Ownership Infringement Detection for Generative Adversarial Networks Against Model Stealing

Fingerprints; generative adversarial networks (GANs); model confidentiality; ownership detection; watermarks; Adversarial networks; Model confidentiality; Model extraction; Artificial Intelligence

Abstract :

[en] Generative adversarial networks (GANs) have shown remarkable success in image synthesis, making GAN models themselves commercially valuable to legitimate model owners. Therefore, it is critical to technically protect the intellectual property of GANs. Prior works need to tamper with the training set or training process to verify the ownership of a GAN. In this article, we show that these methods are not robust to emerging model extraction attacks. Then, we propose a new method GAN-Guards which utilizes the common characteristics of a target model and its stolen models for ownership infringement detection. Our method can be directly applicable to all well-trained GANs as it does not require retraining target models. Extensive experimental results show that our new method achieves superior detection performance, compared with the watermark-based and fingerprint-based methods. Finally, we demonstrate the effectiveness of our method with respect to the number of generations of model extraction attacks, the number of generated samples, and adaptive attacks.

Disciplines :

Computer science

Author, co-author :

Hu, Hailong ; University of Luxembourg, Interdisciplinary Centre for Security, Reliability and Trust, Esch-sur-Alzette, Luxembourg ; Chongqing Technology and Business University, National Research Base of Intelligent Manufacturing Service, Chongqing, China

PANG, Jun ; University of Luxembourg > Faculty of Science, Technology and Medicine (FSTM) > Department of Computer Science (DCS)

External co-authors :

yes

Language :

English

Title :

Ownership Infringement Detection for Generative Adversarial Networks Against Model Stealing

Publication date :

November 2025

Journal title :

IEEE Transactions on Artificial Intelligence

ISSN :

2691-4581

eISSN :

2691-4581

Publisher :

Institute of Electrical and Electronics Engineers Inc.

Volume :

Issue :

Pages :

3018 - 3029

Peer reviewed :

Peer reviewed

Additional URL :

http://xplorestaging.ieee.org/ielx8/9078688/11224646/10966017.pdf?arnumber=10966017

Funders :

Luxembourg National Research Fund

Funding text :

Received 17 January 2025; revised 24 March 2025; accepted 10 April 2025. Date of publication 16 April 2025; date of current version 31 October 2025. This work was supported by Luxembourg National Research Fund (FNR) under Grant 13550291. This article was recommended for publication by Associate Editor Pablo Estevez upon evaluation of the reviewers\u2019 comments. (Corresponding author: Hailong Hu.) Hailong Hu was with the Interdisciplinary Centre for Security, Reliability and Trust, University of Luxembourg, 4365 Esch-sur-Alzette, Luxembourg. He is now with the National Research Base of Intelligent Manufacturing Service, Chongqing Technology and Business University, Chongqing 400067, China (e-mail: huhailong@ctbu.edu.cn.Jun).

Available on ORBilu :

since 06 January 2026

Statistics

Number of views

16 (1 by Unilu)

Number of downloads

0 (0 by Unilu)

