defense 2026

CREDIT: Certified Ownership Verification of Deep Neural Networks Against Model Extraction Attacks

Bolin Shen 1, Zhan Cheng 2, Neil Zhenqiang Gong 3, Fan Yao 4, Yushun Dong 1

0 citations · 76 references · arXiv (Cornell University)

Published on arXiv

2602.20419

Model Theft

OWASP ML Top 10 — ML05

Key Finding

Achieves state-of-the-art ownership verification against model extraction attacks with certified theoretical guarantees, evaluated across multiple mainstream datasets and domains.

CREDIT

Novel technique introduced


Machine Learning as a Service (MLaaS) has emerged as a widely adopted paradigm for providing access to deep neural network (DNN) models, enabling users to conveniently leverage these models through standardized APIs. However, such services are highly vulnerable to Model Extraction Attacks (MEAs), where an adversary repeatedly queries a target model to collect input-output pairs and uses them to train a surrogate model that closely replicates its functionality. While numerous defense strategies have been proposed, verifying the ownership of a suspicious model with strict theoretical guarantees remains a challenging task. To address this gap, we introduce CREDIT, a certified ownership verification against MEAs. Specifically, we employ mutual information to quantify the similarity between DNN models, propose a practical verification threshold, and provide rigorous theoretical guarantees for ownership verification based on this threshold. We extensively evaluate our approach on several mainstream datasets across different domains and tasks, achieving state-of-the-art performance. Our implementation is publicly available at: https://github.com/LabRAI/CREDIT.


Key Contributions

  • CREDIT: a certified ownership verification framework against model extraction attacks using mutual information to quantify DNN similarity
  • A practical verification threshold with rigorous theoretical guarantees for ownership claims
  • State-of-the-art empirical performance across multiple datasets and domains

🛡️ Threat Analysis

Model Theft

CREDIT defends against model extraction attacks by providing certified ownership verification: it uses mutual information to fingerprint and identify cloned surrogate models, directly protecting model intellectual property after theft via API queries.


Details

Domains: vision, nlp
Model Types: cnn, transformer
Threat Tags: black_box, inference_time
Datasets: CIFAR-10, ImageNet
Applications: mlaas apis, model ip protection, ownership verification