Poster
SDBF: Steep-Decision-Boundary Fingerprinting for Hard-Label Tampering Detection of DNN Models
Xiaofan Bai · Shixin Li · Xiaojing Ma · Bin Benjamin Zhu · Dongmei Zhang · Linchen Yu
Cloud-based AI systems offer significant benefits but also introduce vulnerabilities, making deep neural network (DNN) models susceptible to malicious tampering. Such tampering may involve harmful behavior injection or resource reduction, compromising model integrity and performance. To detect model tampering, hard-label fingerprinting techniques generate sensitive samples whose outputs are probed to reveal tampering. Existing fingerprinting methods are based mainly on gradient-defined sensitivity or on the decision boundary, with the latter showing clearly superior detection performance. However, existing decision-boundary-based fingerprinting methods remain conceptual, lacking a theoretical explanation for why samples near the decision boundary are more sensitive to tampering. Moreover, all existing fingerprinting methods either suffer from insufficient sensitivity or incur high computational costs. In this paper, we provide the first theoretical justification for why samples near the decision boundary are more sensitive to tampering-induced shifts than samples far from it. Based on this, we further propose Steep-Decision-Boundary Fingerprinting (SDBF), a novel lightweight approach for hard-label tampering detection. SDBF places fingerprint samples near the steep decision boundary, where the outputs of samples are inherently highly sensitive to tampering. We also design a Max Boundary Coverage Strategy (MBCS), which enhances the diversity of samples over the decision boundary. Theoretical analysis and extensive experimental results show that SDBF outperforms existing state-of-the-art (SOTA) hard-label fingerprinting methods in both sensitivity and efficiency.
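As an added illustration (not code from the paper or its authors) of the abstract's central claim that fingerprints near the decision boundary change their hard labels under tampering far more readily than faraway samples, the script below uses a constructed two-dimensional linear classifier, places fingerprint samples at a chosen signed distance from its boundary, applies a fixed weight perturbation as a stand-in for tampering, and compares hard-label flip rates and the resulting detection verdict. All weights, margins and the perturbation are assumed values; even spacing along the boundary is only a crude stand-in for MBCS, and since a linear model's boundary is uniformly steep, this isolates the margin effect rather than the steepness SDBF exploits in nonlinear DNNs.

```python
import math

# Constructed toy victim model: a 2-D linear classifier f(x) = w.x + b,
# hard label = 1 if f(x) >= 0 else 0. Weights are made up for illustration.
W = [1.0, -0.5]
B = 0.2

def logit(w, b, x):
    return w[0] * x[0] + w[1] * x[1] + b

def hard_label(w, b, x):
    return 1 if logit(w, b, x) >= 0 else 0

def fingerprints(w, b, margin, n=41, span=3.0):
    """Build n fingerprint samples at signed distance +/-margin from the
    decision boundary, spaced evenly along it (even spacing is this example's
    crude stand-in for the boundary-coverage goal of MBCS)."""
    norm = math.hypot(w[0], w[1])
    unit = [w[0] / norm, w[1] / norm]      # unit normal to the boundary
    tangent = [-unit[1], unit[0]]          # direction along the boundary
    foot = [-b / norm * u for u in unit]   # boundary point nearest the origin
    samples = []
    for i in range(n):
        t = -span + 2 * span * i / (n - 1)
        s = margin if i % 2 == 0 else -margin   # alternate sides of the boundary
        samples.append([foot[k] + t * tangent[k] + s * unit[k] for k in range(2)])
    return samples

def tamper(w, b, delta=0.1):
    """Deterministic stand-in for tampering: shift every weight by a fixed delta."""
    return [wi + delta for wi in w], b

def flip_rate(w, b, w2, b2, samples):
    """Fraction of samples whose hard label differs between the two models."""
    flips = sum(hard_label(w, b, x) != hard_label(w2, b2, x) for x in samples)
    return flips / len(samples)

def tampering_detected(w, b, w2, b2, margin):
    """Hard-label verification: record fingerprint labels on the genuine model,
    re-query the deployed model and flag tampering if any label changed."""
    fps = fingerprints(w, b, margin)
    expected = [hard_label(w, b, x) for x in fps]
    return any(hard_label(w2, b2, x) != y for x, y in zip(fps, expected))

if __name__ == "__main__":
    W2, B2 = tamper(W, B)
    for margin in (0.05, 2.0):   # near the boundary vs. far from it
        fps = fingerprints(W, B, margin)
        print(f"margin {margin}: flip rate {flip_rate(W, B, W2, B2, fps):.2f}, "
              f"tampering detected: {tampering_detected(W, B, W2, B2, margin)}")
```

With these assumed values the near-boundary fingerprints flip for a sizeable fraction of samples and expose the tampering, while the faraway set never flips and misses it entirely.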