## Models used in the experiments

In [10]:
import torch
#from PyTorch_CIFAR10_master.cifar10_models import *
import numpy as np
from utility import *
#from datetime import datetime
#from scipy.fftpack import dct, idct
import matplotlib.pyplot as plt
import matplotlib.image as mpimg 
import csv
import random

# target models, positive suspect models, and negative suspect models
names = ['target_c10', 'target_c100', 'target_i10', 'positive_c10_r20', 'positive_c10_v11', 'positive_c10_d161', 
         'positive_c100_r20', 'positive_c100_v11', 'positive_c100_d161', 'positive_i10_r18', 'positive_i10_v11', 'positive_i10_d161',
         'negative_c10', 'negative_c100', 'negative_i10']
models = retrieve('allmodels.txt', names)

# cross application models
CAM_names = ['c10_100_r20', 'c10_100_v11', 'c10_100_d161', 'c100_10_r20', 'c100_10_v11', 'c100_10_d161', 'i1000_10_r18', 'i1000_10_v11', 'i1000_10_d161']
CAM_models = CAM_retrieve('cross_application_models.txt', CAM_names)

# imagenet models 
import torchvision.models as imagenet_models
imagenet_r18 = imagenet_models.resnet18(pretrained=True)
imagenet_v11 = imagenet_models.vgg11(pretrained=True)
imagenet_d161 = imagenet_models.densenet161(pretrained=True)

# models used in major revision phase, v11_c100 and d161_c100 are fine-tuned models from v11_c10 and d161_c10 in original manuscript
r18_c10 = models['negative_c10'][10]
v11_c100_rq = '/mnt/ssd1/zhengyue/Models/Target_models/cifar100-vgg11-192-best.pth'
d161_c100_rq = '/mnt/ssd1/zhengyue/Models/Target_models/cifar100-densenet161-183-best.pth'

## Parameter setting

In [2]:
l=1
nl = 400
a = 0.01 # SCA extraction precision

# save the experiment results to this file
#file_name = './experiment_results/major_revision/sca_weights_similarity_' + str(l) + 'layer_fixed_' + str(a) + '_'+ str(nl)+ 'nl.csv'
out_rp = int(nl*0.5) # length of the DNN fingerprint (after random projection)

if l ==3:
    nl = 399
    
owner = owner_f(12345, nl, out_rp, 'bernoulli')

## Same Application Scenarios

In [3]:
# from pytorch_resnet_cifar10_master import resnet 
#path = '/mnt/ssd1/zhengyue/Models/pytorch_resnet_cifar10_master/save_resnet20/checkpoint.th'
# path = models['target_c10'][0]
# checkpoint = torch.load(path)
# model = torch.nn.DataParallel(resnet.__dict__['resnet20']())
# model.cuda()
# model.load_state_dict(checkpoint['state_dict'])

print('===c10_r20===')
target = torch.load(models['target_c10'][0])['state_dict']
positive_models = models['positive_c10_r20']
print('Correlation of Pirated models...')
for i in range(len(positive_models)):
    pm_0 = positive_models[i]
    pm = torch.load(pm_0)['model_state_dict']
    CAM_similarity(target, pm, owner,owner, True, True, nl,l,a)
print('Correlation of Innocent models...')
negative_models = models['negative_c10']
for i in range(len(negative_models)):
    nm = negative_models[i]
    CAM_similarity(target, nm, owner,owner, True, True, nl,l,a)

# print('===c10_r20===')
# target = models['target_c10'][0]
# positive_models = models['positive_c10_r20']
# print('Correlation of Pirated models...')
# for i in range(len(positive_models)):
#     pm = positive_models[i]
#     CAM_similarity(target, pm, owner,owner, True, True, nl,l,a)
# print('Correlation of Innocent models...')
# negative_models = models['negative_c10']
# for i in range(len(negative_models)):
#     nm = negative_models[i]
#     CAM_similarity(target, nm, owner,owner, True, True, nl,l,a)

