International Joint Conference on Artificial Intelligence (IJCAI)
Weixing Liu1,2, Sheng-hua Zhong1∗
1College of Computer Science and Software Engineering, Shenzhen University
2National Engineering Laboratory for Big Data System Computing Technology, Shenzhen University
Abstract
Deep neural networks (DNNs) have become valuable assets due to their success in various tasks, but their high training costs also make them targets for model theft. Fingerprinting techniques are commonly used to verify model ownership, but existing methods either require training many additional models, leading to increased costs, or rely on GANs to generate fingerprints near decision boundaries, which may compromise image quality. To address these challenges, we propose a GAN-based fingerprint generation method that applies frequency-domain perturbations to normal samples, effectively creating fingerprints. This approach not only resists intellectual property (IP) threats, but also improves fingerprint acquisition efficiency while maintaining high imperceptibility. Extensive experiments demonstrate that our method achieves a state-of-the-art (SOTA) AUC of 0.98 on the Tiny-ImageNet dataset under IP removal attacks, outperforming existing methods by 8%, and consistently achieves the best ABP for three types of IP detection and erasure attacks on the GTSRB dataset.

Figure 1: Illustration of our framework. We first generate a misclassified set as the fingerprint set using a frequency-aware GAN. Then, we calculate the matching rate between the predicted labels of the source model M_D and the suspect model M_suspect. Any model with a matching rate greater than the threshold T will be considered a stolen model.
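
The verification step described in Figure 1, together with the AUC used to score it, as an added example that is not code from the paper or its authors. The function names, model names, labels and threshold T = 0.5 are constructed assumptions. The heavily pruned model shows how a derived model whose labels drift falls below T and lowers the AUC.

```python
def matching_rate(source_labels, suspect_labels):
    """Fraction of fingerprint samples where both models predict the same label."""
    if not source_labels or len(source_labels) != len(suspect_labels):
        raise ValueError("label lists must be non-empty and equally long")
    return sum(a == b for a, b in zip(source_labels, suspect_labels)) / len(source_labels)


def is_stolen(source_labels, suspect_labels, threshold):
    """Flag the suspect when its matching rate is greater than the threshold T."""
    return matching_rate(source_labels, suspect_labels) > threshold


def auc(stolen_rates, independent_rates):
    """Probability that a stolen model outscores an independent one (ties count 0.5)."""
    if not stolen_rates or not independent_rates:
        raise ValueError("need at least one score in each group")
    wins = sum(1.0 if s > i else 0.5 if s == i else 0.0
               for s in stolen_rates for i in independent_rates)
    return wins / (len(stolen_rates) * len(independent_rates))


# Constructed labels: the source model's predictions on 10 fingerprint samples.
SOURCE = [3, 7, 1, 4, 9, 0, 2, 8, 5, 6]
# Constructed predictions of models derived from the source (positives).
STOLEN = {
    "finetuned":    [3, 7, 1, 4, 9, 0, 2, 8, 5, 1],
    "pruned_light": [3, 7, 1, 4, 2, 0, 2, 8, 0, 6],
    "pruned_heavy": [3, 7, 1, 0, 0, 1, 0, 0, 0, 0],
}
# Constructed predictions of independently trained models (negatives).
INDEPENDENT = {
    "indep_a": [3, 2, 1, 5, 6, 0, 7, 1, 4, 9],
    "indep_b": [1, 7, 0, 2, 3, 5, 8, 8, 9, 4],
}
T = 0.5  # assumed threshold, not a value from the paper


def evaluate():
    """Return per-model verdicts and the AUC over the constructed model pool."""
    verdicts = {name: is_stolen(SOURCE, labels, T)
                for name, labels in {**STOLEN, **INDEPENDENT}.items()}
    pos = [matching_rate(SOURCE, labels) for labels in STOLEN.values()]
    neg = [matching_rate(SOURCE, labels) for labels in INDEPENDENT.values()]
    return verdicts, auc(pos, neg)


if __name__ == "__main__":
    print(evaluate())
```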

Figure 2: The AUC of different IP protection methods when facing six IP removal attacks on three datasets. (BOLD IS THE BEST)

Figure 3-1: CIFAR-10

Figure 3-2: GTSRB

Figure 3-3: Tiny-ImageNet
Figure 3: Detailed comparison of AUC values for different model protection methods against weight pruning attacks with pruning rates in the range [0.01, 0.99] on three datasets.

Figure 4: Evaluation of different model protection methods before (Normal) and after three types of IP detection and erasure attacks (Query Modification, Input Smoothing, and Feature Squeeze). The value at each vertex of the polygon represents the AUC of the model IP protection method against six types of IP removal attacks on three datasets. We compare the performance of different methods based on ABP. (RED IS THE BEST)
Acknowledgement
This research was funded by the National Natural Science Foundation of China (62472291), Guangdong Basic and Applied Basic Research Foundation (2025A1515012154, 2023A1515012685, 2023A1515011296), Open Fund of National Engineering Laboratory for Big Data System Computing Technology (Grant No. SZU-BDSC-OF2024-14).
Bibtex
@inproceedings{Liu2025MisclassificationdrivenFF,
title={Misclassification-driven Fingerprinting for DNNs Using Frequency-aware GANs},
author={Weixing Liu and Shenghua Zhong},
booktitle={International Joint Conference on Artificial Intelligence},
year={2025},
url={https://api.semanticscholar.org/CorpusID:281490518}
}