FIT-Print: Towards False-claim-resistant Model Ownership Verification via Targeted Fingerprint

• URL: http://arxiv.org/abs/2501.15509v1
• Date: Sun, 26 Jan 2025 13:00:58 GMT
• Title: FIT-Print: Towards False-claim-resistant Model Ownership Verification via Targeted Fingerprint
• Authors: Shuo Shao, Haozhe Zhu, Hongwei Yao, Yiming Li, Tianwei Zhang, Zhan Qin, Kui Ren,
• Abstract summary: Model fingerprinting is a widely adopted approach to safeguard the intellectual property rights of open-source models. In this paper, we reveal that they are vulnerable to false claim attacks where adversaries falsely assert ownership of any third-party model. Motivated by these findings, we propose a targeted fingerprinting paradigm (i.e., FIT-Print) to counteract false claim attacks.
• Score: 29.015707553430442
• License:
• Abstract: Model fingerprinting is a widely adopted approach to safeguard the intellectual property rights of open-source models by preventing their unauthorized reuse. It is promising and convenient since it does not necessitate modifying the protected model. In this paper, we revisit existing fingerprinting methods and reveal that they are vulnerable to false claim attacks where adversaries falsely assert ownership of any third-party model. We demonstrate that this vulnerability mostly stems from their untargeted nature, where they generally compare the outputs of given samples on different models instead of the similarities to specific references. Motivated by these findings, we propose a targeted fingerprinting paradigm (i.e., FIT-Print) to counteract false claim attacks. Specifically, FIT-Print transforms the fingerprint into a targeted signature via optimization. Building on the principles of FIT-Print, we develop bit-wise and list-wise black-box model fingerprinting methods, i.e., FIT-ModelDiff and FIT-LIME, which exploit the distance between model outputs and the feature attribution of specific samples as the fingerprint, respectively. Extensive experiments on benchmark models and datasets verify the effectiveness, conferrability, and resistance to false claim attacks of our FIT-Print.

Related papers

• Scalable Fingerprinting of Large Language Models [46.26999419117367]
  We introduce a new method, dubbed Perinucleus sampling, to generate scalable, persistent, and harmless fingerprints. We demonstrate that this scheme can add 24,576 fingerprints to a Llama-3.1-8B model without degrading the model's utility.
  arXiv  Detail & Related papers  (2025-02-11T18:43:07Z)
• Sample Correlation for Fingerprinting Deep Face Recognition [83.53005932513156]
  We propose a novel model stealing detection method based on SA Corremplelation (SAC) SAC successfully defends against various model stealing attacks in deep face recognition, encompassing face verification and face emotion recognition, exhibiting the highest performance in terms of AUC, p-value and F1 score. We extend our evaluation of SAC-JC to object recognition including Tiny-ImageNet and CIFAR10, which also demonstrates the superior performance of SAC-JC to previous methods.
  arXiv  Detail & Related papers  (2024-12-30T07:37:06Z)
• MergePrint: Merge-Resistant Fingerprints for Robust Black-box Ownership Verification of Large Language Models [1.9249287163937978]
  We propose a novel fingerprinting method, MergePrint, to embed robust fingerprints capable of surviving model merging. MergePrint enables black-box ownership verification, where owners only need to check if a model produces target outputs for specific fingerprint inputs.
  arXiv  Detail & Related papers  (2024-10-11T08:00:49Z)
• Instructional Fingerprinting of Large Language Models [57.72356846657551]
  We present a pilot study on fingerprinting Large language models (LLMs) as a form of very lightweight instruction tuning. Results on 11 popularly-used LLMs showed that this approach is lightweight and does not affect the normal behavior of the model. It also prevents publisher overclaim, maintains robustness against fingerprint guessing and parameter-efficient training, and supports multi-stage fingerprinting akin to MIT License.
  arXiv  Detail & Related papers  (2024-01-21T09:51:45Z)
• VeriDIP: Verifying Ownership of Deep Neural Networks through Privacy Leakage Fingerprints [16.564206424838485]
  Deploying Machine Learning as a Service gives rise to model plagiarism, leading to copyright infringement. We propose a novel ownership testing method called VeriDIP, which verifies a model's intellectual property.
  arXiv  Detail & Related papers  (2023-09-07T01:58:12Z)
• On the Robustness of Dataset Inference [21.321310557323383]
  Machine learning (ML) models are costly to train as they can require a significant amount of data, computational resources and technical expertise. Ownership verification techniques allow the victims of model stealing attacks to demonstrate that a suspect model was in fact stolen from theirs. A fingerprinting technique, dataset inference (DI), has been shown to offer better robustness and efficiency than prior methods.
  arXiv  Detail & Related papers  (2022-10-24T22:17:55Z)
• Are You Stealing My Model? Sample Correlation for Fingerprinting Deep Neural Networks [86.55317144826179]
  Previous methods always leverage the transferable adversarial examples as the model fingerprint. We propose a novel yet simple model stealing detection method based on SAmple Correlation (SAC) SAC successfully defends against various model stealing attacks, even including adversarial training or transfer learning.
  arXiv  Detail & Related papers  (2022-10-21T02:07:50Z)
• FBI: Fingerprinting models with Benign Inputs [17.323638042215013]
  This paper tackles the challenges to propose i) fingerprinting schemes that are resilient to significant modifications of the models, by generalizing to the notion of model families and their variants. We achieve both goals by demonstrating that benign inputs, that are unmodified images, are sufficient material for both tasks. Both approaches are experimentally validated over an unprecedented set of more than 1,000 networks.
  arXiv  Detail & Related papers  (2022-08-05T13:55:36Z)
• FedIPR: Ownership Verification for Federated Deep Neural Network Models [31.459374163080994]
  Federated learning models must be protected against plagiarism since these models are built upon valuable training data owned by multiple institutions or people. This paper illustrates a novel federated deep neural network (FedDNN) ownership verification scheme that allows ownership signatures to be embedded and verified to claim legitimate intellectual property rights (IPR) of FedDNN models.
  arXiv  Detail & Related papers  (2021-09-27T12:51:24Z)
• Fingerprinting Image-to-Image Generative Adversarial Networks [53.02510603622128]
  Generative Adversarial Networks (GANs) have been widely used in various application scenarios. This paper presents a novel fingerprinting scheme for the Intellectual Property protection of image-to-image GANs based on a trusted third party.
  arXiv  Detail & Related papers  (2021-06-19T06:25:10Z)
• Responsible Disclosure of Generative Models Using Scalable Fingerprinting [70.81987741132451]
  Deep generative models have achieved a qualitatively new level of performance. There are concerns on how this technology can be misused to spoof sensors, generate deep fakes, and enable misinformation at scale. Our work enables a responsible disclosure of such state-of-the-art generative models, that allows researchers and companies to fingerprint their models.
  arXiv  Detail & Related papers  (2020-12-16T03:51:54Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.