Evading Data Provenance in Deep Neural Networks

TL;DR

This paper presents a novel evasion framework that effectively bypasses Dataset Ownership Verification methods in deep neural networks by transferring task-relevant knowledge while removing identifiers, exposing vulnerabilities in current protections.

Contribution

It introduces a unified evasion approach using teacher-student models and large language models to improve evasion success against DOV, revealing critical weaknesses in existing methods.

Findings

Our method outperforms nine state-of-the-art evasion attacks.

It successfully removes copyright identifiers from models.

Experiments demonstrate significant evasion effectiveness across diverse datasets.

Abstract

Modern over-parameterized deep models are highly data-dependent, with large scale general-purpose and domain-specific datasets serving as the bedrock for rapid advancements. However, many datasets are proprietary or contain sensitive information, making unrestricted model training problematic. In the open world where data thefts cannot be fully prevented, Dataset Ownership Verification (DOV) has emerged as a promising method to protect copyright by detecting unauthorized model training and tracing illicit activities. Due to its diversity and superior stealth, evading DOV is considered extremely challenging. However, this paper identifies that previous studies have relied on oversimplistic evasion attacks for evaluation, leading to a false sense of security. We introduce a unified evasion framework, in which a teacher model first learns from the copyright dataset and then transfers task-relevant yet identifier-independent domain knowledge to a surrogate student using an out-of-distribution (OOD) dataset as the intermediary. Leveraging Vision-Language Models and Large Language Models, we curate the most informative and reliable subsets from the OOD gallery set as the final transfer set, and propose selectively transferring task-oriented knowledge to achieve a better trade-off between generalization and evasion effectiveness. Experiments across diverse datasets covering eleven DOV methods demonstrate our approach simultaneously eliminates all copyright identifiers and significantly outperforms nine state-of-the-art evasion attacks in both generalization and effectiveness, with moderate computational overhead. As a proof of concept, we reveal key vulnerabilities in current DOV methods, highlighting the need for long-term development to enhance practicality.