More statistics

Scopus citations^®

Scopus citations^®
without self-citations

OpenCitations

OpenAlex citations

Bibliography

T. Brown et al., “Language models are few-shot learners,” in Proc. Annu. Conf. Neural Inf. Process. Syst. (NeurIPS), vol. 33, Red Hook, NY, USA: Curran Associates, 2020, pp. 1877–1901.
R. Rombach, A. Blattmann, D. Lorenz, P. Esser, and B. Ommer, “High-resolution image synthesis with latent diffusion models,” in Proc. IEEE/CVF Conf. Comput. Vis. Pattern Recognit. (CVPR), Piscataway, NJ, USA: IEEE Press, 2022, pp. 10684–10695.
I. Goodfellow et al., “Generative adversarial nets,” in Proc. Annu. Conf. Neural Inf. Process. Syst. (NeurIPS), Cambridge, MA, USA: Curran Associates, Inc., 2014, pp. 2672–2680.
A. Sauer, K. Schwarz, and A. Geiger, “Stylegan-xl: Scaling Stylegan to large diverse datasets,” in Proc. ACM SIGGRAPH Conf. (SIGGRAPH), New York, NY, USA: ACM, 2022, pp. 1–10.
Y. Shen and B. Zhou, “Closed-form factorization of latent semantics in GANs,” in Proc. IEEE/CVF Conf. Comput. Vis. Pattern Recognit. (CVPR), Piscataway, NJ, USA: IEEE Press, 2021, pp. 1532–1540.
W. Xia, Y. Zhang, Y. Yang, J.-H. Xue, B. Zhou, and M.-H. Yang, “Gan inversion: A survey,” IEEE Trans. Pattern Anal. Mach. Intell., vol. 45, no. 3, pp. 3121–3138, Mar. 2023.
E. E. Schultz, “A framework for understanding and predicting insider attacks,” Comput. & Secur., vol. 21, no. 6, pp. 526–531, 2002.
H. Hu and J. Pang, “Stealing machine learning models: Attacks and countermeasures for generative adversarial networks,” in Proc. Annu. Comput. Secur. Appl. Conf. (ACSAC), New York, NY, USA: ACM, 2021, pp. 1–16.
D. S. Ong, C. S. Chan, K. W. Ng, L. Fan, and Q. Yang, “Protecting intellectual property of generative adversarial networks from ambiguity attacks,” in Proc. IEEE/CVF Conf. Comput. Vis. Pattern Recognit. (CVPR), Piscataway, NJ, USA: IEEE Press, 2021, pp. 3630–3639.
J. Fei, Z. Xia, B. Tondi, and M. Barni, “Supervised GAN watermarking for intellectual property protection,” in Proc. IEEE Int. Workshop Inform. Forensics Secur. (WIFS), Piscataway, NJ, USA: IEEE Press, 2022, pp. 1–6.
T. Qiao et al., “A novel model watermarking for protecting generative adversarial network,” Comput. & Secur., vol. 127, 2023, Art. no. 103102.
N. Yu, V. Skripniuk, S. Abdelnabi, and M. Fritz, “Artificial fingerprinting for generative models: Rooting deepfake attribution in training data,” in Proc. IEEE Int. Conf. Comput. Vis. (ICCV), Piscataway, NJ, USA: IEEE Press, 2021, pp. 14448–14457.
F. Marra, D. Gragnaniello, L. Verdoliva, and G. Poggi, “Do GANs leave artificial fingerprints?” in Proc. IEEE Conf. Multimedia Inform. Process. Retrieval (MIPR), Piscataway, NJ, USA: IEEE Press, 2019, pp. 506–511.
T. Karras, T. Aila, S. Laine, and J. Lehtinen, “Progressive growing of GANs for quality, stability, and variation,” in Proc. Int. Conf. Learn. Representations (ICLR), 2018.
T. Karras, S. Laine, and T. Aila, “A style-based generator architecture for generative adversarial networks,” in Proc. IEEE/CVF Conf. Comput. Vis. Pattern Recognit. (CVPR), Piscataway, NJ, USA: IEEE Press, 2019, pp. 4401–4410.
T. Salimans, I. Goodfellow, W. Zaremba, V. Cheung, A. Radford, and X. Chen, “Improved techniques for training GANs,” in Proc. Annu. Conf. Neural Inf. Process. Syst. (NeurIPS), Red Hook, NY, USA: Curran Associates, Inc., 2016, pp. 2234–2242.
I. Gulrajani, F. Ahmed, M. Arjovsky, V. Dumoulin, and A. C. Courville, “Improved training of Wasserstein GANs,” in Proc. Annu. Conf. Neural Inform. Process. Syst. (NeurIPS), Red Hook, NY, USA: Curran Associates, Inc, 2017, pp. 5769–5779.
T. Miyato, T. Kataoka, M. Koyama, and Y. Yoshida, “Spectral normalization for generative adversarial networks,” in Proc. Int. Conf. Learn. Representations (ICLR), 2018.
T. Karras, S. Laine, M. Aittala, J. Hellsten, J. Lehtinen, and T. Aila, “Analyzing and improving the image quality of StyleGAN,” in Proc. IEEE/CVF Conf. Comput. Vis. Pattern Recognit. (CVPR), Piscataway, NJ, USA: IEEE Press, 2020, pp. 8107–8116.
H. Zhang, I. J. Goodfellow, D. N. Metaxas, and A. Odena, “Self-attention generative adversarial networks,” in Proc. Int. Conf. Mach. Learn. (ICML), PMLR, 2019, pp. 7354–7363.
M. Xue, Y. Zhang, J. Wang, and W. Liu, “Intellectual property protection for deep learning models: Taxonomy, methods, attacks, and evaluations,” IEEE Trans. Artif. Intell., vol. 3, no. 6, pp. 908–923, Dec. 2022.
