Class-feature Watermark: A Resilient Black-box Watermark Against Model Extraction Attacks

TL;DR

This paper introduces Class-Feature Watermarks (CFW), a novel black-box watermarking method that significantly enhances resilience against model extraction and removal attacks, ensuring ownership verification without compromising model utility.

Contribution

The paper proposes CFW, a new watermarking approach leveraging class-level artifacts and out-of-domain samples to improve robustness against sophisticated attacks.

Findings

CFW maintains at least 70.15% watermark success rate under combined attacks.

WRK reduces watermark success by at least 88.79% in existing benchmarks.

CFW outperforms prior methods in resilience while preserving model utility.

Abstract

Machine learning models constitute valuable intellectual property, yet remain vulnerable to model extraction attacks (MEA), where adversaries replicate their functionality through black-box queries. Model watermarking counters MEAs by embedding forensic markers for ownership verification. Current black-box watermarks prioritize MEA survival through representation entanglement, yet inadequately explore resilience against sequential MEAs and removal attacks. Our study reveals that this risk is underestimated because existing removal methods are weakened by entanglement. To address this gap, we propose Watermark Removal attacK (WRK), which circumvents entanglement constraints by exploiting decision boundaries shaped by prevailing sample-level watermark artifacts. WRK effectively reduces watermark success rates by at least 88.79% across existing watermarking benchmarks. For robust protection, we propose Class-Feature Watermarks (CFW), which improve resilience by leveraging class-level artifacts. CFW constructs a synthetic class using out-of-domain samples, eliminating vulnerable decision boundaries between original domain samples and their artifact-modified counterparts (watermark samples). CFW concurrently optimizes both MEA transferability and post-MEA stability. Experiments across multiple domains show that CFW consistently outperforms prior methods in resilience, maintaining a watermark success rate of at least 70.15% in extracted models even under the combined MEA and WRK distortion, while preserving the utility of protected models.