Rotation, Scale, and Translation Resilient Black-box Fingerprinting for Intellectual Property Protection of EaaS Models
Hongjie Zhang 1, Zhiqi Zhao 1, Hanzhou Wu 2, Zhihua Xia 3, Athanasios V. Vasilakos 4,5
Published on arXiv
2510.16706
Model Theft
OWASP ML Top 10 — ML05
Key Finding
The point-cloud-based fingerprinting framework verifies EaaS model ownership under black-box conditions and is resilient to RST geometric transformation attacks that defeat existing watermarking methods.
Point Cloud Fingerprinting
Novel technique introduced
Feature embedding has become a cornerstone technology for processing high-dimensional and complex data, and as a result Embedding as a Service (EaaS) models have been widely deployed in the cloud. To protect the intellectual property of EaaS models, existing methods apply digital watermarking to inject specific backdoor triggers into EaaS models by modifying training samples or network parameters. However, these methods inevitably produce patterns that are detectable through semantic analysis and are susceptible to geometric transformations including rotation, scaling, and translation (RST). To address this problem, we propose a fingerprinting framework for EaaS models, rather than merely refining existing watermarking techniques. Unlike watermarking techniques, the proposed method establishes EaaS model ownership through geometric analysis of the embedding space's topological structure, rather than relying on modified training samples or triggers. The key innovation lies in modeling the victim and suspicious embeddings as point clouds, allowing us to perform robust spatial alignment and similarity measurement, which inherently resists RST attacks. Experimental results evaluated on visual and textual embedding tasks verify the superiority and applicability of the proposed method. This research reveals inherent characteristics of EaaS models and provides a promising solution for ownership verification of EaaS models under the black-box scenario.
Key Contributions
- A fingerprinting framework for EaaS models that verifies ownership through geometric analysis of embedding space topology rather than backdoor triggers or modified training samples
- Modeling victim and suspicious embeddings as point clouds, enabling robust spatial alignment and similarity measurement that inherently resists RST (rotation, scale, translation) transformations
- Black-box ownership verification that operates without access to model internals, evaluated on both visual and textual embedding tasks
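The RST-resilience claim can be checked numerically with the added example below, which is not the paper's algorithm or code: it swaps the paper's spatial alignment for a simpler stand-in (pairwise distances normalized by their mean). It assumes the same probe queries are sent to both services, so point i corresponds in both clouds; all function names, sample embeddings and parameters are constructed.

```python
import math
import random

def rst_transform(points, scale, shift, seed):
    """Disguise a cloud: random rotation (chain of plane rotations), uniform scale, translation."""
    rng = random.Random(seed)
    dim = len(points[0])
    out = [list(p) for p in points]
    for i in range(dim):
        for j in range(i + 1, dim):
            angle = rng.uniform(0, 2 * math.pi)
            c, s = math.cos(angle), math.sin(angle)
            for p in out:
                p[i], p[j] = c * p[i] - s * p[j], s * p[i] + c * p[j]
    return [[scale * x + shift for x in p] for p in out]

def signature(points):
    """Pairwise distances divided by their mean: unchanged by rotation, translation and scale."""
    d = [math.dist(a, b) for i, a in enumerate(points) for b in points[i + 1:]]
    mean = sum(d) / len(d)
    return [x / mean for x in d]

def fingerprint_gap(victim, suspect):
    """Mean absolute difference of the two signatures; near 0 means the same geometry."""
    sv, ss = signature(victim), signature(suspect)
    return sum(abs(a - b) for a, b in zip(sv, ss)) / len(sv)

def naive_gap(victim, suspect):
    """Constructed baseline: compare raw coordinates point by point (fooled by RST)."""
    return sum(math.dist(a, b) for a, b in zip(victim, suspect)) / len(victim)

def demo(n=40, dim=8):
    rng = random.Random(7)
    # Constructed stand-ins for the embeddings returned for n probe queries.
    victim = [[rng.gauss(0, 1) for _ in range(dim)] for _ in range(n)]
    stolen = rst_transform(victim, scale=3.5, shift=-2.0, seed=11)
    unrelated = [[rng.gauss(0, 1) for _ in range(dim)] for _ in range(n)]
    return {
        "naive_stolen": naive_gap(victim, stolen),
        "fp_stolen": fingerprint_gap(victim, stolen),
        "fp_unrelated": fingerprint_gap(victim, unrelated),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value:.6f}")
```

The raw-coordinate comparison reports the disguised copy as far from the victim, while the geometric signature gap stays at floating-point noise for the copy and is clearly non-zero for the unrelated model.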
🛡️ Threat Analysis
The paper's primary contribution is a black-box ownership verification method for EaaS models stolen via model extraction attacks. The fingerprinting framework establishes model IP ownership by analyzing the topological structure of the embedding space — a direct model theft defense. This is model-level IP protection (ML05), not content watermarking (ML09), since the fingerprint characterizes the model's functional behavior rather than marking generated outputs.