proposed method support public verification? For the above question, I think one possible solution is to map the owner's signature to the watermark binary code, e.g., [1, 0, 1, 0]. If so, I would suggest additional analyses and ablation studies about the binary code design in the experiment section.

AW2: You raise an insightful issue regarding repeated public verifications. In the design of NeuralMark, the identity information of the model owner is not intentionally embedded within the secret key. In practice, however, the model owner is typically the first to perform and publicly verify ownership on the timeline. This chronological precedence, we believe, provides sufficient evidence to establish ownership. This is akin to the discovery of a mathematical theorem, i.e., the first scientist to publicly disclose the theorem is acknowledged as the discoverer, whereas subsequent claims, lacking proof of independent discovery, are not recognized as such. In contrast, if an adversary attempts to publicly verify ownership of a model before the legitimate model owner, this constitutes forging attacks. However, such attacks are computationally infeasible due to the hash mapping between the secret key and the watermark.

In addition, we appreciate your suggestion, which has inspired us to design a more practical method capable of supporting repeated public verification by multiple owners. In several practical scenarios where a model is collaboratively developed by multiple owners, their signatures can be seamlessly integrated into NeuralMark to facilitate ownership verification. Specifically, the signatures of model owners are concatenated with the secret key and then hashed to generate the watermark, i.e., $\mathbf{b} = \mathcal{H} (\mathbf{S}_1 || \cdots || \mathbf{S}_n || \mathbf{K}) \in \{0, 1\}^n$, where $||$ denotes concatenation operation, and $\mathbf{S}_n$ represents the $n$-th model owner's signature, serving as cryptographic proof of its identity. Accordingly, this mechanism enables repeated public verification by multiple owners. Furthermore, its robustness in resisting forging attacks is guaranteed by the cryptographic properties of the hash function, similar to the case where $\mathbf{b} = \mathcal{H} (\mathbf{K})$. Also, this mechanism is orthogonal to NeuralMark's existing mechanisms ( i.e.,watermark filtering and average pooling) and does not compromise its robustness against other types of attacks. We have included those discussions in the revision, please refer to lines 211-212 and Appendix B.1 for details.

Q1. Will the source codes and datasets with necessary documents and instructions be publicly available?

AQ1: Yes, we will release our source codes and datasets upon acceptance. Indeed, we have already uploaded the source codes in the supplementary materials, and the datasets can be automatically downloaded. Additionally, all the source codes and necessary documents are organized and available at the following anonymous link: https://anonymous.4open.science/r/NeuralMark.

Thank you for your thoughtful review and valuable feedback. We address your concerns as follows.

W1. The proposed method seems to be incremental. I am aware that there are some numerical improvements in the reported results. However, no substantial contribution to watermark design, in the aspects of robustness or fidelity for example.

AW1: We feel that there may be a misunderstanding regarding the contributions of NeuralMark, which provides the following key contributions to the white-box watermarking field:

(1) We propose a direct hash binding of the secret key with the watermark to defend against forging attacks (Please refer to AW1 addressed to Reviewer ZqfG for a detailed explanation): Although [1] establishes a hash mapping between passport samples and the watermark, it still necessitates replacing the normalization layer parameters (e.g., batch normalization) with those generated from passport samples. This significantly complicates deployment in practical scenarios. Also, the primary purpose of replacing normalization layer parameters in passport-based methods is to defend against forging attacks. However, this can also be effectively achieved through the hash mapping between passport samples and the watermark. Thus, the use of both mechanisms within a single method is redundant. In contrast, NeuralMark simplifies the watermarking design by directly establishing a hash mapping between the secret key and the watermark, eliminating the need for additional passport samples. This streamlined approach reduces complexity, making NeuralMark simpler and more practical.

(2) We propose a watermark filtering mechanism to resist overwriting attacks with distinct strength levels: Most white-box watermarking methods assume that the level of strength of the adversary's overwriting attack is equivalent to that of the original watermark embedding. This assumption, however, is not reasonable because adversaries cannot be limited in the strength of their overwriting attacks. To resist overwriting attacks of varying strength levels, we propose a watermark filtering mechanism. This mechanism utilizes the watermark as a filter to select model parameters for embedding, making it significantly increase the difficulty for adversaries to ascertain and manipulate those parameters. As a result, this mechanism effectively reduces interference with the original watermark (Strength 2 from 33YR and Strength 1 from Reviewer 2mAr), even when adversaries increase the embedding strength of their own watermark. To the best of our knowledge, there is no existing method that utilizes the watermark as a filter for selecting model parameters to resist overwriting attacks of varying strength levels.

