FIT-Print: Towards False-claim-resistant Model Ownership Verification via Targeted Fingerprint

• URL: http://arxiv.org/abs/2501.15509v2
• Date: Fri, 23 May 2025 07:19:40 GMT
• Title: FIT-Print: Towards False-claim-resistant Model Ownership Verification via Targeted Fingerprint
• Authors: Shuo Shao, Haozhe Zhu, Hongwei Yao, Yiming Li, Tianwei Zhang, Zhan Qin, Kui Ren,
• Abstract summary: We propose a targeted fingerprinting paradigm (i.e., FIT-Print) to counteract false claim attacks.<n>Specifically, FIT-Print transforms the fingerprint into a targeted signature via optimization.<n>Building on the principles of FIT-Print, we develop bit-wise and list-wise black-box model fingerprinting methods.
• Score: 29.015707553430442
• License: http://creativecommons.org/licenses/by/4.0/
• Abstract: Model fingerprinting is a widely adopted approach to safeguard the copyright of open-source models by detecting and preventing their unauthorized reuse without modifying the protected model. However, in this paper, we reveal that existing fingerprinting methods are vulnerable to false claim attacks where adversaries falsely assert ownership of third-party non-reused models. We find that this vulnerability mostly stems from their untargeted nature, where they generally compare the outputs of given samples on different models instead of the similarities to specific references. Motivated by this finding, we propose a targeted fingerprinting paradigm (i.e., FIT-Print) to counteract false claim attacks. Specifically, FIT-Print transforms the fingerprint into a targeted signature via optimization. Building on the principles of FIT-Print, we develop bit-wise and list-wise black-box model fingerprinting methods, i.e., FIT-ModelDiff and FIT-LIME, which exploit the distance between model outputs and the feature attribution of specific samples as the fingerprint, respectively. Experiments on benchmark models and datasets verify the effectiveness, conferrability, and resistance to false claim attacks of our FIT-Print.

