Sample Correlation for Fingerprinting Deep Face Recognition

Report on Academic Paper: “Sample Correlation for Fingerprinting Deep Face Recognition”

Background and Research Problem

In recent years, the rapid advancements in deep learning technologies have significantly propelled the development of face recognition. However, commercial face recognition models face increasing intellectual property (IP) threats due to model stealing attacks. These attacks allow adversaries to replicate functionally equivalent models with either black-box or white-box access to the original models, bypassing the model owner’s detection. This not only infringes on the model owner’s IP but also poses risks to commercial interests and privacy.

To address these challenges, model fingerprinting has emerged as a critical tool for detecting theft. Traditional methods rely on transferable adversarial examples to generate model fingerprints, yet they exhibit vulnerabilities when encountering adversarial training or transfer learning. To overcome these limitations, this study introduces a novel Sample Correlation (SAC)-based model fingerprinting method, aiming to improve robustness and efficiency in detecting model theft.

Research Source

The research was conducted collaboratively by scholars from the Institute of Automation at the Chinese Academy of Sciences and the School of Artificial Intelligence at the University of Chinese Academy of Sciences. Authors include Jiyang Guan, Jian Liang, Yanbo Wang, and Ran He. The paper is published in the International Journal of Computer Vision by Springer.

Research Methodology

Framework Overview

The proposed SAC method focuses on pairwise correlation between sample outputs instead of single-point output differences, capturing subtler relational features between the source and suspect models. Specifically, the study introduces the JPEG Compression Enhanced Sample (SAC-JC) method, which amplifies differences between models using data augmentation. To address the challenge of unavailable label outputs in face verification tasks, the study proposes the Feature from Reference Images (FRI) generation method.

Experimental Design

  1. Data Processing and Augmentation
    JPEG compression is applied to input samples to reduce shared knowledge influence and amplify output differences between models.

  2. Correlation Matrix Computation
    Pairwise correlations between sample outputs are computed using cosine similarity or Gaussian kernel functions to generate model-specific correlation matrices.

  3. Fingerprinting Metric
    The L1 distance between correlation matrices of the source and suspect models is used as a fingerprinting indicator.

  4. FRI for Face Verification
    For face verification, where label outputs are unavailable, the FRI method generates specific features from reference images to calculate correlations.
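The correlation-matrix and L1-distance steps above, as an added illustrative example that is not code from the paper or its authors: toy linear models stand in for the source, a fine-tuned ("stolen") copy and an unrelated model, the JPEG augmentation step is omitted, and the sample inputs are constructed at random, so only the fingerprinting arithmetic is the paper's.

```python
import math
import random

def cosine_correlation_matrix(outputs):
    """Pairwise cosine similarity between the output vectors of every sample pair."""
    n = len(outputs)
    norms = [math.sqrt(sum(x * x for x in o)) or 1.0 for o in outputs]
    return [[sum(a * b for a, b in zip(outputs[i], outputs[j])) / (norms[i] * norms[j])
             for j in range(n)] for i in range(n)]

def gaussian_correlation_matrix(outputs, sigma=1.0):
    """Alternative kernel: Gaussian similarity exp(-||o_i - o_j||^2 / (2 sigma^2))."""
    n = len(outputs)
    sq = lambda a, b: sum((x - y) ** 2 for x, y in zip(a, b))
    return [[math.exp(-sq(outputs[i], outputs[j]) / (2 * sigma * sigma))
             for j in range(n)] for i in range(n)]

def fingerprint_distance(m_source, m_suspect):
    """SAC indicator: mean L1 distance between two correlation matrices."""
    n = len(m_source)
    return sum(abs(m_source[i][j] - m_suspect[i][j])
               for i in range(n) for j in range(n)) / (n * n)

# --- constructed toy models (assumption, not the paper's networks): linear maps ---
def linear_model(weights):
    return lambda x: [sum(w * xi for w, xi in zip(row, x)) for row in weights]

def random_weights(rng, out_dim, in_dim, scale=1.0):
    return [[rng.gauss(0, scale) for _ in range(in_dim)] for _ in range(out_dim)]

def demo(n_samples=16, in_dim=8, out_dim=4, seed=0):
    """Return SAC distances from the source to a perturbed copy and to an unrelated model."""
    rng = random.Random(seed)
    w_src = random_weights(rng, out_dim, in_dim)
    w_stolen = [[w + rng.gauss(0, 0.05) for w in row] for row in w_src]  # fine-tuned copy
    w_indep = random_weights(rng, out_dim, in_dim)                        # unrelated model
    # constructed sample inputs; the paper would use JPEG-compressed images here
    samples = [[rng.gauss(0, 1) for _ in range(in_dim)] for _ in range(n_samples)]
    corr = lambda w: cosine_correlation_matrix([linear_model(w)(x) for x in samples])
    m_src = corr(w_src)
    return {"stolen": fingerprint_distance(m_src, corr(w_stolen)),
            "independent": fingerprint_distance(m_src, corr(w_indep))}

if __name__ == "__main__":
    print(demo())  # the stolen copy sits much closer to the source than the independent model
```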

Experimental Setup

The study evaluates SAC-JC across multiple datasets and tasks, including:
  • Face verification
  • Face emotion recognition
  • Object classification with CIFAR-10 and Tiny-ImageNet

Five types of model stealing attacks are tested:
  • Fine-tuning (full-layer and last-layer)
  • Pruning
  • Model extraction (label-based and probability-based)
  • Adversarial training
  • Transfer learning

Research Results

Experimental Data

The results demonstrate the efficacy of SAC-JC:
  • Achieves an average AUC of 0.97 for face emotion recognition tasks.
  • Reaches an AUC of 0.98 in face verification tasks through the combination of JPEG-compressed samples and FRI.

Comparative Analysis

Compared to traditional methods such as IPGuard and CAE, SAC-JC shows higher robustness, particularly against adversarial training and transfer learning:
  • Outperforms in terms of AUC, p-values, and F1 scores across various model architectures (e.g., VGG, ResNet, MobileNet).
  • Reduces computation time by approximately 34,393 times compared to CAE.

Advantages of SAC-JC

  • Efficiency: Eliminates the need for adversarial sample generation or surrogate model training, significantly reducing computational overhead.
  • Broad Applicability: Effective across multiple tasks, including classification and verification.
  • High Robustness: Successfully counters diverse model stealing attacks, especially adversarial training and transfer learning scenarios.

Significance of the Research

This study is the first to highlight the threats of model stealing in deep face recognition and propose an innovative protection method. By introducing sample correlation and JPEG compression enhancement, SAC-JC offers a new perspective on model fingerprinting, improving detection accuracy and efficiency significantly.

From an application standpoint, SAC-JC not only holds academic significance but also provides practical solutions for protecting IP in commercial models. Given the rising demand for AI model IP protection, SAC-JC sets a new benchmark for the industry.

Future Directions

Further exploration could focus on applying SAC-JC to other domains, such as speech recognition or natural language processing. Additionally, integrating other data augmentation techniques could optimize fingerprinting for more complex attack scenarios.