(3) We incorporate hash mapping, watermarking filtering, and average pooling mechanisms into a unified method: Although average pooling has been used in previous works [2, 3] to defend against removal attacks, our use of this technique is integrated into a unified method that includes hash mapping and watermark filtering mechanisms. This integration ensures a robust defense against watermark removal, forging, and overwriting attacks while maintaining practical deployment. To our humble knowledge, NeuralMark is the first to incorporate hash mapping, watermarking filtering, and average pooling mechanisms into a unified method. Also, we provide a theoretical analysis of NeuralMark's security boundary.

(4) We extend white-box model watermarks to the Transformer architectures ( i.e., ViT, GPT-2 ), whereas previous work does not (Strength 2 from Reviewer 464P): NeuralMark can be seamlessly integrated into various neural network architectures due to its simplicity and practicality, which are crucial for advancing the development and widespread adoption of white-box watermarking methods.

In summary, we believe that our work makes meaningful contributions to the white-box watermarking field, addressing the key limitations and advancing the state of the art. We hope this explanation clarifies the value and impact of our contributions.

[1] Hanwen Liu, Zhenyu Weng, Yuesheng Zhu, and Yadong Mu. 2023. Trapdoor normalization with irreversible ownership verification. ICML’23.

[2] Yusuke Uchida, Yuki Nagai, Shigeyuki Sakazawa, and Shin’ichi Satoh. 2017. Embedding Watermarks into Deep Neural Networks. ICMR ’17.

[3] Liu, H., Weng, Z., Zhu, Y. (2021). Watermarking Deep Neural Networks with Greedy Residuals. ICML’21.

Thank you for your thoughtful review and valuable feedback. We address your concerns as follows.

W1. The motivation is unclear. Although the authors explain the motivation for the design of the scheme, they do not explain why they are interested in weight-based watermarking. In the introduction, the author introduces three types of model watermarking techniques and states that all three types of watermarking techniques face the same attacks. It is strange and incomprehensible that the author flatly promotes that they only focus on model weight-based watermarking techniques without clearly comparing the pros and cons of the three types of techniques.

AW1: We appreciate your insightful suggestion and have made the following revisions to make the motivation clearer:

• In the Introduction, we have provided the motivation behind our interest in weighted-based methods:

Building on the distinct characteristics of those methods, we are particularly drawn to weight-based methods due to their simplicity and practicability. On one hand, unlike passport-based methods, weight-based methods do not require complex passport layers or incur additional training burdens. On the other hand, unlike activation-based methods, they do not directly constrain the activation maps for watermark embedding. However, the aforementioned limitations of existing weight-based methods motivate us to study the following question: "How can we design a more effective and robust weight-based NNW method to address those limitations?"

• In the Related Work, we have included the following discussions about the pros and cons of the three types of methods:

In summary, weight-based methods, while straightforward, often lack robustness against forging and overwriting attacks. Passport-based methods enhance robustness by binding the watermark to model performance but incur significant training overhead and remain vulnerable to overwriting attacks. Similarly, activation-based methods improve robustness by associating the watermark with activation maps, yet they lack flexibility and fail to effectively defend against forging attacks.

Please see details in lines 048-053 and 108-112 in the revision.

W3. This paper says that performing the filtering round more times can reduce the overlap ratio, but it also reduces the number of weight parameters for embedding the watermark. Will this affect the security of the watermark? It is necessary to conduct an experimental analysis.

AW3: You raise an interesting point. Performing multiple rounds of filtering reduces the number of watermark embedding parameters. On the one hand, this reduction decreases the window size of average pooling, thereby diminishing its effect and, consequently, reducing robustness. On the other hand, since the total number of parameters in the watermark layer remains unchanged, this reduction makes it more difficult for adversaries to attack the watermark embedding parameters, thus enhancing robustness. Therefore, the number of watermark embedding parameters is not strictly positively correlated with robustness. To address your concern and verify our hypothesis, we have conducted additional experiments using 6 and 8 filters, compared to NeuralMark's default setting of 4 filters. Several key experimental results are listed as follows.

