Paper
Why Neural Structural Obfuscation Can't Kill White-Box Watermarks for Good!
Authors
Yanna Jiang, Guangsheng Yu, Qingyuan Yu, Yi Chen, Qin Wang
Abstract
Neural Structural Obfuscation (NSO) (USENIX Security'23) is a family of "zero cost" structure-editing transforms (nso_zero, nso_clique, nso_split) that inject dummy neurons. By combining neuron permutation and parameter scaling, NSO makes a radical modification to the network structure and parameters while strictly preserving functional equivalence, thereby disrupting white-box watermark verification. This capability has been a fundamental challenge to the reliability of existing white-box watermarking schemes. We rethink NSO and, for the first time, fully recover from the damage it has caused. We redefine NSO as a graph-consistent threat model within a producer-consumer paradigm. This formulation posits that any obfuscation of a producer node necessitates a compatible layout update in all downstream consumers to maintain structural integrity. Building on these consistency constraints on signal propagation, we present Canon, a recovery framework that probes the attacked model to identify redundancy/dummy channels and then globally canonicalizes the network by rewriting all downstream consumers by construction, synchronizing layouts across fan-out, add, and cat. Extensive experiments demonstrate that, even under strong composed and extended NSO attacks, Canon achieves 100% recovery success, restoring watermark verifiability while preserving task utility. Our code is available at https://anonymous.4open.science/r/anti-NSO-9874.
Metadata
arXiv ID: 2603.12679v1
Abstract page: https://arxiv.org/abs/2603.12679v1
PDF: https://arxiv.org/pdf/2603.12679v1
Published: 2026-03-13T05:50:26Z
Updated: 2026-03-13T05:50:26Z
Primary category: cs.CR