Abstract
As deep neural networks (DNNs) gain great popularity and importance, protecting their intellectual property has become an important topic. Previous model watermarking schemes based on backdoors require explicit embedding of the backdoor, which changes the model's structure and parameters. Model fingerprinting based on adversarial examples does not require any modification of the model, but it is limited by the characteristics of the original task and is not versatile enough. We find that an adversarial patch can be regarded as an inherent backdoor that makes the model output a specific injected category. Inspired by this, we propose PatchFinger, a model fingerprinting scheme based on adversarial patches, in which the patch is applied to original samples through a specific fusion method to serve as the model fingerprint. As a model fingerprinting scheme, PatchFinger does not sacrifice the accuracy of the source model, and the characteristics of the adversarial patch make it more flexible and highly robust. Experimental results show that PatchFinger achieves an ARUC value of 0.936 in a series of tests on the Tiny-ImageNet dataset, which exceeds the baseline by 19%. When considering average query accuracy, PatchFinger reaches 97.04%, outperforming the methods tested.
Acknowledgements
This work was supported in part by the National Natural Science Foundation of China under No. 62372334; in part by the National Key Research and Development Program of China under No. 2020YFB1805400.
Copyright information
© 2024 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.
Cite this paper
Zeng, B., Lai, K., Ke, J., Yu, F., Wang, L. (2024). PatchFinger: A Model Fingerprinting Scheme Based on Adversarial Patch. In: Luo, B., Cheng, L., Wu, ZG., Li, H., Li, C. (eds) Neural Information Processing. ICONIP 2023. Lecture Notes in Computer Science, vol 14448. Springer, Singapore. https://doi.org/10.1007/978-981-99-8082-6_6
DOI: https://doi.org/10.1007/978-981-99-8082-6_6
Publisher Name: Springer, Singapore
Print ISBN: 978-981-99-8081-9
Online ISBN: 978-981-99-8082-6