AFA: Adversarial fingerprinting authentication for deep neural networks

With the vigorous development of deep learning, sharing trained deep neural network (DNN) models has become a common trend in various fields. An urgent problem is to protect the intellectual property (IP) rights of the model owners and detect IP infringement. DNN watermarking technology, which embeds signature information into the protected model and tries to extract it from the plagiarism model, has been the main approach of IP verification. However, the existing DNN watermarking methods have to be robust to various removal attacks since their watermarks are single in form or limited in quantity. Meanwhile, the process of adding watermarks to the DNN models will affect their original prediction abilities. Moreover, if the model has been distributed before embedding the watermarks, its IP cannot be correctly recognized and protected. To this end, we propose AFA, a new DNN fingerprinting technology aiming at extracting the inherent features of the model itself instead of embedding fixed watermarks. The features we selected as model fingerprints are a set of specially-crafted adversarial examples called Adversarial-Marks, which can transfer much better to the models that are derived from the original model than to other irrelative models. We also design a new IP verification scheme to identify a remote model's ownership. Experimental results show that our mechanism works well for common image classification models, and it can be easily adapted to other deep neural networks.