IH&MMSec '21: Proceedings of the 2021 ACM Workshop on Information Hiding and Multimedia Security

IH&MMSec '21: Proceedings of the 2021 ACM Workshop on Information Hiding and Multimedia Security

Full Citation in the ACM Digital Library

SESSION: Keynote & Invited Talks

Evaluating and Designing against Side-Channel Leakage: White Box or Black Box?

  • François-Xavier Standaert

Side-channel analysis is an important concern for the security of cryptographic implementations, and may lead to powerful key recovery attacks if no countermeasures are deployed. Therefore, various types of protection mechanisms have been proposed over the last 20 years. In view of the cost and performance overheads caused by these protections, their fair evaluation and scarce use are a primary concern for hardware and software designers. Yet, the physical nature of side-channel analysis also renders the security evaluation of cryptographic implementations very different from the one of cryptographic algorithms against mathematical cryptanalysis. That is, while the latter can be quantified based on (well-defined) time, data and memory complexities, the evaluation of side-channel security additionally requires to quantify the informativeness and exploitability of the physical leakages. This implies that a part of these security evaluations is inherently heuristic and dependent on engineering expertise. It also raises the question of the capabilities given to the adversary/evaluator. For example, should she get full (unrestricted) access to the implementation to gain a precise understanding of its functioning (which I will denote as the white box approach) or should she be more restricted? In this talk, I will argue that a white box approach is not only desirable in order to avoid designing and evaluating implementations with a "false sense of security" but also that such designs become feasible in view of the research progresses made over the last two decades.

How Private is Machine Learning?

  • Nicolas Carlini

A machine learning model is private if it doesn't reveal (too much) about its training data. This three-part talk examines to what extent current networks are private. Standard models are not private. We develop an attack that extracts rare training examples (for example, individual people's names, phone numbers, or addresses) out of GPT-2, a language model trained on gigabytes of text from the Internet [2]. As a result there is a clear need for training models with privacy-preserving techniques. We show that InstaHide, a recent candidate, is not private. We develop a complete break of this scheme and can again recover verbatim inputs [1]. Fortunately, there exists provably-correct "differentiallyprivate" training that guarantees no adversary could ever succeed at the above attacks. We develop techniques to that allow us to empirically evaluate the privacy offered by such schemes, and find they may be more private than can be proven formally [3].

Tracing Data through Learning with Watermarking

  • Alexandre Sablayrolles

How can we gauge the privacy provided by machine learning algorithms? Models trained with differential privacy (DP) provably limit information leakage, but the question remains open for non-DP models. In this talk, we present multiple techniques for membership inference, which estimates if a given data sample is in the training set of a model. In particular, we introduce a watermarking-based method that allows for a very fast verification of data usage in a model: this technique creates marks called radioactive that propagates from the data to the model during training. This watermark is barely visible to the naked eye and allows data tracing even when the radioactive data represents only 1% of the training set.

SESSION: Session 1: Forensics I

PRNU-based Deepfake Detection

  • Florian Lugstein
  • Simon Baier
  • Gregor Bachinger
  • Andreas Uhl

As deepfakes become harder to detect by humans, more reliable detection methods are required to fight the spread of fake images and videos. In our work, we focus on PRNU-based detection methods, which, while popular in the image forensics scene, have not been given much attention in the context of deepfake detection. We adopt a PRNU-based approach originally developed for the detection of face morphs and facial retouching, and performed the first large scale test of PRNU-based deepfake detection methods on a variety of standard datasets. We show the impact of often neglected parameters of the face extraction stage on detection accuracy. We also document that existing PRNU-based methods cannot compete with state of the art methods based on deep learning but may be used to complement those in hybrid detection schemes.

Fake Speech Detection Using Residual Network with Transformer Encoder

  • Zhenyu Zhang
  • Xiaowei Yi
  • Xianfeng Zhao

Fake speech detection aims to distinguish fake speech from natural speech. This paper presents an effective fake speech detection scheme based on residual network with transformer encoder (TE-ResNet) for improving the performance of fake speech detection. Firstly, considering inter-frame correlation of the speech signal, we utilize transformer encoder to extract contextual representations of the acoustic features. Then, a residual network is used to process deep features and calculate score that the speech is fake. Besides, to increase the quantity of training data, we apply five speech data augmentation techniques on the training dataset. Finally, we fuse the different fake speech detection models on score-level by logistic regression for compensating the shortcomings of each single model. The proposed scheme is evaluated on two public speech datasets. Our experiments demonstrate that the proposed TE-ResNet outperforms the existing state-of-the-art methods both on development and evaluation datasets. In addition, the proposed fused model achieves improved performance for detection of unseen fake speech technology, which can obtain equal error rates (EERs) of 3.99% and 5.89% on evaluation set of FoR-normal dataset and ASVspoof 2019 LA dataset respectively.

