PatchFinger: A Model Fingerprinting Scheme Based on Adversarial Patch

  • Conference paper
Neural Information Processing (ICONIP 2023)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 14448)

Abstract

As deep neural networks (DNNs) gain popularity and importance, protecting their intellectual property remains a central concern. Previous model watermarking schemes based on backdoors require the backdoor to be embedded explicitly, which changes the model's structure and parameters. Model fingerprinting based on adversarial examples does not require any modification of the model, but it is limited by the characteristics of the original task and is not versatile enough. We find that an adversarial patch can be regarded as an inherent backdoor and, once injected, can make the model output specific categories. Inspired by this, we propose PatchFinger, a model fingerprinting scheme based on adversarial patches, in which the patch is applied to the original samples through a specific fusion method to form the model fingerprint. As a model fingerprinting scheme, PatchFinger does not sacrifice the accuracy of the source model, and the characteristics of the adversarial patch make it more flexible and highly robust. Experimental results show that PatchFinger achieves an ARUC value of 0.936 in a series of tests on the Tiny-ImageNet dataset, which exceeds the baseline by 19%. In terms of average query accuracy, PatchFinger reaches 97.04%, outperforming the method tested.

Acknowledgements

This work was supported in part by the National Natural Science Foundation of China under No. 62372334; in part by the National Key Research and Development Program of China under No. 2020YFB1805400.

Author information

Corresponding author

Correspondence to Lina Wang.

Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.

About this paper

Cite this paper

Zeng, B., Lai, K., Ke, J., Yu, F., Wang, L. (2024). PatchFinger: A Model Fingerprinting Scheme Based on Adversarial Patch. In: Luo, B., Cheng, L., Wu, ZG., Li, H., Li, C. (eds) Neural Information Processing. ICONIP 2023. Lecture Notes in Computer Science, vol 14448. Springer, Singapore. https://doi.org/10.1007/978-981-99-8082-6_6

  • DOI: https://doi.org/10.1007/978-981-99-8082-6_6

  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-99-8081-9

  • Online ISBN: 978-981-99-8082-6

  • eBook Packages: Computer Science, Computer Science (R0)