Related papers

• RouteMark: A Fingerprint for Intellectual Property Attribution in Routing-based Model Merging [69.2230254959204]
  We propose RouteMark, a framework for IP protection in merged MoE models.<n>Our key insight is that task-specific experts exhibit stable and distinctive routing behaviors under probing inputs.<n>For attribution and tampering detection, we introduce a similarity-based matching algorithm.
  arXiv  Detail & Related papers  (2025-08-03T14:51:58Z)
• ImF: Implicit Fingerprint for Large Language Models [0.0]
  We propose a novel injected fingerprint paradigm called Implicit Fingerprints (ImF) ImF constructs fingerprint pairs with strong semantic correlations, disguising them as natural question-answer pairs within large language models (LLMs) Our experiment on multiple LLMs demonstrates that ImF retains high verification success rates under adversarial conditions.
  arXiv  Detail & Related papers  (2025-03-25T05:47:34Z)
• Privacy-Preserving Biometric Verification with Handwritten Random Digit String [49.77172854374479]
  Handwriting verification has stood as a steadfast identity authentication method for decades. However, this technique risks potential privacy breaches due to the inclusion of personal information in handwritten biometrics such as signatures. We propose using the Random Digit String (RDS) for privacy-preserving handwriting verification.
  arXiv  Detail & Related papers  (2025-03-17T03:47:25Z)
• Adversarial Example Based Fingerprinting for Robust Copyright Protection in Split Learning [17.08424946015621]
  We propose the first copyright protection scheme for Split Learning model, leveraging fingerprint to ensure effective and robust copyright protection. This is demonstrated by a remarkable fingerprint verification success rate (FVSR) of 100% on MNIST, 98% on CIFAR-10, and 100% on ImageNet.
  arXiv  Detail & Related papers  (2025-03-05T06:07:16Z)
• Scalable Fingerprinting of Large Language Models [46.26999419117367]
  We introduce a new method, dubbed Perinucleus sampling, to generate scalable, persistent, and harmless fingerprints. We demonstrate that this scheme can add 24,576 fingerprints to a Llama-3.1-8B model without degrading the model's utility.
  arXiv  Detail & Related papers  (2025-02-11T18:43:07Z)
• Sample Correlation for Fingerprinting Deep Face Recognition [83.53005932513156]
  We propose a novel model stealing detection method based on SA Corremplelation (SAC)<n>SAC successfully defends against various model stealing attacks in deep face recognition, encompassing face verification and face emotion recognition, exhibiting the highest performance in terms of AUC, p-value and F1 score.<n>We extend our evaluation of SAC-JC to object recognition including Tiny-ImageNet and CIFAR10, which also demonstrates the superior performance of SAC-JC to previous methods.
  arXiv  Detail & Related papers  (2024-12-30T07:37:06Z)
• MergePrint: Robust Fingerprinting against Merging Large Language Models [1.9249287163937978]
  We propose a novel fingerprinting method MergePrint that embeds robust fingerprints designed to preserve ownership claims even after model merging. By optimizing against a pseudo-merged model, MergePrint generates fingerprints that remain detectable after merging. This approach provides a practical fingerprinting strategy for asserting ownership in cases of misappropriation through model merging.
  arXiv  Detail & Related papers  (2024-10-11T08:00:49Z)
• Hey, That's My Model! Introducing Chain & Hash, An LLM Fingerprinting Technique [2.7174461714624805]
  Growing concerns over the theft and misuse of Large Language Models (LLMs) have heightened the need for effective fingerprinting.<n>We define five key properties for a successful fingerprint: Transparency, Efficiency, Persistence, Robustness, and Unforgeability.<n>We introduce a novel fingerprinting framework that provides verifiable proof of ownership while maintaining fingerprint integrity.
  arXiv  Detail & Related papers  (2024-07-15T16:38:56Z)
• Instructional Fingerprinting of Large Language Models [57.72356846657551]
  We present a pilot study on fingerprinting Large language models (LLMs) as a form of very lightweight instruction tuning. Results on 11 popularly-used LLMs showed that this approach is lightweight and does not affect the normal behavior of the model. It also prevents publisher overclaim, maintains robustness against fingerprint guessing and parameter-efficient training, and supports multi-stage fingerprinting akin to MIT License.
  arXiv  Detail & Related papers  (2024-01-21T09:51:45Z)
• VeriDIP: Verifying Ownership of Deep Neural Networks through Privacy Leakage Fingerprints [16.564206424838485]
  Deploying Machine Learning as a Service gives rise to model plagiarism, leading to copyright infringement. We propose a novel ownership testing method called VeriDIP, which verifies a model's intellectual property.
  arXiv  Detail & Related papers  (2023-09-07T01:58:12Z)
• WOUAF: Weight Modulation for User Attribution and Fingerprinting in Text-to-Image Diffusion Models [32.29120988096214]
  This paper introduces a novel approach to model fingerprinting that assigns responsibility for the generated images. Our method modifies generative models based on each user's unique digital fingerprint, imprinting a unique identifier onto the resultant content that can be traced back to the user.
  arXiv  Detail & Related papers  (2023-06-07T19:44:14Z)
• On the Robustness of Dataset Inference [21.321310557323383]
  Machine learning (ML) models are costly to train as they can require a significant amount of data, computational resources and technical expertise. Ownership verification techniques allow the victims of model stealing attacks to demonstrate that a suspect model was in fact stolen from theirs. A fingerprinting technique, dataset inference (DI), has been shown to offer better robustness and efficiency than prior methods.
  arXiv  Detail & Related papers  (2022-10-24T22:17:55Z)
• Are You Stealing My Model? Sample Correlation for Fingerprinting Deep Neural Networks [86.55317144826179]
  Previous methods always leverage the transferable adversarial examples as the model fingerprint. We propose a novel yet simple model stealing detection method based on SAmple Correlation (SAC) SAC successfully defends against various model stealing attacks, even including adversarial training or transfer learning.
  arXiv  Detail & Related papers  (2022-10-21T02:07:50Z)
• FBI: Fingerprinting models with Benign Inputs [17.323638042215013]
  This paper tackles the challenges to propose i) fingerprinting schemes that are resilient to significant modifications of the models, by generalizing to the notion of model families and their variants. We achieve both goals by demonstrating that benign inputs, that are unmodified images, are sufficient material for both tasks. Both approaches are experimentally validated over an unprecedented set of more than 1,000 networks.
  arXiv  Detail & Related papers  (2022-08-05T13:55:36Z)
• FedIPR: Ownership Verification for Federated Deep Neural Network Models [31.459374163080994]
  Federated learning models must be protected against plagiarism since these models are built upon valuable training data owned by multiple institutions or people. This paper illustrates a novel federated deep neural network (FedDNN) ownership verification scheme that allows ownership signatures to be embedded and verified to claim legitimate intellectual property rights (IPR) of FedDNN models.
  arXiv  Detail & Related papers  (2021-09-27T12:51:24Z)
• Fingerprinting Image-to-Image Generative Adversarial Networks [53.02510603622128]
  Generative Adversarial Networks (GANs) have been widely used in various application scenarios. This paper presents a novel fingerprinting scheme for the Intellectual Property protection of image-to-image GANs based on a trusted third party.
  arXiv  Detail & Related papers  (2021-06-19T06:25:10Z)
• Responsible Disclosure of Generative Models Using Scalable Fingerprinting [70.81987741132451]
  Deep generative models have achieved a qualitatively new level of performance. There are concerns on how this technology can be misused to spoof sensors, generate deep fakes, and enable misinformation at scale. Our work enables a responsible disclosure of such state-of-the-art generative models, that allows researchers and companies to fingerprint their models.
  arXiv  Detail & Related papers  (2020-12-16T03:51:54Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.