Rethinking the Fragility and Robustness of Fingerprints of Deep Neural Networks

摘要

Fingerprints characterize deep neural networks that are deployed as black-boxes. To achieve copyright tracing and integrity verification, fingerprints are categorized into robust fingerprints and fragile fingerprints. Despite of their distinct motivations, we show that both kinds of neural network fingerprints can be evaluated under a modification-scalable framework, which gives rise to a duality between their key metrics. These observations lead to a simultaneous scheme that reduces the cost of netural network intellectual property protection, with a controllable false negative rate. We implemented eleven representative families of modifications to evaluate fingerprints regarding both fragility and robustness, and verified the advantage of the simultaneous solution. Codes for reproducibility are available at https://github.com/solour-lfq/Fragile-and-Robust-Curves-of-DNN-Fingerprint.