An Evasion Algorithm to Fool Fingerprint Detector for Deep Neural Networks

doi:10.7544/issn1000-1239.2021.20200903

Journal of Computer Research and Development ›› 2021, Vol. 58 ›› Issue (5): 1106-1117.doi: 10.7544/issn1000-1239.2021.20200903

Special Issue: 2021人工智能安全与隐私保护技术专题

Previous Articles Next Articles

An Evasion Algorithm to Fool Fingerprint Detector for Deep Neural Networks

Qian Yaguan^1,2, He Niannian^1,2, Guo Yankai^1,2, Wang Bin², Li Hui³, Gu Zhaoquan⁴, Zhang Xuhong⁵, Wu Chunming⁶

¹（School of Big-data Science, Zhejiang University of Science and Technology, Hangzhou 310023);²(Edge Intelligence Security Joint Laboratory, Hikvision & Zhejiang University of Science and Technology, Hangzhou 310023);³(School of Cyber Engineering, Xidian University, Xi’an 710071);⁴(Cyberspace Institute of Advanced Technology, Guangzhou University, Guangzhou 510006);⁵(College of Control Science and Engineering, Zhejiang University, Hangzhou 310058);⁶(College of Computer Science and Technology, Zhejiang University, Hangzhou 310058)

Online:2021-05-01
Supported by:
This work was supported by the National Key Research and Development Program of China (2018YFB2100400, 2018YFB1800601), the National Natural Science Foundation of China (61902082), the Key Research and Development Program of Zhejiang Province (2020C01077, 2021C01036, 2020C01021), and the Major Scientific Project of Zhejiang Lab (2018FD0ZX01).

Abstract

Abstract: With the successful application of deep neural networks in various fields, the protection of intellectual property of models becomes more important. Since training the deep neural network requires a large number of computing resources, labor costs, and time costs, some people attempt to build a local substitute model with lower cost by stealing the target model’s parameters. For protecting the intellectual property of model owners, a model fingerprint matching method is proposed recently, which uses the fingerprint examples near the decision boundary of the model and their fingerprints to check whether their models have been stolen. The advantage of this method is that it does not affect the performance of the model itself. However, this protection strategy has some vulnerabilities, and we propose an evasion algorithm to successfully bypass the protection. The key component of our evasion algorithm is a fingerprint-example detector termed as Fingerprint-GAN. The Fingerprint-GAN first learns the feature representation and distribution of normal examples in a latent space. According to the difference of the feature representation in the latent space between the fingerprint examples and the normal examples, the Fingerprint-GAN finds the fingerprint examples. Finally, the labels of the fingerprint examples different from the predictions are returned to fool fingerprint matching method of the target model owner. Extensive experiments are conducted on CIFAR-10 and CIFAR-100. The results show that the detection rate of this algorithm for fingerprint examples can reach 95% and 94%, respectively, while the model owner’s fingerprint matching success rate is only 19%, which proves the unreliability of the model fingerprint matching protection method.

Key words: intellectual property protection, model stealing, model fingerprints, generative adversarial network, evasion algorithms

CLC Number:

TP309

Qian Yaguan, He Niannian, Guo Yankai, Wang Bin, Li Hui, Gu Zhaoquan, Zhang Xuhong, Wu Chunming. An Evasion Algorithm to Fool Fingerprint Detector for Deep Neural Networks[J]. Journal of Computer Research and Development, 2021, 58(5): 1106-1117.

	Articles by Authors
	Qian Yaguan
	He Niannian
	Guo Yankai
	Wang Bin
	Li Hui
	Gu Zhaoquan
	Zhang Xuhong
	Wu Chunming

[1]	Kong Leyi, Zhang Jinyi, Lou Liangliang. Tolerance Feature Extension of Substandard Sign Language Recognition with Finite Samples [J]. Journal of Computer Research and Development, 2022, 59(3): 683-693.
[2]	Dai Hong, Sheng Lijie, Miao Qiguang. Adversarial Discriminative Domain Adaptation Algorithm with CapsNet [J]. Journal of Computer Research and Development, 2021, 58(9): 1997-2012.
[3]	Fu Zhangjie, Li Enlu, Cheng Xu, Huang Yongfeng, Hu Yuting. Recent Advances in Image Steganography Based on Deep Learning [J]. Journal of Computer Research and Development, 2021, 58(3): 548-568.
[4]	Chen Dawei, Fu Anmin, Zhou Chunyi, Chen Zhenzhu. Federated Learning Backdoor Attack Scheme Based on Generative Adversarial Network [J]. Journal of Computer Research and Development, 2021, 58(11): 2364-2373.
[5]	Yu Haitao, Yang Xiaoshan, Xu Changsheng. Antagonistic Video Generation Method Based on Multimodal Input [J]. Journal of Computer Research and Development, 2020, 57(7): 1522-1530.
[6]	Zhang Xian, Shi Canghong, Li Xiaojie. Visual Feature Attribution Based on Adversarial Feature Pairs [J]. Journal of Computer Research and Development, 2020, 57(3): 604-615.
[7]	Song Kehui, Zhang Ying, Zhang Jiangwei, Yuan Xiaojie. A Generative Model for Synthesizing Structured Datasets Based on GAN [J]. Journal of Computer Research and Development, 2019, 56(9): 1832-1842.
[8]	Tian Jiwei, Wang Jinsong, Shi Kai. Positive and Unlabeled Generative Adversarial Network on POI Positioning [J]. Journal of Computer Research and Development, 2019, 56(9): 1843-1850.
[9]	Zhang Han, Guo Yuanbo, Li Tao. Domain Named Entity Recognition Combining GAN and BiLSTM-Attention-CRF [J]. Journal of Computer Research and Development, 2019, 56(9): 1851-1858.
[10]	Dai Chenchao, Wang Hongyuan, Ni Tongguang, Chen Shoubing. Person Re-Identification Based on Deep Convolutional Generative Adversarial Network and Expanded Neighbor Reranking [J]. Journal of Computer Research and Development, 2019, 56(8): 1632-1641.

An Evasion Algorithm to Fool Fingerprint Detector for Deep Neural Networks

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

References

Related Articles 10

Recommended Articles

Metrics

Comments