Since the figures cannot be displayed in rebuttal, we list some key results against pruning and overwriting attacks in the following tables. As can be seen, as the number of filtering rounds increases, the robustness of NeuralMark in resisting those attacks exhibits nearly no difference. In summary, NeuralMark maintains its robustness even as the number of filtering rounds increases. Please see details in Appendix E.6 in the revision.

Table 3. Comparison of resistance to pruning attacks at various pruning ratios on the CIFAR-100 dataset with distinct filter rounds using ResNet-18.

Table 4. Comparison of resistance to overwriting attacks at various trade-off hyper-parameters ($\lambda$) and learning rates ($\eta$) with distinct filtering rounds. Values (%) inside and outside the bracket are watermark detection rate and classification accuracy, respectively.

W2. There is no comparison with the SOTA weight-based solutions, which makes the experimental results unconvincing.

AW2: Thank you for your valuable feedback. In our manuscript, we have included two baseline methods: VanillaMark [1], which represents the pioneering work in weight-based methods, and GreedyMark [2], which showcases a representative approach that integrates weight-based methods with cryptographic techniques. Through an extensive literature review, we found that recent solutions combining cryptography with weight-based methods are relatively scarce, which is why we only included VanillaMark and GreedyMark in our comparison experiments. However, other types of weight-based methods are still available. One recent and representative method [3], published in AAAI'24, presents a unified approach for both white-box and black-box watermarking. We refer to this method as VoteMark, as it implements a voting-based mechanism for watermark verification, and we utilize its white-box version for comparison. Specifically, VoteMark introduces random noises to embed the watermark and then employs a majority voting scheme to aggregate the results of multiple rounds of verification, which can be regarded as an enhanced version of VanillaMark.

Several key results of VoteMark in resisting forging and overwriting attacks are presented in the following tables. As can be seen, VoteMark is less effective than NeuralMark in resisting forging attacks and overwriting attacks with varying strength levels due to its reliance on a majority voting mechanism. Additionally, VoteMark has been added in the Introduction and Related Work, and all results have been included in the revision.

Table 1. Comparison of resistance to forging attacks using ResNet-18.

Table 2. Comparison of resistance to overwriting attacks at various trade-off hyper-parameters ($\lambda$) and learning rates ($\eta$). Values (%) inside and outside the bracket are watermark detection rate and classification accuracy, respectively.

[1] Yusuke Uchida et al. Embedding Watermarks into Deep Neural Networks. ICMR ’17.

[2] Liu, H. et al. Watermarking Deep Neural Networks with Greedy Residuals. ICML’21.

[3] Fangqi Li et al. Revisiting the information capacity of neural network watermarks: Upper bound estimation and beyond. In AAAI'24.

W5. Experimental comparisons with other methods are insufficient. For instance, in Figure 3, only resistance to pruning attacks at various ratios is shown for NeuralMark without comparisons to other methods. Additionally, Table 5 only compares against VanillaMark, lacking comparisons with GreedyMark. Can the experimental comparisons with other methods be expanded? For example, comparative experiments with other methods need to be added in Figure 3 and Table 5.

AW5: Thanks for your valuable comment. Since GreedyMark does not need the secret key for verification that can effectively resist forging attacks, we did not include GreedyMark for comparison in our manuscript. For completeness, we have incorporated GreedyMark and VanillaMark for comparison as you suggested. Furthermore, we have added a recent method, VoteMark [1], as suggested by Reviewer 33YR. VoteMark introduces random noises to embed the watermark and then employs a majority voting scheme to aggregate the results of multiple rounds of verification. However, it remains ineffective in resisting forging and overwriting attacks. Several key experimental results are reported as follows.

Table 3. Comparison of resistance to forging attacks after fine-tuning attacks and pruning attacks (with a pruning ratio of 40%) using ResNet-18.

Table 4. Comparison of resistance to pruning attacks at various pruning ratios on the CIFAR-100 dataset using AlexNet and ResNet-18, respectively.

From the results, we can see that NeuralMark can effectively resist forging and pruning attacks in all scenarios compared to baseline methods. Please refer to Tables 4, 5, 6, and 7 and Figures 3, 6, 7, and 8 in the revision for more detailed experimental results.

[1] Fangqi Li, Haodong Zhao, Wei Du, and Shilin Wang. Revisiting the information capacity of neural network watermarks: Upper bound estimation and beyond. In AAAI’24.