===c10_r20===
Correlation of Pirated models...
Correlation: [1.0]
Correlation: [1.0]
Correlation: [0.999]
Correlation: [0.996]
Correlation: [0.985]
Correlation: [0.975]
Correlation: [0.959]
Correlation: [0.94]
Correlation: [0.917]
Correlation: [0.889]
Correlation: [0.847]
Correlation: [1.0]
Correlation: [0.999]
Correlation: [0.999]
Correlation: [0.999]
Correlation: [0.999]
Correlation: [0.998]
Correlation: [0.996]
Correlation: [0.992]
Correlation: [0.98]
Correlation of Innocent models...
Correlation: [0.075]
Correlation: [0.045]
Correlation: [-0.049]
Correlation: [0.076]
Correlation: [0.034]
Correlation: [0.195]
Correlation: [-0.187]
Correlation: [0.043]
Correlation: [0.008]
Correlation: [0.252]
Correlation: [-0.21]
Correlation: [-0.036]
Correlation: [0.072]


In [12]:
print('===c10_v11===')
target = models['target_c10'][1]
positive_models = models['positive_c10_v11']
print('Correlation of Pirated models...')
for i in range(len(positive_models)):
    pm = positive_models[i]
#     pm = torch.load(pm_0)
    CAM_similarity(target, pm, owner,owner, True, False, nl,l,a)
print('Correlation of Innocent models...')
negative_models = models['negative_c10']
# should remove vgg11, this is the same model as the target one
for i in range(len(negative_models)):
    nm = negative_models[i]
    CAM_similarity(target, nm, owner,owner, True, True, nl,l,a)

===c10_v11===
Correlation of Innocent models...
Correlation: [-0.056]
Correlation: [-0.054]
Correlation: [-0.129]
Correlation: [-0.002]
Correlation: [-0.032]
Correlation: [0.022]
Correlation: [-0.036]
Correlation: [-0.068]
Correlation: [-0.018]
Correlation: [0.02]
Correlation: [0.117]
Correlation: [0.009]


In [13]:
print('===c10_d161===')
target = models['target_c10'][2]
positive_models = models['positive_c10_d161']
print('Correlation of Pirated models...')
for i in range(len(positive_models)):
    pm = positive_models[i]
#     pm = torch.load(pm_0)
    CAM_similarity(target, pm, owner,owner, True, False, nl,l,a)
print('Correlation of Innocent models...')
negative_models = models['negative_c10']
# should remove d161, this is the same model as the target one
for i in range(len(negative_models)):
    nm = negative_models[i]
    CAM_similarity(target, nm, owner,owner, True, True, nl,l,a)

===c10_d161===
Correlation of Pirated models...
Correlation: [0.966]
Correlation: [0.974]
Correlation: [0.982]
Correlation: [0.983]
Correlation: [0.982]
Correlation: [0.984]
Correlation: [0.982]
Correlation: [0.981]
Correlation: [0.966]
Correlation: [0.966]
Correlation: [0.943]
Correlation: [0.982]
Correlation: [0.98]
Correlation: [0.983]
Correlation: [0.981]
Correlation: [0.979]
Correlation: [0.982]
Correlation: [0.983]
Correlation: [0.984]
Correlation: [0.986]
Correlation of Innocent models...
Correlation: [0.086]
Correlation: [0.088]
Correlation: [0.069]
Correlation: [-0.064]
Correlation: [-0.152]
Correlation: [0.115]
Correlation: [0.06]
Correlation: [-0.062]
Correlation: [-0.028]
Correlation: [-0.123]
Correlation: [0.088]


In [18]:
print('===c100_r20===')
target = models['target_c100'][0]
positive_models = models['positive_c100_r20']
print('Correlation of Pirated models...')
for i in range(len(positive_models)):
    pm = positive_models[i]
#     pm = torch.load(pm_0)
    CAM_similarity(target, pm, owner,owner, True, False, nl,l,a)
print('Correlation of Innocent models...')
negative_models = models['negative_c100']
for i in range(len(negative_models)):
    nm = negative_models[i]
    CAM_similarity(target, nm, owner,owner, True, False, nl,l,a)

===c100_r20===
Correlation of Pirated models...
Correlation: [1.0]
Correlation: [1.0]
Correlation: [0.99]
Correlation: [0.981]
Correlation: [1.0]
Correlation: [1.0]
Correlation: [1.0]
Correlation: [0.999]
Correlation: [0.998]
Correlation: [0.997]
Correlation of Innocent models...
Correlation: [-0.158]
Correlation: [0.186]
Correlation: [-0.002]
Correlation: [-0.016]
Correlation: [0.195]
Correlation: [-0.039]
Correlation: [-0.077]
Correlation: [-0.169]


