Intellectual property protection of neural network architectures via steganography and IEEE 754 standard Open Access

With the rapid development and widespread application of artificial intelligence (AI) systems based on neural networks, the need for robust intellectual property protection has become critical. Therefore, reliable ownership authentication methods are designed to prevent unauthorized use and tampering [1–4]. Different protection methodologies have been proposed, including steganography, watermarking, fingerprinting and backdoor-based verifications, offering copyright protection, enabling ownership verification and supporting authentication [5–9]. White-box protection methods embed information into the parameters of a neural network to verify ownership. Often, these techniques require access to the neural network parameters to ensure intellectual property protection and ownership verification of neural networks [10–13]. Protecting neural networks against pruning and compression remains a critical research area, as these techniques reduce model size and computational cost.

Recent methods have aimed to preserve model accuracy while embedding ownership information. Watermark embedding during training enhance protection effectiveness while maintaining model accuracy. However, retraining the network may remove the watermark [14]. Ownership data embedding on the discrete cosine transform (DCT) coefficients enhances resistance to pruning without affecting accuracy. However, it has limited payload embedding capacity [15]. Multi-watermark embedding has been demonstrated to have a minimal impact on model performance, and it is designed for robust information hiding. The watermark extraction may be computationally intensive [16]. Hybrid methods use zero-watermarking bit and neural network optimization as a second watermarking layer to enhance robustness. This makes it difficult to balance robustness, imperceptibility and efficiency [17]. The parameter regularizer function for embedding during training or fine-tuning allows data embedding across training. Its robustness is limited to certain attacks [18]. White-box feature embedding via decision tree selection enables relevant feature selection for embedding control. However, it is vulnerable to model extraction attacks [19]. The implementation of the Power Function Mapping (PF-Mapping) as an activation function embeds information with a secret key, but it is vulnerable to pruning [20]. DCT middle frequency coefficients replacement maintains the classification accuracy. The method has limited payload embedding [21]. Kernel information embedding generates robustness against fine-tuning and pruning. It requires high computational processing [22]. The protection of neural networks using layers is achieved through keys that modify the parameters, enabling multiple verification checks. If these layers are removed, model performance decreases [23]. ChainMarks embeds watermarks using cryptographic sequences for ownership verification even if the model has been modified or retrained. However, it creates a dependency on the original data [24]. Most methods focus on embedding information in the neural network parameters and assess performance based on the original task.

The proposed method enhances the robustness of neural networks against pruning, fine-tuning, overwriting and quantization attacks by embedding binary ownership information into the model weights. This is achieved through a steganographic bit replacement technique (15th bit) using the IEEE 754 floating-point representation to modify specific bits without affecting the performance. This approach was implemented in a variational autoencoder (VAE), but it is generalizable to other architectures. To minimize performance degradation, ownership information is embedded in stable layers with low gradient magnitudes, as these layers are less sensitive to small parameter changes. Experimental results demonstrate that the embedding process is imperceptible in terms of accuracy loss and robustness against optimization attacks. The main contributions are:

1. The bit replacement technique is used for the binary ownership information embedding into neural network weights, ensuring imperceptibility and preserving the model performance.

2. The incorporation of the IEEE 754 standard ensures that the embedded information remains undetectable and can be recovered for neural network ownership verification.

3. The combination of IEEE 754 representation and the 15th bit replacement from the selected weight value improves the robustness against attacks, including fine-tuning, pruning and parameter overwriting.

4. Gradient analysis identifies stable layers to enhance security and robustness against structural optimizations of the model and unauthorized tampering.

This methodology contributes to neural network security by introducing a robust and efficient steganographic framework for intellectual property protection.

The proposed method embeds a binary sequence into the weights by modifying specific bits in their IEEE 754 representation, enabling imperceptible ownership information. During authentication, the embedded sequence is retrieved to verify model ownership.

