Watermarking Recommender Systems

Sixiao Zhang, Cheng Long, Wei Yuan, Hongxu Chen, Hongzhi Yin

TL;DR

This paper introduces Autoregressive Out-of-distribution Watermarking (AOW), a novel technique tailored specifically for recommender systems that exhibits high-confidence extraction capabilities and maintains effectiveness even in the face of distillation and fine-tuning processes.

Abstract

Recommender systems embody significant commercial value and represent crucial intellectual property. However, the integrity of these systems is constantly challenged by malicious actors seeking to steal their underlying models. Safeguarding against such threats is paramount to upholding the rights and interests of the model owner. While model watermarking has emerged as a potent defense mechanism in various domains, its direct application to recommender systems remains unexplored and non-trivial. In this paper, we address this gap by introducing Autoregressive Out-of-distribution Watermarking (AOW), a novel technique tailored specifically for recommender systems. Our approach entails selecting an initial item and querying it through the oracle model, followed by the selection of subsequent items with small prediction scores. This iterative process generates a watermark sequence autoregressively, which is then ingrained into the model's memory through training. To assess the efficacy of the watermark, the model is tasked with predicting the subsequent item given a truncated watermark sequence. Through extensive experimentation and analysis, we demonstrate the superior performance and robust properties of AOW. Notably, our watermarking technique exhibits high-confidence extraction capabilities and maintains effectiveness even in the face of distillation and fine-tuning processes.

Paper Structure (29 sections, 4 figures, 7 tables)

Figures (4)

  • Figure 1: An illustration of AOW. (Left) Generation process of the watermark sequence $S_{wm}$. An initial item (blue) is used to query the oracle model to obtain a ranking list, and a random item (purple) ranked at the bottom is selected as the next item. Then the new $S_{wm}$ that contains two items is used to query the oracle to obtain the third item (yellow). This process is repeated autoregressively until $S_{wm}$ reaches a predefined length. (Right) The evaluation process of AOW. The watermark sequence $S_{wm}$ is truncated into several subsequences. The model needs to predict the next item for each truncated sequence. The validity of the watermark is evaluated by the ranking position of the next item.
  • Figure 2: Watermark validity vs. model utility after fine-tuning on ML-20M with the popular item as the initial item. Each point represents a model under different hyperparameters including the watermark length and the number of fine-tuning sequences. We report the NDCG@10 for the watermark validity in the y-axis, and the NDCG@10 for the model utility in the x-axis.
  • Figure 3: Watermark-to-data ratio on Steam with the popular initial item and watermark length 20. The x-axis denotes the WDR ratio, which is the weight of the watermark sequence to the weight of the regular training set. The blue plot and the left y-axis denote the recall@1 of the watermark. The red plot and the right y-axis denote the NDCG@10 of the model utility.
  • Figure 4: Model utility and watermark validity with different choices of M in selecting the next item from the bottom-M items. The dataset is ML-1M. The watermark length is 20 and the initial item is the cold item. For different M, the watermark validity is consistently 100%, which is represented by the red plot. Other plots represent the model utility of different M.
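The generation and verification loop described in the abstract and in Figure 1, together with the bottom-M selection of Figure 4 and the watermark-to-data weighting of Figure 3, as an added Python example that is not the paper's code. It assumes a toy count-based next-item recommender in place of the paper's neural models, constructed interaction data, and hypothetical function names (`generate_watermark`, `verify_watermark`, `run_demo`); the point is to show the protocol end to end, not to reproduce the paper's numbers.

```python
"""Toy AOW workflow: generate an out-of-distribution watermark sequence
autoregressively from an oracle, embed it by training, and verify it by
next-item prediction on truncated prefixes (example, not the paper's code)."""
import math
import random
from collections import defaultdict


class CountRecommender:
    """Assumed toy model: weighted transition counts from the last two items
    plus a tiny popularity prior that breaks ties among unseen transitions."""

    def __init__(self, n_items):
        self.n_items = n_items
        self.trans = defaultdict(float)   # (prev, next) -> weighted count
        self.pop = defaultdict(float)     # item -> weighted occurrences

    def fit(self, sequences, weight=1.0):
        """Incremental training. `weight` plays the role of the watermark-to-data
        ratio (WDR) when the watermark sequence is embedded."""
        for seq in sequences:
            for item in seq:
                self.pop[item] += weight
            for prev, nxt in zip(seq, seq[1:]):
                self.trans[(prev, nxt)] += weight

    def score(self, seq, cand):
        s = self.trans[(seq[-1], cand)]
        if len(seq) >= 2:
            s += 0.5 * self.trans[(seq[-2], cand)]
        return s + 1e-3 * self.pop[cand]

    def rank(self, seq):
        """Ranking list of items not yet in `seq`, best first; ties broken by id."""
        seen = set(seq)
        cands = [i for i in range(self.n_items) if i not in seen]
        return sorted(cands, key=lambda c: (-self.score(seq, c), c))


def generate_watermark(oracle, initial_item, length, bottom_m, rng):
    """AOW generation (Figure 1, left): query the oracle with the current
    sequence and append a random item from the bottom-M of its ranking."""
    s_wm = [initial_item]
    while len(s_wm) < length:
        ranking = oracle.rank(s_wm)
        s_wm.append(rng.choice(ranking[-bottom_m:]))
    return s_wm


def verify_watermark(model, s_wm, k=10):
    """AOW verification (Figure 1, right): for every truncated prefix, find the
    rank of the true next item. Returns (recall@1, NDCG@k) over all prefixes."""
    hits, dcg = 0, 0.0
    for cut in range(1, len(s_wm)):
        pos = model.rank(s_wm[:cut]).index(s_wm[cut]) + 1  # 1-based rank
        hits += 1 if pos == 1 else 0
        if pos <= k:
            dcg += 1.0 / math.log2(pos + 1)
    n = len(s_wm) - 1
    return hits / n, dcg / n


N_ITEMS = 30
# Constructed regular interaction data: user u walks items u, u+3, u+6, ...
REGULAR = [[(u + 3 * k) % N_ITEMS for k in range(6)] for u in range(20)]
# Constructed data a third party might fine-tune on (a different walk, +7)
FINE_TUNE_DATA = [[(u + 7 * k) % N_ITEMS for k in range(6)] for u in range(20)]


def run_demo(length=10, bottom_m=5, wdr=10.0, seed=7):
    rng = random.Random(seed)
    oracle = CountRecommender(N_ITEMS)
    oracle.fit(REGULAR)                       # the owner's clean model
    s_wm = generate_watermark(oracle, 0, length, bottom_m, rng)

    protected = CountRecommender(N_ITEMS)     # released model: regular data + watermark
    protected.fit(REGULAR)
    protected.fit([s_wm], weight=wdr)

    fine_tuned = CountRecommender(N_ITEMS)    # a stolen copy after further training
    fine_tuned.fit(REGULAR)
    fine_tuned.fit([s_wm], weight=wdr)
    fine_tuned.fit(FINE_TUNE_DATA)

    return {
        "watermark": s_wm,
        "protected": verify_watermark(protected, s_wm),
        "fine_tuned": verify_watermark(fine_tuned, s_wm),
        "clean": verify_watermark(oracle, s_wm),   # never trained on the watermark
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Because every watermark item was drawn from the bottom-M of the oracle's own ranking, a model that never saw the sequence ranks each next item far outside the top 10, so recall@1 and NDCG@10 are both 0 for the clean model; the embedded weight `wdr` dominates the regular transition counts, so the watermarked model and its fine-tuned copy recover every next item at rank 1. In a real deployment the same check is what distinguishes a model that memorised the owner's watermark from one that merely learned the same public data.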