Y. Uchida, Y. Nagai, S. Sakazawa, and S. Satoh, “Embedding watermarks into deep neural networks,” in Proc. ACM Int. Conf. Multimedia Retrieval (ICMR), New York, NY, USA: ACM, 2017, pp. 269–277.
Y. Adi, C. Baum, M. Cisse, B. Pinkas, and J. Keshet, “Turning your weakness into a strength: Watermarking deep neural networks by backdooring,” in Proc. USENIX Secur. Symp. (USENIX Secur.). USENIX Assoc., 2018, pp. 1615–1631.
P. Maini, M. Yaghini, and N. Papernot, “Dataset inference: Ownership resolution in machine learning,” in Proc. Int. Conf. Learn. Representations (ICLR), 2020, pp. 1–12.
J. Chen et al., “Copy, right? A testing framework for copyright protection of deep learning models,” in Proc. IEEE Symp. Secur. Privacy (S&P), Piscataway, NJ, USA: IEEE Press, 2022, pp. 1013–1030.
H. Nie, S. Lu, J. Wu, and J. Zhu, “Deep model intellectual property protection with compression-resistant model watermarking,” IEEE Trans. Artif. Intell., vol. 5, no. 7, pp. 3362–3373, Jul. 2024.
M. Xue et al., “An explainable intellectual property protection method for deep neural networks based on intrinsic features,” IEEE Trans. Artif. Intell., vol. 5, no. 9, pp. 4649–4659, Sep. 2024.
H. Nie and S. Lu, “Fedcrmw: Federated model ownership verification with compression-resistant model watermarking,” Expert Syst. Appl., vol. 249, 2024, Art. no. 123776.
H. Nie and S. Lu, “Persistverify: Federated model ownership verification with spatial attention and boundary sampling,” Knowl.-Based Syst., vol. 293, 2024, Art. no. 111675.
H. Nie and S. Lu, “Securing IP in edge AI: Neural network watermarking for multimodal models,” Appl. Intell., vol. 54, no. 21, pp. 10455–10472, 2024.
Z. Huang et al., “What can discriminator do? Towards box-free ownership verification of generative adversarial networks,” in Proc. IEEE Int. Conf. Comput. Vis. (ICCV), Piscataway, NJ, USA: IEEE Press, 2023, pp. 5009–5019.
N. Yu, V. Skripniuk, D. Chen, L. S. Davis, and M. Fritz, “Responsible disclosure of generative models using scalable fingerprinting,” in Proc. Int. Conf. Learn. Representations (ICLR), 2022, pp. 1–13.
N. Yu, L. S. Davis, and M. Fritz, “Attributing fake images to GANs: Learning and analyzing GAN fingerprints,” in Proc. IEEE Int. Conf. Comput. Vis. (ICCV), Piscataway, NJ, USA: IEEE Press, 2019, pp. 7556–7566.
Y. Ding, N. Thakur, and B. Li, “Does a GAN leave distinct model-specific fingerprints,” in Proc. BMVC, 2021.
F. Tramèr, F. Zhang, A. Juels, M. K. Reiter, and T. Ristenpart, “Stealing machine learning models via prediction APIs,” in Proc. USENIX Secur. Symp. (USENIX Secur.), Berkeley, CA, USA: USENIX Assoc., 2016, pp. 601–618.
Y. Bahri, J. Kadmon, J. Pennington, S. S. Schoenholz, J. Sohl-Dickstein, and S. Ganguli, “Statistical mechanics of deep learning,” Annu. Rev. Condens. Matter Phys., vol. 11, no. 1, pp. 501–528, 2020.
K. He, X. Zhang, S. Ren, and J. Sun, “Deep residual learning for image recognition,” in Proc. of IEEE/CVF Conf. Comput. Vis. Pattern Recognit. (CVPR), Piscataway, NJ, USA: IEEE Press, 2016, pp. 770–778.
F. Yu, A. Seff, Y. Zhang, S. Song, T. Funkhouser, and J. Xiao, “LSUN: Construction of a large-scale image dataset using deep learning with humans in the loop,” 2015, arXiv:1506.03365.
Z. Liu, P. Luo, X. Wang, and X. Tang, “Deep learning face attributes in the wild,” in Proc. IEEE Int. Conf. Comput. Vis. (ICCV), Piscataway, NJ, USA: IEEE Press, 2015, pp. 3730–3738.
M. Heusel, H. Ramsauer, T. Unterthiner, B. Nessler, and S. Hochreiter, “GANs trained by a two time-scale update rule converge to a local Nash equilibrium,” in Proc. Annu. Conf. Neural Inf. Process. Syst. (NeurIPS), Red Hook, NY, USA: Curran Associates, Inc., 2017, pp. 6626–6637.
Z. Wang, A. C. Bovik, H. R. Sheikh, and E. P. Simoncelli, “Image quality assessment: From error visibility to structural similarity,” IEEE Trans. Image Process., vol. 13, no. 4, pp. 600–612, Apr. 2004.
O. Russakovsky et al., “Imagenet large scale visual recognition challenge,” Int. J. Comput. Vis., vol. 115, no. 3, pp. 211–252, 2015.
R. M. French, “Catastrophic forgetting in connectionist networks,” Trends Cogn. Sci., vol. 3, no. 4, pp. 128–135, 1999.
I. Goodfellow, M. Mirza, D. Xiao, A. Courville, and Y. Bengio, “An empirical investigation of catastrophic forgetting in gradient-based neural networks,” 2013, arXiv:1312.6211.
F. Pedregosa et al., “Scikit-learn: Machine learning in Python,” J. Mach. Learn. Res., vol. 12, pp. 2825–2830, 2011.