Figure 1 illustrates the data embedding and extraction process. A VAE is employed to demonstrate the effectiveness of the proposed method, preserving its performance by reconstructing the original image in case of tampering.

The weights from stable layers are selected to embed the binary sequence by modifying specific bits of each one on its IEEE 754 floating representation [25]. The selection of stable layers minimizes the performance degradation of the neural network and improves the robustness of the model against manipulations. Layer stability is estimated by analyzing the gradient magnitudes, where lower values indicate more stability. The gradient $▿$ measures how a parameter (weight or bias) changes. For a given weight $w$ and a dataset $Ok$⁠, k = 1, …, L, the gradient is defined as (1):

The model parameters were updated during training by using the gradient descent algorithm (2) to minimize the loss function.

where η is the learning rate and w is updated (⁠$←$⁠) with gradient descent. Therefore, the average gradient magnitude $Gk$ is computed across the dataset, $Ok$ which is calculated as (3):

After calculating the gradient magnitude, a list containing each layer (layer) and the corresponding average gradient magnitude, $Gk$⁠, is generated. This list is sorted by SG in ascending order (⁠$↑$⁠) according to the $Gk$ values to identify the most stable layers (4):

The first four layers in SG with the smallest gradients were selected to embed binary information. This strategy improves robustness since these stable layers are less susceptible to fine-tuning. Then, the weight tensor from encoder $WE$ (5) is extracted to embed the binary information on the stable layers.

where i and j are the index of the layer and the neuron, respectively. Therefore, the binary sequence was embedded in the neural network weights, using the bit-replacement steganography method.

Figure 2 presents the pseudocode steps to illustrate the selection of the stable weights procedure employed during the embedding process.

Ownership information is embedded in the neural network by replacing the 15th bit of the IEEE 754 floating-point representation in its 32-bit format to encode the watermark. The IEEE 754 format increases security and minimizes perceptibility. This format transforms each floating-point number into its binary representation using three components (6): (1) Sign (S, 1 bit), (2) Exponent (E, 8 bits) and (3) Mantissa (M, 23 bits).

The Sign (S) indicate whether the number is positive or negative, represented by the most significant bit (MSB) (7):

The Exponent (E) defines the magnitude of the represented number. In the 32-bit format, the exponent is stored in 8 bits. For example, the binary number 1000.01₂ ​ can be normalized and represented as: 1.0000 $12$ x$23$⁠, E = 3. Therefore, the stored exponent value $Er$ is computed as (8) by adding a bias of 127, which is specific to the 32-bit floating-point format of the IEEE 754 representation.

The Mantissa (M) represents the fractional part of a decimal number. This element consists of 23 bits denoted as $fr1,…,frv$⁠, where each $fri∈{0,1}$⁠, and it is expressed as (9):

This binary representation is obtained through the following process: 1) Multiply the fractional part by 2. 2) The integer part of the result becomes the next bit. 3) The remaining fractional part is used for the next iteration. For example, for 0.75 in binary: Step 1: 0.75 × 2 = 1.5, integer part = 1 (first bit), fractional part = 0.5. Step 2: 0.5 × 2 = 1.0, integer part = 1 (second bit) and fractional part = 0. Conversion ends since the fractional part is zero. The binary representation of 0.75 is 0.11₂​. Therefore, the Mantissa is M = 11,000…0 (21 zeros added to complete 23 bits).

Once the IEEE 754 representation of the weights is obtained, the 15th bit is modified $mwIEEE$ with the binary sequence $sb$ (10). The 15th bit was selected because its modification has a minimal impact on the performance of the model.

where l is the corresponding bit from the binary sequence $sb$⁠. Therefore, the modified weights $mwIEEE$ are converted to their decimal representations. The recovery of the original decimal values from the IEEE 754 representation involves extracting the sign bit $Sr$ (11), exponent E’ (12) and mantissa $Mr$ (13), with the final value computed using (14):

where $Sr$ is the bit sign (0 = positive, 1 = negative), $Er$ is the decimal value from the stored exponent, $frv$ is the decimal value from the Mantissa M and X denotes the value of the number in decimal obtained from its IEEE 754 representation. Finally, the weights parameters were restored to their decimal forms.

