Fingerprinting Deep Neural Networks for Ownership Protection: An Analytical Approach
Existing adversarial-example-based fingerprinting schemes rely on empirical heuristics to set the fingerprint-to-boundary distance, risking violations of either robustness or uniqueness. This paper proposes AnaFP, an analytical approach that derives theoretical lower and upper bounds $\tau_{\text{lower}} < \tau < \tau_{\text{upper}}$ on a stretch factor controlling this distance. By formalizing robustness and uniqueness constraints and employing surrogate model pools with quantile-based relaxation, AnaFP generates fingerprints with guaranteed properties, validated across CNNs, MLPs, and GNNs.
AnaFP offers a rigorous theoretical framework for DNN fingerprinting, deriving admissible intervals for the stretch factor via Lipschitz continuity and logit margin analysis. Experimental results demonstrate consistent improvements over six baselines across diverse architectures and attacks, though robustness against Knowledge Distillation remains imperfect (AUC 0.596–0.792 across tasks). The work successfully bridges theory and practice, though the computational cost and approximation errors warrant consideration.
The theoretical contribution is substantial: Lemmas A.1 and A.2 formally establish conditions under which fingerprints guarantee robustness and uniqueness by bounding the stretch factor $\tau$ using local Lipschitz constants and logit shifts. The experimental protocol is comprehensive, evaluating ResNet-18, ResMLP, and GAT on CIFAR-10/100, MNIST, and PROTEINS under seven distinct attacks including composite threats like Prune-KD. The ablation study (Section 5.3) convincingly validates that selecting $\tau$ strictly within the admissible interval outperforms fixed-margin or boundary-only strategies.
The circular dependency between $\tau_{\text{lower}}$ and $\tau$ necessitates a grid search over 500 candidates, consuming up to 40 GB GPU memory and requiring an A100, which limits accessibility. More critically, the reliance on surrogate pools introduces 'approximation error' that is 'theoretically intractable' (Section 4.3.1), undermining the guaranteed nature of the bounds when extrapolating to unseen model variants. Performance under Knowledge Distillation attacks drops significantly (AUC 0.596 for CIFAR-100 vs. 0.954 for fine-tuning, Table 4), suggesting the theoretical guarantees may not hold for attacks that substantially alter the decision boundary geometry without the surrogate pool capturing such shifts.
Comparisons against six recent methods (UAP, IPGuard, MarginFinger, AKH, ADV-TRA, GMFIP) are fair and cover diverse fingerprinting paradigms, though UAP and MarginFinger cannot handle non-Euclidean data, excluding them from GNN evaluations. The sensitivity analysis (Section 5.2) demonstrates robustness to surrogate pool diversity and size, though the comparison assumes the attacker uses known modification strategies. The paper does not evaluate against adaptive adversaries who might specifically craft attacks to invalidate the estimated bounds.
While Appendix C provides detailed hyperparameters (e.g., $c=10^{-4}$ for CNNs, quantile thresholds $q_{\text{margin}}/q_{\text{lip}}$ ranging 0.3–0.5), no code repository or open-source implementation is referenced in the text. Reproduction requires substantial computational resources: fingerprinting a ViT-S/16 takes over 5,100 seconds with 40 GB peak memory (Table 9), and necessitates constructing surrogate pools with multiple fine-tuned and knowledge-distilled variants. The grid search resolution ($N_{\text{grid}}=500$) is specified, but sensitivity to this parameter is not analyzed.
Adversarial-example-based fingerprinting approaches, which leverage the decision boundary characteristics of deep neural networks (DNNs) to craft fingerprints, have proven effective for model ownership protection. However, a fundamental challenge remains unresolved: how far a fingerprint should be placed from the decision boundary to simultaneously satisfy two essential properties, i.e., robustness and uniqueness, for effective and reliable ownership protection. Despite the importance of the fingerprint-to-boundary distance, existing works lack a theoretical solution and instead rely on empirical heuristics, which may violate either robustness or uniqueness properties. We propose AnaFP, an analytical fingerprinting scheme that constructs fingerprints under theoretical guidance. Specifically, we formulate fingerprint generation as controlling the fingerprint-to-boundary distance through a tunable stretch factor. To ensure both robustness and uniqueness, we mathematically formalize these properties that determine the lower and upper bounds of the stretch factor. These bounds jointly define an admissible interval within which the stretch factor must lie, thereby establishing a theoretical connection between the two constraints and the fingerprint-to-boundary distance. To enable practical fingerprint generation, we approximate the original (infinite) sets of pirated and independently trained models using two finite surrogate model pools and employ a quantile-based relaxation strategy to relax the derived bounds. Due to the circular dependency between the lower bound and the stretch factor, we apply grid search over the admissible interval to determine the most feasible stretch factor. Extensive experimental results show that AnaFP consistently outperforms prior methods, achieving effective ownership verification across diverse model architectures and model modification attacks.
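The abstract's selection step (quantile-relaxed bounds from two surrogate pools, then a grid search because the lower bound depends on the stretch factor itself) can be sketched as follows. This is an added illustration, not the paper's code: the functional forms of both bounds, the "largest slack" selection rule, the single relaxation parameter `q`, and all pool values are assumptions made for the example.

```python
import math

# Constructed surrogate statistics (illustrative values, not from the paper).
# Pirated pool: logit shift at the fingerprint modeled as a + b * tau.
PIRATED = [(0.2, 0.1), (0.4, 0.2), (0.3, 0.5)]
# Independent pool: (logit margin M, local Lipschitz constant L) per model.
INDEPENDENT = [(2.0, 1.0), (3.0, 2.0), (4.0, 1.0)]

def quantile(values, q):
    """Linearly interpolated q-quantile of a non-empty list, 0 <= q <= 1."""
    s = sorted(values)
    pos = q * (len(s) - 1)
    lo, hi = math.floor(pos), math.ceil(pos)
    return s[lo] + (s[hi] - s[lo]) * (pos - lo)

def tau_upper(indep_pool, q):
    """Uniqueness bound (assumed form): a model with margin M and local
    Lipschitz constant L keeps its label within radius M / L. q = 0 is the
    strict minimum over the pool; larger q relaxes it."""
    return quantile([m / l for m, l in indep_pool], q)

def tau_lower(tau, pirated_pool, slope, q):
    """Robustness bound (assumed form): the protected model's margin
    slope * tau must exceed the pirated models' logit shift at that same
    tau. q = 0 is the strict maximum over the pool."""
    return quantile([(a + b * tau) / slope for a, b in pirated_pool], 1 - q)

def search_tau(pirated_pool, indep_pool, slope=1.0, q=0.5, n_grid=500):
    """Grid search: tau_lower depends on tau, so each candidate is checked
    against its own lower bound. Returns (tau, upper); tau is None when no
    candidate satisfies tau_lower(tau) < tau < upper."""
    upper = tau_upper(indep_pool, q)
    best, best_slack = None, 0.0
    for k in range(1, n_grid + 1):
        tau = upper * k / (n_grid + 1)  # strictly inside (0, upper)
        lower = tau_lower(tau, pirated_pool, slope, q)
        slack = min(tau - lower, upper - tau)  # distance to nearer bound
        if slack > best_slack:
            best, best_slack = tau, slack
    return best, upper

if __name__ == "__main__":
    print(search_tau(PIRATED, INDEPENDENT))
    # A pool whose shift grows faster than the margin leaves no valid tau.
    print(search_tau([(0.5, 1.2)], INDEPENDENT))
```

The second call shows the failure mode a verifier should check for: when the pirated pool's shift outgrows the margin, the admissible interval is empty and no fingerprint should be issued at that point.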