Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Data Taggants: Dataset Ownership Verification via Harmless Targeted Data Poisoning

Wassim Bouaziz, Nicolas Usunier, El-Mahdi El-Mhamdi

TL;DR

The paper tackles the problem of verifying dataset ownership without relying on backdoors. It introduces data taggants, a black-box verification method that signs data via secret key pairs using gradient-matching-based clean-label perturbations, plus a statistically principled top-k test for detection. Empirical results on ImageNet1k demonstrate high detection confidence with negligible impact on model performance and strong robustness to architectures, data augmentations, and dataset changes. The work offers practical, theoretically grounded guarantees against false positives and provides a pathway toward reliable authentication of training data usage in real-world deployments.

Abstract

Dataset ownership verification, the process of determining if a dataset is used in a model's training data, is necessary for detecting unauthorized data usage and data contamination. Existing approaches, such as backdoor watermarking, rely on inducing a detectable behavior into the trained model on a part of the data distribution. However, these approaches have limitations, as they can be harmful to the model's performances or require unpractical access to the model's internals. Most importantly, previous approaches lack guarantee against false positives. This paper introduces data taggants, a novel non-backdoor dataset ownership verification technique. Our method uses pairs of out-of-distribution samples and random labels as secret keys, and leverages clean-label targeted data poisoning to subtly alter a dataset, so that models trained on it respond to the key samples with the corresponding key labels. The keys are built as to allow for statistical certificates with black-box access only to the model. We validate our approach through comprehensive and realistic experiments on ImageNet1k using ViT and ResNet models with state-of-the-art training recipes. Our findings demonstrate that data taggants can reliably detect models trained on the protected dataset with high confidence, without compromising validation accuracy, and show their superiority over backdoor watermarking. We demonstrate the stealthiness and robustness of our method against various defense mechanisms.

Data Taggants: Dataset Ownership Verification via Harmless Targeted Data Poisoning

TL;DR

The paper tackles the problem of verifying dataset ownership without relying on backdoors. It introduces data taggants, a black-box verification method that signs data via secret key pairs using gradient-matching-based clean-label perturbations, plus a statistically principled top-k test for detection. Empirical results on ImageNet1k demonstrate high detection confidence with negligible impact on model performance and strong robustness to architectures, data augmentations, and dataset changes. The work offers practical, theoretically grounded guarantees against false positives and provides a pathway toward reliable authentication of training data usage in real-world deployments.

Abstract

Dataset ownership verification, the process of determining if a dataset is used in a model's training data, is necessary for detecting unauthorized data usage and data contamination. Existing approaches, such as backdoor watermarking, rely on inducing a detectable behavior into the trained model on a part of the data distribution. However, these approaches have limitations, as they can be harmful to the model's performances or require unpractical access to the model's internals. Most importantly, previous approaches lack guarantee against false positives. This paper introduces data taggants, a novel non-backdoor dataset ownership verification technique. Our method uses pairs of out-of-distribution samples and random labels as secret keys, and leverages clean-label targeted data poisoning to subtly alter a dataset, so that models trained on it respond to the key samples with the corresponding key labels. The keys are built as to allow for statistical certificates with black-box access only to the model. We validate our approach through comprehensive and realistic experiments on ImageNet1k using ViT and ResNet models with state-of-the-art training recipes. Our findings demonstrate that data taggants can reliably detect models trained on the protected dataset with high confidence, without compromising validation accuracy, and show their superiority over backdoor watermarking. We demonstrate the stealthiness and robustness of our method against various defense mechanisms.

Paper Structure

This paper contains 46 sections, 1 theorem, 4 equations, 9 figures, 14 tables.

Table of Contents

  1. Introduction
  2. Related work
  3. Steganography and Watermarking.
  4. Dataset ownership verification.
  5. Data poisoning.
  6. Membership inference attacks.
  7. Data Taggants
  8. Overview and technical background
  9. Signing the data in practice
  10. Generating the secret keys.
  11. Parallelized and clean-label perturbations.
  12. Taggant objective function with differentiable data augmentations.
  13. Perceptual loss.
  14. Random restarts.
  15. Detection
  16. ...and 31 more sections

Key Result

Proposition 1

Under $\mathcal{H}_{0}$, model $h$ has, in expectation, a top-$k$ accuracy of $\frac{k}{|\mathcal{Y}|}$ on the set of keys $\mathcal{D}_{K}$, where $|\mathcal{Y}|$ is the number of possible labels.

Figures (9)

  • Figure 1: Application scenario of data taggants. Signing: Alice signs her dataset (adds the taggants corresponding to the keys) before publishing it. Detection: Alice determines if Bob used her dataset by running a statistical test based on Bob's model's predictions on the keys.
  • Figure 2: Illustration of our method: Alice optimizes image-wise signatures for images in the signing set by maximizing the alignment between the gradients of the signed images $\nabla_{\theta}^{(signed)}$, and the gradient of the key $\nabla_{\theta}^{(key)}$. The resulting images and their labels are the data taggants.
  • Figure 3: Pairs of data taggants crafted without perceptual loss (left) vs with perceptual loss (right).
  • Figure 4: ROC curves for defense against data poisoning methods in the detection of data taggants.
  • Figure 5: ROC curve for DBSCAN anomaly detection method.
  • ...and 4 more figures

Theorems & Definitions (2)

  • Proposition 1
  • proof