Abstract: With the successful application of deep neural networks in various fields, the protection of intellectual property of models becomes more important. Since training the deep neural network requires a large number of computing resources, labor costs, and time costs, some people attempt to build a local substitute model with lower cost by stealing the target model’s parameters. For protecting the intellectual property of model owners, a model fingerprint matching method is proposed recently, which uses the fingerprint examples near the decision boundary of the model and their fingerprints to check whether their models have been stolen. The advantage of this method is that it does not affect the performance of the model itself. However, this protection strategy has some vulnerabilities, and we propose an evasion algorithm to successfully bypass the protection. The key component of our evasion algorithm is a fingerprint-example detector termed as Fingerprint-GAN. The Fingerprint-GAN first learns the feature representation and distribution of normal examples in a latent space. According to the difference of the feature representation in the latent space between the fingerprint examples and the normal examples, the Fingerprint-GAN finds the fingerprint examples. Finally, the labels of the fingerprint examples different from the predictions are returned to fool fingerprint matching method of the target model owner. Extensive experiments are conducted on CIFAR-10 and CIFAR-100. The results show that the detection rate of this algorithm for fingerprint examples can reach 95% and 94%, respectively, while the model owner’s fingerprint matching success rate is only 19%, which proves the unreliability of the model fingerprint matching protection method.

Key words: intellectual property protection, model stealing, model fingerprints, generative adversarial network, evasion algorithms