Watermarking PLMs on Classification Tasks by Combining Contrastive Learning with Weight Perturbation

Chenxi Gu; Xiaoqing Zheng; Jianhan Xu; Muling Wu; Cenyuan Zhang; Chengsong Huang; Hua Cai; Xuanjing Huang

doi:10.18653/v1/2023.findings-emnlp.239

Watermarking PLMs on Classification Tasks by Combining Contrastive Learning with Weight Perturbation

Chenxi Gu
, Xiaoqing Zheng
, Jianhan Xu
, Muling Wu
, Cenyuan Zhang
, Chengsong Huang
, Hua Cai
, Xuanjing Huang

Research output: Chapter in Book/Report/Conference proceeding › Conference Paper › Research › peer-review

3 Citations (Scopus)

Abstract

Large pre-trained language models (PLMs) have achieved remarkable success, making them highly valuable intellectual property due to their expensive training costs. Consequently, model watermarking, a method developed to protect the intellectual property of neural models, has emerged as a crucial yet underexplored technique. The problem of watermarking PLMs has remained unsolved since the parameters of PLMs will be updated when fine-tuned on downstream datasets, and then embedded watermarks could be removed easily due to the catastrophic forgetting phenomenon. This study investigates the feasibility of watermarking PLMs by embedding backdoors that can be triggered by specific inputs. We employ contrastive learning during the watermarking phase, allowing the representations of specific inputs to be isolated from others and mapped to a particular label after fine-tuning. Moreover, we demonstrate that by combining weight perturbation with the proposed method, watermarks can be embedded in a flatter region of the loss landscape, thereby increasing their robustness to watermark removal. Extensive experiments on multiple datasets demonstrate that the embedded watermarks can be robustly extracted without any knowledge about downstream tasks, and with a high success rate.

Original language	English
Title of host publication	The 2023 Conference on Empirical Methods in Natural Language Processing - Findings of the Association for Computational Linguistics
Editors	Houda Bouamor, Juan Pino, Kalika Bali
Place of Publication	Stroudsburg PA USA
Publisher	Association for Computational Linguistics (ACL)
Pages	3685-3694
Number of pages	10
ISBN (Electronic)	9798891760615
DOIs	https://doi.org/10.18653/v1/2023.findings-emnlp.239
Publication status	Published - 2023
Externally published	Yes
Event	Empirical Methods in Natural Language Processing 2023 - , Singapore Duration: 6 Dec 2023 → 10 Dec 2023 https://2023.emnlp.org/ https://aclanthology.org/volumes/2023.findings-emnlp/ (Proceedings) https://aclanthology.org/volumes/2023.emnlp-demo/ (Proceedings)

Conference

Conference	Empirical Methods in Natural Language Processing 2023
Abbreviated title	EMNLP 2023
Country/Territory	Singapore
Period	6/12/23 → 10/12/23
Internet address	https://2023.emnlp.org/ https://aclanthology.org/volumes/2023.findings-emnlp/ (Proceedings) https://aclanthology.org/volumes/2023.emnlp-demo/ (Proceedings)

Access to Document

10.18653/v1/2023.findings-emnlp.239Licence: CC BY

775799653-oaFinal published version, 1.74 MBLicence: CC BY

Cite this

Gu, C., Zheng, X., Xu, J., Wu, M., Zhang, C., Huang, C., Cai, H., & Huang, X. (2023). Watermarking PLMs on Classification Tasks by Combining Contrastive Learning with Weight Perturbation. In H. Bouamor, J. Pino, & K. Bali (Eds.), The 2023 Conference on Empirical Methods in Natural Language Processing - Findings of the Association for Computational Linguistics (pp. 3685-3694). Association for Computational Linguistics (ACL). https://doi.org/10.18653/v1/2023.findings-emnlp.239

Gu, Chenxi ; Zheng, Xiaoqing ; Xu, Jianhan et al. / Watermarking PLMs on Classification Tasks by Combining Contrastive Learning with Weight Perturbation. The 2023 Conference on Empirical Methods in Natural Language Processing - Findings of the Association for Computational Linguistics. editor / Houda Bouamor ; Juan Pino ; Kalika Bali. Stroudsburg PA USA : Association for Computational Linguistics (ACL), 2023. pp. 3685-3694

@inproceedings{349afdc1e863479688b1ab35a8b8668b,

title = "Watermarking PLMs on Classification Tasks by Combining Contrastive Learning with Weight Perturbation",

abstract = "Large pre-trained language models (PLMs) have achieved remarkable success, making them highly valuable intellectual property due to their expensive training costs. Consequently, model watermarking, a method developed to protect the intellectual property of neural models, has emerged as a crucial yet underexplored technique. The problem of watermarking PLMs has remained unsolved since the parameters of PLMs will be updated when fine-tuned on downstream datasets, and then embedded watermarks could be removed easily due to the catastrophic forgetting phenomenon. This study investigates the feasibility of watermarking PLMs by embedding backdoors that can be triggered by specific inputs. We employ contrastive learning during the watermarking phase, allowing the representations of specific inputs to be isolated from others and mapped to a particular label after fine-tuning. Moreover, we demonstrate that by combining weight perturbation with the proposed method, watermarks can be embedded in a flatter region of the loss landscape, thereby increasing their robustness to watermark removal. Extensive experiments on multiple datasets demonstrate that the embedded watermarks can be robustly extracted without any knowledge about downstream tasks, and with a high success rate.",

author = "Chenxi Gu and Xiaoqing Zheng and Jianhan Xu and Muling Wu and Cenyuan Zhang and Chengsong Huang and Hua Cai and Xuanjing Huang",

note = "Publisher Copyright: {\textcopyright} 2023 Association for Computational Linguistics.; Empirical Methods in Natural Language Processing 2023, EMNLP 2023 ; Conference date: 06-12-2023 Through 10-12-2023",

year = "2023",

doi = "10.18653/v1/2023.findings-emnlp.239",

language = "English",

pages = "3685--3694",

editor = "Houda Bouamor and Juan Pino and Kalika Bali",

booktitle = "The 2023 Conference on Empirical Methods in Natural Language Processing - Findings of the Association for Computational Linguistics",

publisher = "Association for Computational Linguistics (ACL)",

url = "https://2023.emnlp.org/, https://aclanthology.org/volumes/2023.findings-emnlp/, https://aclanthology.org/volumes/2023.emnlp-demo/",

