This paper addresses the vulnerability of deep neural network watermarks to fine-tuning, proposing a fine-tuning-resilient watermarking method operating in the frequency domain. The core insight is a theoretical proof that low-frequency Fourier components of convolutional kernels exhibit invariance and equivariance under fine-tuning, weight scaling, and permutation. Leveraging this property, we design a modified discrete Fourier transform to extract robust frequency-domain features and embed all watermark information exclusively into the low-frequency coefficients. Our approach integrates theory-driven robustness analysis, frequency-domain watermark embedding, and detection. Experiments demonstrate that the proposed watermark achieves >98% detection accuracy across diverse fine-tuning scenarios—including transfer learning, LoRA, and full- or partial-parameter fine-tuning—while inducing <0.3% degradation in model accuracy, significantly outperforming state-of-the-art methods.

This paper proves a new watermarking method to embed the ownership information into a deep neural network (DNN), which is robust to fine-tuning. Specifically, we prove that when the input feature of a convolutional layer only contains low-frequency components, specific frequency components of the convolutional filter will not be changed by gradient descent during the fine-tuning process, where we propose a revised Fourier transform to extract frequency components from the convolutional filter. Additionally, we also prove that these frequency components are equivariant to weight scaling and weight permutations. In this way, we design a watermark module to encode the watermark information to specific frequency components in a convolutional filter. Preliminary experiments demonstrate the effectiveness of our method.