Fingerprinting Deep Neural Networks for Ownership Protection: An Analytical Approach
Guang Yang, Ziye Geng, Yihang Chen, Changqing Luo
TL;DR
This paper introduces AnaFP, an analytical method for neural network fingerprinting that uses theoretical bounds to optimize fingerprint placement, enhancing robustness and uniqueness for ownership protection.
Contribution
AnaFP provides a theoretically grounded approach to neural network fingerprinting, addressing the trade-off between robustness and uniqueness through formal bounds and a practical grid search.
Findings
AnaFP outperforms prior methods in ownership verification.
It maintains effectiveness across various model architectures.
It is resilient against model modification attacks.
Abstract
Adversarial-example-based fingerprinting approaches, which leverage the decision boundary characteristics of deep neural networks (DNNs) to craft fingerprints, have proven effective for model ownership protection. However, a fundamental challenge remains unresolved: how far a fingerprint should be placed from the decision boundary to simultaneously satisfy two essential properties, i.e., robustness and uniqueness, for effective and reliable ownership protection. Despite the importance of the fingerprint-to-boundary distance, existing works lack a theoretical solution and instead rely on empirical heuristics, which may violate either robustness or uniqueness properties. We propose AnaFP, an analytical fingerprinting scheme that constructs fingerprints under theoretical guidance. Specifically, we formulate fingerprint generation as controlling the fingerprint-to-boundary distance…
Peer Reviews
Decision·ICLR 2026 Poster
1. To the best of my knowledge, this might be the first work to analytically characterize the admissible τ-interval that jointly guarantees robustness and uniqueness. The derivation is clean and verifiable, and surrogate pools + quantile relaxation elegantly make the bounds estimable without violating the theory. 2. Consistently highest AUC on all six modification attacks and four datasets, while showing low sensitivity to pool size/quantile settings. 3. Extensive results demonstrate the superio
1. My first concern is about the cost. Every anchor requires a full targeted C&W optimization (≈ 3,000 steps) and a 500-point grid search over τ. Complexity is O(N_f × 3,000 × 500) forward-backward passes—impractical for ImageNet-scale models. No speed-up (e.g., early termination, bisection search, Jacobian-free solvers) is discussed. 2. Missing baselines. The experimental comparison is restricted to adversarial-example methods; recent non-adversarial ownership schemes are omitted, which can pro
1. The paper provides a clean analytical formulation for the long-standing heuristic choice of how far fingerprints should lie from the decision boundary. By deriving explicit upper and lower bounds on the scaling factor, the authors turn this into a principled optimization problem rather than an empirical guess. 2. Experiments cover multiple model families (CNN/MLP/GNN), datasets (image and graph), a wide range of model modification attacks, several baselines, and repeated runs to report mean ±
1. The related-work section lacks a systematic overview of existing fingerprinting or watermarking techniques for deep models. 2. While the appendix mentions some hyperparameters, key details such as exact model architectures used and number of models in each surrogate pool are missing or only briefly listed. These are central to understanding the experiment setup. Important configurations should appear in the main text, not just in appendices. 3. While AnaFP is analytically grounded, its deploy
- The paper rigorously formalizes the requirements for fingerprint robustness and uniqueness, deriving both lower and upper bounds on the stretch factor that controls fingerprint placement. - AnaFP is demonstrated on a diverse set of DNN models, indicating broad applicability. Unlike some baselines (UAP, MarginFinger), AnaFP naturally extends to non-Euclidean domains. - The paper provides well-designed ablations on surrogate pool size/diversity, quantile relaxation parameters, and the selecti
- While the authors thoroughly test robustness to model modifications and evaluate discriminability between pirated and independent models, there is no assessment of scenarios with "unknown" models or more ambiguous conditions (e.g., surrogate attacks specifically designed to evade fingerprints; adaptive adversaries targeting decision geometry). Similarly, detailed analysis of the potential for false positives in more open-world settings is missing. - AnaFP's practicality depends on the constru
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsAdversarial Robustness in Machine Learning · Physical Unclonable Functions (PUFs) and Hardware Security · Advanced Neural Network Applications