}

Gu, C, Zheng, X, Xu, J, Wu, M, Zhang, C, Huang, C, Cai, H & Huang, X 2023, Watermarking PLMs on Classification Tasks by Combining Contrastive Learning with Weight Perturbation. in H Bouamor, J Pino & K Bali (eds), The 2023 Conference on Empirical Methods in Natural Language Processing - Findings of the Association for Computational Linguistics. Association for Computational Linguistics (ACL), Stroudsburg PA USA, pp. 3685-3694, Empirical Methods in Natural Language Processing 2023, Singapore, 6/12/23. https://doi.org/10.18653/v1/2023.findings-emnlp.239

Watermarking PLMs on Classification Tasks by Combining Contrastive Learning with Weight Perturbation. / Gu, Chenxi; Zheng, Xiaoqing; Xu, Jianhan et al.
The 2023 Conference on Empirical Methods in Natural Language Processing - Findings of the Association for Computational Linguistics. ed. / Houda Bouamor; Juan Pino; Kalika Bali. Stroudsburg PA USA: Association for Computational Linguistics (ACL), 2023. p. 3685-3694.

Research output: Chapter in Book/Report/Conference proceeding › Conference Paper › Research › peer-review

TY - GEN

T1 - Watermarking PLMs on Classification Tasks by Combining Contrastive Learning with Weight Perturbation

AU - Gu, Chenxi

AU - Zheng, Xiaoqing

AU - Xu, Jianhan

AU - Wu, Muling

AU - Zhang, Cenyuan

AU - Huang, Chengsong

AU - Cai, Hua

AU - Huang, Xuanjing

PY - 2023

Y1 - 2023

N2 - Large pre-trained language models (PLMs) have achieved remarkable success, making them highly valuable intellectual property due to their expensive training costs. Consequently, model watermarking, a method developed to protect the intellectual property of neural models, has emerged as a crucial yet underexplored technique. The problem of watermarking PLMs has remained unsolved since the parameters of PLMs will be updated when fine-tuned on downstream datasets, and then embedded watermarks could be removed easily due to the catastrophic forgetting phenomenon. This study investigates the feasibility of watermarking PLMs by embedding backdoors that can be triggered by specific inputs. We employ contrastive learning during the watermarking phase, allowing the representations of specific inputs to be isolated from others and mapped to a particular label after fine-tuning. Moreover, we demonstrate that by combining weight perturbation with the proposed method, watermarks can be embedded in a flatter region of the loss landscape, thereby increasing their robustness to watermark removal. Extensive experiments on multiple datasets demonstrate that the embedded watermarks can be robustly extracted without any knowledge about downstream tasks, and with a high success rate.

AB - Large pre-trained language models (PLMs) have achieved remarkable success, making them highly valuable intellectual property due to their expensive training costs. Consequently, model watermarking, a method developed to protect the intellectual property of neural models, has emerged as a crucial yet underexplored technique. The problem of watermarking PLMs has remained unsolved since the parameters of PLMs will be updated when fine-tuned on downstream datasets, and then embedded watermarks could be removed easily due to the catastrophic forgetting phenomenon. This study investigates the feasibility of watermarking PLMs by embedding backdoors that can be triggered by specific inputs. We employ contrastive learning during the watermarking phase, allowing the representations of specific inputs to be isolated from others and mapped to a particular label after fine-tuning. Moreover, we demonstrate that by combining weight perturbation with the proposed method, watermarks can be embedded in a flatter region of the loss landscape, thereby increasing their robustness to watermark removal. Extensive experiments on multiple datasets demonstrate that the embedded watermarks can be robustly extracted without any knowledge about downstream tasks, and with a high success rate.

UR - https://www.scopus.com/pages/publications/85183296447

U2 - 10.18653/v1/2023.findings-emnlp.239

DO - 10.18653/v1/2023.findings-emnlp.239

M3 - Conference Paper

AN - SCOPUS:85183296447

SP - 3685

EP - 3694

BT - The 2023 Conference on Empirical Methods in Natural Language Processing - Findings of the Association for Computational Linguistics

A2 - Bouamor, Houda

A2 - Pino, Juan

A2 - Bali, Kalika

PB - Association for Computational Linguistics (ACL)

CY - Stroudsburg PA USA

T2 - Empirical Methods in Natural Language Processing 2023

Y2 - 6 December 2023 through 10 December 2023

ER -

Gu C, Zheng X, Xu J, Wu M, Zhang C, Huang C et al. Watermarking PLMs on Classification Tasks by Combining Contrastive Learning with Weight Perturbation. In Bouamor H, Pino J, Bali K, editors, The 2023 Conference on Empirical Methods in Natural Language Processing - Findings of the Association for Computational Linguistics. Stroudsburg PA USA: Association for Computational Linguistics (ACL). 2023. p. 3685-3694 doi: 10.18653/v1/2023.findings-emnlp.239

Watermarking PLMs on Classification Tasks by Combining Contrastive Learning with Weight Perturbation

Abstract

Conference

Access to Document

Other files and links

Cite this