Meta and Media Data Stream Forensics in the Encrypted Domain of Video Conferences

  • Robert Altschaffel
  • Jonas Hielscher
  • Stefan Kiltz
  • Jana Dittmann

Our paper presents a systematic approach to investigate whether and how events can be identified and extracted during the use of video conferencing software. Our approach is based on the encrypted meta and multimedia data exchanged during video conference sessions. It relies on the network data stream which contains data interpretable without decryption (plain data) and encrypted data (encrypted content) some of which is decrypted using our approach (decrypted content). This systematic approach uses a forensic process model and the fission of network data streams before applying methods on the specific individual data types. Our approach is applied exemplary to the Zoom Videoconferencing Service with Client Version 5.4.57862.0110 [4], the mobile Android App Client Version 5.5.2 (1328) [4], the webbased client and the servers (accessed between Jan 21st and Feb 4th). The investigation includes over 50 different configurations. For the heuristic speaker identification, two series of nine sets for eight different speakers are collected. The results show that various user data can be derived from characteristics of encrypted media streams, even if end-to-end encryption is used. The findings suggest user privacy risks. Our approach offers the identification of various events, which enable activity tracking (e.g. camera on/off, increased activity in front of camera) by evaluating heuristic features of the network streams. Further research into user identification within the encrypted audio stream based on pattern recognition using heuristic features of the corresponding network data stream is conducted and suggests the possibility to identify users within a specific set.

SESSION: Session 2: Forensics II

Exploitation and Sanitization of Hidden Data in PDF Files: Do Security Agencies Sanitize Their PDF Files?

  • Supriya Adhatarao
  • Cédric Lauradoux

Organizations publish and share more and more electronic documents like PDF files. Unfortunately, most organizations are unaware that these documents can compromise sensitive information like authors names, details on the information system and architecture. All these information can be exploited easily by attackers to footprint and later attack an organization. In this paper, we analyze hidden data found in the PDF files published by an organization. We gathered a corpus of 39664 PDF files published by 75 security agencies from 47 countries. We have been able to measure the quality and quantity of information exposed in these PDF files. It can be effectively used to find weak links in an organization: the employees who are running outdated software. We have also measured the adoption of PDF files sanitization by security agencies. We identified only 7 security agencies which sanitize few of their PDF files before publishing. Unfortunately, we were still able to find sensitive information within 65% of these sanitized PDF files. Some agencies are using weak sanitization techniques: it requires to remove all the hidden sensitive information from the file and not just to remove the data at the surface. Security agencies need to change their sanitization methods.

Angular Margin Softmax Loss and Its Variants for Double Compressed AMR Audio Detection

  • Aykut Büker
  • Cemal Hanilçi

Double compressed (DC) adaptive multi-rate (AMR) audio detection is an important but challenging audio forensic task which has received great attention over the last decade. Although the majority of the existing studies extract hand-crafted features and classify these features using traditional pattern matching algorithms such as support vector machines (SVM), recently convolutional neural network (CNN) based DC AMR audio detection system was proposed which yields very promising detection performance. Similar to any traditional CNN based classification system, CNN based DC AMR recognition system uses standard softmax loss as the training criterion. In this paper, we propose to use angular margin softmax loss and its variants for DC AMR detection problem. Although using angular margin softmax was originally proposed for face recognition, we adapt it to the CNN based end-to-end DC audio detection system. The angular margin softmax basically introduces a margin between two classes so that the system can learn more discriminative embeddings for the problem. Experimental results show that adding angular margin penalty to the traditional softmax loss increases the average DC AMR audio detection from 95.83% to 100%. It is also found that the angular margin softmax loss functions boost the DC AMR audio detection performance when there is a mismatch between training and test datasets.

