IPRemover: A Generative Model Inversion Attack against Deep Neural Network Fingerprinting and Watermarking

Wei Zong, Yang Wai Chow, Willy Susilo, Joonsang Baek, Jongkil Kim, Seyit Camtepe

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

Training Deep Neural Networks (DNNs) can be expensive when data is difficult to obtain or labeling them requires significant domain expertise. Hence, it is crucial that the Intellectual Property (IP) of DNNs trained on valuable data be protected against IP infringement. DNN fingerprinting and watermarking are two lines of work in DNN IP protection. Recently proposed DNN fingerprinting techniques are able to detect IP infringement while preserving model performance by relying on the key assumption that the decision boundaries of independently trained models are intrinsically different from one another. In contrast, DNN watermarking embeds a watermark in a model and verifies IP infringement if an identical or similar watermark is extracted from a suspect model. The techniques deployed in fingerprinting and watermarking vary significantly because their underlying mechanisms are different. From an adversary's perspective, a successful IP removal attack should defeat both fingerprinting and watermarking. However, to the best of our knowledge, there is no work on such attacks in the literature yet. In this paper, we fill this gap by presenting an IP removal attack that can defeat both fingerprinting and watermarking. We consider the challenging data-free scenario whereby all data is inverted from the victim model. Under this setting, a stolen model only depends on the victim model. Experimental results demonstrate the success of our attack in defeating state-of-the-art DNN fingerprinting and watermarking techniques. This work reveals a novel attack surface that exploits generative model inversion attacks to bypass DNN IP defenses. This threat must be addressed by future defenses for reliable IP protection.

Original language: English
Title of host publication: Technical Tracks 14
Editors: Michael Wooldridge, Jennifer Dy, Sriraam Natarajan
Publisher: Association for the Advancement of Artificial Intelligence
Pages: 7837-7845
Number of pages: 9
Edition: 7
ISBN (Electronic): 1577358872, 9781577358879
DOIs
State: Published - 25 Mar 2024
Event: 38th AAAI Conference on Artificial Intelligence, AAAI 2024 - Vancouver, Canada
Duration: 20 Feb 2024 to 27 Feb 2024

Publication series

Name: Proceedings of the AAAI Conference on Artificial Intelligence
Number: 7
Volume: 38
ISSN (Print): 2159-5399
ISSN (Electronic): 2374-3468

Conference

Conference: 38th AAAI Conference on Artificial Intelligence, AAAI 2024
Country/Territory: Canada
City: Vancouver
Period: 20/02/24 to 27/02/24

Bibliographical note

Publisher Copyright:
Copyright © 2024, Association for the Advancement of Artificial Intelligence (www.aaai.org). All rights reserved.
