defense 2026

ArmSSL: Adversarial Robust Black-Box Watermarking for Self-Supervised Learning Pre-trained Encoders

Yongqi Jiang 1, Yansong Gao 2, Boyu Kuang 1, Chunyi Zhou 3, Anmin Fu 1, Liquan Chen 4

0 citations


Published on arXiv: 2604.22550

Model Theft

OWASP ML Top 10 — ML05

Key Finding

Achieves superior ownership verification with negligible utility degradation and robustness against adversarial watermark detection/removal across 5 SSL frameworks and 9 benchmark datasets

ArmSSL

Novel technique introduced


Self-supervised learning (SSL) encoders are invaluable intellectual property (IP). However, no existing SSL watermarking scheme for IP protection can concurrently satisfy two practical requirements: (1) provide ownership verification under black-box access to the suspect model once a stolen encoder is deployed in downstream tasks; (2) remain robust under adversarial watermark detection or removal, which is feasible because the watermark samples form a distinguishable out-of-distribution (OOD) cluster. We propose ArmSSL, an SSL watermarking framework that provides black-box verifiability and adversarial robustness while preserving utility. For verification, we introduce paired discrepancy enlargement, which enforces feature-space orthogonality between each clean sample and its watermark counterpart so that black-box queries against the suspect model yield a reliable verification signal. For adversarial robustness, ArmSSL integrates latent representation entanglement and distribution alignment to suppress OOD clustering. The former entangles watermark representations with clean representations (i.e., those of non-source-class samples) so that watermark samples do not form a dense cluster of their own, while the latter minimizes the distributional discrepancy between watermark and clean representations, disguising watermark samples as natural in-distribution data. For utility, a reference-guided watermark tuning strategy lets the watermark be learned as a small side task without affecting the main task, by aligning the watermarked encoder's outputs with those of the original clean encoder on normal data. Extensive experiments across five mainstream SSL frameworks and nine benchmark datasets, along with end-to-end comparisons with SOTA methods, demonstrate that ArmSSL achieves superior ownership verification, negligible utility degradation, and strong robustness against a range of adversarial watermark detection and removal attacks.
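To make the four objectives above concrete, here is an added numpy illustration. It is not the authors' code: the exact loss forms (squared cosine for paired discrepancy enlargement, nearest-neighbour distance for entanglement, RBF-kernel MMD for distribution alignment, MSE for reference-guided tuning), the black-box decision rule (a Hoeffding margin over the pair-disagreement rate), and all representation data are assumptions constructed for the example.

```python
"""Added illustration of ArmSSL-style watermark objectives and a black-box
pair-disagreement ownership test. Not the paper's code; every loss form,
the decision rule and the synthetic data below are assumptions."""
import numpy as np


def _unit(z):
    return z / np.linalg.norm(z, axis=1, keepdims=True)


def orthogonality_loss(z_clean, z_wm):
    """Paired discrepancy enlargement (assumed form): mean squared cosine
    between each clean representation and its watermark counterpart.
    0 means every pair is orthogonal, 1 means collinear."""
    cos = np.sum(_unit(z_clean) * _unit(z_wm), axis=1)
    return float(np.mean(cos ** 2))


def entanglement_loss(z_wm, z_nonsource):
    """Latent representation entanglement (assumed form): mean distance from
    each watermark representation to its nearest clean non-source-class
    representation, so watermark samples are pulled in among clean ones
    instead of forming a dense cluster of their own."""
    d = np.linalg.norm(z_wm[:, None, :] - z_nonsource[None, :, :], axis=2)
    return float(np.mean(d.min(axis=1)))


def mmd2(z_a, z_b, sigma=2.0):
    """Distribution alignment (assumed form): squared RBF-kernel maximum mean
    discrepancy between the watermark and clean representation sets."""
    def k(x, y):
        d2 = np.sum((x[:, None, :] - y[None, :, :]) ** 2, axis=2)
        return np.exp(-d2 / (2.0 * sigma ** 2))
    return float(k(z_a, z_a).mean() + k(z_b, z_b).mean() - 2.0 * k(z_a, z_b).mean())


def reference_loss(z_wm_encoder, z_ref_encoder):
    """Reference-guided watermark tuning (assumed form): MSE between the
    watermarked encoder's and the frozen clean encoder's outputs on normal data."""
    return float(np.mean((z_wm_encoder - z_ref_encoder) ** 2))


def pair_disagreement_rate(predict, x_clean, x_wm):
    """Black-box verification signal: query the suspect service with each clean
    sample and its watermark counterpart, count downstream label disagreements."""
    return float(np.mean(predict(x_clean) != predict(x_wm)))


def verify_ownership(rate, n_pairs, base_rate, alpha=1e-3):
    """Decision rule (assumption): declare theft when the observed disagreement
    rate exceeds the rate a clean reference encoder shows on the same pairs by
    more than a Hoeffding margin at confidence 1 - alpha."""
    margin = np.sqrt(np.log(1.0 / alpha) / (2.0 * n_pairs))
    return bool(rate > base_rate + margin)


def demo(seed=0):
    rng = np.random.default_rng(seed)
    n, d = 64, 8
    z_clean = rng.normal(size=(n, d))            # constructed clean features
    # Watermark counterparts as the orthogonality objective would leave them:
    # random vectors with their component along the paired clean vector removed.
    raw = rng.normal(size=(n, d))
    coef = np.sum(raw * z_clean, axis=1, keepdims=True) / np.sum(z_clean ** 2, axis=1, keepdims=True)
    z_wm = raw - coef * z_clean
    z_nonsource = rng.normal(size=(n, d))        # clean non-source-class features
    z_wm_naive = 6.0 + 0.1 * rng.normal(size=(n, d))  # a naive watermark: tight OOD cluster
    # Hypothetical downstream head on top of the suspect encoder.
    def head(z):
        return (z[:, 0] > 0).astype(int)
    # Un-watermarked encoders barely react to the trigger: small perturbation only.
    base_rate = pair_disagreement_rate(head, z_clean, z_clean + 0.05 * rng.normal(size=(n, d)))
    rate_independent = pair_disagreement_rate(head, z_clean, z_clean + 0.05 * rng.normal(size=(n, d)))
    rate_stolen = pair_disagreement_rate(head, z_clean, z_wm)
    return {
        "orth_loss_trained": orthogonality_loss(z_clean, z_wm),
        "orth_loss_untrained": orthogonality_loss(z_clean, z_clean),
        "entangle_aligned": entanglement_loss(z_wm, z_nonsource),
        "entangle_naive": entanglement_loss(z_wm_naive, z_nonsource),
        "mmd_aligned": mmd2(z_wm, z_nonsource),
        "mmd_naive": mmd2(z_wm_naive, z_nonsource),
        "mmd_identical": mmd2(z_nonsource, z_nonsource),
        "stolen_verified": verify_ownership(rate_stolen, n, base_rate),
        "independent_verified": verify_ownership(rate_independent, n, base_rate),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the two OOD-cluster losses is visible in the demo: the naive watermark sits far from every clean sample and has a large MMD against clean data, which is exactly the signal a detector clusters on, whereas the entangled, aligned watermark looks like more clean data. The black-box test needs only labels, and the base rate measured on a clean reference encoder is what keeps an innocent model below the threshold.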


Key Contributions

  • Black-box watermark verification for SSL encoders in downstream MLaaS scenarios
  • Adversarial robustness against watermark detection via latent representation entanglement and distribution alignment to suppress OOD clustering
  • Reference-guided watermark tuning that preserves SSL encoder utility on clean data

🛡️ Threat Analysis

Model Theft

The watermark is embedded in the model weights (the SSL encoder) so that ownership can be proven when the encoder is stolen and deployed in downstream tasks. This is model IP protection against model theft, not content provenance.


Details

Domains
vision
Model Types
cnn, transformer
Threat Tags
training_time, black_box
SSL Frameworks
SimCLR, DINOv2
Applications
self-supervised learning, encoder-as-a-service, MLaaS