MetaV: A Meta-Verifier Approach to Task-Agnostic Model Fingerprinting

TL;DR

MetaV introduces a task-agnostic, robust model fingerprinting framework that effectively verifies model ownership across diverse DNN architectures and tasks, significantly outperforming existing methods in accuracy and generality.

Contribution

The paper proposes MetaV, a novel task-agnostic fingerprinting framework with adaptive fingerprints and a meta-verifier, enabling broad applicability and robustness against obfuscation techniques.

Findings

MetaV achieves 100% true positives and negatives on skin cancer diagnosis models.

MetaV outperforms state-of-the-art schemes with about 220% improvement in ARUC.

The framework generalizes across classification, regression, and generative models.

Abstract

For model piracy forensics, previous model fingerprinting schemes are commonly based on adversarial examples constructed for the owner's model as the \textit{fingerprint}, and verify whether a suspect model is indeed pirated from the original model by matching the behavioral pattern on the fingerprint examples between one another. However, these methods heavily rely on the characteristics of classification tasks which inhibits their application to more general scenarios. To address this issue, we present MetaV, the first task-agnostic model fingerprinting framework which enables fingerprinting on a much wider range of DNNs independent from the downstream learning task, and exhibits strong robustness against a variety of ownership obfuscation techniques. Specifically, we generalize previous schemes into two critical design components in MetaV: the \textit{adaptive fingerprint} and the \textit{meta-verifier}, which are jointly optimized such that the meta-verifier learns to determine whether a suspect model is stolen based on the concatenated outputs of the suspect model on the adaptive fingerprint. As a key of being task-agnostic, the full process makes no assumption on the model internals in the ensemble only if they have the same input and output dimensions. Spanning classification, regression and generative modeling, extensive experimental results validate the substantially improved performance of MetaV over the state-of-the-art fingerprinting schemes and demonstrate the enhanced generality of MetaV for providing task-agnostic fingerprinting. For example, on fingerprinting ResNet-18 trained for skin cancer diagnosis, MetaV achieves simultaneously $100\%$ true positives and $100\%$ true negatives on a diverse test set of $70$ suspect models, achieving an about $220\%$ relative improvement in ARUC in comparison to the optimal baseline.