W3. The resistance to overwriting attacks for NeuralMark is unclear. In Section 5.3, the “Overwriting Attack” paragraph states that “the adversary’s watermark detection rate reaches 100%”, which, even if matched by the original watermark, still leaves model ownership ambiguous. Can this method resist overwriting attacks? With both the original and adversarial watermark detection rates at 100%, there is ambiguity in model ownership.

AW3: We are sorry for this confusion. For overwriting attacks, if an adversary only embeds a counterfeit watermark through modifications to the model parameters without removing the original one, the resulting model will contain both the original and counterfeit watermarks. In this case, the model owner can submit a model containing only the original watermark to an authoritative third-party verification agency. In contrast, the adversary cannot provide a model with only the counterfeit watermark, as they have not successfully removed the original watermark. Accordingly, the adversary cannot prove innocence unless they develop a new model embedded with only their counterfeit watermark. This not only makes stealing the original model unnecessary but also incurs significant training costs.

In addition, this insight is supported by the consensus in the literature [1]. Specifically, on page 4 of 12 in [1]:

Some researchers believe embedding new watermarks as an effective white-box attack. They argue that once multiple watermarks exist in the network, the copyright should be shared by all the owners of those watermarks. In fact, this is not reasonable in the case of an authoritative third-party certifier existing. Because one of the watermark embedders can provide the trusted third party with a network containing only one authenticated watermark to prove that he or she owns the copyright exclusively. Therefore, we believe that simply embedding a new watermark is not enough as a successful attack.

In summary, we believe that for an overwriting attack involving modifications to model parameters to succeed, the original watermark must be removed. Otherwise, the overwriting attack fails, which is defined as the attack success Level III in our manuscript. We have clarified the above statements in the revision, please refer to Section 3.2 for details.

[1] Renjie Zhu, Xinpeng Zhang, Mengte Shi, and Zhenjun Tang. Secure neural network watermarking protocol against forging attack. EURASIP Journal on Image and Video Processing, 2020:1–12, 2020.

W4. Limitations of the proposed method are not explicitly discussed. What are the limitations of NeuralMark?

AW4: Thanks for your insightful suggestion. We have discussed the limitations and border impact of NeuralMark in Appendix B.4 in the revision. The specific details are as follows.

Limitations and Broader Impact

Although NeuralMark demonstrates promising results and can be seamlessly integrated into various architectures, it has certain limitations. Specifically, it requires direct access to the model parameters, making it unsuitable for verifying ownership through a remote Application Programming Interface (API) where model parameters remain inaccessible. To address this limitation, a potential solution involves integrating NeuralMark with black-box NNW watermarking methods, such as those proposed in [1–2]. Specifically, trigger samples can be utilized alongside vanilla training samples to train the model while embedding the watermark through NeuralMark. This method enables the initial verification of model ownership by evaluating the prediction performance of trigger samples via the remote API. Based on this preliminary evidence, a formal request can be made to the API service provider for access to the corresponding model parameters. Once obtained, NeuralMark can be employed for a secondary, white-box verification to conclusively confirm model ownership. The practical implementation of this combined method is beyond the scope of this work and will be explored in future research.

Ownership protection of artificial intelligence models is a critical and pressing issue. This paper presents a simple yet general method to safeguard model ownership. Our work aims to inspire further academic research in this vital area and advance industry adoption to effectively address ownership concerns related to models.

[1] Lixin Fan, Kam Woh Ng, and Chee Seng Chan. Rethinking deep neural network ownership verification: Embedding passports to defeat ambiguity attacks. In NeurIPS, volume 32, 2019.

[2] Lixin Fan, Kam Woh Ng, Chee Seng Chan, and Qiang Yang. Deepipr: Deep neural network ownership verification with passports. IEEE Transactions on Pattern Analysis and Machine Intelligence, 44 (10):6122–6139, 2021.

W2. The paper lacks a detailed description of attack methods, particularly whether fine-tuning and pruning are applied to all parameters or only the Watermark Filtering layer. This could affect the resilience of the method. How are the three types of attacks applied? Are fine-tuning and pruning applied to all parameters, or only to the Watermark Filtering layer? If the latter, would the method still be effective against attacks?

AW2: Thank you for your valuable feedback. For all fine-tuning attacks, we follow [1] and use the same hyper-parameters as during training, except for setting the learning rate to 0.001. In the manuscript, we replace the task-specific classifier and minimize the main task loss $\mathcal{L}\_m$ to optimize all parameters for 100 epochs. In addition, as you suggested, we have conducted experiments where only the watermark embedding layer is fine-tuned, and the specific results are shown in the Table 2.

