
From Zero to Hero: Detecting Leaked Data through Synthetic Data Injection and Model Querying

Biao Wu, Qiang Huang, Anthony K. H. Tung

TL;DR

This paper tackles the risk of leaked tabular data being used to train models by introducing Local Distribution Shifting Synthesis (LDSS), a model-oblivious method that injects carefully crafted synthetic data into the owner’s dataset to create local distribution shifts. By transforming data into a compact numerical space, identifying large empty local regions, and generating synthetic samples within those regions, LDSS ensures models trained on the modified data behave differently on trigger samples, enabling black-box detection through model querying. The approach maintains model fidelity on genuine data, resists removal or dilution attacks, and demonstrates strong reliability and robustness across seven classifiers and five real-world datasets, with an extension to regression tasks. Overall, LDSS offers a practical mechanism to verify dataset ownership and protect data IP in black-box ML deployment scenarios, expanding the focus from model IP to dataset IP protection.
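The inject-then-query loop summarised above (and pictured in the Figure 3 caption below: fill an empty ball with a few points carrying the locally shifted label, then check whether a suspect model answers trigger queries from that ball with the injected label) can be followed end to end on toy data. The block below is an added illustration, not the authors' LDSS implementation: it uses a constructed 2-D dataset with a deliberately carved-out hole standing in for a naturally sparse region, a plain k-NN majority vote in place of the paper's seven classifiers, a grid scan for the largest empty ball, and injection/trigger radii (70% and 50% of the ball) that are this example's own choices.

```python
"""Toy walk-through of the LDSS idea: find a large empty ball, inject a few
synthetic points there with a locally shifted label, then detect a model
trained on the modified data by querying it on trigger samples from the ball.
Added example (not the authors' code); standard library only."""
import math
import random
from collections import Counter


def make_dataset(n=400, seed=1, hole=((0.7, 0.5), 0.15)):
    """Constructed sample data: label 1 if x < 0.5 else 0, with a disc
    (`hole`) left empty to mimic a sparse local region."""
    rng = random.Random(seed)
    (hx, hy), hr = hole
    data = []
    while len(data) < n:
        x, y = rng.random(), rng.random()
        if math.hypot(x - hx, y - hy) < hr:
            continue
        data.append(((x, y), 1 if x < 0.5 else 0))
    return data


def dist(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])


def knn_predict(train, point, k=3):
    """Majority vote of the k nearest training points: the stand-in 'model'."""
    nearest = sorted(train, key=lambda row: dist(row[0], point))[:k]
    return Counter(label for _, label in nearest).most_common(1)[0][0]


def find_empty_ball(data, step=0.02):
    """Grid-scan candidate centres; keep the one whose nearest genuine point
    is farthest away, i.e. the largest empty ball (assumed search strategy)."""
    best_center, best_radius = None, -1.0
    steps = int(round(1.0 / step))
    for i in range(1, steps):
        for j in range(1, steps):
            c = (i * step, j * step)
            r = min(dist(c, p) for p, _ in data)
            if r > best_radius:
                best_center, best_radius = c, r
    return best_center, best_radius


def shifted_label(data, center, k=10):
    """Rarest label among the k genuine points closest to the ball; injecting
    it is what creates the local class-distribution shift."""
    nearest = sorted(data, key=lambda row: dist(row[0], center))[:k]
    counts = Counter(label for _, label in nearest)
    labels = sorted({label for _, label in data})
    return min(labels, key=lambda lab: (counts.get(lab, 0), lab))


def sample_in_ball(center, radius, n, rng):
    pts = []
    while len(pts) < n:
        x = center[0] + rng.uniform(-radius, radius)
        y = center[1] + rng.uniform(-radius, radius)
        if dist((x, y), center) <= radius:
            pts.append((x, y))
    return pts


def inject(data, center, radius, label, n_inject=16, seed=2):
    """D_mod = D_orig + a few synthetic points well inside the ball."""
    rng = random.Random(seed)
    synthetic = [(p, label) for p in sample_in_ball(center, 0.7 * radius, n_inject, rng)]
    return data + synthetic, synthetic


def trigger_accuracy(train, center, radius, label, n_trigger=20, seed=3, k=3):
    """Black-box check: share of trigger queries answered with the injected label."""
    rng = random.Random(seed)
    triggers = sample_in_ball(center, 0.5 * radius, n_trigger, rng)
    return sum(knn_predict(train, t, k) == label for t in triggers) / n_trigger


def accuracy(train, test, k=3):
    """Fidelity check on genuine held-out data."""
    return sum(knn_predict(train, p, k) == y for p, y in test) / len(test)


def run_demo():
    d_orig = make_dataset(seed=1)
    d_test = make_dataset(seed=7)  # genuine held-out data, same distribution
    center, radius = find_empty_ball(d_orig)
    label = shifted_label(d_orig, center)
    d_mod, _ = inject(d_orig, center, radius, label)
    return {
        "center": center, "radius": radius, "label": label,
        "trigger_orig": trigger_accuracy(d_orig, center, radius, label),
        "trigger_mod": trigger_accuracy(d_mod, center, radius, label),
        "test_orig": accuracy(d_orig, d_test),
        "test_mod": accuracy(d_mod, d_test),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The two numbers to compare are `trigger_orig` and `trigger_mod`: a model that never saw the injected points keeps predicting the surrounding majority label inside the ball, while one trained on the modified dataset answers with the injected label, so a large gap on trigger queries is the leak signal. `test_orig` versus `test_mod` shows why the injection has to sit in an empty region: genuine data never lands there, so fidelity on held-out points barely moves.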

Abstract

Safeguarding the Intellectual Property (IP) of data has become critically important as machine learning applications continue to proliferate, and their success heavily relies on the quality of training data. While various mechanisms exist to secure data during storage, transmission, and consumption, fewer studies have been developed to detect whether data have already been leaked for model training without authorization. This issue is particularly challenging due to the absence of information and control over the training process conducted by potential attackers. In this paper, we concentrate on the domain of tabular data and introduce a novel methodology, Local Distribution Shifting Synthesis (LDSS), to detect leaked data that are used to train classification models. The core concept behind LDSS involves injecting a small volume of synthetic data, characterized by local shifts in class distribution, into the owner's dataset. This enables the effective identification of models trained on leaked data through model querying alone, as the synthetic data injection results in a pronounced disparity in the predictions of models trained on leaked and modified datasets. LDSS is model-oblivious and hence compatible with a diverse range of classification models. We have conducted extensive experiments on seven types of classification models across five real-world datasets. The comprehensive results affirm the reliability, robustness, fidelity, security, and efficiency of LDSS. Extending LDSS to regression tasks further highlights its versatility and efficacy compared with baseline methods.

Paper Structure (43 sections, 5 equations, 13 figures, 3 tables, 2 algorithms)

Figures (13)

  • Figure 1: Overall flow of LDSS.
  • Figure 2: Data transformation results using different pivot selection methods. Note that in the random-selection result, both pivots come from original samples, while in the value-frequency result, both pivots are constructed based on value frequency. The sample-transformation panel presents the final results using random selection and value frequency, which map to those two results, respectively.
  • Figure 3: An example illustrating the injection of synthetic samples into an empty ball. By injecting four dark blue points with labels identical to the light blue ones, a model trained on this modified dataset $\mathcal{D}_{mod}$ is more likely to predict samples within the grey circle as blue rather than red.
  • Figure 4: Trigger accuracy (%) of classification models trained with and without $\mathcal{D}_{inj}$.
  • Figure 5: Training and testing accuracy (%) of classification models trained on $\mathcal{D}_{orig}$ and $\mathcal{D}_{mod}$.
  • ...and 8 more figures

Theorems & Definitions (2)

  • Example 1
  • Example 2