In Machine Learning as a Service, a provider trains a deep neural network and
gives many users access. The hosted (source) model is susceptible to model
stealing attacks, where an adversary derives a surrogate model from API access
to the source model. For post hoc detection of such attacks, the provider needs
a robust method to determine whether a suspect model is a surrogate of their
model. We propose a fingerprinting method for deep neural network classifiers
that extracts a set of inputs from the source model so that only surrogates
agree with the source model on the classification of such inputs. These inputs
are a subclass of transferable adversarial examples which we call conferrable
adversarial examples that exclusively transfer with a target label from a
source model to its surrogates. We propose a new method to generate these
conferrable adversarial examples. We present an extensive study on the
irremovability of our fingerprint against fine-tuning, weight pruning,
retraining, retraining with different architectures, three model extraction
attacks from related work, transfer learning, adversarial training, and two new
adaptive attacks. Our fingerprint is robust against distillation, related model
extraction attacks, and even transfer learning when the attacker has no access
to the model provider's dataset. Our fingerprint is the first method that
reaches a ROC AUC of 1.0 in verifying surrogates, compared to a ROC AUC of 0.63
by previous fingerprints.

我们提出了一种基于指纹的深度神经网络分类器方法，用于检测机器学习服务中的模型盗窃攻击，该方法提取一组从源模型中提供的输入，只有代理模型能够在这些输入上与源模型一致地进行分类。