Invasive Fingerprinting

Invasive model fingerprinting techniques typically involve embedding information into the model's weights to construct fingerprint features. The purpose is to achieve model authentication and copyright protection. The general paradigm is to embed fingerprint information into the model and subsequently extract it from the model.

Weight Watermark As Fingerprint

Embedding watermark information into model weights is a widely used fingerprinting technique, where the watermark serves as a traceable model fingerprint. By adjusting parameters during the training phase, fingerprint information can be embedded into weights, biases, or other model parameters. By comparing the parameter fingerprints extracted from a suspicious model with those in the owner's model, the owner can verify the model's identity.

Backdoor Watermark As Fingerprint

In practical scenarios, the model parameters and network architectures in commercial services are usually kept secret, so the above methods of embedding fingerprints into model parameters and network layers are often not feasible. Therefore, the fingerprinting technique based on backdoor watermark is more suitable for black-box environments and is more widely used in practical applications. In this scenario, the backdoor watermark, as a verifiable model fingerprint, is referred to as a backdoor fingerprint. The backdoor fingerprint mainly constructs special backdoor datasets and implants them into the model, enabling the backdoored model to trigger predefined backdoor responses and extract fingerprint information when encountering backdoor triggers that meet the trigger conditions.