PatchFinger: A Model Fingerprinting Scheme Based on Adversarial Patch
2023; Springer Science+Business Media; Language: English
10.1007/978-981-99-8082-6_6
ISSN 1611-3349
Authors: Bo Zeng, Kunhao Lai, Jianpeng Ke, Fangchao Yu, Lina Wang,
Topic(s): Advanced Neural Network Applications
Abstract: As deep neural networks (DNNs) gain great popularity and importance, protecting their intellectual property is always the topic. Previous model watermarking schemes based on backdoors require explicit embedding of the backdoor, which changes the structure and parameters. Model fingerprinting based on adversarial examples does not require any modification of the model, but is limited by the characteristics of the original task and not versatile enough. We find that an adversarial patch can be regarded as an inherent backdoor and can achieve the output of specific categories injected. Inspired by this, we propose PatchFinger, a model fingerprinting scheme based on adversarial patch which is applied to the original samples as a model fingerprinting through a specific fusion method. As a model fingerprinting scheme, PatchFinger does not sacrifice the accuracy of the source model, and the characteristics of the adversarial patch make it more flexible and highly robust. Experimental results show that PatchFinger achieves an ARUC value of 0.936 in a series of tests on the Tiny-ImageNet dataset, which exceeds the baseline by 19%. When considering average query accuracy, PatchFinger gets 97.04%, outperforming the method tested.