In [19]:
print('===c100_v11===')
target = models['target_c100'][1]
positive_models = models['positive_c100_v11']
print('Correlation of Pirated models...')
for i in range(len(positive_models)):
    pm = positive_models[i]
#     pm = torch.load(pm_0)
    CAM_similarity(target, pm, owner,owner, False, False, nl,l,a)
print('Correlation of Innocent models...')
negative_models = models['negative_c100']
for i in range(len(negative_models)):
    nm = negative_models[i]
    CAM_similarity(target, nm, owner,owner, False, False, nl,l,a)

===c100_v11===
Correlation of Pirated models...
Correlation: [1.0]
Correlation: [0.999]
Correlation: [0.999]
Correlation: [0.997]
Correlation: [0.984]
Correlation: [0.971]
Correlation: [0.954]
Correlation: [0.929]
Correlation: [0.999]
Correlation: [1.0]
Correlation: [0.999]
Correlation: [0.999]
Correlation: [1.0]
Correlation: [1.0]
Correlation: [0.999]
Correlation: [0.999]
Correlation: [0.999]
Correlation of Innocent models...
Correlation: [-0.094]
Correlation: [-0.14]
Correlation: [0.035]
Correlation: [-0.044]
Correlation: [0.116]
Correlation: [-0.102]
Correlation: [-0.07]
Correlation: [-0.139]


In [20]:
print('===c100_d161===')
target = models['target_c100'][2]
positive_models = models['positive_c100_d161']
print('Correlation of Pirated models...')
for i in range(len(positive_models)):
    pm = positive_models[i]
#     pm = torch.load(pm_0)
    CAM_similarity(target, pm, owner,owner, False, False, nl,l,a)
print('Correlation of Innocent models...')
negative_models = models['negative_c100']
for i in range(len(negative_models)):
    nm = negative_models[i]
    CAM_similarity(target, nm, owner,owner, False, False, nl,l,a)

===c100_d161===
Correlation of Pirated models...
Correlation: [1.0]
Correlation: [1.0]
Correlation: [0.999]
Correlation: [0.999]
Correlation: [0.999]
Correlation: [0.999]
Correlation: [0.999]
Correlation: [0.992]
Correlation: [0.992]
Correlation: [0.975]
Correlation: [0.999]
Correlation: [1.0]
Correlation: [0.999]
Correlation: [1.0]
Correlation: [0.999]
Correlation: [0.999]
Correlation: [0.999]
Correlation: [0.999]
Correlation: [0.999]
Correlation of Innocent models...
Correlation: [-0.049]
Correlation: [0.036]
Correlation: [0.097]
Correlation: [0.036]
Correlation: [-0.233]
Correlation: [-0.021]
Correlation: [0.021]
Correlation: [-0.017]


In [21]:
print('===i10_r18===')
target = models['target_i10'][0]
positive_models = models['positive_i10_r18']
print('Correlation of Pirated models...')
for i in range(len(positive_models)):
    pm = positive_models[i]
#     pm = torch.load(pm_0)
    CAM_similarity(target, pm, owner,owner, False, False, nl,l,a)
print('Correlation of Innocent models...')
negative_models = models['negative_i10']
for i in range(len(negative_models)):
    nm = negative_models[i]
    CAM_similarity(target, nm, owner,owner, False, False, nl,l,a)

===i10_r18===
Correlation of Pirated models...
Correlation: [0.997]
Correlation: [0.997]
Correlation: [0.998]
Correlation: [0.998]
Correlation: [0.997]
Correlation: [0.998]
Correlation: [0.997]
Correlation of Innocent models...
Correlation: [0.048]
Correlation: [-0.082]
Correlation: [0.028]
Correlation: [-0.177]
Correlation: [-0.003]
Correlation: [0.008]
Correlation: [0.095]
Correlation: [0.146]
Correlation: [-0.218]


