Typically, foundation models are hosted on cloud servers to meet the high demand for their services. However, this exposes them to security risks, as attackers can modify them after uploading to the cloud or transferring from a local system. To address this issue, we propose an iterative decision-based fragile watermarking algorithm that transforms normal training samples into fragile samples that are sensitive to model changes. We then compare the output of the sensitive samples from the original model to that of the compromised model during validation to assess the model's integrity. The proposed fragile watermarking algorithm is an optimization problem that aims to minimize the variance of the predicted probability distribution output by the target model when fed with the converted sample. We convert normal samples to fragile samples through multiple iterations. Our method has several advantages: (1) the iterative update of samples is done in a decision-based black-box manner, relying solely on the predicted probability distribution of the target model, which reduces the risk of exposure to adversarial attacks; (2) the small-amplitude multiple-iteration approach allows the fragile samples to perform well visually, with a PSNR of 55 dB on TinyImageNet compared to the original samples; (3) even with changes to the overall parameters of the model of magnitude 1e-4, the fragile samples can detect such changes; and (4) the method is independent of the specific model structure and dataset. We demonstrate the effectiveness of our method on multiple models and datasets, and show that it outperforms the current state-of-the-art.
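The following is an added illustration of the idea in the abstract; it is not code from the paper and it does not reproduce the authors' update rule. It assumes a constructed 3-class linear softmax model standing in for the black-box target, a constructed "training sample" `X_NORMAL`, and a coordinate-search update (`make_fragile`) that only queries `predict_proba`, halving its step whenever no move lowers the output variance. The verification step (`integrity_check`) then compares predicted labels between the reference model and a copy whose parameters were all shifted by a random amount of magnitude 1e-4 (`tampered`, also an assumption of this example): the normal sample never notices the change, the fragile sample does.

```python
import math
import random

# --- Constructed stand-in for the black-box target model ---------------------

def softmax(logits):
    m = max(logits)
    exps = [math.exp(z - m) for z in logits]
    total = sum(exps)
    return [e / total for e in exps]


def argmax(values):
    return max(range(len(values)), key=values.__getitem__)


class LinearClassifier:
    """3-class linear softmax model over 4 features (toy target model).
    The watermarking code below only calls predict_proba; it never reads W or b."""

    def __init__(self, W, b):
        self.W = W
        self.b = b

    def predict_proba(self, x):
        logits = [sum(w * xi for w, xi in zip(row, x)) + bi
                  for row, bi in zip(self.W, self.b)]
        return softmax(logits)

    def tampered(self, magnitude, seed):
        """Copy with every parameter shifted by a uniform random amount in
        [-magnitude, magnitude]: a small post-upload modification."""
        rng = random.Random(seed)
        W = [[w + rng.uniform(-magnitude, magnitude) for w in row] for row in self.W]
        b = [v + rng.uniform(-magnitude, magnitude) for v in self.b]
        return LinearClassifier(W, b)


MODEL = LinearClassifier(                      # constructed weights
    W=[[1.0, -0.5, 0.3, 0.8],
       [-0.7, 0.9, 0.4, -0.2],
       [0.2, 0.3, -0.9, 0.5]],
    b=[0.1, 0.0, -0.1],
)
X_NORMAL = [0.5, -1.0, 2.0, 0.3]               # constructed sample; class 0 with a wide margin


# --- Fragile-sample generation: decision-based, black-box --------------------

def prob_variance(p):
    mean = sum(p) / len(p)
    return sum((v - mean) ** 2 for v in p) / len(p)


def make_fragile(predict_proba, x, step=1e-2, min_step=1e-8, max_passes=5000):
    """Nudge x until the model's output distribution is as flat as possible.
    Each pass tries +/-step on every coordinate and keeps any move that lowers
    the variance of the predicted probabilities; when no move helps, the step
    is halved (small-amplitude iterations). Only predict_proba outputs are used."""
    x = list(x)
    best = prob_variance(predict_proba(x))
    for _ in range(max_passes):
        improved = False
        for i in range(len(x)):
            for delta in (step, -step):
                cand = list(x)
                cand[i] += delta
                v = prob_variance(predict_proba(cand))
                if v < best:
                    x, best, improved = cand, v, True
        if not improved:
            step /= 2
            if step < min_step:
                break
    return x, best


# --- Verification: reference model vs. deployed model ------------------------

def integrity_check(reference_labels, model, samples):
    """True if the deployed model reproduces the reference labels on every
    watermark sample; any mismatch flags the model as modified."""
    return all(argmax(model.predict_proba(x)) == y
               for x, y in zip(samples, reference_labels))


def demo(magnitude=1e-4, seeds=30):
    """Count how many random tamperings each sample type detects."""
    x_fragile, var = make_fragile(MODEL.predict_proba, X_NORMAL)
    ref_normal = [argmax(MODEL.predict_proba(X_NORMAL))]
    ref_fragile = [argmax(MODEL.predict_proba(x_fragile))]
    normal_flags = sum(not integrity_check(ref_normal, MODEL.tampered(magnitude, s), [X_NORMAL])
                       for s in range(seeds))
    fragile_flags = sum(not integrity_check(ref_fragile, MODEL.tampered(magnitude, s), [x_fragile])
                        for s in range(seeds))
    return {"fragile_variance": var, "normal_flags": normal_flags, "fragile_flags": fragile_flags}


if __name__ == "__main__":
    print(demo())
```

The fragile sample ends up where the three class probabilities are equal to within a few parts in a million, so a parameter shift of 1e-4 is enough to move the argmax, while the same shift is invisible on the ordinary sample whose logit margin is about 2.4. Real models would replace the coordinate search with a far cheaper update, but the black-box property is the same: the generator sees probabilities only, never gradients or weights.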