Dataset Ownership Verification in Contrastive Pre-trained Models

Yuechen Xie, Jie Song, Mengqi Xue, Haofei Zhang, Xingen Wang, Bingde Hu, Genlang Chen, Mingli Song

TL;DR

This work tackles dataset ownership verification for self-supervised, contrastive pre-trained models under a black-box API setting. It introduces the contrastive relationship gap, built from unary and binary relationship cues in embedding space, and a three-stage workflow including a shadow encoder, multi-scale augmentation, and hypothesis testing to decide if a defender’s public dataset was used. Empirical results across CIFAR, ImageNet-scale experiments, and several contrastive methods (SimCLR, BYOL, SimSiam, MOCO v3, DINO) demonstrate statistically significant detection with $p<0.05$, outperforming existing baselines and remaining robust under privacy-preserving training and fine-tuning. The approach offers a fast, data-efficient tool for dataset protection in open-source, self-supervised regimes and has practical implications for safeguarding dataset rights in modern deep learning pipelines.

Abstract

High-quality open-source datasets, which necessitate substantial efforts for curation, have become the primary catalyst for the swift progress of deep learning. Concurrently, protecting these datasets is paramount for the well-being of the data owner. Dataset ownership verification emerges as a crucial method in this domain, but existing approaches are often limited to supervised models and cannot be directly extended to increasingly popular unsupervised pre-trained models. In this work, we propose the first dataset ownership verification method tailored specifically for self-supervised pre-trained models by contrastive learning. Its primary objective is to ascertain whether a suspicious black-box backbone has been pre-trained on a specific unlabeled dataset, aiding dataset owners in upholding their rights. The proposed approach is motivated by our empirical insights that when models are trained with the target dataset, the unary and binary instance relationships within the embedding space exhibit significant variations compared to models trained without the target dataset. We validate the efficacy of this approach across multiple contrastive pre-trained models including SimCLR, BYOL, SimSiam, MOCO v3, and DINO. The results demonstrate that our method rejects the null hypothesis with a $p$-value markedly below $0.05$, surpassing all previous methodologies. Our code is available at https://github.com/xieyc99/DOV4CL.

Paper Structure

This paper contains 38 sections, 11 equations, 8 figures, 18 tables.

Figures (8)

  • Figure 1: The overview of the two key observations. The representations are visualized using t-SNE. The encoder is a ResNet18 pre-trained on CIFAR10 with BYOL (Grill et al., 2020).
  • Figure 2: The overview of our method (best viewed in color).
  • Figure 3: Experimental results of three methods on CIFAR10 (first row) and ImageNette (second row). Each value is an average of 3 trials. Each pattern represents a suspicious model trained using a specific architecture, contrastive learning method, and dataset. 'SimCLR-VGG16' represents VGG16 trained using SimCLR, and the rest follow similarly. 'CIFAR10-1' and 'CIFAR10-2' are the two non-overlapping random halves of the CIFAR10 training set, and similarly for 'ImageNette-1' and 'ImageNette-2'. $\mathcal{D}_{pub}$ is CIFAR10-1 and ImageNette-1 in the two cases respectively. We consider illegal/legal behavior as positive/negative cases and classify each situation based on its $p$-value. The datasets in parentheses on the x-axis are $\mathcal{D}_{sus}$.
  • Figure 4: The impact of the ratio of $\mathcal{D}_{pub}$ to $\mathcal{D}_{pub}\cup\mathcal{D}_{alt}$ on our method. Each point is the $p$-value (log-transformed) of the model trained on the corresponding dataset.
  • Figure 5: The $p$-values obtained using pre-trained ResNet50 on ImageNet with different $k_{pub}$ and $k_{pvt}$ values. Each heatmap corresponds to the results of a different training algorithm; the panels show, in order, SimCLR, BYOL, SimSiam, and MoCo v3.
  • ...and 3 more figures

Theorems & Definitions (3)

  • Definition 1: Contrastive Relationship Gap
  • Definition 2: Unary Relationship Similarity Set
  • Definition 3: Binary Relationship Similarity Set