
Sample Correlation for Fingerprinting Deep Face Recognition

Jiyang Guan, Jian Liang, Yanbo Wang, Ran He

TL;DR

This work tackles model stealing threats in deep face recognition by introducing SAC, a correlation-based fingerprinting method that shifts focus from point-wise outputs to pairwise output relationships. SAC-JC employs JPEG-based data augmentation to magnify model-specific correlations and uses FRI to enable fingerprinting in face verification tasks where labels are unavailable. Empirical results show SAC-JC achieves superior AUC and p-values across face recognition and object classification benchmarks, while delivering orders of magnitude faster fingerprinting than prior methods and avoiding surrogate model training. The approach provides a practical IP-protection tool that remains robust under adversarial training, transfer learning, and various model architectures, with broad applicability to real-world deployment.

Abstract

Face recognition has witnessed remarkable advancements in recent years, thanks to the development of deep learning techniques. However, an off-the-shelf face recognition model as a commercial service could be stolen by model stealing attacks, posing great threats to the rights of the model owner. Model fingerprinting, as a model stealing detection method, aims to verify whether a suspect model is stolen from the victim model, gaining more and more attention nowadays. Previous methods always utilize transferable adversarial examples as the model fingerprint, but this method is known to be sensitive to adversarial defense and transfer learning techniques. To address this issue, we consider the pairwise relationship between samples instead and propose a novel yet simple model stealing detection method based on SAmple Correlation (SAC). Specifically, we present SAC-JC that selects JPEG compressed samples as model inputs and calculates the correlation matrix among their model outputs. Extensive results validate that SAC successfully defends against various model stealing attacks in deep face recognition, encompassing face verification and face emotion recognition, exhibiting the highest performance in terms of AUC, p-value and F1 score. Furthermore, we extend our evaluation of SAC-JC to object recognition datasets including Tiny-ImageNet and CIFAR10, which also demonstrates the superior performance of SAC-JC to previous methods. The code will be available at https://github.com/guanjiyang/SAC_JC.
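The correlation comparison described in the abstract, sketched as an added example (not the authors' released code): it builds the pairwise correlation matrix of each model's outputs on a shared probe set and scores a suspect by how far its matrix is from the victim's. Assumptions: cosine similarity as the correlation measure and mean absolute difference as the distance; toy linear classifiers and random vectors stand in for face models and JPEG-compressed inputs; the 0.1 threshold is constructed for this toy data.

```python
import math
import random

def softmax(z):
    m = max(z)
    e = [math.exp(v - m) for v in z]
    s = sum(e)
    return [v / s for v in e]

def predict(weights, x):
    # Toy linear classifier standing in for a deep model: softmax(W x).
    return softmax([sum(w * xi for w, xi in zip(row, x)) for row in weights])

def cosine(a, b):
    dot = sum(p * q for p, q in zip(a, b))
    return dot / (math.sqrt(sum(p * p for p in a)) * math.sqrt(sum(q * q for q in b)))

def correlation_matrix(weights, samples):
    # Pairwise relationship between outputs, not the point-wise outputs themselves.
    outs = [predict(weights, x) for x in samples]
    return [[cosine(a, b) for b in outs] for a in outs]

def correlation_distance(w_victim, w_suspect, samples):
    # Mean absolute difference between the two correlation matrices (assumed metric).
    cv = correlation_matrix(w_victim, samples)
    cs = correlation_matrix(w_suspect, samples)
    n = len(samples)
    return sum(abs(cv[i][j] - cs[i][j]) for i in range(n) for j in range(n)) / (n * n)

def demo(seed=0, n_samples=20, dim=8, classes=5):
    rng = random.Random(seed)
    # Constructed probe set; in SAC-JC these would be JPEG-compressed images.
    samples = [[rng.gauss(0, 1) for _ in range(dim)] for _ in range(n_samples)]
    victim = [[rng.gauss(0, 1) for _ in range(dim)] for _ in range(classes)]
    # "Stolen" model: victim weights with small drift, as after light fine-tuning.
    stolen = [[w + rng.gauss(0, 0.02) for w in row] for row in victim]
    # Independently trained model: unrelated weights.
    independent = [[rng.gauss(0, 1) for _ in range(dim)] for _ in range(classes)]
    return (correlation_distance(victim, stolen, samples),
            correlation_distance(victim, independent, samples))

THRESHOLD = 0.1  # constructed decision threshold for this toy data only

if __name__ == "__main__":
    d_stolen, d_indep = demo()
    print(f"stolen: {d_stolen:.4f} flagged={d_stolen < THRESHOLD}")
    print(f"independent: {d_indep:.4f} flagged={d_indep < THRESHOLD}")
```

Only black-box outputs of the suspect model are needed, and no surrogate models are trained to obtain the score.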

Paper Structure (27 sections, 6 equations, 5 figures, 11 tables, 1 algorithm)

This paper contains 27 sections, 6 equations, 5 figures, 11 tables, 1 algorithm.

Figures (5)

  • Figure 1: Framework of SAC-JC. We first generate JPEG compressed samples as model inputs, represented by the colored balls. For the face verification model, we leverage FRI to calculate the inputs' model-specific features from the reference-target pairs. Then we calculate the correlation difference and any suspect model with a similar correlation will be recognized as a stolen model.
  • Figure 2: Different image corruption methods for SAC. The results are demonstrated in terms of the average AUC across different kinds of model stealing attacks.
  • Figure 3: Images used for model fingerprinting in KDEF.
  • Figure 4: Performance change of SAC-JC with different data amounts.
  • Figure 5: Average F1 score of SAC-JC on different source model architectures with different thresholds calculated from other source model architectures.