SESSION: Session 3: Security of Machine Learning

FederatedReverse: A Detection and Defense Method Against Backdoor Attacks in Federated Learning

  • Chen Zhao
  • Yu Wen
  • Shuailou Li
  • Fucheng Liu
  • Dan Meng

Federated learning is a secure machine learning technology proposed to protect data privacy and security in machine learning model training. However, recent studies show that federated learning is vulnerable to backdoor attacks, such as model replacement attacks and distributed backdoor attacks. Most backdoor defense techniques are not appropriate for federated learning since they are based on entire data samples that cannot be hold in federated learning scenarios. The newly proposed methods for federated learning sacrifice the accuracy of models and still fail once attacks persist in many training rounds. In this paper, we propose a novel and effective detection and defense technique called FederatedReverse for federated learning. We conduct extensive experimental evaluation of our solution. The experimental results show that, compared with the existing techniques, our solution can effectively detect and defend against various backdoor attacks in federated learning, where the success rate and duration of backdoor attacks can be greatly reduced and the accuracies of trained models are almost not reduced.

Banners: Binarized Neural Networks with Replicated Secret Sharing

  • Alberto Ibarrondo
  • Hervé Chabanne
  • Melek Önen

Binarized Neural Networks (BNN) provide efficient implementations of Convolutional Neural Networks (CNN). This makes them particularly suitable to perform fast and memory-light inference of neural networks running on resource-constrained devices. Motivated by the growing interest in CNN-based biometric recognition on potentially insecure devices, or as part of strong multi-factor authentication for sensitive applications, the protection of BNN inference on edge devices is rendered imperative. We propose a new method to perform secure inference of BNN relying on secure multiparty computation. While preceding papers offered security in a semi-honest setting for BNN or malicious security for standard CNN, our work yields security with abort against one malicious adversary for BNN by leveraging on Replicated Secret Sharing (RSS) for an honest majority with three computing parties. Experimentally, we implement Banners on top of MP-SPDZ and compare it with prior work over binarized models trained for MNIST and CIFAR10 image classification datasets. Our results attest the efficiency of Banners as a privacy-preserving inference technique.

Deep Neural Exposure: You Can Run, But Not Hide Your Neural Network Architecture!

  • Sayed Erfan Arefin
  • Abdul Serwadda

Deep Neural Networks (DNNs) are at the heart of many of today's most innovative technologies. With companies investing lots of resources to design, build and optimize these networks for their custom products, DNNs are now integral to many companies' tightly guarded Intellectual Property. As is the case for every high-value product, one can expect bad actors to increasingly design techniques aimed to uncover the architectural designs of proprietary DNNs. This paper investigates if the power draw patterns of a GPU on which a DNN runs could be leveraged to glean key details of its design architecture. Based on ten of the most well-known Convolutional Neural Network (CNN) architectures, we study this line of attack under varying assumptions about the kind of data available to the attacker. We show the attack to be highly effective, attaining an accuracy in the 80 percentage range for the best performing attack scenario.

iNNformant: Boundary Samples as Telltale Watermarks

  • Alexander Schlögl
  • Tobias Kupek
  • Rainer Böhme

Boundary samples are special inputs to artificial neural networks crafted to identify the execution environment used for inference by the resulting output label. The paper presents and evaluates algorithms to generate transparent boundary samples. Transparency refers to a small perceptual distortion of the host signal (i.e., a natural input sample). For two established image classifiers, ResNet on FMNIST and CIFAR10, we show that it is possible to generate sets of boundary samples which can identify any of four tested microarchitectures. These sets can be built to not contain any sample with a worse peak signal-to-noise ratio than 70dB. We analyze the relationship between search complexity and resulting transparency.

SESSION: Session 4: Biometry & Authentication

Towards Match-on-Card Finger Vein Recognition

  • Michael Linortner
  • Andreas Uhl

Security and privacy is of great interest in biometric systems which can be offered by Match-on-Card (MoC) technology, successfully applied in several areas of biometrics. In finger vein recognition such a system is not available yet. Utilizing minutiae points from vein images in combination with classical minutiae-based fingerprint comparison software offers a great opportunity to integrate vein recognition on MoC systems. In this work a publicly available and two commercial fingerprint comparison tools are used to evaluate the recognition performance of vein minutiae, represented in a standardized data format, on three publicly available databases. The results strongly indicate that minutiae-based comparison technology from fingerprint recognition can be applied to finger vein recognition and is able to compete with and even outperform classical correlation-based methods utilized in this field. The work done here prepares the way for vein recognition on MoC systems.

