Abstract:Generative Adversarial Networks (GANs) have been widely used in various application scenarios. Since the production of a commercial GAN requires substantial computational and human resources, the copyright protection of GANs is urgently needed. This paper presents a novel fingerprinting scheme for the Intellectual Property (IP) protection of image-to-image GANs based on a trusted third party. We break through the stealthiness and robustness bottlenecks suffered by previous fingerprinting methods for classification models being naively transferred to GANs. Specifically, we innovatively construct a composite deep learning model from the target GAN and a classifier. Then we generate fingerprint samples from this composite model, and embed them in the classifier for effective ownership verification. This scheme inspires some concrete methodologies to practically protect the modern image-to-image translation GANs. Theoretical analysis proves that these methods can satisfy different security requirements necessary for IP protection. We also conduct extensive experiments to show that our solutions outperform existing strategies.

What problem does this paper attempt to address?

### What problem does this paper attempt to solve? This paper aims to solve the intellectual property (IP) protection problem of image - to - image (I2I) generative adversarial networks (GANs). Specifically, the authors propose a new fingerprinting scheme to prevent unauthorized GAN model copying, misuse or redistribution. #### Background and problem description 1. **Importance of GAN models**: - Modern I2I GAN models are becoming more and more complex when dealing with complex tasks and datasets. For example, CycleGAN and StyleGAN require a large amount of computing resources and expertise for training. - These models are of great value in many commercial applications, such as the image/video filter functions in TikTok, Prisma and Photoleap. 2. **Limitations of existing IP protection methods**: - **Watermarking**: Embed watermarks into the model through parameter regularization or backdoor data poisoning, but these methods may affect the model performance. - **Fingerprinting**: Verify model ownership by generating unique sample - label pairs without modifying the target model, so it can better preserve the model performance. However, directly applying the fingerprinting technology of classification models to GANs has the following problems: - **Persistency**: The images generated by GANs are more sensitive to changes in the model or input - output, and are easily tampered with. - **Stealthiness**: The unique images generated by GANs may be abnormal, and are easily detected and manipulate the verification results. #### Proposed solutions To overcome the above problems, the authors propose a new fingerprinting scheme based on a trusted third party, especially for I2I GAN models. The key innovation points include: 1. **Composite deep - learning model**: - Combine the target GAN model with a classifier into a composite model, making the input and output of fingerprint samples visually indistinguishable from the normal situation. - The classifier is used to identify the output from the target model and assign a unique label to it, thus achieving effective ownership verification. 2. **Specific fingerprint design**: - **CFP - AE**: Generate a set of fingerprint samples, making the output of the target model an adversarial sample of the classifier, so that it gives a specific label with a higher probability. - **CFP - iBDv1 and CFP - iBDv2**: Design the response of the target model to fingerprint samples as invisible backdoor samples, activate the backdoor in the classifier to generate a unique label. 3. **Security and robustness evaluation**: - Prove through theoretical analysis that this scheme meets four important security requirements: function preservation, non - removability, non - rewritability. - Experimental results show that this method exhibits high versatility and robustness in major I2I tasks such as attribute editing, domain transformation and super - resolution. In conclusion, this paper solves the deficiencies of existing methods in I2I GAN model IP protection by introducing a new fingerprinting scheme, providing a more effective, more concealed and more robust solution.

Fingerprinting Image-to-Image Generative Adversarial Networks

No One Can Escape: A General Approach to Detect Tampered and Generated Image

GanFinger: GAN-Based Fingerprint Generation for Deep Neural Network Ownership Verification

Learning to Disentangle GAN Fingerprint for Fake Image Attribution

Robust Retraining-free GAN Fingerprinting via Personalized Normalization

Attributing Fake Images to GANs: Learning and Analyzing GAN Fingerprints

NaturalFinger: Generating Natural Fingerprint with Generative Adversarial Networks

Protecting Intellectual Property of Generative Adversarial Networks from Ambiguity Attack

A Novel Model Watermarking for Protecting Generative Adversarial Network

Ownership Protection of Generative Adversarial Networks

Copyright Protection and Accountability of Generative AI:Attack, Watermarking and Attribution

Attributing Image Generative Models using Latent Fingerprints

Misleading Deep-Fake Detection with GAN Fingerprints

Protect-Your-IP: Scalable Source-Tracing and Attribution Against Personalized Generation

RFDforFin: Robust Deep Forgery Detection for GAN-generated Fingerprint Images

ExS-GAN: Synthesizing Anti-Forensics Images via Extra Supervised GAN

Enhancing Fingerprint Image Synthesis with GANs, Diffusion Models, and Style Transfer Techniques

Learning Robust Representations Of Generative Models Using Set-Based Artificial Fingerprints

General GAN-generated image detection by data augmentation in fingerprint domain

Privacy preservation for image data: A GAN‐based method

Protecting the Intellectual Properties of Deep Neural Networks with an Additional Class and Steganographic Images