Securing the Physical AI Brain: Jiangxing Intelligence’s Encoder Fingerprinting Accepted by ICML 2026
As AI models evolve into enterprises’ core assets, how can companies prevent these high-value encoders from being stolen? Jiangxing Intelligence’s latest research delivers a brand-new solution to this challenge.
Recently, the research team at Jiangxing Intelligence has achieved a major breakthrough in AI model security. Its research paper Fingerprinting Pre-trained Encoders under Arbitrary Downstream Fine-Tuning via Adversarial Shifting has been accepted by ICML 2026, the top international conference on machine learning. For the first time, this work realizes downstream-task-agnostic, black-box label-only ownership verification for pre-trained encoders, offering a reliable technical approach to protect high-value AI model assets.

An Urgent and Growing Concern: Who Has Stolen My Model?
Against the backdrop of the mainstream pre-training-and-fine-tuning paradigm, pre-trained encoders have become core components of AI systems. Taking vision encoders as an example: an encoder trained on hundreds of millions of images can be fine-tuned to adapt to dozens of diverse downstream scenarios, ranging from industrial defect detection to environmental perception for autonomous driving.
Nevertheless, this trend brings severe challenges to intellectual property protection:
- Model Theft: Attackers may illegally obtain encoders, train task-specific heads on top of them, and deploy services in the form of black-box APIs. Since downstream fine-tuning thoroughly reshapes the semantic outputs of encoders, traditional model watermarking and fingerprinting techniques largely fail to work.
- Verification Dilemma: Existing solutions either require modifications to the training pipeline (which degrades model performance), rely on internal embeddings inaccessible under black-box settings, or demand identical output spaces between the victim and suspicious models — a condition rarely satisfied in real-world industrial applications.
The scenario is analogous to facial recognition failing after plastic surgery. We need an identification mechanism that remains effective even after such drastic modifications.
Technical Breakthrough: Building Feature Islands via Adversarial Shifting
The core idea behind Jiangxing Intelligence’s Encoder Fingerprinting technique is to embed an indelible fingerprint within an encoder’s feature space.
Key Discovery: Stability of Deep Features
The team observed a critical phenomenon: adversarial samples exhibit drastically different propagation behaviors across network layers. Adversarial perturbations induce negligible distribution bias in shallow layers; as networks deepen, however, such bias gradually amplifies and peaks at the encoder’s output layer. This explains why conventional output-dependent fingerprinting methods fail: shallow features lack identifiable stable patterns. Based on this insight, the team pioneered a native fingerprinting mechanism constructed directly within feature spaces.
Adversarial Shifting: The Three-Step Pipeline
- Feature Space Characterization: Spectral clustering partitions embeddings of an auxiliary dataset within the encoder’s feature space into multiple clusters. High-density, semantically stable clusters are selected as fingerprint anchor points.
- Adversarial Shifting: Baseline samples from other clusters are perturbed adversarially and shifted toward the pre-defined anchor clusters to form compact, isolated feature islands.
- Majority Voting Verification: Thanks to the tight clustering of fingerprint samples, these inputs will consistently be predicted into the same category regardless of downstream task changes or reconstructed classification boundaries. By querying the suspicious model’s API and checking prediction consistency across the fingerprint sample set, we can determine whether the protected encoder has been misappropriated.
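As an added illustration of the third step (not code from the paper or from Jiangxing Intelligence), the snippet below runs label-only majority voting over a fingerprint set against two constructed black-box APIs: one standing in for a fine-tuned copy of the protected encoder, one for an unrelated model. The fingerprint set is assumed to have been built already by adversarial shifting; the input stand-ins, the label responses and the chance-based threshold calibration are all constructed here rather than taken from the paper.

```python
"""Majority-voting verification for an encoder fingerprint (step 3 above).
Added illustration, not the paper's or Jiangxing Intelligence's code. It assumes the
fingerprint set was already built by adversarial shifting and that the suspicious
model is reachable only through a label-only API (a callable returning one class id
per input). All labels below are constructed, not measured."""
import random
from collections import Counter
from typing import Callable, Sequence

def matching_rate(labels: Sequence[int]) -> tuple[int, float]:
    """Majority label and the fraction of fingerprint queries that share it."""
    if not labels:
        raise ValueError("no labels returned for the fingerprint set")
    label, count = Counter(labels).most_common(1)[0]
    return label, count / len(labels)

def chance_threshold(n_samples: int, n_classes: int, quantile: float = 0.99,
                     trials: int = 2000, seed: int = 0) -> float:
    """Decision threshold calibrated against an unrelated model (assumption, not
    from the paper): a model that never saw the fingerprint scatters the samples
    uniformly over its classes, so we take a high quantile of the matching rate
    such a model would produce by chance."""
    rng = random.Random(seed)
    rates = sorted(matching_rate([rng.randrange(n_classes) for _ in range(n_samples)])[1]
                   for _ in range(trials))
    return rates[int(quantile * (trials - 1))]

def verify(api: Callable[[Sequence[int]], Sequence[int]],
           fingerprint_set: Sequence[int], threshold: float) -> dict:
    """Query the black-box API once per fingerprint sample and vote."""
    label, rate = matching_rate(list(api(fingerprint_set)))
    return {"majority_label": label, "matching_rate": rate,
            "misappropriated": rate >= threshold}

# Constructed stand-ins for image inputs: 100 fingerprint samples, 10 classes.
FINGERPRINT_SET = list(range(100))
N_CLASSES = 10

def stolen_api(xs: Sequence[int]) -> list[int]:
    """Fine-tuned copy of the protected encoder: the feature island survives, so
    78 of 100 fingerprints land in one class and the rest scatter (constructed)."""
    return [3 if x < 78 else 4 + x % 6 for x in xs]

def independent_api(xs: Sequence[int]) -> list[int]:
    """Unrelated model: fingerprints spread evenly over its classes (constructed)."""
    return [x % N_CLASSES for x in xs]
```

The only thing the verifier needs from the suspicious service is the predicted label per query, so the check works across any downstream label space; the output classes of the suspect need not match those of the original encoder.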
Empirical Results: An AUC Score of 0.96, Outperforming All State-of-the-Art Methods
Comprehensive evaluations were conducted across benchmark datasets including CIFAR-10/100, STL-10, GTSRB and ImageNet, covering supervised learning as well as self-supervised pre-training frameworks such as SimCLR, MoCoV2 and SigLIP.
Key Quantitative Results
Our method achieves an outstanding AUC of 0.96, far exceeding the previous state-of-the-art baseline of 0.84.
Robustness tests across five attack scenarios (model fine-tuning, pruning, model extraction, input perturbation and embedding perturbation) all yield matching rates significantly higher than those of the baseline approaches:
- Fine-tuning Attacks: On the GTSRB dataset, the matching rate remains above 0.7 even after 50 fine-tuning epochs.
- Pruning Attacks: The matching rate stays higher than 0.9 even when 60%–70% of model parameters are pruned.
- Model Extraction Attacks: The embedded fingerprint can still be reliably detected even if adversaries retrain the stolen encoder via knowledge distillation.
Industrial Value: Securing Physical AI Model Assets
Encoder Fingerprinting and related model asset protection technologies deliver critical security guarantees for the commercialization and monetization of Physical AI models.
In the Model-as-a-Service era, Jiangxing Intelligence deploys its proprietary Physical AI models on client premises. Preventing unauthorized theft and replication of these high-value models lays the foundation for sustainable commercial operations.
This technology functions as a unique digital ID for each model. No matter how downstream tasks evolve or how extensively models are fine-tuned, ownership can be definitively traced via this embedded fingerprint. It plays a vital role in safeguarding the company’s core technological assets and protecting the legitimate interests of enterprise clients.

Related Publication
Fingerprinting Pre-trained Encoders under Arbitrary Downstream Fine-Tuning via Adversarial Shifting, ICML 2026.
Jiangxing Intelligence will continue to advance cutting-edge research in Physical AI, boosting model performance while building robust security safeguards for proprietary AI model assets.