General Requirements on Synthetic Fingerprint Images for Biometric Authentication and Forensic Investigations

  • Andrey Makrushin
  • Christof Kauba
  • Simon Kirchgasser
  • Stefan Seidlitz
  • Christian Kraetzer
  • Andreas Uhl
  • Jana Dittmann

Generation of synthetic biometric samples such as, for instance, fingerprint images gains more and more importance especially in view of recent cross-border regulations on security of private data. The reason is that biometric data is designated in recent regulations such as the EU GDPR as a special category of private data, making sharing datasets of biometric samples hardly possible even for research purposes. The usage of fingerprint images in forensic research faces the same challenge. The replacement of real datasets by synthetic datasets is the most advantageous straightforward solution which bears, however, the risk of generating "unrealistic" samples or "unrealistic distributions" of samples which may visually appear realistic. Despite numerous efforts to generate high-quality fingerprints, there is still no common agreement on how to define "high-quality'' and how to validate that generated samples are realistic enough. Here, we propose general requirements on synthetic biometric samples (that are also applicable for fingerprint images used in forensic application scenarios) together with formal metrics to validate whether the requirements are fulfilled. Validation of our proposed requirements enables establishing the quality of a generative model (informed evaluation) or even the quality of a dataset of generated samples (blind evaluation). Moreover, we demonstrate in an example how our proposed evaluation concept can be applied to a comparison of real and synthetic datasets aiming at revealing if the synthetic samples exhibit significantly different properties as compared to real ones.

SESSION: Session 5: Steganography I

Optimizing Additive Approximations of Non-additive Distortion Functions

  • Solène Bernard
  • Patrick Bas
  • Tomáš Pevný
  • John Klein

The progress in steganography is hampered by a gap between non-additive distortion functions, which capture well complex dependencies in natural images, and their additive counterparts, which are efficient for data embedding. This paper proposes a theoretically justified method to approximate the former by the latter. The proposed method, called Backpack (for BACKPropagable AttaCK), combines new results in the approximation of gradients of discrete distributions with a gradient of implicit functions in order to derive a gradient w.r.t. the distortion of each JPEG coefficient. Backpack combined with the min max iterative protocol leads to a very secure steganographic algorithm. For example, the error rate of XuNet on 512 X 512 JPEG images, compressed with quality factor 100 and a payload of 0.4 bits per non-zero AC coefficient is 37.3% with Backpack, compared to a 26.5% error rate using ADV-EMB with minmax (considered state of the art in this work) and a 16.9% error rate with J-UNIWARD.

Information Hiding in Cyber Physical Systems: Challenges for Embedding, Retrieval and Detection using Sensor Data of the SWAT Dataset

  • Kevin Lamshöft
  • Tom Neubert
  • Christian Krätzer
  • Claus Vielhauer
  • Jana Dittmann

In this paper, we present an Information Hiding approach that would be suitable for exfiltrating sensible information of Industrial Control Systems (ICS) by leveraging the long-term storage of process data in historian databases. We show how hidden messages can be embedded in sensor measurements as well as retrieved asynchronously by accessing the historian. We evaluate this approach at the example of water-flow and water-level sensors of the Secure Water Treatment (SWAT) dataset from iTrust. To generalize from specific cover channels (sensors and their transmitted data), we reflect upon general challenges that arise in such Information Hiding scenarios creating network covert channels and discuss aspects of cover channel selection and and sender receiver synchronisation as well as temporal aspects such as the potential persistence of hidden messages in Cyber Physical Systems (CPS). For an empirical evaluation we design and implement a covert channel that makes use of different embedding strategies to perform an adaptive approach in regards to the noise in sensor measurements, resulting in dynamic capacity and bandwidth selection to reduce detection probability. The results of this evaluation show that, using such methods, the exfiltration of sensible information in long-term scaled attacks would indeed be possible. Additionally, we present two detection approaches for the introduced hidden channel and carry out an extensive evaluation of our detectors with multiple test data sets and different parameters. We determine a detection accuracy of up to 87.8% on test data at a false positive rate (FPR) of 0%.

