Dataset ownership verification with invisible backdoors

Research output: Contribution to journal › Article › peer-review

Abstract

Dataset ownership verification (DOV) enables an individual to confirm their ownership of the training dataset for an AI model. DOV is particularly valuable in situations where a model is believed to have used copyrighted datasets for training without obtaining permission. Invisible backdoor watermarking provides proof of ownership through human-invisible backdoors. However, real-world AI environments like MLaaS may deploy defense models that deactivate both adversarial backdoors and useful watermarks. In this paper, we propose a novel DOV method that improves the stealthiness of invisible backdoors. Specifically, invisible backdoors with a high attack success rate (ASR) are typically detected, whereas those with a low ASR are undetectable. In our scheme, we prove how to employ backdoors with low ASR but at the same time achieve significantly higher DOV success rates. This is accomplished through the training of two distinct models: a watermarked model and a verification model. The verification model is trained and tested using the differences between the output confidence vectors, where these vectors are obtained by inputting watermarked and clean image pairs into watermarked models. With this approach, we achieve on average a high DOV success rate of 94.61% on four representative image datasets: CIFAR10, CIFAR100, GTSRB, and Tiny ImageNet.

Original language: English
Article number: 1116
Journal: Applied Intelligence
Volume: 55
Issue number: 17
State: Published - Nov 2025

Keywords

  • Backdoor attack
  • Dataset ownership verification
  • Watermarking
