defense 2025

DSSmoothing: Toward Certified Dataset Ownership Verification for Pre-trained Language Models via Dual-Space Smoothing

Ting Qiao 1, Xing Liu 2, Wenke Huang 3, Jianbin Li 1, Zhaoxin Fan 4, Yiming Li 5

1 citation · 42 references · arXiv


Published on arXiv

2510.15303

Output Integrity Attack

OWASP ML Top 10 — ML09

Key Finding

DSSmoothing achieves stable and reliable dataset ownership verification for PLMs with provable certified robustness under bounded dual-space perturbations and resistance to adaptive attacks.

DSSmoothing

Novel technique introduced


Large web-scale datasets have driven the rapid advancement of pre-trained language models (PLMs), but unauthorized data usage has raised serious copyright concerns. Existing dataset ownership verification (DOV) methods typically assume that watermarks remain stable during inference; however, this assumption often fails under natural noise and adversary-crafted perturbations. We propose the first certified dataset ownership verification method for PLMs under a gray-box setting (i.e., the defender can only query the suspicious model but is aware of its input representation module), based on dual-space smoothing (i.e., DSSmoothing). To address the challenges of text discreteness and semantic sensitivity, DSSmoothing introduces continuous perturbations in the embedding space to capture semantic robustness and applies controlled token reordering in the permutation space to capture sequential robustness. DSSmoothing consists of two stages: in the first stage, triggers are collaboratively embedded in both spaces to generate norm-constrained and robust watermarked datasets; in the second stage, randomized smoothing is applied in both spaces during verification to compute the watermark robustness (WR) of suspicious models and statistically compare it with the principal probability (PP) values of a set of benign models. Theoretically, DSSmoothing provides provable robustness guarantees for dataset ownership verification by ensuring that WR consistently exceeds PP under bounded dual-space perturbations. Extensive experiments on multiple representative web datasets demonstrate that DSSmoothing achieves stable and reliable verification performance and exhibits robustness against potential adaptive attacks. Our code is available at https://github.com/NcepuQiaoTing/DSSmoothing.
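The abstract describes verification as a two-stage procedure: watermark the dataset with a norm-bounded trigger, then estimate the suspect model's watermark robustness (WR) under noise in both the embedding and permutation spaces and compare it statistically with the principal probability (PP) of benign models. The following toy is an added illustration of that flow, not code from the paper or from the DSSmoothing repository. Everything in it is constructed and assumed: the embedding table, the secret watermark direction `W_DIR`, the hand-coded stand-ins for a watermarked and for benign models (no training takes place), the Gaussian/adjacent-swap noise model, the Wilson interval used for the comparison, and the embedding-space radius, which is the standard Gaussian-smoothing bound of Cohen et al. rather than the paper's own dual-space theorem.

```python
# Added toy illustration of dual-space randomized smoothing for dataset
# ownership verification. Constructed example: models, embedding table,
# watermark direction and thresholds are made up and are NOT the
# DSSmoothing reference implementation.
import math
import random
from statistics import NormalDist

random.seed(7)

DIM = 8        # embedding dimension of the toy models (assumed)
VOCAB = 50     # vocabulary size (assumed)
SEQ_LEN = 6    # tokens per sample (assumed)
TARGET = 1     # label the watermark is meant to elicit
SIGMA = 0.5    # embedding-space Gaussian noise scale (assumed)
SWAPS = 2      # permutation-space noise: adjacent token swaps per draw (assumed)

# Gray-box assumption from the abstract: the defender knows the input
# representation module, modelled here as a fixed embedding table.
EMBED = {t: [random.gauss(0, 1) for _ in range(DIM)] for t in range(VOCAB)}

def unit(vec):
    norm = math.sqrt(sum(x * x for x in vec))
    return [x / norm for x in vec]

# Secret watermark direction; watermarked tokens carry a norm-bounded shift along it.
W_DIR = unit([random.gauss(0, 1) for _ in range(DIM)])

def watermark_sample(tokens, strength=2.0):
    """Stage 1 (toy): embed the trigger as an L2 shift of size `strength`
    along W_DIR on every token embedding (the watermark's norm constraint)."""
    return [[v + strength * d for v, d in zip(EMBED[t], W_DIR)] for t in tokens]

def perturb(vecs, sigma=SIGMA, swaps=SWAPS):
    """Dual-space noise: Gaussian noise on every coordinate (embedding space)
    followed by random adjacent token swaps (permutation space)."""
    noisy = [[v + random.gauss(0, sigma) for v in vec] for vec in vecs]
    for _ in range(swaps):
        i = random.randrange(len(noisy) - 1)
        noisy[i], noisy[i + 1] = noisy[i + 1], noisy[i]
    return noisy

def suspicious_model(vecs):
    """Stand-in for a model trained on the watermarked data: its decision is
    driven by the mean projection onto W_DIR, so it answers TARGET on
    watermarked inputs regardless of token order and despite moderate noise."""
    mean = [sum(col) / len(vecs) for col in zip(*vecs)]
    return TARGET if sum(m * d for m, d in zip(mean, W_DIR)) > 1.0 else 0

def make_benign_model(seed):
    """A model that never saw the watermark: decides on a direction orthogonal
    to W_DIR using the first token only, so it is order-sensitive and
    indifferent to the trigger. Its TARGET rate plays the role of PP."""
    rng = random.Random(seed)
    b = [rng.gauss(0, 1) for _ in range(DIM)]
    dot = sum(x * w for x, w in zip(b, W_DIR))
    b = unit([x - dot * w for x, w in zip(b, W_DIR)])   # remove the W_DIR component
    return lambda vecs: TARGET if sum(v * d for v, d in zip(vecs[0], b)) > 0 else 0

def smoothed_rate(model, samples, n):
    """Monte Carlo estimate of P[model(perturb(x)) == TARGET] over the watermarked set."""
    return sum(model(perturb(random.choice(samples))) == TARGET for _ in range(n)) / n

def wilson_bounds(p_hat, n, z=2.576):
    """Two-sided 99% Wilson score interval for a binomial proportion."""
    denom = 1 + z * z / n
    centre = (p_hat + z * z / (2 * n)) / denom
    half = z * math.sqrt(p_hat * (1 - p_hat) / n + z * z / (4 * n * n)) / denom
    return max(0.0, centre - half), min(1.0, centre + half)

def certified_radius(wr_lower, sigma=SIGMA):
    """Embedding-space part only: the standard Gaussian-smoothing radius
    (Cohen et al.), sigma * Phi^-1(p), for a binary decision with p > 1/2.
    The paper's own dual-space bound is not reproduced here."""
    return sigma * NormalDist().inv_cdf(wr_lower) if wr_lower > 0.5 else 0.0

def verify(model, benign_models, wm_samples, n=600):
    """Stage 2 (toy): WR of the suspect versus the largest PP among benign models,
    compared through confidence bounds rather than point estimates."""
    wr = smoothed_rate(model, wm_samples, n)
    pp = max(smoothed_rate(b, wm_samples, n) for b in benign_models)
    wr_low, _ = wilson_bounds(wr, n)
    _, pp_high = wilson_bounds(pp, n)
    return {"WR": wr, "PP": pp, "verified": wr_low > pp_high,
            "radius": certified_radius(wr_low)}

def run_verification(seed=7, n_samples=200, n_draws=600):
    """Build a constructed watermarked dataset, then verify one watermarked
    and one clean suspect against a set of five benign models."""
    random.seed(seed)
    texts = [[random.randrange(VOCAB) for _ in range(SEQ_LEN)] for _ in range(n_samples)]
    wm_samples = [watermark_sample(t) for t in texts]
    benign = [make_benign_model(s) for s in range(5)]
    return {"watermarked_suspect": verify(suspicious_model, benign, wm_samples, n_draws),
            "clean_suspect": verify(make_benign_model(99), benign, wm_samples, n_draws)}

if __name__ == "__main__":
    for name, res in run_verification().items():
        print(f"{name}: WR={res['WR']:.3f} PP={res['PP']:.3f} "
              f"verified={res['verified']} embedding_radius={res['radius']:.3f}")
```

The point the toy makes is the one the abstract states: a decision is only accepted when the lower confidence bound of WR clears the upper bound of every benign model's PP, so Monte Carlo noise in either estimate cannot by itself produce a false ownership claim, and the clean suspect (a benign model the verifier has never seen) is correctly rejected. Replacing the Wilson bounds with an exact binomial test and the radius with the paper's dual-space guarantee would be the next refinements in a real implementation.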


Key Contributions

  • First certified dataset ownership verification (DOV) method for PLMs in a gray-box setting, using randomized smoothing across two complementary spaces
  • Dual-space trigger embedding: continuous perturbations in the embedding space (semantic robustness) and token reordering in the permutation space (sequential robustness)
  • Provable robustness guarantees ensuring watermark robustness (WR) statistically exceeds principal probability (PP) of benign models under bounded dual-space perturbations

🛡️ Threat Analysis

Output Integrity Attack

Watermarks are embedded in TRAINING DATA (not model weights) to detect unauthorized use — this is data provenance and content integrity, not model IP theft. Per classification rules, training data watermarking to detect misappropriation maps to ML09.


Details

Domains
nlp
Model Types
llm, transformer
Threat Tags
grey_box, training_time, inference_time
Datasets
multiple representative web datasets
Applications
pre-trained language model copyright protection, dataset ownership verification