SSCL-BW: Sample-Specific Clean-Label Backdoor Watermarking for Dataset Ownership Verification

Yingjia Wang, Ting Qiao, Xing Liu, Chongzuo Li, Sixing Wu, Jianbin Li

TL;DR

SSCL-BW addresses dataset ownership verification by embedding sample-specific clean-label backdoor watermarks using a U-Net-based watermark generator. It introduces a three-component loss $L = a L_t + b L_{nt} + c L_{lpips}$ to enforce target and non-target behavior while preserving perceptual quality. The method embeds watermarks into a subset of target-class samples and uses black-box verification with a hypothesis test to detect unauthorized use, achieving high $\Delta P$ and low p-values while remaining robust to watermark removal and model architecture changes. Experiments on CIFAR-10, Sub-ImageNet and MNIST demonstrate strong watermarking efficacy, verification reliability, and transferability, supporting practical dataset copyright protection.

Abstract

The rapid advancement of deep neural networks (DNNs) heavily relies on large-scale, high-quality datasets. However, unauthorized commercial use of these datasets severely violates the intellectual property rights of dataset owners. Existing backdoor-based dataset ownership verification methods suffer from inherent limitations: poison-label watermarks are easily detectable due to label inconsistencies, while clean-label watermarks face high technical complexity and failure on high-resolution images. Moreover, both approaches employ static watermark patterns that are vulnerable to detection and removal. To address these issues, this paper proposes a sample-specific clean-label backdoor watermarking (i.e., SSCL-BW). By training a U-Net-based watermarked sample generator, this method generates unique watermarks for each sample, fundamentally overcoming the vulnerability of static watermark patterns. The core innovation lies in designing a composite loss function with three components: target sample loss ensures watermark effectiveness, non-target sample loss guarantees trigger reliability, and perceptual similarity loss maintains visual imperceptibility. During ownership verification, black-box testing is employed to check whether suspicious models exhibit predefined backdoor behaviors. Extensive experiments on benchmark datasets demonstrate the effectiveness of the proposed method and its robustness against potential watermark removal attacks.
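
The black-box verification step described above, as an added example that is not code from the paper. The page does not say which hypothesis test is used, so this example assumes a one-sided paired sign-flip permutation test with a margin `tau` on the suspicious model's target-class probabilities; the function names, `tau`, `alpha` and all probability values are constructed for illustration.

```python
import random
from statistics import mean

def delta_p(p_benign, p_marked):
    """Mean rise in target-class probability when the watermark is added."""
    return mean(w - b for b, w in zip(p_benign, p_marked))

def verify(p_benign, p_marked, tau=0.2, alpha=0.01, n_perm=10000, seed=0):
    """One-sided paired sign-flip permutation test.

    H0: mean(P_w - P_b) <= tau   (model does not react to the watermark)
    H1: mean(P_w - P_b) >  tau   (model shows the backdoor behaviour)
    tau and alpha are assumed values, not taken from the paper.
    Returns (delta_p, p_value, ownership_claimed).
    """
    # Shift each paired difference by the margin; at the H0 boundary the
    # shifted differences are assumed symmetric around 0, so signs can be flipped.
    d = [w - b - tau for b, w in zip(p_benign, p_marked)]
    observed = sum(d)
    rng = random.Random(seed)
    hits = 0
    for _ in range(n_perm):
        permuted = sum(x if rng.random() < 0.5 else -x for x in d)
        hits += permuted >= observed
    p_value = (hits + 1) / (n_perm + 1)  # add-one keeps p_value > 0
    return delta_p(p_benign, p_marked), p_value, p_value < alpha

def constructed_queries(n, reacts_to_watermark, seed):
    """Constructed stand-in for black-box queries on non-target-class samples:
    target-class probability before (benign) and after (marked) watermarking."""
    rng = random.Random(seed)
    benign = [rng.uniform(0.01, 0.10) for _ in range(n)]
    if reacts_to_watermark:   # model trained on the watermarked dataset
        marked = [rng.uniform(0.70, 0.99) for _ in range(n)]
    else:                     # independently trained model
        marked = [max(0.0, b + rng.uniform(-0.03, 0.03)) for b in benign]
    return benign, marked

if __name__ == "__main__":
    for label, reacts in (("trained on watermarked data", True),
                          ("independent model", False)):
        dp, p, claimed = verify(*constructed_queries(100, reacts, seed=1))
        print(f"{label}: delta_P={dp:.3f} p={p:.4f} claim={claimed}")
```

The margin `tau` guards against false ownership claims: a model that merely shifts slightly on perturbed inputs yields a small $\Delta P$ and a large p-value, so no claim is made.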

Paper Structure

This paper contains 24 sections, 6 equations, 6 figures, 2 tables.

Figures (6)

  • Figure 1: Comparison of existing backdoor watermarking approaches with SSCL-BW. (a) Existing methods include poison-label (requiring label modification and easily detectable) and clean-label (complex embedding with poor performance on high-resolution images); (b) Our SSCL-BW generates sample-specific watermarks with label consistency, achieving both stealthiness and effectiveness.
  • Figure 2: The main pipeline of our SSCL-BW consists of four main steps. First, we train a watermark sample generator based on the U-Net architecture, with a loss function composed of target loss, non-target loss, and perceptual similarity loss. Second, the generator is used to embed watermarks into a subset of target-class samples, which are then combined with the remaining data to construct a watermarked dataset. Third, we simulate the user’s model training process on this dataset. Finally, we perform a hypothesis test to determine whether a suspicious model misclassifies watermarked samples from non-target classes, thereby verifying whether it was trained on the watermarked dataset.
  • Figure 3: The example of samples involved in different backdoor watermarks
  • Figure 4: Effects of $\gamma$ and $l_{\infty}$ limit on SSCL-BW performance.
  • Figure 5: Resistance of SSCL-BW to fine-tuning and pruning
  • ...and 1 more figures