This paper introduces Ensemble Adversarial Trajectory Fingerprinting, a method that embeds multiple redundant fingerprint paths in a DNN so that the fingerprint resists removal by adaptive adversaries. The approach uses diverse adversarial trajectories to make complete removal computationally infeasible while maintaining high verification accuracy and uniqueness.
Key findings
Proposes Ensemble Adversarial Trajectory Fingerprinting for robust DNN intellectual property protection.
Achieves a True Positive Rate of 0.92 and a False Positive Rate of 0.08, an 18% improvement over IPGuard.
Maintains high verification scores under moderate fine-tuning and pruning attacks.
Removing all ensemble signatures would require modifying over 75% of the model's capacity.
Limitations & open questions
The paper does not discuss the impact of extreme model modifications on fingerprint robustness.
The scalability of the approach to larger models or different architectures is not addressed.