Table 2. Comparison of resistance to fine-tuning attacks against watermark embedding layer using ResNet-18. Values (%) inside and outside the bracket are watermark detection rate and classification accuracy, respectively.

As can be seen, the watermark detection rate remains at 100%, but the model performance exhibits a substantial decline. Specifically, for the CIFAR-10 to CIFAR-100 task using ResNet-18, the accuracy achieved by NeuralMark through fine-tuning the watermark embedding layer is 49.77%, which is markedly lower than the 71.67% accuracy obtained when all parameters are fine-tuned. Similar trends are observed across other methods. Those results indicate that solely fine-tuning the watermark embedding layer and classifier makes it challenging to ensure effective model performance. Consequently, we do not consider this type of fine-tuning attack in the subsequent experiments.

For pruning attacks, we randomly reset a specified proportion of model parameters in the watermark embedding layer to zero. We have added the above experimental details and results in the revision, please refer to lines 372-375 and 406-408, and Appendix E.1 for details.

[1] Liu, H., Weng, Z., Zhu, Y. (2021). Watermarking Deep Neural Networks with Greedy Residuals. ICML’21.

Thank you for your thoughtful review and valuable feedback. We address your concerns as follows.

W1. The paper lacks consideration for the adaptive attack, which are crucial for robustness. A naïve adaptive attack can freeze model parameters and minimize the loss to learn the key and watermark, potentially compromising model ownership. Can the proposed method defend against adaptive attacks? Additional experiments to assess its resilience to adaptive attacks are necessary.

AW1: We appreciate your insightful suggestion. Indeed, we have considered the adaptive attack, which we refer to reverse engineering attack in our manuscript (please see the details in Section 3.3 in the manuscript). Such attacks involve first randomly forging a counterfeit watermark and then deriving a corresponding secret key by freezing the model parameters. To defend against such attacks, we establish a hash mapping relationship between the secret key and the watermark.

On the one hand, if an adversary attempts to forge a pair of counterfeit secret key and watermark through reverse engineering while considering the hash mapping relationship, it is computationally infeasible due to the avalanche effect of hash functions, where even small changes in the input result in significantly different outputs [1]. As a result, any attempt to learn the secret key and watermark would require breaking the underlying cryptographic hash function, as detailed in Strength 1 from Reviewer 33YR.

On the other hand, if an adversary forges a pair of counterfeit secret key and watermark through reverse engineering without considering the hash mapping relationship, the adversary may achieve a watermark detection rate exceeding the security threshold $\rho\^\ast$ but will fail to satisfy the hash mapping relationship. However, the legitimate model owner can present a valid pair of secret key and watermark that not only exceeds $\rho^\ast$, but also satisfies the hash mapping relationship. As established in Theorem 1, the probability of such an occurrence occurring by chance is negligible, providing strong cryptographic evidence to support third-party verification agencies in correctly determining the model's ownership. Consequently, we have defined the following conditions for watermark verification in NeuralMark (please see the details in Watermark Verification in Section 4.2):

(i) The watermark detection rate exceeds a theoretical security boundary, which will be analyzed later; and (ii) The watermark must correspond to the output of the hash function applied to the secret key, ensuring cryptographic consistency with the predefined hash mapping.

To further clarify this mechanism, we have summarized the watermark verification process in Algorithm 2 within Appendix A in the revision. In summary, the forging attack through reverse engineering in NeuralMark is infeasible, regardless of whether the hash mapping relationship is considered. Therefore, to evaluate its resilience against forging attacks, we have used 10 sets of randomly forged watermarks to directly verify them with the watermarked model in the experiments. Table 1 shows the watermark detection rates of forging attacks, we can see that NeuralMark demonstrates robust resistance against forging attacks (Please see the details in Forging Attack in Section 5.3 of the revision). Additionally, we have revised the relevant statements in lines 178–185 and Section 3.3, and included Appendix B.2 in the revision.

Table 1. Comparison of resistance to forging attacks using ResNet-18

[1] Hanwen Liu, Zhenyu Weng, Yuesheng Zhu, and Yadong Mu. 2023. Trapdoor normalization with irreversible ownership verification. ICML’23.