**CS294-26 Final Research Project: An Empirical Study of GAN Watermarking**

By Neerja Thakkar

Overview
========

AI-synthesized content, known as deep fakes, is becoming increasingly accessible and indistinguishable from real content, and poses a significant threat to society. Existing detection methods face ever-improving deep fake technology at an increasingly large scale. We explore an alternate approach to the problem of deep fakes: GAN watermarking. Initial work has shown that a GAN trained on watermarked data will synthesize watermarked content. We empirically study the impact of different training schemes and image perturbations on watermark robustness and propose future avenues of study.

![](does_not_exist/1.jpeg width=300)![](does_not_exist/7.jpeg width=300)![](does_not_exist/15.jpeg width=300)

These people do not exist. They were generated from StyleGAN2, and appear perceptually indistinguishable from images of real people. In order to obtain these images, no code was needed – they were simply taken from thispersondoesnotexist.com.

Method
===============================================================================

We implement the method of Yu et al., namely, using a neural steganography algorithm to create a watermarked dataset, and then training a GAN on the watermarked data. We investigate different training schemes and perturb generated images to study watermark robustness.

![An overview of the method of Yu et al.](Yu_method.png width=700)

We find that when training DCGAN, the watermark does transfer to generated images with bitwise accuracy of around 83%, much higher than the 50% accuracy expected for random guessing. For full details of experiments and results, see the paper.

Paper and Presentation
=========================

The project writeup is [here](CS294_26_Final_Project_Write_Up.pdf) and the presentation video can be found [here](https://www.youtube.com/watch?v=D2-BUrOxf04&ab_channel=NeerjaThakkar).
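An added example (not code from this project or from Yu et al.) showing how a bitwise-accuracy figure such as the 83% in the Method section compares with the 50% chance baseline: it scores a decoded watermark against the embedded one and computes the probability that an unwatermarked image would match that many bits by chance. The 100-bit watermark length and the bit strings are constructed for illustration, since the page does not state the length used.

```python
from math import comb


def bitwise_accuracy(embedded, decoded):
    """Fraction of positions where the decoded bits match the embedded watermark."""
    if len(embedded) != len(decoded):
        raise ValueError("embedded and decoded bit strings differ in length")
    return sum(a == b for a, b in zip(embedded, decoded)) / len(embedded)


def chance_probability(n_bits, n_matching):
    """P(at least n_matching of n_bits agree) if every decoded bit were a fair
    coin flip, i.e. the false-positive rate of accepting at this match count."""
    tail = sum(comb(n_bits, k) for k in range(n_matching, n_bits + 1))
    return tail / 2 ** n_bits


def min_matches_for_fpr(n_bits, max_fpr):
    """Smallest match count whose chance probability is at or below max_fpr.
    Returns None when the watermark is too short to ever reach that rate."""
    for k in range(n_bits + 1):
        if chance_probability(n_bits, k) <= max_fpr:
            return k
    return None


# Constructed sample data: a 100-bit watermark (length is an assumption) and a
# decoded copy with 17 bits flipped, mirroring the ~83% accuracy reported above.
EMBEDDED = [(i * i + i // 3) % 2 for i in range(100)]
DECODED = [b ^ 1 if i < 17 else b for i, b in enumerate(EMBEDDED)]

if __name__ == "__main__":
    acc = bitwise_accuracy(EMBEDDED, DECODED)
    matches = round(acc * len(EMBEDDED))
    print(f"bitwise accuracy: {acc:.2f}")
    print(f"chance of >= {matches}/100 matching bits: "
          f"{chance_probability(100, matches):.2e}")
    print(f"matches needed for a 1e-6 false-positive rate: "
          f"{min_matches_for_fpr(100, 1e-6)}")
    # An 8-bit watermark cannot reach that rate even with a perfect match.
    print(f"same threshold with 8 bits: {min_matches_for_fpr(8, 1e-6)}")
```

The same accuracy is far weaker evidence for a short watermark, which is why the bit length matters when reading an accuracy figure against the 50% baseline.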