Revisiting Perturbed Quantization

  • Jan Butora
  • Jessica Fridrich

In this work, we revisit Perturbed Quantization steganography with modern tools available to the steganographer today, including near-optimal ternary coding and content-adaptive embedding with side-information. In PQ, side-information in the form of rounding errors is manufactured by recompressing a JPEG image with a judiciously selected quality factor. This side-information, however, cannot be used in the same fashion as in conventional side-informed schemes nowadays as this leads to highly detectable embedding. As a remedy, we utilize the steganographic Fisher information to allocate the payload among DCT modes. In particular, we show that the embedding should not be constrained to contributing coefficients only as in the original PQ but should be expanded to the so-called "contributing DCT modes." This approach is extended to color images by slightly modifying the SI-UNIWARD algorithm. Using the best detectors currently available, it is shown that by manufacturing side information with double compression, one can embed the same amount of information into the doubly-compressed cover image with a significantly better security than applying J-UNIWARD directly in the single-compressed image. At the end of the paper, we show that double compression with the same quality makes side-informed steganography extremely detectable and should be avoided.

SESSION: Session 6: Steganography II

Fast Detection of Heterogeneous Parallel Steganography for Streaming Voice

  • Huili Wang
  • Zhongliang Yang
  • Yuting Hu
  • Zhen Yang
  • Yongfeng Huang

Heterogeneous parallel steganography (HPS) has become a new trend of current streaming media voice steganography, which hides secret information in the frames of streaming media with multiple kinds of orthogonal steganography. Because of the complexity and imperceptibility of HPS, detecting its existence is a challenge for previous steganalysis methods, especially in the case of short sliding window length and low embedding rate. In order to improve the situation, we design a fast and efficient detection method named the key feature extraction and fusion network (KFEF) based on attention mechanism. The proposed model is able to effectively extract the key characteristic of the exceptions due to steganography and fuse the extracted features for different steganographic algorithms used in HPS. Experimental results show that the proposed method significantly improves the classification accuracy in detecting both low embedding rate samples and short segment samples. In addition, the detection time consumption is shorter than other methods and meets real-time requirements. Finally, with the help of attention we can predict the approximate locations of secret information which may bring new ideas to further steganalysis.

How to Pretrain for Steganalysis

  • Jan Butora
  • Yassine Yousfi
  • Jessica Fridrich

In this paper, we investigate the effect of pretraining CNNs on ImageNet on their performance when refined for steganalysis of digital images. In many cases, it seems that just 'seeing' a large number of images helps with the convergence of the network during the refinement no matter what the pretraining task is. To achieve the best performance, the pretraining task should be related to steganalysis, even if it is done on a completely mismatched cover and stego datasets. Furthermore, the pretraining does not need to be carried out for very long and can be done with limited computational resources. An additional advantage of the pretraining is that it is done on color images and can later be applied for steganalysis of color and grayscale images while still having on-par or better performance than detectors trained specifically for a given source. The refining process is also much faster than training the network from scratch. The most surprising part of the paper is that networks pretrained on JPEG images are a good starting point for spatial domain steganalysis as well.

Improving EfficientNet for JPEG Steganalysis

  • Yassine Yousfi
  • Jan Butora
  • Jessica Fridrich
  • Clément Fuji Tsang

In this paper, we study the EfficientNet family pre-trained on ImageNet when used for steganalysis using transfer learning. We show that certain "surgical modifications" aimed at maintaining the input resolution in EfficientNet architectures significantly boost their performance in JPEG steganalysis, establishing thus new benchmarks. The modified models are evaluated by their detection accuracy, the number of parameters, the memory consumption, and the total floating point operations (FLOPs) on the ALASKA II dataset. We also show that, surprisingly, EfficientNets in their "vanilla form" do not perform as well as the SRNet in BOSSbase+BOWS2. This is because, unlike ALASKA II images, BOSSbase+BOWS2 contains aggressively subsampled images with more complex content. The surgical modifications in EfficientNet remedy this underperformance as well.

SESSION: Session 7: Special Session on DNN Watermarking I

Piracy-Resistant DNN Watermarking by Block-Wise Image Transformation with Secret Key

  • April Pyone Maung Maung
  • Hitoshi Kiya

In this paper, we propose a novel DNN watermarking method that utilizes a learnable image transformation method with a secret key. The proposed method embeds a watermark pattern in a model by using learnable transformed images and allows us to remotely verify the ownership of the model. As a result, it is piracy-resistant, so the original watermark cannot be overwritten by a pirated watermark, and adding a new watermark decreases the model accuracy unlike most of the existing DNN watermarking methods. In addition, it does not require a special pre-defined training set or trigger set. We empirically evaluated the proposed method on the CIFAR-10 dataset. The results show that it was resilient against fine-tuning and pruning attacks while maintaining a high watermark-detection accuracy.

