Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Fingerprinting Image-to-Image Generative Adversarial Networks

Guanlin Li, Guowen Xu, Han Qiu, Shangwei Guo, Run Wang, Jiwei Li, Tianwei Zhang, Rongxing Lu

TL;DR

This work tackles IP protection for image-to-image GANs by introducing a trusted-third-party fingerprinting framework that leverages a composite model combining the target GAN with a classifier. It articulates formal definitions, security goals, and three concrete designs—CFP-AE, CFP-iBDv1, and CFP-iBDv2—for generating and embedding strong fingerprints that are stealthy, persistent, and hard to rewrite. The CFP-iBDv2 design, leveraging Triplet Loss and multitask fine-grained classification, achieves the best balance of distinctness, persistence, and stealth across multiple I2I tasks (attribute editing, domain translation, super-resolution) under common model and image transformations. Through extensive experiments, the authors demonstrate high verification accuracy, robust resilience to pruning, fine-tuning, and image perturbations, as well as visual indistinguishability of verification samples. The framework thus offers a practical, scalable approach for commercial GAN IP protection with judicially acceptable evidence enabled by cryptographic commitments and third-party oversight.

Abstract

Generative Adversarial Networks (GANs) have been widely used in various application scenarios. Since the production of a commercial GAN requires substantial computational and human resources, the copyright protection of GANs is urgently needed. This paper presents a novel fingerprinting scheme for the Intellectual Property (IP) protection of image-to-image GANs based on a trusted third party. We break through the stealthiness and robustness bottlenecks suffered by previous fingerprinting methods for classification models being naively transferred to GANs. Specifically, we innovatively construct a composite deep learning model from the target GAN and a classifier. Then we generate fingerprint samples from this composite model, and embed them in the classifier for effective ownership verification. This scheme inspires some concrete methodologies to practically protect the modern image-to-image translation GANs. Theoretical analysis proves that these methods can satisfy different security requirements necessary for IP protection. We also conduct extensive experiments to show that our solutions outperform existing strategies.

Fingerprinting Image-to-Image Generative Adversarial Networks

TL;DR

This work tackles IP protection for image-to-image GANs by introducing a trusted-third-party fingerprinting framework that leverages a composite model combining the target GAN with a classifier. It articulates formal definitions, security goals, and three concrete designs—CFP-AE, CFP-iBDv1, and CFP-iBDv2—for generating and embedding strong fingerprints that are stealthy, persistent, and hard to rewrite. The CFP-iBDv2 design, leveraging Triplet Loss and multitask fine-grained classification, achieves the best balance of distinctness, persistence, and stealth across multiple I2I tasks (attribute editing, domain translation, super-resolution) under common model and image transformations. Through extensive experiments, the authors demonstrate high verification accuracy, robust resilience to pruning, fine-tuning, and image perturbations, as well as visual indistinguishability of verification samples. The framework thus offers a practical, scalable approach for commercial GAN IP protection with judicially acceptable evidence enabled by cryptographic commitments and third-party oversight.

Abstract

Generative Adversarial Networks (GANs) have been widely used in various application scenarios. Since the production of a commercial GAN requires substantial computational and human resources, the copyright protection of GANs is urgently needed. This paper presents a novel fingerprinting scheme for the Intellectual Property (IP) protection of image-to-image GANs based on a trusted third party. We break through the stealthiness and robustness bottlenecks suffered by previous fingerprinting methods for classification models being naively transferred to GANs. Specifically, we innovatively construct a composite deep learning model from the target GAN and a classifier. Then we generate fingerprint samples from this composite model, and embed them in the classifier for effective ownership verification. This scheme inspires some concrete methodologies to practically protect the modern image-to-image translation GANs. Theoretical analysis proves that these methods can satisfy different security requirements necessary for IP protection. We also conduct extensive experiments to show that our solutions outperform existing strategies.

Paper Structure

This paper contains 39 sections, 1 theorem, 12 equations, 21 figures, 12 tables, 2 algorithms.

Table of Contents

  1. Introduction
  2. Preliminaries
  3. DNN Fingerprinting
  4. Commitments
  5. A Novel Fingerprinting Scheme
  6. Design Insight
  7. Scheme Overview
  8. Composite Deep Learning Model
  9. Fingerprints in Composite Models
  10. Threat Model
  11. A Motivating Example
  12. Workflow of Our Fingerprinting Scheme
  13. Security Requirements
  14. Concrete Methodologies of Generating and Embedding Strong Fingerprints
  15. Assumptions for Strong Fingerprints
  16. ...and 24 more sections

Key Result

Theorem 1

Let $\bar{D}$ be of super-polynomial size in $n$. Given the commitment scheme and the strong fingerprinting algorithm, the algorithms ($\mathbf{KeyGen}$, $\mathbf{FP}$, $\mathbf{Verify}$) in Fig. Concrete Construction of fingerprinting process form a privately verifiable fingerprinting scheme, which

Figures (21)

  • Figure 1: Fingerprinting different kinds of models.
  • Figure 1: Fingerprint visualization generated from AE-I for three attribute editing GANs with five edited attributes. (a) Clean sample $x$; (b) Verification sample $v$; (c) GAN output of clean sample $G(x)$; (d) GAN output of verification sample $G(v)$.
  • Figure 2: Training a composite deep learning model.
  • Figure 2: Fingerprint visualization generated from AE-D for three attribute editing GANs with five edited attributes. Because there are no verification samples for some attributes, we leave these columns blank.
  • Figure 3: Generating a fingerprinted composite model.
  • ...and 16 more figures

Theorems & Definitions (4)

  • Definition 1
  • Definition 2
  • Definition 3
  • Theorem 1