FIT-Print: Towards False-claim-resistant Model Ownership Verification via Targeted Fingerprint
Shuo Shao, Haozhe Zhu, Yiming Li, Hongwei Yao, Tianwei Zhang, Zhan Qin

TL;DR
This paper introduces FIT-Print, a targeted fingerprinting method for model ownership verification. It resists false claim attacks by transforming the fingerprint into a targeted signature, improving security without modifying the protected model.
Contribution
It proposes a novel targeted fingerprinting paradigm and develops new black-box methods, FIT-ModelDiff and FIT-LIME, to enhance model ownership verification against false claims.
Findings
Effective resistance to false claim attacks
High conferrability of the fingerprinting methods
Robustness demonstrated on benchmark models
Abstract
Model fingerprinting is a widely adopted approach to safeguard the intellectual property rights of open-source models by preventing their unauthorized reuse. It is promising and convenient since it does not necessitate modifying the protected model. In this paper, we revisit existing fingerprinting methods and reveal that they are vulnerable to false claim attacks where adversaries falsely assert ownership of any third-party model. We demonstrate that this vulnerability mostly stems from their untargeted nature, where they generally compare the outputs of given samples on different models instead of the similarities to specific references. Motivated by these findings, we propose a targeted fingerprinting paradigm (i.e., FIT-Print) to counteract false claim attacks. Specifically, FIT-Print transforms the fingerprint into a targeted signature via optimization. Building on the principles…
Taxonomy
Topics: Web Application Security Vulnerabilities · Advanced Malware Detection Techniques · Access Control and Trust
