May 23, 2025

Ownership Verification of DNN Models Using White-Box Adversarial Attacks with Specified Probability Manipulation

arXiv:2505.17579v3 | 1 citation | h-index: 1 | EUSIPCO
Originality: Incremental advance
AI Analysis

This paper addresses the issue of unauthorized copying of DNN models offered as cloud services, providing a verification method usable by both owners and third parties; it is incremental in that it builds on existing adversarial attack techniques.

The paper tackles the problem of verifying ownership of deep neural network models in image classification by using white-box adversarial attacks to manipulate output probabilities, achieving effective identification as confirmed by experiments.

In this paper, we propose a novel framework for ownership verification of deep neural network (DNN) models for image classification tasks. It allows verification of model identity by both the rightful owner and a third party without presenting the original model. We assume a gray-box scenario where an unauthorized user owns a model that is illegally copied from the original model, provides services in a cloud environment, and the user throws images and receives the classification results as a probability distribution of output classes. The framework applies a white-box adversarial attack to align the output probability of a specific class to a designated value. Due to the knowledge of the original model, it enables the owner to generate such adversarial examples. We propose a simple but effective adversarial attack method based on the iterative Fast Gradient Sign Method (FGSM) by introducing control parameters. Experimental results confirm the effectiveness of the identification of DNN models using adversarial attacks.
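As an added example (not the paper's code), a toy numpy version of the procedure the abstract describes: the owner, with white-box access to the original model, runs an iterative FGSM-style attack whose control parameters (L_inf budget, step size, tolerance) steer the probability of a designated class to a chosen value; a verifier then needs only the probability vector the service returns. The linear softmax model, the random image and all parameter values are constructed assumptions.

```python
import numpy as np

# Constructed toy setting (not the paper's models or data): a linear softmax
# classifier over 28x28 grayscale images stands in for the owner's DNN.
D, K = 28 * 28, 10

def make_model(seed):
    rng = np.random.default_rng(seed)
    return rng.normal(0, 1 / 28, size=(K, D)), rng.normal(0, 0.1, size=K)

def predict_proba(model, x):
    """Gray-box service output: full class-probability vector for image x."""
    W, b = model
    z = W @ x + b
    z = z - z.max()
    e = np.exp(z)
    return e / e.sum()

def align_probability(model, x0, cls, target, eps=0.25, alpha=0.02,
                      tol=0.005, max_iter=500):
    """Iterative FGSM variant (white-box): steer P(cls) towards `target`.
    Control parameters: eps (L_inf budget), alpha (initial step size),
    tol (accepted |P(cls) - target|). Step is halved on overshoot."""
    W, _ = model
    x = x0.copy()
    err = predict_proba(model, x)[cls] - target
    for _ in range(max_iter):
        if abs(err) < tol:
            break
        p = predict_proba(model, x)
        # gradient of (P(cls) - target)^2 w.r.t. x for softmax(Wx + b)
        grad = 2 * err * p[cls] * (W[cls] - p @ W)
        cand = x - alpha * np.sign(grad)
        cand = np.clip(cand, np.maximum(x0 - eps, 0), np.minimum(x0 + eps, 1))
        new_err = predict_proba(model, cand)[cls] - target
        if abs(new_err) < abs(err):
            x, err = cand, new_err
        else:
            alpha /= 2  # overshoot: shrink the step and retry
    return x

def verify(model, probe, cls, target, tol=0.005):
    """Third-party check: does the service's P(cls) sit at the designated value?"""
    return abs(predict_proba(model, probe)[cls] - target) < tol

owner, independent = make_model(0), make_model(1)   # copy vs. unrelated model
image = np.random.default_rng(2).uniform(0, 1, D)   # constructed input image
CLS, TARGET = 3, 0.5
probe = align_probability(owner, image, CLS, TARGET)
if __name__ == "__main__":
    print("copied model P(cls)=%.4f" % predict_proba(owner, probe)[CLS])
    print("independent  P(cls)=%.4f" % predict_proba(independent, probe)[CLS])
```

The copied model reproduces the designated probability within `tol`, while an independently trained model has no reason to, which is what lets the verifier separate the two without ever seeing the owner's weights.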
