DOI: 10.1145/3652583.3658058
Research article (ACM Conference Proceedings, ICMR)

MarginFinger: Controlling Generated Fingerprint Distance to Classification boundary Using Conditional GANs

Published: 07 June 2024

Abstract

Deep neural networks (DNNs) are widely employed across many domains, and their training costs make them crucial assets for model owners. The rise of Machine Learning as a Service has made models more accessible but also increases the risk of leakage: attackers can steal models through internal leaks or API access, which makes protecting this intellectual property critical. Several watermarking methods have been proposed that embed a model owner's secret watermark into the model. However, watermarking requires tampering with the model's training process to embed the watermark, which may reduce utility. Recently, fingerprinting techniques have emerged that generate fingerprint samples near the classification boundary to detect pirated models. Nevertheless, these methods lack distance constraints and suffer from high training costs. To address these issues, we propose to use a conditional generative adversarial network to generate fingerprint data points, enabling a better exploration of the model's decision boundary. By incorporating a margin loss during GAN training, we can control the distance between the generated data points and the classification boundary to ensure the robustness and uniqueness of our method. Moreover, our method does not require additional training of proxy models, which makes fingerprint acquisition more efficient. To validate the effectiveness of our approach, we evaluate it on CIFAR-10 and Tiny-ImageNet against three types of model extraction attacks as well as fine-tuning, pruning, and transfer learning attacks. The results show that our method achieves ARUC values of 0.186 and 0.153 on CIFAR-10 and Tiny-ImageNet respectively, an improvement of 400% and 380% over the current leading baseline. The source code is available at https://github.com/wason981/MarginFinger.
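The margin constraint and the fingerprint check described in the abstract, as an added toy illustration that is not the MarginFinger code or its exact loss: the gap between the two largest logits stands in for the distance to the decision boundary, a filter over candidate samples stands in for the GAN generation step, and all models, band limits and samples below are constructed.

```python
# Added illustration, not the MarginFinger code: a two-sided margin penalty that
# keeps a fingerprint sample at a chosen distance from a classifier's decision
# boundary, plus the matching-rate check that compares a suspect model with the
# owner's model on those samples. The logit gap is a common distance proxy.

def logits(weights, x):
    """Linear multi-class scores: one weight row per class (toy model)."""
    return [sum(w * xi for w, xi in zip(row, x)) for row in weights]

def predict(weights, x):
    scores = logits(weights, x)
    return max(range(len(scores)), key=scores.__getitem__)

def boundary_margin(scores):
    """Gap between the top two logits; 0 means the sample is on the boundary."""
    top = sorted(scores, reverse=True)
    return top[0] - top[1]

def margin_loss(scores, low, high):
    """Zero when low <= margin <= high. Samples closer than `low` flip label
    under small weight changes (bad robustness); samples farther than `high`
    are labelled the same by unrelated models too (bad uniqueness)."""
    m = boundary_margin(scores)
    return max(0.0, low - m) + max(0.0, m - high)

def select_fingerprints(owner, candidates, low, high):
    """Keep candidates inside the margin band (a filter standing in for the
    GAN training step that would generate such samples directly)."""
    return [x for x in candidates if margin_loss(logits(owner, x), low, high) == 0.0]

def matching_rate(owner, suspect, fingerprints):
    """Fraction of fingerprints on which the suspect agrees with the owner."""
    agree = sum(predict(owner, x) == predict(suspect, x) for x in fingerprints)
    return agree / len(fingerprints)

def is_pirated(owner, suspect, fingerprints, threshold=0.8):
    return matching_rate(owner, suspect, fingerprints) >= threshold

# Constructed models: owner (3 classes, 2 features), a lightly fine-tuned copy,
# and an independently trained model with unrelated weights.
OWNER = [[1.0, 0.0], [0.0, 1.0], [-1.0, -1.0]]
PIRATED = [[1.05, -0.02], [0.03, 0.98], [-1.0, -0.97]]
INDEPENDENT = [[0.2, 1.0], [1.0, -0.3], [-0.5, 0.4]]
CANDIDATES = [[1.2, 1.0], [1.0, 1.3], [-0.6, 0.5], [0.3, -0.9], [3.0, 0.0], [1.0, 1.0]]
FINGERPRINTS = select_fingerprints(OWNER, CANDIDATES, low=0.1, high=0.5)

if __name__ == "__main__":
    print("fine-tuned copy matching rate:", matching_rate(OWNER, PIRATED, FINGERPRINTS))
    print("independent model matching rate:", matching_rate(OWNER, INDEPENDENT, FINGERPRINTS))
```

The far sample (3.0, 0.0) and the on-boundary sample (1.0, 1.0) are rejected by the band, and the surviving fingerprints separate the fine-tuned copy (full agreement) from the independent model (one agreement in four).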


      Published In

      ICMR '24: Proceedings of the 2024 International Conference on Multimedia Retrieval
      May 2024
      1379 pages
      ISBN:9798400706196
      DOI:10.1145/3652583
      Publisher

      Association for Computing Machinery

      New York, NY, United States


      Author Tags

      1. classification boundary
      2. conditional generative adversarial network
      3. fingerprint
      4. intellectual property

      Conference

      ICMR '24
      Acceptance Rates

      Overall Acceptance Rate 254 of 830 submissions, 31%