In [22]:
print('===i10_v11===')
target = models['target_i10'][1]
positive_models = models['positive_i10_v11']
print('Correlation of Pirated models...')
for i in range(len(positive_models)):
    pm = positive_models[i]
#     pm = torch.load(pm_0)
    CAM_similarity(target, pm, owner,owner, False, False, nl,l,a)
print('Correlation of Innocent models...')
negative_models = models['negative_i10']
for i in range(len(negative_models)):
    nm = negative_models[i]
    CAM_similarity(target, nm, owner,owner, False, False, nl,l,a)

===i10_v11===
Correlation of Pirated models...
Correlation: [1.0]
Correlation: [0.996]
Correlation: [0.997]
Correlation: [0.997]
Correlation: [0.992]
Correlation: [0.985]
Correlation: [0.979]
Correlation: [0.978]
Correlation: [0.968]
Correlation: [0.946]
Correlation: [0.92]
Correlation: [0.997]
Correlation: [0.997]
Correlation: [0.997]
Correlation: [0.997]
Correlation: [0.997]
Correlation: [0.997]
Correlation: [0.997]
Correlation: [0.997]
Correlation: [0.997]
Correlation of Innocent models...
Correlation: [0.105]
Correlation: [0.031]
Correlation: [-0.087]
Correlation: [0.106]
Correlation: [-0.064]
Correlation: [0.007]
Correlation: [0.213]
Correlation: [0.249]
Correlation: [-0.067]


In [24]:
print('===i10_d161===')
target = models['target_i10'][2]
positive_models = models['positive_i10_d161']
print('Correlation of Pirated models...')
for i in range(len(positive_models)):
    pm = positive_models[i]
#     pm = torch.load(pm_0)
    CAM_similarity(target, pm, owner,owner, False, False, nl,l,a)
print('Correlation of Innocent models...')
negative_models = models['negative_i10']
for i in range(len(negative_models)):
    nm = negative_models[i]
    CAM_similarity(target, nm, owner,owner, False, False, nl,l,a)

===i10_d161===
Correlation of Pirated models...
Correlation: [0.997]
Correlation: [0.997]
Correlation: [0.994]
Correlation: [0.996]
Correlation: [0.994]
Correlation: [0.996]
Correlation: [0.993]
Correlation: [0.992]
Correlation: [0.993]
Correlation: [0.991]
Correlation: [0.981]
Correlation: [0.995]
Correlation: [0.995]
Correlation: [0.993]
Correlation: [0.994]
Correlation: [0.996]
Correlation: [0.996]
Correlation: [0.994]
Correlation: [0.996]
Correlation: [0.995]
Correlation of Innocent models...
Correlation: [-0.4]
Correlation: [-0.046]
Correlation: [0.02]
Correlation: [0.01]
Correlation: [0.047]
Correlation: [0.071]
Correlation: [-0.142]
Correlation: [-0.19]
Correlation: [-0.02]


## Different Application Scenarios, pirated models obtained by fine tuning

In [30]:
# Across application performance test
print('=============ResNet20, c10 to c100=====================')
# target = models['target_c10'][0]
target = '/mnt/ssd1/zhengyue/Models/Target_models/replaced_models/Target_models/cifar10-resnet20-30abc31d.pth'
pm = CAM_models['c10_100_r20']
CAM_similarity(target, pm, owner,owner,True, False, nl,l,a)
print('=============VGG11, c10 to c100=====================')
target = models['target_c10'][1]
nm = CAM_models['c10_100_v11']
CAM_similarity(target, nm, owner,owner,True, False, nl,l,a)
print('=============DenseNet161, c10 to c100=====================')
target = models['target_c10'][2]
nm = CAM_models['c10_100_d161']
CAM_similarity(target, nm, owner,owner, True, False, nl,l,a)


print('=============c100 to c10, ResNet20 =====================')
source = models['target_c100'][0]
ft = CAM_models['c100_10_r20']
CAM_similarity(source, ft, owner,owner, True, False, nl,l,a)

print('=============c100 to c10, VGG11 =====================')
source = models['target_c100'][1]
ft = CAM_models['c100_10_v11']
CAM_similarity(source, ft, owner,owner, False, False, nl,l,a)

print('=============c100 to c10, DenseNet161 =====================')
source = models['target_c100'][2]
ft = CAM_models['c100_10_d161']
CAM_similarity(source, ft, owner,owner, False, False, nl,l,a)

