Fingerprinting Deep Neural Networks for Ownership Protection: An Analytical Approach

The paper proposes AnaFP, an analytical fingerprinting scheme that theoretically determines fingerprint-to-boundary distance through a tunable stretch factor. It resides in the 'DeepFool and Classification Boundary Fingerprinting' leaf, which contains four papers total, including the original work. This leaf sits within the broader 'Adversarial Perturbation-Based Fingerprinting' branch, indicating a moderately populated research direction focused on leveraging decision boundaries for ownership verification. The taxonomy shows this is an active but not overcrowded subfield, with sibling approaches exploring universal perturbations and adversarial trajectories in parallel.

The paper's leaf neighbors include 'Universal Adversarial Perturbation Fingerprinting' and 'Adversarial Trajectory Fingerprinting', both exploring alternative adversarial strategies for model characterization. The broader 'Fingerprinting-Based Ownership Verification' branch contrasts with 'Watermarking-Based' methods that modify training, highlighting AnaFP's non-invasive positioning. Related work in 'Membership Inference' and 'Meta-Training' fingerprinting diverges by exploiting privacy leakage or inner decision areas rather than boundary geometry. The taxonomy structure suggests AnaFP bridges theoretical analysis with practical boundary-based fingerprinting, occupying a niche between purely empirical methods and domain-agnostic frameworks.

Among twenty-three candidates examined, none clearly refute the three core contributions. The analytical distance-control framework examined ten candidates with zero refutations, suggesting limited prior work on theoretical boundary-distance guidance. The mathematical formalization of robustness-uniqueness bounds reviewed seven candidates without overlap, indicating novelty in constraint derivation. The practical generation scheme using surrogate pools assessed six candidates, also finding no direct precedents. These statistics reflect a focused search scope rather than exhaustive coverage, but within this limited examination, the theoretical framing of fingerprint placement appears distinctive compared to existing empirical heuristics in sibling papers.

Based on top-twenty-three semantic matches, the work appears to introduce theoretical rigor to a subfield previously dominated by empirical tuning. The absence of refutations across contributions suggests the analytical approach to boundary-distance control is underexplored in examined literature. However, the limited search scope means potential overlaps in broader adversarial fingerprinting research or recent preprints may exist beyond this analysis. The taxonomy context confirms the paper targets a specific gap—theoretical foundations for boundary-based fingerprinting—within an active but not saturated research area.