White-Box Watermarking Scheme for Fully-Connected Layers in Fine-Tuning Model

  • Minoru Kuribayashi
  • Takuro Tanaka
  • Shunta Suzuki
  • Tatsuya Yasui
  • Nobuo Funabiki

For the protection of trained deep neural network(DNN) models, embedding watermarks into the weights of the DNN model have been considered. However, the amount of change in the weights is large in the conventional methods, and it is reported that the existence of hidden watermark can be detected from the analysis of weight variance. This helps attackers to modify the watermark by effectively adding noise to the weight. In this paper, we focus on the fully-connected layers of fine-tuning models and apply a quantization-based watermarking method to the weights sampled from the layers. The advantage of the proposed method is that the change caused by watermark embedding is much smaller and the distortion converges gradually without using any loss function. The validity of the proposed method was evaluated by varying the conditions during the training of DNN model. The results shows the impact of training for DNN model, effectiveness of the embedding method, and high robustness against pruning attacks.

A Protocol for Secure Verification of Watermarks Embedded into Machine Learning Models

  • Katarzyna Kapusta
  • Vincent Thouvenot
  • Olivier Bettan
  • Hugo Beguinet
  • Hugo Senet

Machine Learning is a well established tool used in a variety of applications. As training advanced models requires considerable amounts of meaningful data in addition to specific knowledge, a new business model separate models creators from model users. Pre-trained models are sold or made available as a service. This raises several security challenges, among others the one of intellectual property protection. Therefore, a new research track actively seeks to provide techniques for model watermarking that would enable model identification in case of suspicion of model theft or misuse. In this paper, we focus on the problem of secure watermarks verification, which affects all of the proposed techniques and until now was barely tackled. First, we revisit the existing threat model. In particular, we explain the possible threats related to a semi-honest or dishonest verification authority. Secondly, we show how to reduce trust requirements between participants by performing the watermarks verification on encrypted data. Finally, we describe a novel secure verification protocol as well as detail its possible implementation using Multi-Party Computation. The proposed solution does not only preserve the confidentiality of the watermarks but also helps detecting evasion attacks. It could be adopted to work with other authentication schemes based on watermarking, especially with image watermarking schemes.

SESSION: Session 8: Special Session on DNN Watermarking II

On the Robustness of Backdoor-based Watermarking in Deep Neural Networks

  • Masoumeh Shafieinejad
  • Nils Lukas
  • Jiaqi Wang
  • Xinda Li
  • Florian Kerschbaum

Watermarking algorithms have been introduced in the past years to protect deep learning models against unauthorized re-distribution. We investigate the robustness and reliability of state-of-the-art deep neural network watermarking schemes. We focus on backdoor-based watermarking and propose two simple yet effective attacks -- a black-box and a white-box -- that remove these watermarks without any labeled data from the ground truth. Our black-box attack steals the model and removes the watermark with only API access to the labels. Our white-box attack proposes an efficient watermark removal when the parameters of the marked model are accessible, and improves the time to steal a model up to twenty times over the time to train a model from scratch. We conclude that these watermarking algorithms are insufficient to defend against redistribution by a motivated attacker.

DNN Watermarking: Four Challenges and a Funeral

  • Mauro Barni
  • Fernando Pérez-González
  • Benedetta Tondi

The demand for methods to protect the Intellectual Property Rights (IPR) associated to Deep Neural Networks (DNNs) is rising. Watermarking has been recently proposed as a way to protect the IPR of DNNs and track their usages. Although a number of techniques for media watermarking have been proposed and developed over the past decades, their direct translation to DNN watermarking faces the problem of the embedding being carried out on functionals instead of signals. This originates differences not only in the way performance, robustness and unobtrusiveness are measured, but also on the embedding domain, since there is the possibility of hiding information in the model behavior. In this paper, we discuss these dissimilarities that lead to a DNN-specific taxonomy of watermarking techniques. Then, we present four challenges specific to DNN watermarking that, for their practical importance and theoretical interest, should occupy the agenda of researchers in the next years. Finally, we discuss some bad practices that negatively affected research in media watermarking and that should not be repeated in the case of DNNs.