Figure 3 illustrates the pseudocode of the watermark embedding process, detailing the steps required to integrate the binary sequence into the selected stable weights.

The ownership authentication protects against unauthorized use, ensuring the integrity of the model by extracting the embedded information into the weight parameters from the neural network.

First, it is necessary to locate the modified by calculating the gradient to identify the most stable layers. During verification, the gradients are recalculated to accurately locate these stable layers. For this reason, the authentication process uses the modified weight tensor $mwIEEE$ (15), which is converted to IEEE 754 format to extract the embedded sequence using in (16), using (6)-(8).

Therefore, the 15th bit of each weight in the IEEE 754 representation is extracted to recover the embedded binary information $sbr$⁠, (17), which is used to verify the authenticity of the model.

The authentication process verifies the ownership of the neural network by retrieving the embedded information. Furthermore, the proposed method preserves the model accuracy and provides a secure methodology for intellectual property protection.

Figure 4 presents the pseudocode for watermark retrieval, showing the procedure used to extract the embedded binary sequence from the stable weights.

This section presents the validation of the robustness against attacks such as quantization, pruning, fine-tuning, and noise injection. In addition, the VAE performance was assessed under image forgery scenarios involving object addition and removal. For evaluation, the MICC-F220 [26], coverage [27], realistic tampering [28] and a proprietary dataset were employed to provide a comprehensive assessment. Results demonstrate that the proposed method preserves the performance of the neural network even when the weights are modified. The algorithm was implemented in Python with PyTorch and executed on a system with a NVIDIA GeForce-4050 GPU and an Intel-CoreUltra-7 processor.

The neural network performance was evaluated by comparing the quality of the reconstructed image against the original image. PSNR measures the ratio between the original image $Io$ and the noise in the reconstructed image $Ir$​ (18).

where MSE is the mean squared error (19).

R and C denote the number of rows and columns and (x, y) the pixel coordinates. In contrast, SSIM evaluates image quality based on luminance, texture and structural similarity (20).

where $μIo,μIr$ represent the mean values, $σIo,σIr$ are the image variances and $σIo,Ir$ is the covariance. Finally, $C1$ and $C2$ are constant A higher SSIM indicates structural similarity between the reconstructed and original images.

Table 1 shows that the reconstruction of manipulated images using the neural network with modified weights is comparable to the performance of models with unmodified weights, as it is reflected in the PSNR and SSIM values.

Figure 5 compares the image reconstruction accuracy for 20 random images. This comparison shows that SSIM values from the modified and the original model are similar, demonstrating that embedding information has minimal impact on reconstruction quality.

Figure 6 presents the processing time required for the recovery of the embedded information and image reconstruction. Images from the high-resolution dataset need more processing time during processing and reconstruction for their size.

The evaluation of the information embedding imperceptibility used two binary sequences of the histograms with different payloads.

Figure 7 demonstrates that the embedding process preserves the statistical distribution of the neural network weights. The comparison is made with two payload configurations: 152 and 1,500 embedded bits. The results show the histograms of the original and watermarked weights are similar, confirming that the embedded information is imperceptible. This indicates that the embedding method maintains weight integrity without introducing detectable changes and preserves the statistical distribution of the parameters.

To assess the efficiency of the recovery process, the bit error rate (BER) was used (21) to measure the number of erroneous bits.

where $⊕$ is the XOR operation, L′ is the length of the signal $sb$⁠, $sb$ and $sbr$ are the binary information sequence and the recovered binary sequence, respectively.

