IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY
PointNCBW: Towards Dataset Ownership Verification for Point Clouds via Negative Clean-label Backdoor Watermark
Cheng Wei, Yang Wang, Kuofeng Gao, Shuo Shao, Yiming Li, Zhibo Wang, and Zhan Qin
Abstract—Recently, point clouds have been widely used in computer vision, whereas their collection is time-consuming and expensive. As such, point cloud datasets are the valuable intellectual property of their owners and deserve protection. To detect and prevent unauthorized use of these datasets, especially for commercial or open-sourced ones that cannot be sold again or used commercially without permission, we intend to identify whether a suspicious third-party model is trained on our protected dataset under the black-box setting. We achieve this goal by designing a scalable clean-label backdoor-based dataset watermark for point clouds that ensures both effectiveness and stealthiness. Unlike existing clean-label watermark schemes, which were susceptible to the number of categories, our method can watermark samples from all classes instead of only from the target one. Accordingly, it can still preserve high effectiveness even on large-scale datasets with many classes. Specifically, we perturb selected point clouds with non-target categories in both shape-wise and point-wise manners before inserting trigger patterns without changing their labels. The features of perturbed samples are similar to those of benign samples from the target class. As such, models trained on the watermarked dataset will have a distinctive yet stealthy backdoor behavior, i.e., misclassifying samples from the target class whenever triggers appear, since the trained DNNs will treat the inserted trigger pattern as a signal to deny predicting the target label. We also design a hypothesis-test-guided dataset ownership verification based on the proposed watermark. Extensive experiments on benchmark datasets are conducted, verifying the effectiveness of our method and its resistance to potential removal methods.
Index Terms—Dataset Ownership Verification, Backdoor Watermark, Dataset Copyright Protection, 3D Point Clouds.
I. INTRODUCTION
Point clouds have been widely and successfully adopted in many vital applications (e.g., autonomous driving [7] and augmented reality [33]) since they can provide rich geometric, shape, and scale information [11]. In particular, collecting point clouds is even more time-consuming and expensive compared to classical data types (e.g., image or video). It necessitates using costly 3D sensors and intricate data processing procedures (i.e., registration [35] and filtering [53]). As such, point cloud datasets are valuable intellectual property.
The first two authors contributed equally to this paper.
Corresponding Author(s): Yiming Li and Zhan Qin.
Cheng Wei, Yang Wang, Shuo Shao, Zhibo Wang, and Zhan Qin are with the State Key Laboratory of Blockchain and Data Security, Zhejiang University, Hangzhou 310007, China and also with Hangzhou High-Tech Zone (Binjiang) Institute of Blockchain and Data Security, Hangzhou 310053, China. (e-mail: {weiccc, Kjchz, shaoshuo ss, zhibowang, qinzhan}@zju.edu.cn)
Yiming Li is now with College of Computing and Data Science, Nanyang Technological University, Singapore 639798. He was with the State Key Laboratory of Blockchain and Data Security, Zhejiang University, Hangzhou 310007, China. (e-mail: liyiming.tech@gmail.com)
Kuofeng Gao is with Tsinghua Shenzhen International Graduate School, Tsinghua University, Shenzhen 518055, China. (e-mail: gkf21@mails.tsinghua.edu.cn).
(a) not stealthy (b) non-scalable
Fig. 1: The limitations of existing backdoor attacks that could be used as watermarks to protect point cloud datasets. (a) Existing poison-label backdoor watermarks (i.e., PCBA [49], PointPBA [26], IRBA [15]) are not stealthy under human inspection due to sample-label mismatch. (b) The only existing clean-label backdoor watermark (i.e., PointCBA [26]) has limited effect (measured by watermark success rate (WSR)) when the protected dataset contains many categories.
Due to their widespread applications, point cloud datasets are likely to be publicly released as open-sourced or commercial datasets. However, to the best of our knowledge, almost all existing methods cannot be directly exploited to protect their copyright once they are publicly released. In such scenarios, adversaries may train their commercial models on open-sourced datasets that are restricted to academic or research purposes, or even on commercial ones that have been illegally redistributed. Arguably, the protection difficulty stems mainly from the public availability of these datasets and the black-box nature of the suspicious models, since existing traditional data protection schemes either hinder dataset accessibility (e.g., data encryption [2]), require manipulation of model training (e.g., differential privacy [1]), or demand access to training samples during the verification process (e.g., digital watermarking [13]).
Currently, to the best of our knowledge, dataset ownership verification (DOV) [20, 28, 31, 42] is the only promising approach that can be generalized to protect the copyright of public point cloud datasets. This method was initially and primarily used to safeguard the copyright of image datasets. Specifically, in existing DOV methods, dataset owners adopted and designed backdoor attacks [29] to watermark the original dataset before releasing it. Given a suspicious third-party black-box model that can only be accessed via API, dataset owners can verify whether it is trained on the protected dataset by inspecting whether it has owner-specified backdoor behaviors. Backdoor-based DOV successfully safeguards publicly accessible datasets, particularly in the presence of black-box suspicious models. As such, the key to protecting the copyright of point cloud datasets via DOV lies in designing a suitable backdoor watermark for them.
However, directly applying existing backdoor attacks against 3D point clouds as watermarks faces several challenges, as shown in Figure 1. Firstly, except for PointCBA [26], all existing point cloud backdoor methods (i.e., PCBA [49], PointPBA [26], IRBA [15]) use poisoned labels, in which the assigned labels of watermarked samples differ from their ground-truth ones. Accordingly, these watermarks lack stealthiness, as they can be easily detected and removed by malicious dataset users who scrutinize the correlation between point clouds and their corresponding labels. Secondly, the performance of the only existing clean-label backdoor watermark, i.e., PointCBA, is not scalable. In other words, its watermark performance decreases significantly when datasets contain many categories, preventing its application as a watermark for large-scale point cloud datasets.
We find that the non-scalability of existing clean-label backdoor watermarks for both images and point clouds [17, 26, 43] comes from their common poisoning paradigm, where defenders can only watermark samples from a specific category (i.e., the target class). As such, the more categories of samples in the dataset, the smaller the maximum watermarking rate (i.e., the maximal proportion of samples for the watermark), resulting in a reduction in overall watermark effects. We argue that this defect is primarily caused by the positive trigger effects of existing clean-label watermarks. Specifically, these methods have to add triggers to samples from the target class, aiming to build a positive connection between the trigger pattern and the target label (i.e., adding triggers to any benign sample increases the probability of its being predicted as the target label).
In this paper, motivated by the aforementioned understandings, we propose to design a scalable clean-label backdoor watermark by introducing negative trigger effects, where we intend to decrease the prediction confidence of watermarked models on samples from the target class when owner-specified trigger patterns arise. Specifically, before implanting trigger patterns, we first perturb selected point clouds from non-target categories so that their features lie close to those from the target class. After that, we implant the trigger patterns into these samples to generate the watermarked data. The labels of these watermarked samples are different from the target label, but they lie close to those of the target class in feature space. Accordingly, the trained DNNs will learn to treat the inserted trigger pattern as a signal to deny predicting the target label. We call this method negative clean-label backdoor watermark for point clouds (PointNCBW). Our proposed PointNCBW surpasses existing backdoor-based DOV methods in two aspects. Firstly, the watermarks generated by PointNCBW are inherently more resistant to scrutiny by malicious dataset users due to the consistency between point clouds and their corresponding labels. This alignment significantly enhances the stealthiness of the watermarks. Secondly, negative triggers allow ownership verification based on PointNCBW to work effectively in large-scale datasets with numerous categories, leading to superior scalability. We further substantiate this scalability claim through comparative experiments, detailed in Section V-F. In addition, we also design a hypothesis-test-guided dataset ownership verification based on our PointNCBW by examining whether the suspicious model shows less confidence in point clouds from the target class that contain owner-specified triggers. It alleviates the adverse effects of randomness introduced by sample selection.
The main contributions of this paper are four-fold:
• We explore how to protect the copyright of point cloud datasets via dataset ownership verification (DOV).
• We reveal the limitations of using existing backdoor attacks against point clouds for DOV and their reasons.
• We propose the first scalable clean-label backdoor watermark for point cloud datasets (i.e., PointNCBW).
• We conduct extensive experiments on benchmark datasets, which verify the effectiveness of our PointNCBW and its resistance to potential adaptive attacks.
II. RELATED WORK
A. Deep Learning on 3D Point Clouds
With the advent of deep learning, point-based models have gained significant popularity owing to their exceptional performance in various 3D computer vision tasks. Qi et al. [37] first proposed PointNet, which directly processes raw point cloud data without needing data transformation or voxelization. It adopts a symmetric function, max-pooling, to preserve the order-invariant property of point clouds. To learn the local features of point clouds, they further proposed a hierarchical network, PointNet++ [38], which captures geometric structures from the neighborhood of each point better. Inspired by them, subsequent research [27, 46, 50, 54] in point cloud-based deep learning has emerged following similar principles.
B. Backdoor Attack
Backdoor attack is an emerging yet critical training-phase threat to deep neural networks (DNNs) [29]. In general, the adversaries intend to implant a latent connection between adversary-specified trigger patterns and malicious prediction behaviors (i.e., the backdoor) during the training process. The attacked models behave normally on benign samples, whereas their predictions will be maliciously changed whenever the trigger pattern arises. Currently, most existing backdoor attacks were designed for image classification tasks [4, 16, 18, 32, 39, 51], although there were also a few for other tasks [5, 12, 14, 30, 48, 52]. These methods can be divided into two main categories, poison-label and clean-label attacks, depending on whether the labels of the modified poisoned samples are consistent with their ground-truth ones [44]. In particular, clean-label attacks are significantly more stealthy than poison-label ones, since dataset users cannot identify them based on the image-label relationship even when they can catch some poisoned samples. However, as demonstrated in [17], clean-label attacks are significantly harder to make succeed due to the antagonistic effects of ‘robust features’ related to the target class contained in poisoned samples.
Currently, a few studies have focused on 3D point clouds [21, 34], particularly in the context of backdoor attacks [15, 26, 49]. Although these attacks also target classification tasks, developing effective backdoor attacks for 3D point clouds is challenging due to inherent differences in data structure and deep learning model architectures [26]. As we will show in our experiments, the only existing clean-label attack (i.e., PointCBA [26]) exhibits significantly reduced efficacy compared to its poison-label counterparts (i.e., PCBA [49], PointPBA-Ball, PointPBA-Rotation [26], and IRBA [15]). This difference is especially noticeable when the dataset has many categories, revealing a lack of scalability for large datasets. Therefore, designing effective and scalable clean-label backdoor attacks against 3D point clouds to address this issue is still an ongoing challenge that needs more research.
C. Dataset Protection
Dataset protection is a longstanding research problem, aiming to prevent the unauthorized use of datasets. Existing classical dataset protection methods fall into three main categories: data encryption, differential privacy, and digital watermarking. Specifically, data encryption [2] encrypts the protected datasets so that only authorized users who hold a secret key for decryption can use them; differential privacy [1] prevents the leakage of sensitive personal information during model training; digital watermarking [13] embeds an owner-specified pattern into the protected data for post-hoc examination. However, these methods are unable to protect publicly released datasets (e.g., ImageNet) from being used to train third-party commercial models without authorization, due to the public availability of the datasets and the black-box access nature of commercial models [31]. Recently, unlearnable examples [22] were also proposed to protect datasets by directly preventing them from being learned by DNNs. However, this method cannot be used to protect public datasets, since it usually requires the modification of all samples and compromises dataset utility.
Dataset ownership verification (DOV) [19, 20, 28, 31, 42] intends to verify whether a given suspicious model is trained on the protected dataset under the black-box setting, where defenders can only query the suspicious model. To the best of our knowledge, this is currently the only feasible method to protect the copyright of public datasets. Specifically, existing DOV methods intend to implant specific (backdoor) behaviors in models trained on the protected dataset while not reducing their performance on benign samples. Dataset owners can verify ownership by examining whether the suspicious model has these specific backdoor behaviors. However, existing DOV methods are mostly designed for image classification datasets. How to protect other types of datasets is left far behind.
III. NEGATIVE CLEAN-LABEL BACKDOOR WATERMARK FOR POINT CLOUDS (POINTNCBW)
In this section, we present a comprehensive description of our proposed method (i.e., PointNCBW). Before we illustrate its technical details, we first describe our threat model and briefly review the main pipeline of backdoor watermarks.
A. Preliminaries
Threat Model. This paper focuses on backdoor watermarks for point cloud datasets in classification tasks. Specifically, the dataset owner can watermark some benign point clouds before releasing the victim dataset. Dataset users will exploit the released (watermarked) datasets to train and deploy their DNNs but will keep their training details private. Accordingly, dataset owners can only examine whether a suspicious model is trained on their watermarked point cloud dataset through its prediction behaviors under the black-box access setting.
The Main Pipeline of Existing Backdoor Watermarks for Point Clouds. Let $\mathcal{D} = \{(\boldsymbol{x}_i, y_i)\}_{i=1}^{N}$ denote the benign dataset containing $N$ point clouds. Each point cloud $\boldsymbol{x}_i$ contains $M_i$ points (i.e., $\boldsymbol{x}_i \in \mathbb{R}^{3 \times M_i}$) whose label $y_i \in \{1, 2, \cdots, K\}$. How to generate the watermarked dataset $\mathcal{D}_w$ is the cornerstone of all backdoor watermarks. Currently, all backdoor watermarks for point clouds are targeted and have positive trigger effects. In other words, adding triggers increases the probability that watermarked DNNs predict samples as the target class $y^{(t)}$. Specifically, $\mathcal{D}_w$ has two disjoint parts, including the modified version of a selected subset (i.e., $\mathcal{D}_s$) of $\mathcal{D}$ and the remaining benign point clouds, i.e., $\mathcal{D}_w = \mathcal{D}_m \cup \mathcal{D}_b$, where $\mathcal{D}_b = \mathcal{D} \setminus \mathcal{D}_s$, $\mathcal{D}_m = \{(\boldsymbol{x}', y^{(t)}) \mid \boldsymbol{x}' = G(\boldsymbol{x}), (\boldsymbol{x}, y) \in \mathcal{D}_s\}$, and $G: \mathbb{R}^{3 \times M} \to \mathbb{R}^{3 \times M}$ is the owner-specified generator of watermarked samples. $\lambda \triangleq \frac{|\mathcal{D}_m|}{|\mathcal{D}|}$ is the watermarking rate. In general, backdoor watermarks are mainly characterized by their watermark generator $G$. For example, in PointPBA-Ball [26], $G(\boldsymbol{x}) = (\boldsymbol{I} - \operatorname{diag}\,\boldsymbol{\delta}) \cdot \boldsymbol{x} + \operatorname{diag}\,\boldsymbol{\delta} \cdot \boldsymbol{\Gamma}$, where $\boldsymbol{\delta}$ is a 0-1 vector, $\boldsymbol{I}$ is the identity matrix, and $\boldsymbol{\Gamma}$ is the pre-defined trigger pattern. In particular, in existing clean-label backdoor watermarks (e.g., PointCBA [26]), dataset owners can only watermark samples from the target class, i.e., $\mathcal{D}_s \subseteq \mathcal{D}^{(t)} \triangleq \{(\boldsymbol{x}, y) \mid (\boldsymbol{x}, y) \in \mathcal{D}, y = y^{(t)}\}$. As such, their watermarking rate is at most $\frac{1}{K}$ for class-balanced datasets. This limits their performance when the number of categories in the victim dataset is relatively large.
B. The Overview of PointNCBW
In this paper, we design a clean-label backdoor watermark for point clouds with negative trigger effects to overcome the limitations of existing backdoor watermarks (as demonstrated in our introduction). We denote our watermarking method as negative clean-label backdoor watermark for point clouds (PointNCBW). In general, our PointNCBW consists of two main stages: transferable feature perturbation (TFP) and trigger implanting. Specifically, TFP perturbs selected point clouds with non-target categories so that they lie close to those from the target class in the hidden space defined by a pre-trained model. After that, we insert the trigger pattern $\boldsymbol{\Gamma}$ to obtain the modified point clouds $\mathcal{D}_m$ via
$$\mathcal{D}_m = \{(\boldsymbol{x}', y) \mid \boldsymbol{x}' = U(p(\boldsymbol{x}), \boldsymbol{\Gamma}), (\boldsymbol{x}, y) \in \mathcal{D}_s\}, \quad (1)$$
where $U(p(\boldsymbol{x}), \boldsymbol{\Gamma})$ is our watermark generator, $p$ represents our TFP, and $U$ is our trigger implanting function, implemented with a random replacing function.
Since we do not change the labels of these watermarked samples, the watermarked DNNs will interpret inserted triggers as signals to deny predicting the target label. The main pipeline of our method is shown in Figure 2. We also provide a detailed explanation of the underlying reasons behind the effectiveness of PointNCBW through experimental analysis in Section V-J.
Fig. 2: The main pipeline of dataset ownership verification based on our negative clean-label backdoor watermark for point clouds (PointNCBW). In the watermarking stage, we generate the watermarked version of the original dataset. Specifically, we design and exploit transferable feature perturbation (TFP) to perturb a few selected point clouds from the original dataset with non-target categories so that they lie close to those from the target class in the feature space. Our TFP has two steps, including shape-wise and point-wise perturbations, to ensure transferability across model structures. In the verification stage, we verify whether a suspicious third-party model is trained on our protected dataset by examining whether it misclassifies samples from the target class containing owner-specified trigger patterns via the hypothesis test.
C. Transferable Feature Perturbation (TFP)
General Perturbation Objective. After selecting the target category $y^{(t)}$ and the source sample group $\mathcal{D}_s$, our objective is to perturb each sample in $\mathcal{D}_s$ to bring it closer to category $y^{(t)}$ in feature space. Specifically, we randomly select some samples from category $y^{(t)}$, denoted as $\mathcal{D}_t$, and utilize the features of $\mathcal{D}_t$ as an alternative to the features of category $y^{(t)}$. Let $\boldsymbol{x}_s$ represent one sample in $\mathcal{D}_s$; our general objective of perturbation is formulated by
$$\min_{p} \frac{1}{|\mathcal{D}_t|} \sum_{\boldsymbol{x}_t \in \mathcal{D}_t} E\big(g_f(p(\boldsymbol{x}_s)), g_f(\boldsymbol{x}_t)\big), \quad (2)$$
where $E$ is the Euclidean distance in the feature space $\mathbb{R}^d$ and $g_f$ is the feature extracting function of point clouds. In practice, we implement $g_f$ with the second-to-last layer output of our surrogate model $g$ for approximation.
However, since we employ a surrogate model for feature extraction, it is crucial to ensure that our feature perturbation remains effective under networks other than the surrogate one. This raises the concern of transferability, which refers to the ability of our watermark to work effectively across different model structures. To enhance transferability, we optimize the general objective function in Eq. (2) through transferable feature perturbation (TFP). The transferability is also empirically verified in Section V-E. Specifically, our TFP consists of two sequential steps, including shape-wise and point-wise perturbations, as outlined below.
Shape-wise Perturbation. Rotation is a common transformation of 3D objects. It has been empirically proven to be an effective and inconspicuous method to conduct point cloud perturbation with transferability in previous works, since DNNs for point clouds are sensitive to geometric transformations [10, 55]. Arguably, the observed transferability through rotation may primarily result from the commonalities in point cloud feature processing employed by current DNNs designed for point clouds. Specifically, the widespread application of max-pooling operations [37, 38, 46, 50] across these architectures potentially contributes to this phenomenon. While max-pooling is effective at capturing overall features in unordered point clouds, it has difficulty maintaining rotational invariance. The wide application of max-pooling in current DNNs used for point clouds not only makes the feature spaces of these models similar, but also helps our perturbations transfer better. The changes brought about by rotations are often misinterpreted by different models, which supports the effectiveness of our method. As such, we exploit it to design our shape-wise perturbation with the transformation matrix $S$ defined as follows:
$$S(\theta) = R(\psi) \cdot R(\phi) \cdot R(\gamma), \quad (3)$$
where $R(\psi)$, $R(\phi)$, and $R(\gamma)$ are rotation matrices with Euler angles $\psi, \phi, \gamma$. Finally, we have the objective function of shape-wise perturbation, as follows:
$$L_s(\theta) = \frac{1}{|\mathcal{D}_t|} \sum_{\boldsymbol{x}_t \in \mathcal{D}_t} E\big(g_f(\boldsymbol{x}_s \cdot S(\theta)), g_f(\boldsymbol{x}_t)\big). \quad (4)$$
Specifically, we employ gradient descent to minimize the loss function defined in Eq. (4). Besides, to alleviate the impact of local minima, we employ a strategy of random point sampling and choose the optimal starting point for the optimization process. We summarize the shape-wise feature perturbation in Algorithm 1.
Algorithm 1 Shape-wise feature perturbation.
Input: point cloud $\boldsymbol{x}$, rotation matrix $S(\theta)$, objective function $L_s$, number of iterations $T$, step size $\beta$, number of sampled starting points $n$
Output: new point cloud $\boldsymbol{x}'$
1: randomly sample $\{\theta_i\}_{i=1}^{n}$ from the range $(0, 2\pi)^3$
2: $\theta_0 \leftarrow \arg\min_{\theta_i} L_s(\theta_i)$
3: for $t = 1$ to $T$ do
4:   obtain the gradient $g_t = \nabla_{\theta} L_s(\theta_{t-1})$ through the chain rule
5:   $\theta_t \leftarrow \theta_{t-1} - \beta \cdot g_t$
6: end for
7: $\boldsymbol{x}' \leftarrow \boldsymbol{x} \cdot S(\theta_T)$
Point-wise Perturbation. After the shape-wise perturbation, where we obtain the optimal solution $\hat{\theta}$ for Eq. (4), we jitter the point cloud sample at the point-wise level. We denote the offset of coordinates as $\Delta\boldsymbol{x}$; then the objective function of the point-wise perturbation is
$$L_p(\Delta\boldsymbol{x}) = \frac{1}{|\mathcal{D}_t|} \cdot \sum_{\boldsymbol{x}_t \in \mathcal{D}_t} E\big(g_f(\boldsymbol{x}_s \cdot S(\hat{\theta}) + \Delta\boldsymbol{x}), g_f(\boldsymbol{x}_t)\big) + \eta \cdot \|\Delta\boldsymbol{x}\|_2, \quad (5)$$
where we incorporate a regularization term $\|\Delta\boldsymbol{x}\|_2$ into the loss function to limit the magnitude of the perturbation in $\ell_2$ norm. To minimize the loss $L_p$ and mitigate the problem of perturbed samples ‘overfitting’ to the surrogate model, we incorporate momentum [9] into the iterative optimization process to stabilize updating directions and escape from ‘overfitting’ local minima. Specifically, we compute the momentum of gradients and perturb the coordinates of points in the opposite direction of the momentum. The optimization process of point-wise feature perturbation is summarized in Algorithm 2.
Algorithm 2 Point-wise feature perturbation.
Input: point cloud $\boldsymbol{x}$, objective function $L_p$, number of iterations $T$, step size $\beta$, decay factor $\mu$
Output: new point cloud $\boldsymbol{x}'$
1: $\Delta\boldsymbol{x}_0 = 0$, $g_0 = 0$
2: for $t = 1$ to $T$ do
3:   obtain the gradient $g = \nabla_{\Delta\boldsymbol{x}_{t-1}} L_p(\Delta\boldsymbol{x}_{t-1})$
4:   $g_t \leftarrow g_{t-1} + \mu \cdot \frac{g}{\|g\|_2}$
5:   $\Delta\boldsymbol{x}_t \leftarrow \Delta\boldsymbol{x}_{t-1} - \beta \cdot g_t$
6: end for
7: $\boldsymbol{x}' = \boldsymbol{x} + \Delta\boldsymbol{x}_T$
IV. OWNERSHIP VERIFICATION VIA POINTNCBW
Given a suspicious black-box model $f(\cdot)$, we can verify whether it was trained on our protected point cloud dataset by analyzing its predictions on samples from the target class and their watermarked versions. To alleviate the side effects of randomness, we design a hypothesis-test-guided method, inspired by existing backdoor-based dataset ownership verification for images [20, 28, 41], as follows.
Proposition 1. Suppose $f(\boldsymbol{x})$ is the posterior probability of $\boldsymbol{x}$ predicted by the suspicious model. Let variable $\boldsymbol{X}$ denote a benign sample from the target class $y^{(t)}$ and variable $\boldsymbol{X}'$ be its verified version (i.e., $\boldsymbol{X}' = U(\boldsymbol{X}, \boldsymbol{\Gamma})$). Let variables $P_b = f(\boldsymbol{X})_{y^{(t)}}$ and $P_v = f(\boldsymbol{X}')_{y^{(t)}}$ denote the predicted probabilities of $\boldsymbol{X}$ and $\boldsymbol{X}'$ on $y^{(t)}$. Given the null hypothesis $H_0: P_b = P_v + \tau$ ($H_1: P_b > P_v + \tau$), where the hyper-parameter $\tau \in (0, 1)$, we claim that the suspicious model is trained on the watermarked dataset (with $\tau$-certainty) if and only if $H_0$ is rejected.
In practice, we randomly sample $m$ different benign samples to conduct the pairwise t-test [25] and calculate its p-value. Additionally, we also calculate the confidence score $\Delta P = P_b - P_v$ to denote the verification confidence. The larger the $\Delta P$, the more confident the verification.
In particular, we can also prove that our dataset ownership verification can succeed if its watermark success rate is sufficiently large (which could be significantly lower than 100%) when sufficient verification samples exist, as shown in Theorem 1. Its proof is in our appendix.
Theorem 1. Suppose $f$ is the posterior probability generated by a suspicious model. Let variable $\boldsymbol{X}$ denote a benign sample from the target class $y^{(t)}$ and variable $\boldsymbol{X}'$ be its verified version. Let $P_b = f(\boldsymbol{X})_{y^{(t)}}$ and $P_v = f(\boldsymbol{X}')_{y^{(t)}}$ denote the predicted probabilities of $\boldsymbol{X}$ and $\boldsymbol{X}'$ on $y^{(t)}$. Assume that $P_b > \zeta$; we claim that dataset owners can reject the null hypothesis $H_0$ at the significance level $\alpha$ if the watermark success rate $W$ of $f$ (with $m$ verification samples) satisfies
$$\sqrt{m-1} \cdot (W + \zeta - \tau - 1) - t_{\alpha} \cdot \sqrt{W - W^2} > 0, \quad (6)$$
where $t_{\alpha}$ is the $\alpha$-quantile of the t-distribution with $(m-1)$ degrees of freedom.
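The following is an added example, not the paper's code, of the verification in Proposition 1 and the sufficiency condition of Theorem 1 in plain Python: the p-value of the one-sided pairwise t-test is computed from the regularised incomplete beta function so that no SciPy is needed, and `theorem1_margin` evaluates the left-hand side of inequality (6). The posteriors returned by `simulate_posteriors` are constructed stand-ins for black-box queries, and `tau`, `alpha` and the assumed WSR are illustrative values.

```python
import math
import random


def _betacf(a, b, x, max_iter=300, eps=3e-14, fpmin=1e-300):
    """Continued fraction for the regularised incomplete beta function (modified Lentz method)."""
    qab, qap, qam = a + b, a + 1.0, a - 1.0
    c = 1.0
    d = 1.0 - qab * x / qap
    d = 1.0 / (d if abs(d) >= fpmin else fpmin)
    h = d
    for m in range(1, max_iter + 1):
        m2 = 2 * m
        aa = m * (b - m) * x / ((qam + m2) * (a + m2))          # even step
        d = 1.0 + aa * d
        d = 1.0 / (d if abs(d) >= fpmin else fpmin)
        c = 1.0 + aa / c
        c = c if abs(c) >= fpmin else fpmin
        h *= d * c
        aa = -(a + m) * (qab + m) * x / ((a + m2) * (qap + m2))  # odd step
        d = 1.0 + aa * d
        d = 1.0 / (d if abs(d) >= fpmin else fpmin)
        c = 1.0 + aa / c
        c = c if abs(c) >= fpmin else fpmin
        delta = d * c
        h *= delta
        if abs(delta - 1.0) < eps:
            break
    return h


def _betai(a, b, x):
    """Regularised incomplete beta function I_x(a, b)."""
    if x <= 0.0:
        return 0.0
    if x >= 1.0:
        return 1.0
    log_bt = (math.lgamma(a + b) - math.lgamma(a) - math.lgamma(b)
              + a * math.log(x) + b * math.log(1.0 - x))
    bt = math.exp(log_bt)
    if x < (a + 1.0) / (a + b + 2.0):
        return bt * _betacf(a, b, x) / a
    return 1.0 - bt * _betacf(b, a, 1.0 - x) / b


def t_pvalue_one_sided(t, dof):
    """P(T >= t) for Student's t distribution with dof degrees of freedom."""
    two_sided = _betai(dof / 2.0, 0.5, dof / (dof + t * t))
    return two_sided / 2.0 if t > 0 else 1.0 - two_sided / 2.0


def paired_t_statistic(diffs):
    """t statistic for testing that the mean of the paired differences is zero."""
    m = len(diffs)
    mean = sum(diffs) / m
    var = sum((d - mean) ** 2 for d in diffs) / (m - 1)
    if var == 0.0:  # degenerate case: all differences identical
        return math.inf if mean > 0 else (-math.inf if mean < 0 else 0.0)
    return mean / math.sqrt(var / m)


def verify_ownership(p_benign, p_verified, tau=0.2, alpha=0.05):
    """Proposition 1 as a one-sided paired t-test.
    p_benign[i]   = P_b = f(X_i)_{y(t)}  for a benign target-class sample X_i
    p_verified[i] = P_v = f(X'_i)_{y(t)} for the same sample carrying the trigger
    H0: P_b = P_v + tau vs. H1: P_b > P_v + tau, via d_i = P_b,i - P_v,i - tau.
    Returns (delta_P, p_value, reject_H0)."""
    diffs = [b - v - tau for b, v in zip(p_benign, p_verified)]
    t = paired_t_statistic(diffs)
    p_value = t_pvalue_one_sided(t, len(diffs) - 1)
    delta_p = sum(p_benign) / len(p_benign) - sum(p_verified) / len(p_verified)
    return delta_p, p_value, p_value < alpha


def theorem1_margin(wsr, m, zeta, tau, t_alpha):
    """Left-hand side of inequality (6); rejection of H0 is guaranteed when it is > 0."""
    return math.sqrt(m - 1) * (wsr + zeta - tau - 1.0) - t_alpha * math.sqrt(wsr - wsr * wsr)


def simulate_posteriors(m, watermarked, wsr=0.85, seed=0):
    """Constructed stand-in for querying a black-box model on m target-class samples.
    Watermarked model: a fraction wsr of triggered samples is misclassified (low P_v);
    independent model: the trigger barely changes the posterior (P_v close to P_b)."""
    rng = random.Random(seed)
    p_b, p_v = [], []
    for _ in range(m):
        b = rng.uniform(0.85, 0.99)
        if watermarked and rng.random() < wsr:
            v = rng.uniform(0.0, 0.3)
        elif watermarked:
            v = rng.uniform(0.7, 0.95)
        else:
            v = min(1.0, max(0.0, b + rng.gauss(0.0, 0.02)))
        p_b.append(b)
        p_v.append(v)
    return p_b, p_v


if __name__ == "__main__":
    for label, wm in (("watermarked", True), ("independent", False)):
        pb, pv = simulate_posteriors(100, wm)
        dp, p, reject = verify_ownership(pb, pv)
        print(f"{label:12s} deltaP={dp:+.2f}  p-value={p:.2e}  reject H0: {reject}")
```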
V. EXPERIMENTS
A. Experiment Setup
Datasets. We conduct experiments on the ModelNet40 [47], ShapeNetPart [6], and PartNet [36] datasets. Following [37], we uniformly sample 1,024 points from the original CAD models as point clouds and normalize them into $[0, 1]^3$.
Models. We adopt PointNet [37] as the default surrogate model for PointNCBW. We also take other common models (e.g., PointNet++ [38], DGCNN [46], and PointASNL with PNL [50]) into consideration. All models are trained with the default settings suggested by their original papers.
Trigger Design. To ensure the stealthiness of our watermark, we adopt a trigger of deliberately small size. Specifically, we use a fixed sphere as the shape of our trigger $\boldsymbol{\Gamma}$. We set its center to (0.3, 0.3, 0.3) and its radius to 0.025. Our trigger consists of 50 points randomly sampled from this sphere, which accounts for about 5% of one watermarked sample (1,024 points in total). Examples of point cloud samples involved in different watermarks are shown in Figure 3.
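As an added illustration that is not the paper's code, the following Python builds the spherical trigger $\boldsymbol{\Gamma}$ described above, implements the random-replacing implant $U$ of Section III (equivalently the $(\boldsymbol{I} - \operatorname{diag}\,\boldsymbol{\delta}) \cdot \boldsymbol{x} + \operatorname{diag}\,\boldsymbol{\delta} \cdot \boldsymbol{\Gamma}$ form), and assembles a clean-label $\mathcal{D}_w$ from non-target classes at watermarking rate $\lambda$. The toy dataset, the identity stand-in for TFP and the function names are constructed assumptions; the trigger centre, radius, point count and 1,024-point clouds follow the values given in this section.

```python
import math
import random

# Trigger parameters stated in the paper's "Trigger Design": a fixed sphere with
# centre (0.3, 0.3, 0.3), radius 0.025 and 50 trigger points; clouds have 1,024 points.
TRIGGER_CENTER = (0.3, 0.3, 0.3)
TRIGGER_RADIUS = 0.025
TRIGGER_POINTS = 50
NUM_POINTS = 1024


def sample_sphere_trigger(rng, n=TRIGGER_POINTS, center=TRIGGER_CENTER, radius=TRIGGER_RADIUS):
    """Gamma: n points sampled uniformly on the surface of the fixed trigger sphere."""
    pts = []
    for _ in range(n):
        v = [rng.gauss(0.0, 1.0) for _ in range(3)]  # isotropic direction
        norm = math.sqrt(sum(c * c for c in v))
        pts.append(tuple(center[i] + radius * v[i] / norm for i in range(3)))
    return pts


def implant_trigger(points, trigger, rng):
    """U(x, Gamma) by random replacing: |Gamma| randomly chosen points of x are
    overwritten with the trigger points, so the point count M is unchanged.
    This is G(x) = (I - diag(delta)) x + diag(delta) Gamma with a 0-1 selector
    delta that has exactly |Gamma| ones; delta is returned for inspection."""
    idx = rng.sample(range(len(points)), len(trigger))
    delta = [0] * len(points)
    out = list(points)
    for i, t in zip(idx, trigger):
        delta[i] = 1
        out[i] = t
    return out, delta


def watermark_dataset(dataset, target_label, trigger, rate, perturb, rng):
    """Assemble D_w = D_m U D_b following Eq. (1).
    D_s is drawn from NON-target classes at watermarking rate lambda = |D_m| / |D|;
    each selected cloud is perturbed (the TFP step p, passed in as `perturb`) and then
    receives the trigger. Labels are kept, which is what makes the watermark clean-label."""
    candidates = [i for i, (_, y) in enumerate(dataset) if y != target_label]
    selected = set(rng.sample(candidates, round(rate * len(dataset))))
    watermarked = []
    for i, (x, y) in enumerate(dataset):
        if i in selected:
            x_marked, _ = implant_trigger(perturb(x), trigger, rng)
            watermarked.append((x_marked, y))  # label y is NOT changed to y(t)
        else:
            watermarked.append((x, y))
    return watermarked, selected


def points_on_trigger(points, center=TRIGGER_CENTER, radius=TRIGGER_RADIUS, tol=1e-9):
    """Owner-side check: count points lying on the (secret) trigger sphere."""
    return sum(1 for p in points if abs(math.dist(p, center) - radius) <= tol)


def make_toy_dataset(rng, n_clouds=200, k=8):
    """Constructed stand-in dataset: random clouds normalised into [0,1]^3 with K labels."""
    return [([tuple(rng.random() for _ in range(3)) for _ in range(NUM_POINTS)], i % k)
            for i in range(n_clouds)]


def identity_perturb(x):
    """Stand-in for TFP, which needs a surrogate model; the real p(x) goes here."""
    return x


def demo(seed=0, rate=0.01, target_label=0):
    """Watermark a toy dataset and report the properties a dataset owner would check."""
    rng = random.Random(seed)
    dataset = make_toy_dataset(rng)
    trigger = sample_sphere_trigger(rng)
    dw, selected = watermark_dataset(dataset, target_label, trigger, rate, identity_perturb, rng)
    return {
        "num_marked": len(selected),
        "labels_kept": all(dw[i][1] == dataset[i][1] for i in range(len(dataset))),
        "marked_non_target": all(dataset[i][1] != target_label for i in selected),
        "min_trigger_points": min(points_on_trigger(dw[i][0]) for i in selected),
        "trigger_on_sphere": points_on_trigger(trigger) == len(trigger),
        "trigger_share": len(trigger) / NUM_POINTS,  # about 5% of a 1,024-point cloud
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:20s} {value}")
```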
Fig. 3: Examples of point clouds involved in different backdoor watermarks.
TABLE I: The watermark performance of different backdoor watermarks for point clouds on the ModelNet40 dataset (having 40 categories), the ShapeNetPart dataset (having 16 categories), and the PartNet dataset (having 24 categories), respectively. In particular, we mark the worst cases (i.e., WSR < 80% or IoM > 80%) in red.
Dataset      | Type         | Method           | PointNet ACC (%) | PointNet WSR (%) | PointNet IoM (%) | PointNet++ ACC (%) | PointNet++ WSR (%) | PointNet++ IoM (%)
ModelNet40   | Benign       | No Watermark     | 89.2 | N/A  | N/A | 91.9 | N/A  | N/A
ModelNet40   | Poison-label | PCBA             | 87.8 | 98.9 | 100 | 90.6 | 99.3 | 100
ModelNet40   | Poison-label | PointPBA-B       | 87.6 | 99.8 | 100 | 90.5 | 99.5 | 100
ModelNet40   | Poison-label | PointPBA-R       | 87.8 | 68.8 | 100 | 90.4 | 81.9 | 100
ModelNet40   | Poison-label | IRBA             | 87.8 | 80.8 | 100 | 91.0 | 88.7 | 100
ModelNet40   | Clean-label  | PointCBA         | 88.8 | 31.3 | 0.0 | 91.0 | 50.9 | 0.0
ModelNet40   | Clean-label  | PointNCBW-patch  | 89.0 | 33.9 | 0.0 | 91.0 | 36.5 | 0.0
ModelNet40   | Clean-label  | PointNCBW (Ours) | 88.7 | 82.1 | 0.0 | 91.2 | 85.6 | 0.0
ShapeNetPart | Benign       | No Watermark     | 98.6 | N/A  | N/A | 98.9 | N/A  | N/A
ShapeNetPart | Poison-label | PCBA             | 98.6 | 98.5 | 100 | 98.8 | 98.9 | 100
ShapeNetPart | Poison-label | PointPBA-B       | 98.5 | 100  | 100 | 98.9 | 99.5 | 100
ShapeNetPart | Poison-label | PointPBA-R       | 98.3 | 84.0 | 100 | 98.9 | 89.6 | 100
ShapeNetPart | Poison-label | IRBA             | 98.4 | 92.1 | 100 | 98.6 | 96.9 | 100
ShapeNetPart | Clean-label  | PointCBA         | 98.4 | 64.8 | 0.0 | 98.4 | 68.6 | 0.0
ShapeNetPart | Clean-label  | PointNCBW-patch  | 98.5 | 45.5 | 0.0 | 98.5 | 51.9 | 0.0
ShapeNetPart | Clean-label  | PointNCBW (Ours) | 98.4 | 93.1 | 0.0 | 98.5 | 97.6 | 0.0
PartNet      | Benign       | No Watermark     | 96.3 | N/A  | N/A | 96.8 | N/A  | N/A
PartNet      | Poison-label | PCBA             | 95.3 | 99.8 | 100 | 95.6 | 99.5 | 100
PartNet      | Poison-label | PointPBA-B       | 95.3 | 99.9 | 100 | 95.5 | 99.6 | 100
PartNet      | Poison-label | PointPBA-R       | 95.2 | 86.0 | 100 | 95.4 | 93.1 | 100
PartNet      | Poison-label | IRBA             | 95.7 | 85.0 | 100 | 96.5 | 90.4 | 100
PartNet      | Clean-label  | PointCBA         | 96.1 | 34.3 | 0.0 | 96.7 | 54.0 | 0.0
PartNet      | Clean-label  | PointNCBW-patch  | 96.2 | 32.3 | 0.0 | 96.7 | 38.7 | 0.0
PartNet      | Clean-label  | PointNCBW (Ours) | 96.1 | 86.2 | 0.0 | 96.6 | 88.4 | 0.0
Hyper-parameter. In shape-wise TFP, we set the number of starting points $n = 30$ and the number of iterations $T = 30$. We use the Adam optimizer [23] to update the angles $\theta$ with initial learning rate $lr = 0.025$, and $lr$ is divided by 10 every 10 steps. In point-wise TFP, we set the regularization factor $\eta = 50$ in our objective function as default, and during optimization we set the number of iterations $T = 20$, the step size $\beta = 0.0025$, and the decay factor $\mu = 1$.
Evaluation Metrics. Accuracy (ACC) is used to evaluate the performance of models on benign samples. Watermark success rate (WSR) measures the effectiveness of dataset watermarks. Specifically, WSR is the percentage of verification samples that are misclassified. We use $\Delta P \in [-1, 1]$ and the p-value $\in [0, 1]$ for ownership verification, as introduced in Section IV.
B. The Performance of Dataset Watermarking
Settings. To evaluate the effectiveness and the stealthiness of watermarks, we compare our PointNCBW with existing poison-label and clean-label backdoor watermarks. The poison-label methods include PCBA [49], PointPBA-Ball [26], PointPBA-Rotation [26], and IRBA [15]. We include the only existing clean-label backdoor watermark (i.e., PointCBA [26]) as our main baseline. For comparative analysis, we additionally design perturbations utilizing a spherical patch to replace TFP in our PointNCBW. This approach employs a spherical patch with a radius of 0.25, where the center coordinates are optimized to minimize the relative distance between the perturbed samples and the target category (dubbed ‘PointNCBW-patch’). We randomly select ‘Keyboard’ on ModelNet40, ‘Knife’ on ShapeNetPart, and ‘Door’ on PartNet as our target label. We set the watermarking rate as 0.01. To measure watermark stealthiness, we also calculate the percentage of modified samples whose label is inconsistent with the ground-truth category (dubbed ‘IoM’).
IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY 7
TABLE II: The effectiveness of point cloud dataset ownership verification via our PointNCBW watermark under the PointNet structure.

| Metric | ModelNet40 In-T | ModelNet40 In-M | ModelNet40 Malicious | ShapeNetPart In-T | ShapeNetPart In-M | ShapeNetPart Malicious | PartNet In-T | PartNet In-M | PartNet Malicious |
|---|---|---|---|---|---|---|---|---|---|
| ΔP | 0.01 | 0.02 | 0.87 | −0.01 | 0.01 | 0.95 | 0.01 | 0.01 | 0.95 |
| p-value | 1.00 | 1.00 | 10^-57 | 1.00 | 1.00 | 10^-100 | 1.00 | 1.00 | 10^-71 |

TABLE III: The effectiveness of point cloud dataset ownership verification via our PointNCBW watermark under the PointNet++ structure.

| Metric | ModelNet40 In-T | ModelNet40 In-M | ModelNet40 Malicious | ShapeNetPart In-T | ShapeNetPart In-M | ShapeNetPart Malicious | PartNet In-T | PartNet In-M | PartNet Malicious |
|---|---|---|---|---|---|---|---|---|---|
| ΔP | 0.01 | 0.01 | 0.88 | 0.01 | 0.01 | 0.97 | 0.01 | 0.01 | 0.96 |
| p-value | 1.00 | 1.00 | 10^-60 | 1.00 | 1.00 | 10^-236 | 1.00 | 1.00 | 10^-108 |
Results. As shown in Table I, our PointNCBW watermark
is significantly more effective than PointCBA, especially on
the dataset containing more categories (i.e., ModelNet40). For
example, the watermark success rate of our PointNCBW is more
than 50% higher than that of PointCBA under the PointNet
structure on ModelNet40. In particular, the ACC and WSR of
our PointNCBW are also on par with those of poison-label
watermarks that are not stealthy under human inspection (see
the IoM). These results verify the benefits of our PointNCBW.
C. The Performance of Ownership Verification
Settings. We evaluate our proposed PointNCBW-based ownership verification in three scenarios, including (1) independent trigger (dubbed ‘In-T’), (2) independent model (dubbed ‘In-M’), and (3) unauthorized dataset training (dubbed ‘Malicious’). In the first scenario, we query the model trained on the watermarked dataset with a trigger that is different from the one used in the process of PointNCBW; in the second scenario, we examine the benign model trained on the clean dataset, using the same trigger pattern as in PointNCBW; in the last scenario, we adopt the same trigger to query the model trained on the watermarked dataset. Notice that only the last scenario should be regarded as unauthorized dataset use. We set τ = 0.2 for the hypothesis test in all cases as the default setting.
Results. As shown in Table II and Table III, our method can accurately identify unauthorized dataset usage (i.e., ‘Malicious’) with high confidence, as ΔP is larger than 0.8 and the p-value is nearly 0. At the same time, it avoids misjudgments when there is no stealing, as ΔP is nearly 0 and the p-values are 1 under the ‘Independent-T’ and ‘Independent-M’ scenarios. These results show that our method can accurately identify dataset stealing without misjudgments under the black-box model access setting.
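The verification step behind Tables II and III, as an added Python example that is not the paper's code. Because Section IV is not reproduced above, it assumes the test has the form of a one-sided paired t-test on the drop of the target-label posterior with margin τ (H0: P_benign ≤ P_triggered + τ); the posteriors standing in for black-box API replies are constructed, not real model outputs, and the t-distribution tail is computed from the regularized incomplete beta function so nothing beyond the standard library is needed.

```python
import math
import random


def _betacf(a, b, x, max_iter=300, eps=1e-14):
    """Continued fraction for the incomplete beta function (modified Lentz)."""
    tiny = 1e-300
    qab, qap, qam = a + b, a + 1.0, a - 1.0
    c = 1.0
    d = 1.0 - qab * x / qap
    d = 1.0 / (d if abs(d) > tiny else tiny)
    h = d
    for m in range(1, max_iter + 1):
        m2 = 2 * m
        aa = m * (b - m) * x / ((qam + m2) * (a + m2))       # even step
        d = 1.0 + aa * d
        d = 1.0 / (d if abs(d) > tiny else tiny)
        c = 1.0 + aa / c
        c = c if abs(c) > tiny else tiny
        h *= d * c
        aa = -(a + m) * (qab + m) * x / ((a + m2) * (qap + m2))  # odd step
        d = 1.0 + aa * d
        d = 1.0 / (d if abs(d) > tiny else tiny)
        c = 1.0 + aa / c
        c = c if abs(c) > tiny else tiny
        delta = d * c
        h *= delta
        if abs(delta - 1.0) < eps:
            break
    return h


def betainc(a, b, x):
    """Regularised incomplete beta function I_x(a, b)."""
    if x <= 0.0:
        return 0.0
    if x >= 1.0:
        return 1.0
    log_front = (math.lgamma(a + b) - math.lgamma(a) - math.lgamma(b)
                 + a * math.log(x) + b * math.log1p(-x))
    front = math.exp(log_front)
    if x < (a + 1.0) / (a + b + 2.0):
        return front * _betacf(a, b, x) / a
    return 1.0 - front * _betacf(b, a, 1.0 - x) / b


def student_t_sf(t, df):
    """Upper tail P(T > t) of Student's t distribution with df degrees of freedom."""
    two_sided = betainc(df / 2.0, 0.5, df / (df + t * t))  # P(|T| > |t|)
    return 0.5 * two_sided if t >= 0 else 1.0 - 0.5 * two_sided


def ownership_verification(p_benign, p_triggered, tau=0.2):
    """Assumed form of the test: one-sided paired t-test with margin tau.

    p_benign[i]    -- posterior of the target label for the i-th verification
                      sample of the target class, queried without the trigger
    p_triggered[i] -- the same sample queried with the trigger inserted
    H0: P_benign <= P_triggered + tau  (no unauthorized use)
    H1: P_benign >  P_triggered + tau  (negative trigger suppresses the target label)
    Returns (delta_p, p_value); a small p-value means H0 is rejected."""
    m = len(p_benign)
    if m != len(p_triggered) or m < 2:
        raise ValueError("need at least two paired verification samples")
    diffs = [pb - pw - tau for pb, pw in zip(p_benign, p_triggered)]
    mean = sum(diffs) / m
    var = sum((d - mean) ** 2 for d in diffs) / (m - 1)
    delta_p = mean + tau  # = mean(P_benign - P_triggered), the paper's ΔP
    if var == 0.0:
        return delta_p, (0.0 if mean > 0 else 1.0)
    t_stat = mean / math.sqrt(var / m)
    return delta_p, student_t_sf(t_stat, m - 1)


def simulate_posteriors(m, scenario, seed=0):
    """Constructed posteriors (not model outputs). 'malicious': the model learned
    the negative trigger, so the target-label probability collapses once the
    trigger appears; 'independent': the trigger has no effect (In-T / In-M)."""
    rng = random.Random(seed)
    p_benign = [rng.uniform(0.85, 0.99) for _ in range(m)]
    if scenario == "malicious":
        p_triggered = [rng.uniform(0.00, 0.10) for _ in range(m)]
    elif scenario == "independent":
        p_triggered = [rng.uniform(0.85, 0.99) for _ in range(m)]
    else:
        raise ValueError(scenario)
    return p_benign, p_triggered


def run_scenario(scenario, m=100, tau=0.2, seed=0):
    """Convenience wrapper: returns (ΔP, p-value) for one constructed scenario."""
    pb, pw = simulate_posteriors(m, scenario, seed)
    return ownership_verification(pb, pw, tau)


if __name__ == "__main__":
    for name in ("independent", "malicious"):
        dp, p = run_scenario(name)
        print(f"{name:12s} ΔP={dp:.2f} p-value={p:.3g}")
```

Larger m (Figure 4b, Theorem 1) and smaller τ (Table IV) both drive the p-value down for the same posteriors; the assertions below check exactly those two monotonicities.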
D. Ablation Study
We hereby discuss the effects of key hyper-parameters and
modules of our PointNCBW. Unless otherwise specified, we
exploit ModelNet40 as an example for our discussion.
(Figure 4 panels: (a) watermarking rate λ; (b) size of verification set m)
Fig. 4: Effects of watermarking rate λ and size of verification set m on the performance of PointNCBW-based dataset ownership verification on the ModelNet40 dataset.
Fig. 5: Effects of regularization hyper-parameter η on the magnitude of point-wise perturbation measured by Chamfer distance (D_ch). In general, the smaller the distance, the more imperceptible the point-wise perturbations.
Effects of Watermarking Rate λ. We conduct an experiment to analyze the relationship between WSR and varying watermarking rates λ. As depicted in Figure 4a, our WSR can reach above 80% when the watermarking rate is about 0.01. Besides, a higher watermarking rate brings a better WSR.
Effects of Size of Verification Set m. As shown in Figure 4b, using more verification samples can significantly enhance the performance of dataset ownership verification, i.e., the p-value for verification becomes smaller as the size of the verification set gets larger. The result is also consistent with our Theorem 1.
Effects of Regularization Hyper-parameter η. To evaluate the effects of the regularization hyper-parameter η in our point-wise perturbation objective function, we use Chamfer Distance [3] to measure the magnitude of perturbation for varying η. As shown in Figure 5, a larger η leads to more imperceptible point-wise perturbations.
Effects of Starting Points Number n. In shape-wise perturbation, we adopt numerous starting points to alleviate the impact of local minima during optimization. To verify its effectiveness, we measure the relative distance (defined in Section V-J) between perturbed samples and the target category with different numbers of starting points during shape-wise optimization. As Figure 6 shows, a larger number of starting points during shape-wise optimization can alleviate the impact of local minima, bringing the optimized perturbed samples closer to the target category with a smaller relative distance.
Fig. 6: Effects of starting points number during shape-wise perturbation on the relative distance between final perturbed samples and target category.
Fig. 7: Effects of decay factor µ in shape-wise optimization on the transferability of PointNCBW when adopting PointNet as the surrogate network structure.
Effects of Decay Factor µ. We hereby analyze the impact of the decay factor µ in shape-wise optimization on the transferability of PointNCBW. In this study, we employ PointNet as the surrogate model and generate multiple versions of the watermarked ModelNet40 dataset. Each of them corresponds to a different decay factor µ in the shape-wise optimization process. We train various network architectures on these watermarked datasets to assess transferability. As illustrated in Figure 7, optimal transferability is achieved when the decay factor µ is set to 1. This setting corresponds to a cumulative gradient approach, where all previous gradients are combined to guide the optimization updates in the current iteration.
Effects of Number of Iterations T. We assess the impact of the number of iterations T in shape-wise optimization on the transferability of PointNCBW. In this study, we employ PointNet as the surrogate model and generate multiple watermarked datasets, each corresponding to a different number of iterations used in the shape-wise optimization process. Subsequently, we train various network architectures on these watermarked datasets to evaluate transferability. As shown in Figure 8, increasing the number of iterations T in shape-wise optimization generally enhances transferability. However, our findings indicate that T = 20 iterations are sufficient to achieve optimal transferability, with minimal additional benefits observed beyond this point.
Fig. 8: Effects of the number of iterations T in shape-wise optimization on the transferability of PointNCBW when adopting PointNet as the surrogate network structure.
TABLE IV: The p-value of PointNCBW-based dataset ownership verification w.r.t. the verification certainty τ on the ModelNet40 dataset. In particular, we mark failed verification cases in red.

| Scenario \ τ | 0.00 | 0.05 | 0.10 | 0.15 | 0.20 |
|---|---|---|---|---|---|
| Independent-T | 10^-7 | 0.98 | 1.0 | 1.0 | 1.0 |
| Independent-M | 10^-11 | 0.47 | 1.0 | 1.0 | 1.0 |
| Malicious | 10^-71 | 10^-68 | 10^-65 | 10^-60 | 10^-57 |
Effects of Verification Certainty τ. To measure the effects of the verification certainty τ in PointNCBW-based dataset ownership verification, we choose different values of τ for ownership verification after the same watermarking process. As shown in Table IV, the p-value increases as the verification certainty τ increases across all scenarios. In particular, when τ is smaller than 0.05, our proposed PointNCBW may misjudge the cases of Independent-T or Independent-M. In addition, the larger the τ, the less likely misjudgments happen and the more likely that dataset stealing is ignored. Therefore, τ should be assigned based on specific requirements.
Effects of Target Category y(t). We hereby discuss whether our PointNCBW is still effective under various target labels. We randomly choose one class as the target label while keeping all other settings unchanged. The results, as presented in Table V, demonstrate that although the watermark performance exhibits slight variations across different target classes, our PointNCBW consistently maintains high effectiveness.
Effects of Trigger Patterns Γ. We conduct experiments on the ModelNet40 dataset to discuss the effects of trigger patterns in our PointNCBW. Specifically, we hereby discuss four main trigger settings, including (a) trigger pattern with different shapes, (b) trigger pattern with different sizes, (c) trigger pattern at different positions, and (d) trigger pattern with a different number of points. In the first scenario, we sample 50 points from a cube centered at (0.3, 0.3, 0.3) with a side length of 0.05. In the second scenario, we sample 50 points from a sphere also centered at (0.3, 0.3, 0.3), but with a radius of 0.05. In the third scenario, we relocate the same default trigger to (0.3,0.3,0.3). In the last scenario, we only sample 20 points from the same sphere centered at (0.3, 0.3, 0.3) with a radius of 0.025. Examples of watermarked point clouds are shown in Figure 9. As shown in Table VI, by comparing the results of settings (a) & (c), we know that both the shape and the position of the trigger pattern used for watermarking have mild effects on the final performance. Besides, the results of setting (b) suggest that a larger trigger size leads to better watermarking and verification performance, although it may decrease the watermark’s stealthiness. Furthermore, the results of setting (d) demonstrate that the watermark performance may slightly decrease if the trigger contains fewer points. Nevertheless, our method obtains promising verification results across all settings.
TABLE V: The performance of our PointNCBW with different target classes under the PointNet structure.

| Dataset | Target class | ACC | WSR | p-value |
|---|---|---|---|---|
| ModelNet40 | Bottle | 88.7 | 80.2 | 10^-61 |
| ModelNet40 | Curtain | 88.8 | 79.5 | 10^-56 |
| ModelNet40 | Door | 88.7 | 81.3 | 10^-57 |
| ModelNet40 | Guitar | 88.7 | 83.2 | 10^-66 |
| ModelNet40 | Wardrobe | 88.8 | 79.7 | 10^-56 |
| ShapeNetPart | Lamp | 98.3 | 90.5 | 10^-78 |
| ShapeNetPart | Guitar | 98.5 | 95.2 | 10^-116 |
| ShapeNetPart | Pistol | 98.3 | 90.8 | 10^-81 |
| ShapeNetPart | Rocket | 98.4 | 92.9 | 10^-97 |
| ShapeNetPart | Skateboard | 98.4 | 93.6 | 10^-105 |

TABLE VI: The performance of PointNCBW with different trigger patterns used in the watermarking process.

| Trigger setting | ACC | WSR | p-value |
|---|---|---|---|
| Original | 88.7 | 82.1 | 10^-57 |
| (a) | 88.7 | 83.0 | 10^-57 |
| (b) | 88.6 | 85.1 | 10^-60 |
| (c) | 88.7 | 82.8 | 10^-55 |
| (d) | 88.7 | 80.4 | 10^-49 |

(Figure 9 panels: (a), (b), (c), (d))
Fig. 9: The different trigger patterns used in the ablation study. In particular, we have also marked the coordinates of the center point of the trigger at the top of each image.
Effects of Feature Perturbation. Our TFP contains shape-wise and point-wise perturbations. To verify the effectiveness of TFP, we watermark the ModelNet40 dataset following the process of our PointNCBW under five scenarios, including (1) no perturbation before inserting the trigger, (2) TFP with solely the shape-wise part (TFP-S), (3) TFP with solely the point-wise part (TFP-P), (4) TFP without momentum in shape-wise optimization (TFP-NM), and (5) the vanilla TFP proposed in this paper. After watermarking, we train different networks on the watermarked ModelNet40 to measure the performance of ownership verification. As shown in Table VII, both shape-wise and point-wise perturbations are critical for the watermark and the verification performance of our PointNCBW based on TFP.
E. The Model Transferability of PointNCBW
Recall that our PointNCBW requires a surrogate model g to generate feature perturbations, as illustrated in Eq. (2). In our main experiments, we test our method under the same model structure used for generating the PointNCBW-watermarked dataset. However, in practice the suspicious model may have a different structure from the one used for dataset generation, since the dataset owner lacks information about the model used by dataset users. In this section, we verify that our method has model transferability and, therefore, can be used to protect dataset copyright.
Settings. We exploit PointNet [37], PointNet++ [38], DGCNN
[46], and PointASNL [50] on the ModelNet40 dataset for
discussion. Specifically, we first use one of them as the
surrogate model to generate the PointNCBW-watermarked
dataset. After that, we also use one of them as the training
model structure to train the malicious model on the generated
dataset. We report the watermark and copyright verification
performance of our PointNCBW on these trained models.
Results. As shown in Table VIII, our method remains highly
effective even when the training model is different from
the surrogate one in all cases. Training networks, including
PointNet [37], PointNet++ [38], and PointASNL [50] exhibit
both high WSR and low p-value. Although training network
DGCNN [46] may lead to a relatively low WSR, it is still
highly effective for copyright verification (i.e., p-value ≪
0.01). These results verify the transferability of our method.
We also observe that the accuracy of TFP is relatively lower
compared to other variants. This is primarily because TFP
reduces the relative distance between selected samples and the
target category in feature space more than the other variants,
causing the trained model to become more confused about the
true classification decision boundary.
F. The Scalability of PointNCBW
As we demonstrated in our introduction, the performance of the only existing clean-label backdoor watermark (i.e., PointCBA [26]) is not scalable: its watermark performance significantly decreases when datasets contain many categories. This limitation prevents its application as a watermark for large-scale point cloud datasets. In this section, we verify the scalability of our PointNCBW.
Settings. We construct a series of subsets of different sizes of the original ModelNet40 dataset by randomly selecting samples from various numbers of categories of ModelNet40. After that, we watermark them through our PointNCBW and train a PointNet under the same settings used in Section V-B.
Results. We compare the scalability between PointCBA and our PointNCBW in Figure 10. The results indicate that the WSR of PointCBA is significantly degraded when the dataset contains more categories. For example, the WSR drops even below 40% when the number of categories exceeds 30. In contrast, our PointNCBW can maintain a high WSR (>80%) as the number of categories increases. These results verify the effectiveness of our negative trigger design proposed in PointNCBW for its scalability.
TABLE VII: The performance of PointNCBW-based dataset copyright verification with different perturbations on ModelNet40.

| Variant | PointNet ACC | PointNet WSR | PointNet p-value | PointNet++ ACC | PointNet++ WSR | PointNet++ p-value | DGCNN ACC | DGCNN WSR | DGCNN p-value | PointASNL ACC | PointASNL WSR | PointASNL p-value |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| None | 89.2 | 0.0 | 1.00 | 91.9 | 0.0 | 1.00 | 91.7 | 0.0 | 1.00 | 90.1 | 0.0 | 1.00 |
| TFP-P | 89.0 | 18.4 | 0.01 | 91.7 | 6.2 | 0.99 | 91.5 | 2.1 | 1.00 | 89.9 | 10.6 | 0.37 |
| TFP-S | 88.8 | 78.8 | 10^-45 | 91.7 | 80.2 | 10^-49 | 91.1 | 62.1 | 10^-46 | 89.2 | 90.1 | 10^-71 |
| TFP-NM | 88.7 | 81.3 | 10^-55 | 91.5 | 80.4 | 10^-55 | 91.0 | 62.4 | 10^-56 | 89.2 | 93.2 | 10^-95 |
| Ours | 88.7 | 82.1 | 10^-57 | 91.5 | 81.4 | 10^-58 | 91.0 | 65.5 | 10^-61 | 89.2 | 95.8 | 10^-100 |

TABLE VIII: The transferability performance of our PointNCBW and PointNCBW-based dataset watermarking and ownership verification with different surrogate and training model structures on ModelNet40.

| Surrogate \ Training | PointNet ACC | PointNet WSR | PointNet p-value | PointNet++ ACC | PointNet++ WSR | PointNet++ p-value | DGCNN ACC | DGCNN WSR | DGCNN p-value | PointASNL ACC | PointASNL WSR | PointASNL p-value |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| PointNet | 88.7 | 82.1 | 10^-57 | 91.5 | 81.4 | 10^-58 | 91.0 | 65.5 | 10^-61 | 89.2 | 95.8 | 10^-100 |
| PointNet++ | 88.8 | 81.4 | 10^-59 | 91.3 | 92.4 | 10^-89 | 90.9 | 64.8 | 10^-62 | 88.9 | 100 | 10^-267 |
| DGCNN | 89.2 | 72.4 | 10^-69 | 91.1 | 79.3 | 10^-47 | 91.0 | 88.2 | 10^-83 | 89.8 | 84.8 | 10^-74 |
| PointASNL | 88.9 | 95.2 | 10^-120 | 91.2 | 100 | 10^-221 | 90.1 | 68.9 | 10^-93 | 89.2 | 100 | 10^-213 |

TABLE IX: The performance of PointNCBW-based dataset ownership verification under transfer learning.

| Pretrain \ Finetune | ModelNet ACC | ModelNet WSR | ModelNet p-value | ModelNet-Part (75%) ACC | WSR | p-value | ModelNet-Part (50%) ACC | WSR | p-value | ModelNet-Part (25%) ACC | WSR | p-value |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ShapeNetPart | 88.8 | 61.3 | 10^-36 | 88.4 | 55.5 | 10^-30 | 85.3 | 48.3 | 10^-21 | 83.5 | 38.1 | 10^-19 |
| PartNet | 88.7 | 53.1 | 10^-29 | 88.4 | 43.2 | 10^-24 | 86.5 | 34.6 | 10^-15 | 83.8 | 25.1 | 10^-8 |

(Figure 10 panels: (a) PointCBA; (b) PointNCBW (Ours))
Fig. 10: The scalability comparison between PointCBA and PointNCBW. It is measured by the watermark success rate w.r.t. the number of categories contained in the victim dataset.
G. PointNCBW under Transfer Learning
In previous parts, we focused only on scenarios where adversaries directly exploit the protected dataset to train a model from scratch. As transfer learning [56] becomes increasingly common in model training, we discuss whether our method is still effective in the transfer learning scenario.
Settings. We hereby conduct experiments on ShapeNetPart
[6], PartNet [36], and ModelNet40 [47] datasets with PointNet
[37] as the model architecture. We implement a two-stage
training process. Specifically, we first pre-train PointNet on
ShapeNetPart and PartNet datasets. After that, we fine-tune
these pre-trained models using our watermarked ModelNet40
dataset. This fine-tuning is conducted on both the complete
ModelNet40 dataset and its various subsets with different
sample proportions. Unless otherwise specified, all settings are
the same as those stated in Section V-A.
Results. As shown in Table IX, although the watermark success rate (WSR) of our PointNCBW may decrease under transfer learning, it remains highly effective for dataset copyright verification. We note that a partial ModelNet40 dataset may not be adequate for the model to fully capture the distinguishing features of different categories, leading to comparatively lower accuracy for PointNet when trained on ModelNet subsets. For instance, the accuracy on ModelNet is 88.8%, while on ModelNet-Part (25%) it is 83.5%. Besides, we observe that our method performs better on models pre-trained on the PartNet dataset than on those pre-trained on ShapeNetPart, as the model pre-trained on PartNet achieves a relatively higher WSR than the one pre-trained on ShapeNetPart. This phenomenon may be attributed to the larger scale of PartNet, which enables the acquisition of more comprehensive prior knowledge during pre-training.
H. Stealthiness and Watermark Performance
Compared to poison-label backdoor methods, our proposed PointNCBW is more hidden and harder for humans to detect, as it maintains the consistency between point clouds and their labels. However, we acknowledge that the watermark created by PointNCBW may still be detectable under extremely detailed human inspection. Nevertheless, we believe that in practice such detailed inspection is nearly impossible on large-scale datasets because of the high cost and time required. In this section, we analyze the trade-off between the stealthiness and the performance of the watermark in our PointNCBW method.
Settings. To control the magnitude of perturbation, we implement a systematic approach utilizing two key parameters: varying the number of starting points n in shape-wise perturbation optimization and the regularization hyper-parameter η in point-wise perturbation for the generation of watermarked samples. In our experimental setup, we employ PointNet as the surrogate model. We then generate a series of watermarked versions of the ModelNet40 dataset based on our PointNCBW, each corresponding to a different combination of n and η values. Subsequently, we train separate instances of PointNet on these watermarked datasets to evaluate the watermark performance under varying perturbation conditions.
Fig. 11: The watermark sample of ’Bottle’ generated by varying the magnitude of perturbation.
TABLE X: The performance of PointNCBW with varying magnitudes of the perturbation.

| n | η | WSR | p-value | D_ch |
|---|---|---|---|---|
| 0 | 10 | 26.2 | 10^-28 | 0.012 |
| 0 | 50 | 17.9 | 10^-19 | 0.004 |
| 15 | 10 | 67.5 | 10^-45 | 0.011 |
| 15 | 50 | 58.0 | 10^-38 | 0.004 |
| 30 | 10 | 86.2 | 10^-63 | 0.012 |
| 30 | 50 | 82.1 | 10^-57 | 0.004 |

Results. As evidenced by the results presented in Table X, an increased magnitude of perturbation, characterized by larger values of n and lower values of η, correlates with enhanced watermark performance. Visual representations of the watermarked samples are provided in Figure 11 for qualitative assessment. It is noteworthy that larger values of n may still remain inconspicuous, as the resultant rotations are inherently subtle. Conversely, lower values of η result in more noticeable perturbations, as evidenced by the increasing Chamfer Distance (D_ch) [3] between the samples after shape-wise perturbation and their subsequent point-wise perturbed counterparts. The choice of perturbation magnitude depends on the specific needs and constraints of the dataset owner.
I. The Resistance to Potential Watermark-removal Attacks
Once malicious dataset users learn that the owners may watermark their dataset via our PointNCBW, they may design watermark-removal attacks to bypass our watermark. This section exploits ModelNet40 as an example to evaluate whether our method resists them. We consider the most widely used and representative watermark-removal methods, including data augmentation [24], outlier detection [40], and model fine-tuning [8], for discussion. We also design an adaptive method to further evaluate it under the setting that adversaries know our watermarking method but do not know its specific settings.
Data Augmentation. Data augmentation is a widely used technique to enhance the diversity and richness of training data by applying random transformations or expansions to the original data. It aims to improve the generalization ability and performance of models. Our data augmentation methods consist of (1) randomly rotating the point cloud sample along the Euler angles in the range (−180°, 180°) and (2) adding Gaussian noise with mean µ = 0 and variance σ = 0.01 to the point cloud sample. The results in Table XI demonstrate that our PointNCBW can resist common augmentation methods.
(Figure 12 panels: (a) threshold=0.5; (b) threshold=1.0; (c) threshold=1.5; (d) threshold=2.0)
Fig. 12: The results of statistical outlier removal on a watermarked sample. The detected outlier points are marked in red.
Outlier Removal. Statistical outlier removal aims to identify and eliminate data points that significantly deviate from the expected or typical pattern in a dataset. Outliers are notably distant from the majority of the data, which may be used to detect trigger patterns. We perform statistical outlier removal (SOR) [40] on the generated watermarked dataset. Specifically, we compute the average distance from a given point to its 20 nearest neighbors and set a threshold based on the standard deviation of these average distances. It can be observed from Figure 12 that, for any threshold ranging from 0.5 to 2.0, SOR fails to detect and remove our trigger sphere. This is mostly because the density of the trigger pattern is comparable to or lower than that of the remaining parts.
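The SOR check described above, as an added Python example that is not the paper's code, run over a constructed point cloud: 512 points on a unit sphere stand in for a benign shape, a 50-point trigger ball of radius 0.05 centred at (0.3, 0.3, 0.3) follows the paper's default trigger, and one isolated stray point is planted to show what SOR does remove. The trigger's high local density keeps its mean 20-NN distance below the cutoff at every threshold from 0.5 to 2.0, which is the failure mode the paragraph reports.

```python
import math
import random

K_NEIGHBORS = 20  # the paper's SOR setting: 20 nearest neighbours per point


def mean_knn_distances(points, k=K_NEIGHBORS):
    """Mean Euclidean distance from every point to its k nearest neighbours.
    Brute force O(n^2), adequate for a single ModelNet-sized sample."""
    out = []
    for i, (xi, yi, zi) in enumerate(points):
        dists = [math.sqrt((xi - xj) ** 2 + (yi - yj) ** 2 + (zi - zj) ** 2)
                 for j, (xj, yj, zj) in enumerate(points) if j != i]
        dists.sort()
        out.append(sum(dists[:k]) / k)
    return out


def statistical_outlier_removal(points, threshold=1.0, k=K_NEIGHBORS):
    """SOR as described in the paper: a point is removed when its mean k-NN
    distance exceeds mean + threshold * std of all mean k-NN distances.
    Returns (kept_indices, removed_indices)."""
    d = mean_knn_distances(points, k)
    mu = sum(d) / len(d)
    sigma = math.sqrt(sum((v - mu) ** 2 for v in d) / len(d))
    cutoff = mu + threshold * sigma
    kept = [i for i, v in enumerate(d) if v <= cutoff]
    removed = [i for i, v in enumerate(d) if v > cutoff]
    return kept, removed


def make_watermarked_sample(n_shape=512, n_trigger=50, seed=0):
    """Constructed sample (not a real ModelNet40 object): a unit sphere of
    n_shape points plays the benign shape, n_trigger points uniformly inside a
    ball of radius 0.05 centred at (0.3, 0.3, 0.3) play the default trigger, and
    one stray point at (3, 3, 3) is the kind of isolated point SOR is built for."""
    rng = random.Random(seed)
    shape = []
    for _ in range(n_shape):
        v = [rng.gauss(0.0, 1.0) for _ in range(3)]
        norm = math.sqrt(sum(c * c for c in v))
        shape.append(tuple(c / norm for c in v))
    trigger = []
    while len(trigger) < n_trigger:  # rejection sampling inside the ball
        v = [rng.uniform(-0.05, 0.05) for _ in range(3)]
        if math.sqrt(sum(c * c for c in v)) <= 0.05:
            trigger.append(tuple(0.3 + c for c in v))
    points = shape + trigger + [(3.0, 3.0, 3.0)]
    trigger_idx = set(range(n_shape, n_shape + n_trigger))
    stray_idx = n_shape + n_trigger
    return points, trigger_idx, stray_idx


def evaluate_sor(threshold):
    """Run SOR at one threshold and report what happened to the trigger."""
    points, trigger_idx, stray_idx = make_watermarked_sample()
    _, removed = statistical_outlier_removal(points, threshold)
    removed = set(removed)
    return {
        "threshold": threshold,
        "trigger_points_removed": len(removed & trigger_idx),
        "stray_point_removed": stray_idx in removed,
        "total_removed": len(removed),
    }


if __name__ == "__main__":
    for th in (0.5, 1.0, 1.5, 2.0):  # the thresholds of Figure 12
        print(evaluate_sor(th))
```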
Fine-tuning. We hereby evaluate the PointNCBW-watermarked model after fine-tuning, which is also a common strategy for removing potential watermarks. Initially, we train PointNet on the watermarked ModelNet40 dataset for 200 epochs. Subsequently, we randomly select 20% of the benign samples to continue training the model for an additional 200 epochs. As shown in Table XI, our method is still highly effective (p-value ≪ 0.01), although FT can slightly increase the p-value.
Adaptive Adversarial Removal. We assume that malicious dataset users have prior knowledge of the existence of the PointNCBW watermark in the dataset. Specifically, they understand how our PointNCBW works but lack access to the exact target labels, the trigger pattern, and the specific watermarked samples employed by the dataset owners in PointNCBW. In this scenario, we design an adaptive removal method that might be used by malicious dataset users. Our PointNCBW relies heavily on feature perturbation, and we experimentally show in Section V-J that a closer feature distance between the selected non-target samples and the target category leads to better watermark performance, and the reverse is also true. Consequently, we design the adaptive method to disentangle the features of each sample adversarially during training. Specifically, we train PointNet [37] on watermarked ModelNet40 [47] for 200 epochs, and every 10 epochs we rotate each sample in the training dataset so as to move its feature as far away from its current feature as possible. Let x_tr denote one sample during the training phase; we rotate x_tr with the rotation matrix S(θ), where

$$\theta = \arg\max_{\theta} E\big(g_f(x_{tr} \cdot S(\theta)),\, g_f(x_{tr})\big). \qquad (7)$$

We approximately optimize Eq. (7) in a manner similar to Algorithm 1, except that θ is updated in the same direction as the gradient. The results in Table XI show that the adaptive method is significantly more effective than the other watermark-removal attacks. However, our method is still highly effective, with a high WSR and low p-value. In other words, our PointNCBW-based dataset ownership verification is also resistant to this adaptive attack.
TABLE XI: The performance of our PointNCBW under different potential watermark-removal attacks on the ModelNet40 dataset.

| Metric | No Attack | Augmentation (Rotation) | Augmentation (Noise) | Outlier Removal | Fine-tuning | Adaptive Removal |
|---|---|---|---|---|---|---|
| ACC | 88.7 | 88.2 | 88.4 | 88.7 | 88.8 | 88.5 |
| WSR | 82.1 | 78.2 | 79.4 | 82.0 | 81.5 | 75.6 |
| p-value | 10^-57 | 10^-41 | 10^-45 | 10^-57 | 10^-55 | 10^-39 |

(Figure 13 panels: (a) before watermarking; (b) after watermarking)
Fig. 13: The t-SNE visualization. (a) and (b) depict the feature space of samples during our PointNCBW. The selected samples for modification are marked in red.
Fig. 14: Effects of the relative distance between the modified samples and the target label on WSR.
J. Why Is Our PointNCBW Highly Effective?
To investigate why our method is highly effective, we first visualize the features of samples before and after watermarking. Specifically, we randomly select some samples from five different categories, including y(t), and project their features into 2D space by the t-SNE method [45]. As shown in Figure 13, the features of the selected samples (marked in red) were distributed over all categories before watermarking. In contrast, they move closer to category y(t) after our PointNCBW. Based on the feature shift, the trained models can discover that all these samples share the same part (i.e., trigger Γ). Accordingly, the models will explain why these samples have features similar to category y(t) but different true labels by the existence of trigger Γ. Consequently, the trained model will interpret our trigger as one key component to deny predicting label y(t).
For further study, we also calculate the relative distance (i.e., D_r) between the watermarked sample x_m and the target samples in feature space, as follows:

$$D_r = \frac{\|\bar{g}_f(x_m) - \bar{g}_f(x_t)\|_2}{\|\bar{g}_f(x_t)\|_2}, \qquad (8)$$

where \bar{g}_f is the mean of the feature representations. As shown in Figure 14, the WSR increases as D_r decreases. It verifies the effectiveness of our TFP.
Besides, we hereby also present more examples of watermarked samples of our PointNCBW to further verify our watermark stealthiness, as shown in Figure 15. Note that dataset owners can also exploit other trigger patterns to further increase the stealthiness based on the characteristics of their victim dataset. It is out of the scope of this paper.
K. The Analysis of Computational Complexity
In this section, we analyze the computational complexity of
our PointNCBW. We hereby discuss the computational com-
plexity of dataset watermarking and verification, respectively.
The Complexity of Dataset Watermarking. Let N denote the size of the original dataset; our computational complexity is O(λ·N), since PointNCBW only needs to watermark a few selected samples (N times the watermarking rate λ). Besides, PointNCBW supports parallel processing, as the TFP on the selected samples is independent. For example, applying the PointNCBW-based watermark to each selected sample when using PointNet as the surrogate model takes about one second and 1GB of memory on an NVIDIA GeForce RTX 3090. As such, the additional time required by our method in the watermarking phase is negligible to a large extent.
The Complexity of Dataset Verification. After obtaining the API of one suspicious black-box model, we use m verification samples to test whether the model is trained on our watermarked dataset. The computational complexity of this step is O(m), and it also supports parallel processing. For example, it takes about 50ms to use 100 verification samples (in batch mode) for ownership verification. Accordingly, the additional time our method requires in the verification phase is also negligible to a large extent.
Fig. 15: Examples of watermarked samples generated by our PointNCBW.
VI. POTENTIAL LIMITATIONS AND FUTURE DIRECTIONS
In our PointNCBW, we design transferable feature perturbation (TFP) to bring selected non-target samples closer to the target category in the feature space. We have empirically shown that our PointNCBW-based verification succeeds only when the feature distances between the selected perturbed non-target samples and the target category are close enough. However, TFP heavily relies on rotation transformation and is effective only on models that exhibit sensitivity to rotation. Current point cloud models are sensitive to geometric transformations, primarily due to the use of max-pooling operations [37, 38, 46, 50], which contributes to the efficacy of our PointNCBW. Nevertheless, our approach could be less effective if future point cloud model architectures achieve greater robustness to rotation transformations. To address this, we aim to develop adaptive perturbation mechanisms that do not rely on rotational sensitivity. We will investigate more powerful mechanisms in our future work.
Secondly, our work is primarily centered on digital environments, whereas point cloud models are increasingly likely to be deployed in complex real-world scenarios, such as autonomous driving. Verification in such real-world contexts may pose greater challenges, as the placement and scale of the trigger may not be optimally configured. We will further explore it in our future work.
Thirdly, our PointNCBW implants distinctive yet stealthy backdoor behaviors into the trained model. Similar to all existing dataset ownership verification (DOV) methods, the embedded backdoors may be maliciously used by adversaries, although our PointNCBW is intended to protect dataset copyright rather than to attack. However, since we adopt a negative trigger pattern that aims only to misclassify samples from the target class, PointNCBW poses only minor threats due to its untargeted nature and limited misclassification behaviors. We will explore how to design purely harmless DOV methods for point clouds in our future work.
VII. CONCLUSION
In this paper, we made the first attempt to protect the copyright of point cloud datasets via backdoor-based dataset ownership verification (DOV). We revealed that existing backdoor watermarks are either conspicuous or not scalable to large datasets because of their positive trigger effects. To alleviate this problem, we proposed a simple yet effective clean-label backdoor watermark for point clouds that introduces negative trigger effects. Specifically, we perform transferable feature perturbation (TFP) on non-target samples before implanting the trigger, so that the perturbed non-target samples move closer to the target category in feature space. Consequently, the trained model treats our trigger as a signal to deny predicting the target category. We also designed a hypothesis-test-guided dataset ownership verification based on our watermark and provided its theoretical analysis. We hope our work offers a new angle for creating backdoor watermarks that facilitate trustworthy dataset sharing and trading.
ACKNOWLEDGMENT
This research is supported in part by the National Key
Research and Development Program of China under Grant
2021YFB3100300, the National Natural Science Foundation
of China under Grants (62072395 and U20A20178), and the
Key Research and Development Program of Zhejiang under
Grant 2024C01164. This work was mostly done when Yiming
Li was a Research Professor at the State Key Laboratory
of Blockchain and Data Security, Zhejiang University. He is
currently at Nanyang Technological University.
REFERENCES
[1] Martin Abadi, Andy Chu, Ian Goodfellow, H Brendan
McMahan, Ilya Mironov, Kunal Talwar, and Li Zhang.
Deep learning with differential privacy. In CCS, 2016.
[2] Abbas Acar, Hidayet Aksu, A Selcuk Uluagac, and
Mauro Conti. A survey on homomorphic encryption
schemes: Theory and implementation. ACM Computing
Surveys, 51(4):1–35, 2018.
[3] Panos Achlioptas, Olga Diamanti, Ioannis Mitliagkas,
and Leonidas Guibas. Learning representations and
generative models for 3d point clouds. In ICML, 2018.
[4] Jiawang Bai, Kuofeng Gao, Shaobo Min, Shu-Tao Xia,
Zhifeng Li, and Wei Liu. Badclip: Trigger-aware prompt
learning for backdoor attacks on clip. In CVPR, 2024.
[5] Hanbo Cai, Pengcheng Zhang, Hai Dong, Yan Xiao,
Stefanos Koffas, and Yiming Li. Towards stealthy back-
door attacks against speech recognition via elements of
sound. IEEE Transactions on Information Forensics and
Security, 2024.
[6] Angel X Chang, Thomas Funkhouser, Leonidas Guibas,
Pat Hanrahan, Qixing Huang, Zimo Li, Silvio Savarese,
Manolis Savva, Shuran Song, Hao Su, et al. Shapenet:
An information-rich 3d model repository. arXiv preprint
arXiv:1512.03012, 2015.
[7] Siheng Chen, Baoan Liu, Chen Feng, Carlos Vallespi-
Gonzalez, and Carl Wellington. 3d point cloud pro-
cessing and learning for autonomous driving: Impacting
map creation, localization, and perception. IEEE Signal
Processing Magazine, 38(1):68–86, 2020.
[8] Jacob Devlin, Ming-Wei Chang, Kenton Lee, and
Kristina Toutanova. Bert: Pre-training of deep bidirec-
tional transformers for language understanding. arXiv
preprint arXiv:1810.04805, 2018.
[9] Yinpeng Dong, Fangzhou Liao, Tianyu Pang, Hang Su,
Jun Zhu, Xiaolin Hu, and Jianguo Li. Boosting adver-
sarial attacks with momentum. In CVPR, 2018.
[10] Linkun Fan, Fazhi He, Qing Guo, Wei Tang, Xiaolin
Hong, and Bing Li. Be careful with rotation: A uni-
form backdoor pattern for 3d shape. arXiv preprint
arXiv:2211.16192, 2022.
[11] Linkun Fan, Fazhi He, Tongzhen Si, Rubin Fan, Chuan-
long Ye, and Bing Li. Mba: Backdoor attacks against
3d mesh classifier. IEEE Transactions on Information
Forensics and Security, 2023.
[12] Wenshu Fan, Hongwei Li, Wenbo Jiang, Meng Hao,
Shui Yu, and Xiao Zhang. Stealthy targeted backdoor
attacks against image captioning. IEEE Transactions on
Information Forensics and Security, 2024.
[13] Felipe ABS Ferreira and Juliano B Lima. A robust 3d
point cloud watermarking method based on the graph
Fourier transform. Multimedia Tools and Applications,
79(3):1921–1950, 2020.
[14] Kuofeng Gao, Jiawang Bai, Bin Chen, Dongxian Wu,
and Shu-Tao Xia. Backdoor attack on hash-based image
retrieval via clean-label data poisoning. In BMVC, 2023.
[15] Kuofeng Gao, Jiawang Bai, Baoyuan Wu, Mengxi Ya,
and Shu-Tao Xia. Imperceptible and robust backdoor at-
tack in 3d point cloud. IEEE Transactions on Information
Forensics and Security, 2023.
[16] Kuofeng Gao, Yang Bai, Jindong Gu, Yong Yang, and
Shu-Tao Xia. Backdoor defense via adaptively splitting
poisoned dataset. In CVPR, 2023.
[17] Yinghua Gao, Yiming Li, Linghui Zhu, Dongxian Wu,
Yong Jiang, and Shu-Tao Xia. Not all samples are born
equal: Towards effective clean-label backdoor attacks.
Pattern Recognition, 139:109512, 2023.
[18] Tianyu Gu, Kang Liu, Brendan Dolan-Gavitt, and Sid-
dharth Garg. Badnets: Evaluating backdooring attacks
on deep neural networks. IEEE Access, 7:47230–47244,
2019.
[19] Junfeng Guo, Yiming Li, Ruibo Chen, Yihan Wu, Chenxi
Liu, and Heng Huang. Zeromark: Towards dataset
ownership verification without disclosing watermarks. In
NeurIPS, 2024.
[20] Junfeng Guo, Yiming Li, Lixu Wang, Shu-Tao Xia, Heng
Huang, Cong Liu, and Bo Li. Domain watermark:
Effective and harmless dataset copyright protection is
closed at hand. In NeurIPS, 2023.
[21] Bangyan He, Jian Liu, Yiming Li, Siyuan Liang, Jingzhi
Li, Xiaojun Jia, and Xiaochun Cao. Generating transfer-
able 3d adversarial point cloud via random perturbation
factorization. In AAAI, 2023.
[22] Hanxun Huang, Xingjun Ma, Sarah Monazam Erfani,
James Bailey, and Yisen Wang. Unlearnable examples:
Making personal data unexploitable. In ICLR, 2021.
[23] Diederik P Kingma and Jimmy Ba. Adam: A method for
stochastic optimization. arXiv preprint arXiv:1412.6980,
2014.
[24] Alex Krizhevsky, Ilya Sutskever, and Geoffrey E Hinton.
Imagenet classification with deep convolutional neural
networks. NeurIPS, 2012.
[25] Richard J Larsen and Morris L Marx. An introduction
to mathematical statistics. Prentice Hall Hoboken, NJ,
2005.
[26] Xinke Li, Zhirui Chen, Yue Zhao, Zekun Tong, Yabang
Zhao, Andrew Lim, and Joey Tianyi Zhou. Pointba:
Towards backdoor attacks in 3d point cloud. In ICCV,
2021.
[27] Yangyan Li, Rui Bu, Mingchao Sun, Wei Wu, Xinhan
Di, and Baoquan Chen. Pointcnn: Convolution on x-
transformed points. In NeurIPS, 2018.
[28] Yiming Li, Yang Bai, Yong Jiang, Yong Yang, Shu-Tao
Xia, and Bo Li. Untargeted backdoor watermark: To-
wards harmless and stealthy dataset copyright protection.
In NeurIPS, 2022.
[29] Yiming Li, Yong Jiang, Zhifeng Li, and Shu-Tao Xia.
Backdoor learning: A survey. IEEE Transactions on
Neural Networks and Learning Systems, 2022.
[30] Yiming Li, Haoxiang Zhong, Xingjun Ma, Yong Jiang,
and Shu-Tao Xia. Few-shot backdoor attacks on visual
object tracking. In ICLR, 2022.
[31] Yiming Li, Mingyan Zhu, Xue Yang, Yong Jiang, Tao
Wei, and Shu-Tao Xia. Black-box dataset ownership ver-
ification via backdoor watermarking. IEEE Transactions
on Information Forensics and Security, 2023.
[32] Yuezun Li, Yiming Li, Baoyuan Wu, Longkang Li, Ran
He, and Siwei Lyu. Invisible backdoor attack with
sample-specific triggers. In ICCV, 2021.
[33] Sohee Lim, Minwoo Shin, and Joonki Paik. Point cloud
generation using deep adversarial local features for aug-
mented and mixed reality contents. IEEE Transactions
on Consumer Electronics, 68(1):69–76, 2022.
[34] Daniel Liu, Ronald Yu, and Hao Su. Extending adversar-
ial attacks and defenses to deep 3d point cloud classifiers.
In ICIP, pages 2279–2283, 2019.
[35] Chenlei Lv, Weisi Lin, and Baoquan Zhao. Kss-icp: point
cloud registration based on kendall shape space. IEEE
Transactions on Image Processing, 32:1681–1693, 2023.
[36] Kaichun Mo, Shilin Zhu, Angel X Chang, Li Yi, Subarna
Tripathi, Leonidas J Guibas, and Hao Su. Partnet: A
large-scale benchmark for fine-grained and hierarchical
part-level 3d object understanding. In CVPR, pages 909–
918, 2019.
[37] Charles R Qi, Hao Su, Kaichun Mo, and Leonidas J
Guibas. Pointnet: Deep learning on point sets for 3d
classification and segmentation. In CVPR, 2017.
[38] Charles Ruizhongtai Qi, Li Yi, Hao Su, and Leonidas J
Guibas. Pointnet++: Deep hierarchical feature learning
on point sets in a metric space. In NeurIPS, 2017.
[39] Xiangyu Qi, Tinghao Xie, Yiming Li, Saeed Mahloujifar,
and Prateek Mittal. Revisiting the assumption of latent
separability for backdoor defenses. In ICLR, 2023.
[40] Peter J Rousseeuw and Annick M Leroy. Robust regres-
sion and outlier detection. John Wiley & Sons, 2005.
[41] Shuo Shao, Yiming Li, Hongwei Yao, Yiling He, Zhan
Qin, and Kui Ren. Explanation as a watermark: Towards
harmless and multi-bit model ownership verification via
watermarking feature attribution. In NDSS, 2025.
[42] Ruixiang Tang, Qizhang Feng, Ninghao Liu, Fan Yang,
and Xia Hu. Did you train on my dataset? towards public
dataset protection with clean-label backdoor watermark-
ing. ACM SIGKDD Explorations Newsletter, 2023.
[43] Alexander Turner, Dimitris Tsipras, and Aleksander
Madry. Label-consistent backdoor attacks. arXiv preprint
arXiv:1912.02771, 2019.
[44] Alexander Turner, Dimitris Tsipras, and Aleksander
Madry. Label-consistent backdoor attacks. arXiv preprint
arXiv:1912.02771, 2019.
[45] Laurens Van der Maaten and Geoffrey Hinton. Visu-
alizing data using t-sne. Journal of machine learning
research, 9(11), 2008.
[46] Yue Wang, Yongbin Sun, Ziwei Liu, Sanjay E Sarma,
Michael M Bronstein, and Justin M Solomon. Dynamic
graph cnn for learning on point clouds. ACM Transac-
tions On Graphics, 38(5):1–12, 2019.
[47] Zhirong Wu, Shuran Song, Aditya Khosla, Fisher Yu,
Linguang Zhang, Xiaoou Tang, and Jianxiong Xiao. 3d
shapenets: A deep representation for volumetric shapes.
In CVPR, 2015.
[48] Zhen Xiang, Fengqing Jiang, Zidi Xiong, Bhaskar Rama-
subramanian, Radha Poovendran, and Bo Li. Badchain:
Backdoor chain-of-thought prompting for large language
models. In ICLR, 2024.
[49] Zhen Xiang, David J Miller, Siheng Chen, Xi Li, and
George Kesidis. A backdoor attack against 3d point cloud
classifiers. In ICCV, 2021.
[50] Xu Yan, Chaoda Zheng, Zhen Li, Sheng Wang, and
Shuguang Cui. Pointasnl: Robust point clouds processing
using nonlocal neural networks with adaptive sampling.
In CVPR, 2020.
[51] Sheng Yang, Jiawang Bai, Kuofeng Gao, Yong Yang,
Yiming Li, and Shu-Tao Xia. Not all prompts are secure:
A switchable backdoor attack against pre-trained vision
transformers. In CVPR, 2024.
[52] Tongqing Zhai, Yiming Li, Ziqi Zhang, Baoyuan Wu,
Yong Jiang, and Shu-Tao Xia. Backdoor attack against
speaker verification. In ICASSP, pages 2560–2564, 2021.
[53] Dongbo Zhang, Xuequan Lu, Hong Qin, and Ying
He. Pointfilter: Point cloud filtering via encoder-decoder
modeling. IEEE Transactions on Visualization and Com-
puter Graphics, 27(3):2015–2027, 2020.
[54] Hengshuang Zhao, Li Jiang, Jiaya Jia, Philip HS Torr,
and Vladlen Koltun. Point transformer. In ICCV, 2021.
[55] Yue Zhao, Yuwei Wu, Caihua Chen, and Andrew Lim.
On isometry robustness of deep 3d point cloud models
under adversarial attacks. In CVPR, 2020.
[56] Fuzhen Zhuang, Zhiyuan Qi, Keyu Duan, Dongbo Xi,
Yongchun Zhu, Hengshu Zhu, Hui Xiong, and Qing He.
A comprehensive survey on transfer learning. Proceed-
ings of the IEEE, 109(1):43–76, 2020.
APPENDIX
Theorem 1. Suppose $f$ is the posterior probability generated by a suspicious model. Let the variable $X$ denote a benign sample from the target class $y^{(t)}$ and $X'$ its verified version (i.e., the same sample with the trigger inserted). Let $P_b = f(X)_{y^{(t)}}$ and $P_v = f(X')_{y^{(t)}}$ denote the predicted probabilities of $X$ and $X'$ on $y^{(t)}$. Assuming that $P_b > \zeta$, we claim that dataset owners can reject the null hypothesis $H_0$ at the significance level $\alpha$ if the watermark success rate $W$ of $f$ (with $m$ verification samples) satisfies

$$\sqrt{m-1}\cdot(W+\zeta-\tau-1) - t_\alpha\cdot\sqrt{W-W^2} > 0, \qquad (9)$$

where $t_\alpha$ is the $\alpha$-quantile of the $t$-distribution with $(m-1)$ degrees of freedom.

Proof. Since $P_b > \zeta$, the original hypothesis $H_1$ can be converted to

$$H_1': \;(1-P_v) + (\zeta-\tau-1) > 0. \qquad (10)$$

Suppose $C$ is the classifier of $f$, i.e., $C = \arg\max f$. Let $E$ denote the event that the suspect model $f$ predicts a watermarked sample as the target label $y^{(t)}$. As such, $E \sim B(1, p)$, where $1-p = 1-\Pr\big(C(X')=y^{(t)}\big) = \Pr\big(C(X')\neq y^{(t)}\big)$ is the verification success probability and $B$ is the Binomial distribution.

Let $\hat{x}_1, \cdots, \hat{x}_m$ denote the $m$ watermarked samples used for dataset verification via our PointNCBW and $E_1, \cdots, E_m$ denote their prediction events; then $W$ satisfies

$$W = \frac{1}{m}\sum_{i=1}^{m}(1-E_i), \qquad W \sim \frac{1}{m}\,B(m, 1-p). \qquad (11)$$

According to the central limit theorem, the watermark success rate $W$ follows the Gaussian distribution $\mathcal{N}\!\left(1-p,\ \frac{p(1-p)}{m}\right)$ when $m$ is sufficiently large. Similarly, $[(1-P_v)+(\zeta-\tau-1)]$ also follows a Gaussian distribution. Accordingly, we can construct the $t$-statistic

$$T \triangleq \frac{\sqrt{m}\cdot(W+\zeta-\tau-1)}{s} \sim t(m-1), \qquad (12)$$

where $s$ is the sample standard deviation of $W+\zeta-\tau-1$, which equals that of $W$ because the shift $\zeta-\tau-1$ is a constant, i.e.,

$$s^2 = \frac{1}{m-1}\sum_{i=1}^{m}\big((1-E_i)-W\big)^2 = \frac{1}{m-1}\left(m\cdot W - m\cdot W^2\right), \qquad (13)$$

where the last equality uses $(1-E_i)^2 = 1-E_i$ for $E_i\in\{0,1\}$, so that $\sum_{i=1}^{m}(1-E_i)^2 = m\cdot W$.

To reject $H_0$ at the significance level $\alpha$, we need

$$\frac{\sqrt{m}\cdot(W+\zeta-\tau-1)}{s} > t_\alpha, \qquad (14)$$

where $t_\alpha$ is the $\alpha$-quantile of the $t$-distribution with $(m-1)$ degrees of freedom. Substituting Eq. (13) into Eq. (12) and cancelling the common factor $\sqrt{m}$, we have

$$\sqrt{m-1}\cdot(W+\zeta-\tau-1) - t_\alpha\cdot\sqrt{W-W^2} > 0. \qquad (15)$$
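The decision rule of Theorem 1 is easy to run on the raw query outcomes, so the following block implements it end to end. It is an added example, not code released with the paper: the prediction events, the margin $\tau$, the threshold $\zeta$ and the significance level are constructed inputs (assumptions), and $t_\alpha$ is read as the one-sided upper critical value, i.e. $\Pr(T > t_\alpha) = \alpha$ for $T \sim t(m-1)$, which is the reading under which Eq. (14) rejects $H_0$. The Student-$t$ critical value is computed without SciPy, from the regularized incomplete beta function (Lentz continued fraction) and bisection, so the block runs offline; the check that $P_b > \zeta$ on benign samples is assumed to have been done beforehand.

```python
import math


def _betacf(a, b, x, max_iter=500, eps=1e-15):
    """Continued fraction for the incomplete beta function (modified Lentz)."""
    tiny = 1e-300
    qab, qap, qam = a + b, a + 1.0, a - 1.0
    c = 1.0
    d = 1.0 - qab * x / qap
    d = 1.0 / (d if abs(d) >= tiny else tiny)
    h = d
    for k in range(1, max_iter + 1):
        k2 = 2 * k
        aa = k * (b - k) * x / ((qam + k2) * (a + k2))
        d = 1.0 + aa * d
        d = d if abs(d) >= tiny else tiny
        c = 1.0 + aa / c
        c = c if abs(c) >= tiny else tiny
        d = 1.0 / d
        h *= d * c
        aa = -(a + k) * (qab + k) * x / ((a + k2) * (qap + k2))
        d = 1.0 + aa * d
        d = d if abs(d) >= tiny else tiny
        c = 1.0 + aa / c
        c = c if abs(c) >= tiny else tiny
        d = 1.0 / d
        delta = d * c
        h *= delta
        if abs(delta - 1.0) < eps:
            break
    return h


def betainc(a, b, x):
    """Regularized incomplete beta function I_x(a, b) for 0 <= x <= 1."""
    if x <= 0.0:
        return 0.0
    if x >= 1.0:
        return 1.0
    ln_bt = (math.lgamma(a + b) - math.lgamma(a) - math.lgamma(b)
             + a * math.log(x) + b * math.log1p(-x))
    bt = math.exp(ln_bt)
    if x < (a + 1.0) / (a + b + 2.0):
        return bt * _betacf(a, b, x) / a
    return 1.0 - bt * _betacf(b, a, 1.0 - x) / b


def t_upper_tail(t, df):
    """P(T > t) for T ~ t(df) and t >= 0."""
    x = df / (df + t * t)
    return 0.5 * betainc(df / 2.0, 0.5, x)


def t_critical(alpha, df):
    """Upper critical value t_alpha with P(T > t_alpha) = alpha (0 < alpha < 0.5)."""
    lo, hi = 0.0, 1e6
    for _ in range(200):          # bisection: the tail is monotone decreasing in t
        mid = 0.5 * (lo + hi)
        if t_upper_tail(mid, df) > alpha:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


def watermark_success_rate(events):
    """W = (1/m) * sum(1 - E_i), Eq. (11); E_i = 1 iff the suspect model still
    predicts the i-th triggered target-class sample as the target label y(t)."""
    return sum(1 - e for e in events) / len(events)


def verify_ownership(events, zeta, tau, alpha=0.05):
    """Decision rule of Theorem 1 / Eq. (9). Returns (statistic, reject_H0).
    Assumes P_b > zeta was checked on benign target-class samples beforehand."""
    m = len(events)
    W = watermark_success_rate(events)
    t_alpha = t_critical(alpha, m - 1)
    # W - W^2 is the (biased) variance of the 0/1 outcomes; clamp against rounding.
    stat = (math.sqrt(m - 1) * (W + zeta - tau - 1.0)
            - t_alpha * math.sqrt(max(W - W * W, 0.0)))
    return stat, stat > 0.0


# Constructed prediction events (assumption): 100 triggered target-class queries.
SUSPECT_EVENTS = [0] * 94 + [1] * 6   # model trained on the watermarked set: 94 denials
BENIGN_EVENTS = [1] * 97 + [0] * 3    # independent model: still predicts y(t) almost always
ZETA, TAU = 0.9, 0.1                  # assumed verification hyper-parameters

if __name__ == "__main__":
    for name, ev in (("suspect", SUSPECT_EVENTS), ("benign", BENIGN_EVENTS)):
        stat, reject = verify_ownership(ev, ZETA, TAU)
        print(f"{name}: W={watermark_success_rate(ev):.2f} stat={stat:+.3f} reject H0={reject}")
```

Two edge cases are worth knowing when reading Eq. (9). If every triggered sample is denied ($W = 1$), the variance term vanishes and the rule reduces to $\zeta - \tau > 0$, so the hyper-parameters alone decide; and because the statistic grows with $\sqrt{m-1}$, a modest success rate that would not be significant on 30 queries can become significant on 300, which is why $m$ should be fixed before querying rather than increased until the test passes.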
Cheng Wei received the bachelor’s degree from
the School of Computer Science and Technology,
Harbin Engineering University in 2022. He is cur-
rently pursuing a Master’s degree with the School
of Cyber Science and Technology, at Zhejiang Uni-
versity. His research interests include trustworthy AI
and computer vision.
Yang Wang received his B.S. degree in communication engineering from Zhejiang University and a Master's degree in System on Chip from KTH. He is currently a senior engineer at the Hangzhou Institute for Advanced Study, UCAS, and is working toward the PhD degree at Zhejiang University. His research interests include data security and privacy.
Kuofeng Gao received the bachelor’s degree from
the School of Cyber Science and Engineering,
Wuhan University, Wuhan, China, in 2021. He
is currently pursuing the Ph.D. degree with the
Shenzhen International Graduate School, Tsinghua
University, Guangdong, China. His research interest
generally includes trustworthy and responsible AI.
Shuo Shao received the B.Eng. degree from the
School of Computer Science and Technology, Cen-
tral South University in 2022. He is currently pursu-
ing a Ph.D. degree with the School of Cyber Science
and Technology and the State Key Laboratory of
Blockchain and Data Security, Zhejiang University.
His research interests include copyright protection in
AI, backdoor attack and defense, and AI security.
Yiming Li (Member, IEEE) received the B.S. degree
(Hons.) in mathematics from Ningbo University in
2018 and the Ph.D. degree (Hons.) in computer
science and technology from Tsinghua University in
2023. He is currently a Research Fellow with the
College of Computing and Data Science, Nanyang
Technological University. Before that, he was a
Research Professor with the State Key Laboratory of
Blockchain and Data Security, Zhejiang University,
and HIC-ZJU. His research has been published in
multiple top-tier conferences and journals, such as
IEEE S&P, NDSS, ICLR, NeurIPS, ICML, and IEEE TRANSACTIONS
ON INFORMATION FORENSICS AND SECURITY. His research interests
include the domain of trustworthy ML and responsible AI. His research has
been featured by major media outlets, such as IEEE Spectrum. He was a
recipient of the Best Paper Award at PAKDD in 2023 and the Rising Star
Award at WAIC in 2023. He served as the Area Chair for ACM MM and the
Senior Program Committee Member for AAAI.
Zhibo Wang received the B.E. degree in Automation from Zhejiang University, China, in 2007, and his Ph.D. degree in Electrical Engineering and Computer Science from the University of Tennessee, Knoxville, in 2014. He is currently a Professor with the School of Cyber Science and Technology, Zhejiang University, China. His current research interests include AI security, Internet of Things, and data security and privacy. He is a Senior Member of IEEE and ACM.
Zhan Qin is currently a ZJU100 Young Professor
with both the College of Computer Science and
the School of Cyber Science and Technology at
Zhejiang University, China. He was an assistant
professor at the Department of Electrical and Com-
puter Engineering in the University of Texas at San
Antonio after receiving the Ph.D. degree from the
Computer Science and Engineering department at
State University of New York at Buffalo in 2017. His
current research interests include data security and
privacy, secure computation outsourcing, artificial
intelligence security, and cyber-physical security in the context of the Internet
of Things. His works explore and develop novel security sensitive algorithms
and protocols for computation and communication on the general context of
Cloud and Internet devices. He is the associate editor of IEEE TDSC.