Unveiling the Achilles' Heel: Backdoor Watermarking Forgery Attack in Public Dataset Protection

Zhiying Li,Zhi Liu,Dongjie Liu,Shengda Zhuo,Guanggang Geng,Jian Weng,Shanxiang Lyu,Xiaobo Jin
2024-11-23
Abstract:High-quality datasets can greatly promote the development of technology. However, dataset construction is expensive and time-consuming, and public datasets are easily exploited by opportunists who are greedy for quick gains, which seriously infringes the rights and interests of dataset owners. At present, backdoor watermarks redefine dataset protection as proof of ownership and become a popular method to protect the copyright of public datasets, which effectively safeguards the rights of owners and promotes the development of open source communities. In this paper, we question the reliability of backdoor watermarks and re-examine them from the perspective of attackers. On the one hand, we refine the process of backdoor watermarks by introducing a third-party judicial agency to enhance its practical applicability in real-world scenarios. On the other hand, by exploring the problem of forgery attacks, we reveal the inherent flaws of the dataset ownership verification process. Specifically, we design a Forgery Watermark Generator (FW-Gen) to generate forged watermarks and define a distillation loss between the original watermark and the forged watermark to transfer the information in the original watermark to the forged watermark. Extensive experiments show that forged watermarks have the same statistical significance as original watermarks in copyright verification tests under various conditions and scenarios, indicating that dataset ownership verification results are insufficient to determine infringement. These findings highlight the unreliability of backdoor watermarking methods for dataset ownership verification and suggest new directions for enhancing methods for protecting public datasets.
Cryptography and Security
What problem does this paper attempt to address?
The problem that this paper attempts to solve is the reliability and robustness of existing backdoor watermarking methods in the protection of public datasets. Specifically: 1. **Imperfect process**: Existing backdoor watermarking methods are overly simplified in practical applications and lack the participation of third - party judicial institutions (such as courts), so they cannot effectively verify infringement in real - world scenarios. 2. **Non - robust copyright verification**: Existing backdoor watermarking methods have significant security risks when facing forgery attacks, that is, different watermarks can produce the same verification result, which makes the existing copyright verification methods not reliable enough. To meet these challenges, the author proposes the following improvement measures: 1. **Introducing third - party judicial institutions**: By introducing third - party institutions such as courts, the copyright verification process becomes more fair and legally effective. 2. **Proposing a forged watermark generator**: A forged watermark generator (FW - Gen) is designed, which can generate forged watermarks with the same function as the original watermark but different styles, thereby revealing the vulnerability of existing backdoor watermarking methods. Through these improvements, the paper aims to improve the reliability and robustness of public dataset protection methods and promote the development of the open - source community.