Table 2 presents image reconstruction performance and information retrieval for different embedding sequence lengths. The number of embedded bits increases from 15,200 bits to 22,829,811 bits, the SSIM of the reconstructed images shows a slight decrease (SSIM_decrease<0.1) between the original model and the modified model, demonstrating that the method does not modify the performance, while the BER from the retrieval information remains zero. These results confirm the robustness of the proposed method and do not compromise the neural network performance.

Table 3 evaluates the robustness against pruning attacks. Two scenarios were tested: pruning all four embedding layers and pruning only two layers. Results show the method preserves the information even at pruning of 50%. To reduce information loss, redundant embedding in bias parameters is suggested.

Table 4 shows when information is redundantly embedded in bias, the BER is reduced to 0 because pruning techniques are typically applied to the weights. Furthermore, the method was evaluated under a different manipulation, including quantization, fine-tuning, weight bit values overwriting and noise injection.

Table 5 presents the robustness of the recovery process for different attacks. Modifications to the weights have a minimal effect on information recovery. However, higher noise levels increase the BER, which affects the accuracy of the recovered information. Bit overwriting shows no impact on the retrieval of the embedded information, which demonstrates the selection of the 15th bit is resistant to manipulations.

Table 6 presents the BER of the sequence retrieval after fine-tuning for different numbers of epochs. The results indicate that fine-tuning has an impact on the embedded data since LSB were modified while the bits containing the embedded information remain intact. The BER remains low across all fine-tuning epochs, demonstrating the stability of the proposed method, which leverages embedding information using the gradient to select the most stable layers.

The proposed method was compared with existing techniques reported in the literature, in which most approaches primarily focused on evaluating the performance of a neural network with embedded data. However, some methodologies focus on information recovery under specific network alterations.

Table 7 presents a comparative analysis with other methods and demonstrate the robustness of the proposed method. Kernel embedding and multi-bit replacement methods achieve a perfect recovery under some scenarios; their evaluations are limited to specific neural network optimizations. In contrast, the proposed method was comprehensively tested under more parameters optimizations and manipulations. Most of the previous studies are tested on classification networks, which may not illustrate the impact of embedded information on the network.

Table 1 shows that the proposed method does not compromise the forgery image reconstruction performance of the neural network with modified weights, although reconstruction quality slightly decreases for more complex manipulations compared to the unmodified network. In this context, Figure 7 illustrates the imperceptibility of the embedded information, as the histogram remains unchanged.

Table 2 evaluates the method under pruning attacks, achieving high information retrieval accuracy even with 50% pruning. Table 5 shows the robustness of the approach during neural network optimization. Bit overwriting does not affect the retrieval of the embedded data. However, the proposed method has some limitations. High noise levels can alter the values of the modified weights, including the bits containing the embedded information, which increases the BER and reduces retrieval accuracy. Similarly, high pruning removes a significant number of the network weights, eliminating those that were modified with the embedded data, compromising the information retrieval process.

This paper introduces a steganographic method using the IEEE 754 standard to embed ownership information directly into neural network weights. The technique ensures imperceptibility and maintains model performance. The proposed method shows robustness for model optimizations such as pruning, quantization and fine-tuning. Experimental results demonstrate the imperceptibility of the embedded information as the statistical distribution of the neural network weights remains unchanged. The results demonstrate robustness in information retrieval, even when up to 50% of the weights from the selected are pruned. Nevertheless, a slight increase in the BER is observed as the pruning ratio grows, which can be attributed to the removal of some modified weight.

Future work will extend this approach to protect the neural network and the associated data against manipulation. Additionally, the network protection mechanisms could be leveraged in the detection of images from generative models by integrating structural components. This design includes activation functions into the inference process by incorporating watermark into the data. Additionally, it is considered the adaptation of image watermarking techniques such as zero-watermarking or data hiding.

This study did not involve human participants or animals; therefore, ethical approval was not require ethical approval.

The authors thank to the Secretaría de Ciencia, Humanidades, Tecnología e Innovación (SECIHTI) of Mexico and the Instituto Politécnico Nacional for the support provided during the realization of this research.