Due　to　enormous　computing　and　storage　overhead　for　well-trained　Deep　Neural　Network　(DNN)　models,　protecting　the　intellectual　property　of　model　owners　is　a　pressing　need.　As　the　commercialization　of　deep　models　is　becoming　increasingly　popular,　the　pre-trained　models　delivered　to　users　may　suffer　from　being　illegally　copied,　redistributed,　or　abused.　In　this　paper,　we　propose　DeepDIST,　the　first　end-to-end　secure　DNNs　distribution　framework　in　a　black-box　scenario.　Specifically,　our　framework　adopts　a　dual-level　fingerprint　(FP)　mechanism　to　provide　reliable　ownership　verification,　and　proposes　two　equivalent　transformations　that　can　resist　collusion　attacks,　plus　a　newly　designed　similarity　loss　term　to　improve　the　security　of　the　transformations.　Unlike　the　existing　passive　defense　schemes　that　detect　colluding　participants,　we　introduce　an　active　defense　strategy,　namely　damaging　the　performance　of　the　model　after　the　malicious　collusion.　The　extensive　experimental　results　show　that　DeepDIST　can　maintain　the　accuracy　of　the　host　DNN　after　embedding　fingerprint　conducted　for　true　traitor　tracing,　and　is　robust　against　several　popular　model　modifications.　Furthermore,　the　anti-collusion　effect　is　evaluated　on　two　typical　classification　tasks　(10-class　and　100-class),　and　the　proposed　DeepDIST　can　drop　the　prediction　accuracy　of　the　collusion　model　to　10%　and　1%　(random　guess),　respectively.