SoK: Dataset Copyright Auditing in Machine Learning Systems

Linkang Du, Xuanru Zhou, Min Chen, Chusong Zhang, Zhou Su, Peng Cheng, Jiming Chen, Zhikun Zhang

TL;DR

This SoK systematically surveys dataset copyright auditing in ML systems, separating intrusive (watermark-based) from non-intrusive (fingerprint-based) approaches and detailing their subcategories, strengths, and weaknesses. It formalizes the auditing problem with a binary decision function $g$ over inputs and model outputs, and analyzes how data preparation, training, and deployment affect auditing effectiveness. Through empirical benchmarks on datasets like CIFAR-10/100 and PubFig with ResNet-18 and VGG-19, it shows that intrusive methods often yield higher auditing accuracy in ideal conditions but can harm normal model performance, while non-intrusive methods offer stealth but may be less robust under certain deployments. The paper identifies open challenges and proposes directions toward a holistic evaluation toolbox, copyright auditing for large multilingual multimodal models, and formal guarantees for auditing outcomes, aiming to bridge theory and real-world copyright protection in ML systems.

Abstract

As machine learning (ML) systems become more widespread, especially with the introduction of larger ML models, demand for massive data is surging. This demand inevitably leads to infringement and misuse of data, such as using unauthorized online artworks or face images to train ML models. To address this problem, many efforts have been made to audit the copyright of the model training dataset. However, existing solutions vary in auditing assumptions and capabilities, making it difficult to compare their strengths and weaknesses. In addition, robustness evaluations usually consider only part of the ML pipeline and hardly reflect the performance of algorithms in real-world ML applications. Thus, it is essential to take a practical deployment perspective on the current dataset copyright auditing tools, examining their effectiveness and limitations. Concretely, we categorize dataset copyright auditing research into two prominent strands: intrusive methods and non-intrusive methods, depending on whether they require modifications to the original dataset. Then, we break down the intrusive methods into different watermark injection options and examine the non-intrusive methods using various fingerprints. To summarize our results, we offer detailed reference tables, highlight key points, and pinpoint unresolved issues in the current literature. By combining the pipeline in ML systems and analyzing previous studies, we highlight several future directions to make auditing tools more suitable for real-world copyright protection requirements.

Paper Structure

This paper contains 39 sections, 2 equations, 8 figures, 8 tables.

Figures (8)

  • Figure 1: A typical application scenario of the existing dataset copyright auditing mechanisms.
  • Figure 2: A typical workflow of backdoor-based dataset auditing. The above illustrates the watermark injection process. These watermarks are extracted from the model's output in the model deployment phase. Depending on the model access permissions, the validation process can be categorized into two types: probability-based and label-only.
  • Figure 3: A typical workflow of radioactive data-based auditing. The above illustrates the watermark injection process. These watermarks are extracted from the model output after training. The auditor determines if dataset infringement has occurred by detecting the shifts in the statistical characteristics of the model's outputs.
  • Figure 4: A typical workflow of style transformation-based auditing. The above illustrates the watermark injection process. These watermarks are extracted from the model output post-training. The auditor conducts the audit based on the prediction of the model on the style-transferred images.
  • Figure 5: A typical workflow of decision boundary-based auditing. The existing solutions can be categorized into three types by different validation processes.
  • ...and 3 more figures
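
The label-only validation mentioned in the Figure 2 caption can be written as a binary decision function $g$ over probe inputs and the labels a suspect model returns. The sketch below is an added example, not code from the paper: the one-sided binomial test, the 0.1 base rate (a 10-class task), the 0.01 significance level, and the two toy models are assumptions made for illustration.

```python
from math import comb

def binom_tail(k, n, p):
    """Exact one-sided p-value P[X >= k] for X ~ Binomial(n, p)."""
    return sum(comb(n, i) * p**i * (1 - p)**(n - i) for i in range(k, n + 1))

def g(model, probes, target_label, base_rate, alpha=0.01):
    """Binary audit decision from labels only.

    Returns (decision, hits, p_value). decision is 1 when the suspect model
    maps trigger-stamped probes to target_label far more often than the
    base_rate expected from a model that never saw the watermarked data.
    """
    if not probes:
        raise ValueError("need at least one probe input")
    hits = sum(1 for x in probes if model(x) == target_label)
    p_value = binom_tail(hits, len(probes), base_rate)
    return (1 if p_value < alpha else 0), hits, p_value

# Constructed stand-ins for a deployed black-box model (assumptions).
# An input is (sample_id, has_trigger); the "true" class is sample_id % 10.
TARGET = 7

def clean_model(x):
    sample_id, _ = x
    return sample_id % 10  # ignores the trigger entirely

def watermarked_model(x):
    sample_id, has_trigger = x
    if has_trigger and sample_id % 4 != 0:  # backdoor fires on 3 of 4 probes
        return TARGET
    return sample_id % 10

PROBES = [(i, True) for i in range(40)]  # 40 trigger-stamped queries
BASE_RATE = 0.1                          # chance of TARGET under the null

if __name__ == "__main__":
    for name, m in [("clean", clean_model), ("watermarked", watermarked_model)]:
        decision, hits, p = g(m, PROBES, TARGET, BASE_RATE)
        print(f"{name}: hits={hits}/40 p={p:.3g} decision={decision}")
```

In practice the base rate should be measured on a reference model known not to have trained on the watermarked data, since the auditor's false-positive rate depends on it.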