import torchvision.models as imagenet_models
imagenet_r18 = imagenet_models.resnet18(pretrained=True)
imagenet_v11 = imagenet_models.vgg11(pretrained=True)
imagenet_d161 = imagenet_models.densenet161(pretrained=True)

print('============ imagenet to i10, ResNet18 =====================')
source = imagenet_r18
ft = CAM_models['i1000_10_r18']
CAM_similarity(source, ft,  owner,owner, False, False, nl,l,a)

print('============= imagenet to i10, VGG11 =====================')
source = imagenet_v11
ft = CAM_models['i1000_10_v11']
CAM_similarity(source, ft,  owner,owner, False, False, nl,l,a)

print('============= imagenet to i10, DenseNet161 =====================')
source = imagenet_d161
ft = CAM_models['i1000_10_d161']
CAM_similarity(source, ft,  owner,owner, False, False, nl,l,a)

Correlation: [0.991]
Correlation: [0.919]
Correlation: [0.918]
Correlation: [0.998]
Correlation: [0.999]
Correlation: [0.999]
Correlation: [0.997]
Correlation: [1.0]
Correlation: [0.995]


## Different application scenarios, same-architecture innocent models

In [9]:
target = models['target_c10'][0] # r20_c10
# r20_c10_pretrained = '/mnt/ssd1/zhengyue/Models/Target_models/models_major_revision/r20_c10_pretrained.pth'
# r20_c10_pretrained = '/mnt/ssd1/zhengyue/Models/Target_models/cifar10_resnet20_checkpoint.th'
# target=r20_c10_pretrained
pm = models['target_c100'][0] # r20_c100
CAM_similarity(target, pm, owner,owner, True, True, nl,l,a)

v11_c100_rq = '/mnt/ssd1/zhengyue/Models/Target_models/cifar100-vgg11-192-best.pth'
target = models['target_c10'][1] # v11_c10
pm = v11_c100_rq # v11_c100_pretrained
CAM_similarity(target, pm, owner,owner, True, True, nl,l,a)

d161_c100_rq = '/mnt/ssd1/zhengyue/Models/Target_models/cifar100-densenet161-183-best.pth'
target = models['target_c10'][2] # d161_c10
pm = d161_c100_rq # d161_c100_pretrained
CAM_similarity(target, pm, owner,owner, True, True, nl,l,a)

the target model is the cifar10-resnet20 model used in the revised manuscript!
Correlation: [-0.263]
Correlation: [-0.075]
Correlation: [-0.008]


In [8]:
target = models['target_c100'][0] #r20_c100
# target = '/mnt/ssd1/zhengyue/Models/Target_models/replaced_models/Target_models/cifar10-resnet20-30abc31d.pth'
# pm = models['target_c10'][0] #r20_c10
pm = models['target_c10'][0]
CAM_similarity(target, pm, owner,owner, True, True, nl,l,a)
target = v11_c100_rq
CAM_similarity(target, imagenet_v11, owner,owner, True, False, nl,l,a)
target = v11_c100_rq
CAM_similarity(target, imagenet_d161, owner,owner, True, False, nl,l,a)

the suspect model is the cifar10-resnet20 model used in the revised manuscript!
Correlation: [-0.261]
Correlation: [0.206]
Correlation: [-0.016]


In [13]:
CAM_similarity(imagenet_r18, r18_c10, owner,owner,False, True, nl,l,a)
CAM_similarity(imagenet_v11, models['target_c10'][1], owner,owner,False, True, nl,l,a)
CAM_similarity(imagenet_d161, models['target_c10'][2], owner,owner,False, True, nl,l,a)

Correlation: [-0.177]
Correlation: [-0.054]
Correlation: [-0.101]


## Irrovocability test

In [15]:
fp = True # True: filter pruning; False: weight pruning

In [17]:
# r20_c10_rq = '/mnt/ssd1/zhengyue/Models/pytorch_resnet_cifar10_master/save_resnet20/checkpoint.th'
# target = torch.load(r20_c10_rq) # c10_r20
target = models['target_c10'][0]
if fp:
    test = './major_revision/saved_models/cifar10_resnet20_fp/fp12_checkpoint_0_99.pth' 
else:
    test = './major_revision/saved_models/cifar10_resnet20_wp/wp9_checkpoint_0_99.pth' 

