IrisFP: Adversarial-Example-based Model Fingerprinting with Enhanced Uniqueness and Robustness
This work addresses the problem of protecting intellectual property for machine learning model owners, though it appears incremental, as it builds on prior adversarial-example-based methods.
The paper tackles model fingerprinting for ownership verification by proposing IrisFP, a framework that uses adversarial examples to enhance uniqueness and robustness, achieving reliable verification and outperforming state-of-the-art methods in experiments.
We propose IrisFP, a novel adversarial-example-based model fingerprinting framework that enhances both uniqueness and robustness by leveraging multi-boundary characteristics, multi-sample behaviors, and fingerprint discriminative power assessment to generate composite-sample fingerprints. Three key innovations make IrisFP outstanding: 1) It positions fingerprints near the intersection of all decision boundaries (unlike prior methods, which target a single boundary), thus increasing the prediction margin without placing fingerprints deep inside target class regions, enhancing both robustness and uniqueness; 2) It constructs composite-sample fingerprints, each comprising multiple samples close to the multi-boundary intersection, to exploit collective behavior patterns and further boost uniqueness; and 3) It assesses the discriminative power of generated fingerprints using statistical separability metrics built on two reference model sets, one of pirated models and one of independently trained models, retains the fingerprints with high discriminative power, and assigns fingerprint-specific thresholds to the retained fingerprints. Extensive experiments show that IrisFP consistently outperforms state-of-the-art methods, achieving reliable ownership verification by enhancing both robustness and uniqueness.
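The third step (scoring each composite-sample fingerprint against the two reference model sets, keeping the discriminative ones, and giving each its own threshold) can be sketched as follows. This is an added example, not code from the paper: the separability score, the midpoint threshold rule, the `min_score` cutoff and all function names are assumptions, and the prediction data is constructed.

```python
from statistics import mean, pstdev

def match_rate(preds, labels):
    """Fraction of a composite fingerprint's samples that receive the expected label."""
    return sum(p == y for p, y in zip(preds, labels)) / len(labels)

def assess(pirated, independent, eps=1e-6):
    """Assumed separability metric and threshold rule, not the paper's own.
    Score: gap between the two mean match rates over their summed spreads.
    Threshold: midpoint between the two means."""
    mu_p, mu_i = mean(pirated), mean(independent)
    score = (mu_p - mu_i) / (pstdev(pirated) + pstdev(independent) + eps)
    return score, (mu_p + mu_i) / 2

def select(fingerprints, min_score=2.0):
    """Return {name: threshold} for fingerprints that separate the reference sets."""
    kept = {}
    for name, fp in fingerprints.items():
        p = [match_rate(m, fp["labels"]) for m in fp["pirated"]]
        i = [match_rate(m, fp["labels"]) for m in fp["independent"]]
        score, threshold = assess(p, i)
        if score >= min_score:
            kept[name] = threshold
    return kept

def verify(kept, fingerprints, suspect_preds):
    """Share of retained fingerprints whose own threshold the suspect model reaches."""
    hits = sum(match_rate(suspect_preds[n], fingerprints[n]["labels"]) >= t
               for n, t in kept.items())
    return hits / len(kept) if kept else 0.0

# Constructed data: class labels predicted on each fingerprint's four samples.
FINGERPRINTS = {
    "fp_a": {"labels": [1, 4, 2, 7],
             "pirated": [[1, 4, 2, 7], [1, 4, 2, 0], [1, 4, 2, 7]],
             "independent": [[3, 4, 5, 6], [0, 0, 2, 1], [9, 9, 9, 9]]},
    "fp_b": {"labels": [5, 5, 8, 8],
             "pirated": [[5, 5, 8, 8], [5, 0, 8, 0], [0, 5, 0, 0]],
             "independent": [[5, 5, 8, 0], [5, 0, 0, 0], [5, 5, 0, 8]]},
}

if __name__ == "__main__":
    kept = select(FINGERPRINTS)
    print(kept)
    print(verify(kept, FINGERPRINTS, {"fp_a": [1, 4, 2, 7]}))
```

Here `fp_b` is discarded because pirated and independent reference models match it equally often, so it carries no ownership signal regardless of how the threshold is set.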