| In the current information age, a large amount of data is being generated all the time, and statistical machine learning has gradually become a research hotspot. Deep learning, as an important big data analysis method, has brought Deep Neural Network (DNN) models into a wide range of applications. Training deep neural networks requires a lot of training data, professional knowledge and hardware resources, so deep neural network models have become important assets that provide services for users. However, deep neural network models also face huge security challenges: malicious users illegally distribute and use models, steal model-relevant data for model cloning, and so on. For model owners, protecting their models from piracy becomes crucial. Watermarking and model fingerprinting are currently the two main methods for protecting model intellectual property. Most previous work has focused on watermarking, and model fingerprinting has not been discussed in depth. Therefore, this paper takes the model extraction attack as its research scenario and researches and analyzes in depth the security of the model fingerprinting verification method, which is of practical significance for promoting the protection of the intellectual property of deep neural network models. This paper carries out research in the following aspects: (1) Aiming at the model fingerprinting verification method, a model fingerprinting detection method based on feature extraction with a Generative Adversarial Network (GAN) is proposed. The GAN is used as a feature extractor to identify fingerprint examples based on the difference in feature information between normal examples and model fingerprint examples in the latent space, and labels that are inconsistent with the predicted results are returned. Experiments show that the proposed method has superior performance, escaping the model owner's fingerprint verification with a success rate of 83.25% and revealing the fragility of the fingerprint verification method for deep neural network models. (2) In view of the limited model query budget and the problem that the detection method based on GAN feature extraction takes place after model fingerprinting verification, a model fingerprinting detection method based on GAN active learning is proposed, which is an effective method that takes place before model fingerprinting verification. By introducing a classifier to assist GAN training with active learning, the generator generates potential fingerprint examples near the low-density boundary of normal examples, and performs post-statistics on the training examples. According to the difference in distance between the fingerprint examples and the training examples, the fingerprint examples are identified, and a label inconsistent with the predicted result is returned. Experiments show that the proposed detection method based on GAN active learning further reduces the matching success rate of the model owner's fingerprinting verification and reveals the unreliability of the current model fingerprinting verification method. |