Deep neural network (DNN) models have become a critical asset of the model owner, as training them requires a large amount of resources (i.e., labeled data). Therefore, many fingerprinting schemes have been proposed to safeguard the intellectual property (IP) of the model owner against model extraction and illegal redistribution. However, previous schemes adopt unnatural images as the fingerprint, such as adversarial examples and noisy images, which can be easily perceived and rejected by the adversary. In this paper, we propose NaturalFinger, which generates natural fingerprints with generative adversarial networks (GANs). In addition, NaturalFinger fingerprints the decision difference areas rather than the decision boundary, which is more robust. The application of GANs not only allows us to generate more imperceptible samples, but also enables us to generate unrestricted samples to explore the decision boundary. To demonstrate the effectiveness of our fingerprinting approach, we evaluate it against four model modification attacks, including adversarial training, and two model extraction attacks. Experiments show that our approach achieves a 0.91 ARUC value on the FingerBench dataset (154 models), exceeding the optimal baseline (MetaV) by over 17%.