DeepTaster: Adversarial Perturbation-Based Fingerprinting to Identify Proprietary Dataset Use in Deep Neural Networks
Training deep neural networks (DNNs) requires large datasets and powerful computing resources, which has led some owners to restrict redistribution without permission. Watermarking techniques that embed confidential data into DNNs have been used to protect ownership, but these can degrade model performance and are vulnerable to watermark removal attacks. Recently, DeepJudge was introduced as an alternative approach to measuring the similarity between a suspect and a victim model. While DeepJudge shows promise in addressing the shortcomings of watermarking, it primarily addresses situations where the suspect model copies the victim’s architecture. In this study, we introduce DeepTaster, a novel DNN fingerprinting technique, to address scenarios where a victim’s data is unlawfully used to build a suspect model. DeepTaster can effectively identify such data theft attacks, even when the suspect model’s architecture deviates from the victim’s. To accomplish this, DeepTaster generates adversarial images with perturbations, transforms them into the Fourier frequency domain, and uses these transformed images to identify the dataset used in a suspect model. The underlying premise is that adversarial images can capture the unique characteristics of DNNs built with a specific dataset. To demonstrate the effectiveness of DeepTaster, we evaluated its detection accuracy on three datasets (CIFAR10, MNIST, and Tiny-ImageNet) across three model architectures (ResNet18, VGG16, and DenseNet161) under various attack scenarios, including transfer learning, pruning, fine-tuning, and data augmentation. In the Multi-Architecture Attack scenario, DeepTaster successfully identified all data theft attacks across all datasets. In contrast, DeepJudge was only able to detect the attack for Tiny-ImageNet, but failed to detect the attacks for the CIFAR10 and MNIST datasets.