CR | AI | LG | Jan 26, 2025

FIT-Print: Towards False-claim-resistant Model Ownership Verification via Targeted Fingerprint

arXiv:2501.15509v4 | 8 citations | h-index: 21 | Has Code
Originality Incremental advance
AI Analysis

This work addresses a security problem for owners of open-source machine learning models by providing a more robust method to verify ownership and prevent unauthorized reuse, though it is incremental as it builds on existing fingerprinting approaches.

The paper tackled the vulnerability of existing model fingerprinting methods to false claim attacks, where adversaries can falsely assert ownership of third-party models, and proposed FIT-Print, a targeted fingerprinting paradigm that demonstrated effectiveness in resisting such attacks through experiments on benchmark models and datasets.

Model fingerprinting is a widely adopted approach to safeguard the intellectual property rights of open-source models by preventing their unauthorized reuse. It is promising and convenient since it does not necessitate modifying the protected model. In this paper, we revisit existing fingerprinting methods and reveal that they are vulnerable to false claim attacks where adversaries falsely assert ownership of any third-party model. We demonstrate that this vulnerability mostly stems from their untargeted nature, where they generally compare the outputs of given samples on different models instead of the similarities to specific references. Motivated by these findings, we propose a targeted fingerprinting paradigm (i.e., FIT-Print) to counteract false claim attacks. Specifically, FIT-Print transforms the fingerprint into a targeted signature via optimization. Building on the principles of FIT-Print, we develop bit-wise and list-wise black-box model fingerprinting methods, i.e., FIT-ModelDiff and FIT-LIME, which exploit the distance between model outputs and the feature attribution of specific samples as the fingerprint, respectively. Extensive experiments on benchmark models and datasets verify the effectiveness, conferrability, and resistance to false claim attacks of our FIT-Print.
