Machine learning (ML) models are costly to train: they can require large amounts of data, computational resources and technical expertise. They therefore constitute valuable intellectual property that needs protection from adversaries who want to steal them. Ownership verification techniques allow the victim of a model stealing attack to demonstrate that a suspect model was in fact stolen from theirs. Although a number of ownership verification techniques based on watermarking or fingerprinting have been proposed, most of them fall short either in terms of security guarantees (well-equipped adversaries can evade verification) or in terms of computational cost. A fingerprinting technique introduced at ICLR '21, Dataset Inference (DI), has been shown to offer better robustness and efficiency than prior methods. The authors of DI provided a correctness proof for linear (suspect) models. However, in the same setting, we prove that DI suffers from high false positives (FPs): it can incorrectly identify an independent model, trained on non-overlapping data from the same distribution, as stolen. We further prove that DI also triggers FPs for realistic, non-linear suspect models, and we confirm empirically that DI produces FPs with high confidence. We then show that DI also suffers from false negatives (FNs): an adversary can fool DI by regularising a stolen model's decision boundaries with adversarial training. In particular, we demonstrate that DI fails to identify a model adversarially trained on a stolen dataset, the setting in which DI is hardest to evade. Finally, we discuss the implications of our findings and the viability of fingerprinting-based ownership verification in general, and suggest directions for future work.
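The false-positive claim above rests on a property of the linear setting that is easy to see in a toy: two classifiers trained on disjoint samples from the same distribution converge to nearly the same decision boundary, so any fingerprint that reads ownership off the suspect's boundary cannot tell "independently trained on the same distribution" apart from "stolen". The following is an added illustration of that ingredient only, not code from the DI paper or from this paper, and it does not implement DI's actual hypothesis test. The data generator (Gaussian inputs, sign labels with 5% label noise), the dimension, the sample size and the similarity thresholds are assumptions chosen for the example.

```python
"""Added toy example (not from the DI paper or this paper): independent linear
models trained on disjoint samples of the same distribution share their
decision boundary; a model trained on a different distribution does not.
All data is constructed inline; D, N and the noise rate are assumptions."""
import math
import random

D = 6       # input dimension (assumption)
N = 1500    # samples per disjoint training set (assumption)


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def make_dataset(rng, w_true, n):
    """Constructed data: x ~ N(0, I), label = sign(w_true . x), 5% labels flipped."""
    xs, ys = [], []
    for _ in range(n):
        x = [rng.gauss(0.0, 1.0) for _ in range(D)]
        y = 1 if dot(w_true, x) > 0 else -1
        if rng.random() < 0.05:
            y = -y
        xs.append(x)
        ys.append(y)
    return xs, ys


def train_logistic(xs, ys, steps=120, lr=0.5):
    """Plain gradient descent on the unregularised logistic loss.
    No bias term: the constructed distribution is symmetric, so the true
    boundary passes through the origin."""
    w = [0.0] * D
    n = len(xs)
    for _ in range(steps):
        grad = [0.0] * D
        for x, y in zip(xs, ys):
            margin = y * dot(w, x)
            # d/dw log(1 + exp(-margin)) = -y * x * sigmoid(-margin); clamp to avoid overflow
            if margin > 30:
                s = 0.0
            elif margin < -30:
                s = 1.0
            else:
                s = 1.0 / (1.0 + math.exp(margin))
            for j in range(D):
                grad[j] -= y * x[j] * s
        w = [wj - lr * gj / n for wj, gj in zip(w, grad)]
    return w


def cosine(u, v):
    """Cosine similarity of two weight vectors, i.e. how close their boundaries are."""
    return dot(u, v) / (math.sqrt(dot(u, u)) * math.sqrt(dot(v, v)))


def boundary_similarity(seed=0):
    """Train a 'victim', an 'independent' model on disjoint data from the same
    distribution, and an 'other' model on a different distribution.
    Returns (cos(victim, independent), cos(victim, other))."""
    rng = random.Random(seed)
    w_true = [rng.gauss(0.0, 1.0) for _ in range(D)]
    # Make the second ground-truth boundary orthogonal to the first (Gram-Schmidt)
    # so that "different distribution" is unambiguous.
    w_raw = [rng.gauss(0.0, 1.0) for _ in range(D)]
    proj = dot(w_raw, w_true) / dot(w_true, w_true)
    w_other = [b - proj * a for a, b in zip(w_true, w_raw)]

    xs_v, ys_v = make_dataset(rng, w_true, N)    # victim's private training set
    xs_i, ys_i = make_dataset(rng, w_true, N)    # disjoint sample, same distribution
    xs_o, ys_o = make_dataset(rng, w_other, N)   # different distribution

    w_victim = train_logistic(xs_v, ys_v)
    w_indep = train_logistic(xs_i, ys_i)
    w_other_model = train_logistic(xs_o, ys_o)
    return cosine(w_victim, w_indep), cosine(w_victim, w_other_model)


if __name__ == "__main__":
    same, other = boundary_similarity()
    print(f"cos(victim, independent same-distribution model) = {same:.3f}")
    print(f"cos(victim, different-distribution model)        = {other:.3f}")
```

The first number comes out close to 1 and the second close to 0: the independent model's boundary is practically indistinguishable from the victim's even though not a single training point is shared, which is exactly the situation in which a boundary-based fingerprint is pushed towards a false positive. Whether a real verifier such as DI is fooled depends on its specific statistic, which this toy does not reproduce.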