The Department of Information Science Technology’s Changqing Luo, assistant professor, has seen three recent papers accepted to top AI conferences, including the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR'26) in Denver, Colorado and the Fourteenth International Conference on Learning Representations (ICLR'26) in Rio de Janeiro, Brazil.
Though they are valuable intellectual property, as digital assets, AI models can be easily “copied, extracted, and redistributed without authorization.” This means they can just as easily be stolen by bad actors within or outside of an organization.
“This actually happens in the real world,” Luo added. “This is not just a hypothetical research problem.”
Luo’s research group “leverages multi-boundary and multi-sample behaviors” to facilitate the digital fingerprinting of models in order to verify their ownership, allowing developers to reliably identify protected models even if attempts have been made at obfuscation — in essence, a watermark for AI models.
“Building a model is not trivial,” says Luo. “It usually requires specialized AI expertise, domain-specific knowledge, a large volume of high-quality training data, and powerful computing infrastructure to design and training models. This makes trained models commercially and academically valuable.”
- “IrisFP: Adversarial-Example-based Model Fingerprinting with Enhanced Uniqueness and Robustness” by Ziye Geng, Guang Yang, Yihang Chen, and Changqing Luo will be presented at CVPR’26 in Denver this June. It proposes IrisFP, “a novel adversarial-example-based model fingerprinting framework that enhances both uniqueness and robustness by leveraging multi-boundary characteristics, multi-sample behaviors, and fingerprint discriminative power assessment to generate composite-sample fingerprints.” IrisFP exhibits key innovations in decision boundary targeting, composite-sample fingerprints, statistical separability metrics, and experimentation shows that IrisFP “consistently outperforms [other] state-of-the-art methods.”
- “Fingerprinting Deep Neural Networks for Ownership Protection: An Analytical Approach,” by Guang Yang, Ziye Geng, Yihang Chen, and Changqing Luo, was recently presented at ICLR'26 in Rio de Janeiro. It proposes AnaFP, “an analytical fingerprinting scheme that constructs fingerprints under theoretical guidance” to address the existing problem of reliance on empirical heuristics in determining fingerprint-to-decision boundary distance. Specifically, AnaFP “formulate[s] the fingerprint generation task as the problem of controlling the fingerprint-to-boundary distance through a tunable stretch factor.” Experimental results have thus far demonstrated AnaFP’s consistent outperformance over prior methods, “achieving effective and reliable ownership verification across diverse model architectures and model modification attacks.”
- “LiteGuard: Efficient Task-Agnostic Model Fingerprinting with Enhanced Generalization,” by Guang Yang, Ziye Geng, Yihang Chen, and Changqing Luo, was also presented at ICLR'26. This paper proposes LiteGuard, “an efficient task-agnostic fingerprinting framework that attains enhanced generalization while significantly lowering computational cost.” LiteGuard introduces two key innovations, including a checkpoint-based model set augmentation strategy and a local verifier architecture that pairs each fingerprint with a lightweight local verifier. Across five representative tasks, experiments show LiteGuard consistently outperforming MetaV in both generalization performance and computational efficiency.