CAM_similarity(target, test, owner,owner,True, True, nl,l,a)

the target model is the cifar10-resnet20 model used in the revised manuscript!
the suspect model is the cifar10-resnet20 model used in the revised manuscript!
Correlation: [0.573]


In [19]:
target = models['target_c10'][1] #c10_v11
if fp:
    test = './major_revision/saved_models/cifar10_vgg11_fp/fp12_model_0_99.pth' 
else:
    test = './major_revision/saved_models/cifar10_vgg11_wp/wp9_model_0_99.pth' 
CAM_similarity(target, test, owner,owner,True, False, nl,l,a)

Correlation: [0.533]


In [20]:
target = models['target_c10'][2] #c10_d161

if fp:
    test = './major_revision/saved_models/cifar10_densenet161_fp/fp13_model_0_99.pth' 
else:
    test = './major_revision/saved_models/cifar10_densenet161_wp/wp9_model_0_99.pth' 

CAM_similarity(target, test, owner,owner,True, False, nl,l,a)

Correlation: [0.526]


In [32]:
target = models['target_c100'][0] #c100_r20

if fp:
    test = './major_revision/saved_models/cifar100_resnet20_fp/fp11_model_0_99.pth' 
else:
    test = './major_revision/saved_models/cifar100_resnet20_wp/wp9_model_0_99.pth' 

CAM_similarity(target, test, owner,owner,True, False, nl,l,a)

Correlation: [0.478]


In [35]:
import sys
sys.path.append('/mnt/ssd1/zhengyue/Models/pytorch-cifar100-master')

# vgg11_cifar100, densenet161_cifar100, revised manuscript
v11_c100_rq_path = '/mnt/ssd1/zhengyue/Models/Target_models/cifar100-vgg11-192-best.pth'

from models.vgg import vgg11_bn
v11_c100_rq = vgg11_bn()
v11_c100_rq.load_state_dict(torch.load(v11_c100_rq_path)) # c100_v11

if fp:
    test = './major_revision/saved_models/cifar100_vgg11_fp/fp13_model_0_99.pth' 
else:
    test = './major_revision/saved_models/cifar100_vgg11_wp/wp9_model_0_99.pth' 

CAM_similarity(v11_c100_rq, test, owner,owner,False, False, nl,l,a)

Correlation: [0.463]


In [36]:
d161_c100_rq_path = '/mnt/ssd1/zhengyue/Models/Target_models/cifar100-densenet161-183-best.pth'
from models.densenet import densenet161
d161_c100_rq = densenet161()
d161_c100_rq.load_state_dict(torch.load(d161_c100_rq_path)) #c100_d161

if fp:
    test = './major_revision/saved_models/cifar100_densenet161_fp/fp12_model_0_99.pth' 
else:
    test = './major_revision/saved_models/cifar100_densenet161_wp/wp9_model_0_99.pth' 

CAM_similarity(d161_c100_rq, test, owner,owner,False, False, nl,l,a)

Correlation: [0.525]


In [37]:
target = models['target_i10'][0] #i10_resnet18

if fp:
    test = './major_revision/saved_models/imagenet10_resnet18_fp/fp15_model_0_99.pth' 
else:
    test = './major_revision/saved_models/imagenet10_resnet18_wp/wp9_model_0_99.pth'     
    
CAM_similarity(target, test, owner,owner,False, False, nl,l,a)

Correlation: [0.869]


In [38]:
target = models['target_i10'][1] #i10_vgg11
if fp:
    test = './major_revision/saved_models/imagenet10_vgg11_fp/fp13_model_0_99.pth' 
else:
    test = './major_revision/saved_models/imagenet10_vgg11_wp/wp9_model_0_99.pth' 
    
CAM_similarity(target, test, owner,owner,False, False, nl,l,a)

Correlation: [0.459]


In [39]:
target = models['target_i10'][2] #i10_densenet161

if fp:
    test = './major_revision/saved_models/imagenet10_densenet161_fp/fp15_model_0_99.pth' 
else:
    test = './major_revision/saved_models/imagenet10_densenet161_wp/wp9_model_0_99.pth' 

CAM_similarity(target, test, owner,owner,False, False, nl,l,a)

Correlation: [0.677]
