Dear Reviewer s8Mh, thank you very much for your careful review of our paper and thoughtful comments. We are encouraged by your positive comments on our good soundness and presentation, extensive experiments, and novelty. We hope the following responses can help clarify potential misunderstandings and alleviate your concerns.

---

The Clarification of Our Main Focus

In this paper, we propose a new DOV method by introducing a new verification process without disclosing dataset-specified watermarks instead of proposing new dataset watermarks as in previous works. Our method can be incorporated to enhance existing dataset watermarks to support a privacy-preserving verification process.

---

Q1: The embedded watermark can also be removed when ZeroMark releases the original watermark pattern.

R1: We are deeply sorry to cause your misunderstanding that we want to clarify.

• As mentioned in the previous clarification, our ZeroMark is a new verification method instead of a new watermarking method. As such, our work is different from all existing DOV works, whose main focus is proposing new watermarks.
• ZeroMark does not release the original watermark pattern. Our ZeroMark queries the suspicious model with benign images and their boundary versions, instead of directly using watermarked samples.
• ZeroMark prevents information leakage for watermark patterns and resists to watermark reconstruction and unlearning attacks.
  • As shown in Tabel 2-3, ZeroMark prevents information leakage of watermark patterns for existing watermark techniques since the verification contains limited information about trigger patterns. As such, it is difficult for adversaries to reconstruct dataset-specified trigger patterns based on boundary samples.
  • As shown in Section 5.4 and Appendix J, ZeroMark resists to unlearning with boundary samples.

---

Q2: As shown in Fig.2 (d), there is no clear bond between the benign samples and target labels.

R2: Thank you for this insightful question! We distinguished between watermarked and benign models based on their similarity distributions by comparing their maximum instead of random values. Specifically, we selected the largest Q% samples within each distribution. Please kindly find more detailed explanations in Line180-188.

---

Q3: The novelty of this paper is limited. Using backdoor behaviors [1] or their distributions to protect the dataset shows similar forms.

R3: Thank you for these comments and we do understand your concern.

• As we mentioned in the clarification at the beginning, we focus on the verification process instead of watermarking process that is discussed in all previous works.
• We explore the non-disclosure requirement of the verification process for the first time.
• We empirically and theoretically discover an intrinsic property of watermarked DNNs regarding boundary samples.

---

Q4: In Eq. (5), is it correct to calculate the cosine similarity between the image x and its gradient?

R4: We are deeply sorry that we may lead you to some misunderstandings that we want to clarify here. Eq.(5) is used to illustrate the definition of cosine similarity. We never implements Eq.(5) in our method.

---

Q5: Blended use Hello Kitty or sunglasses as the trigger.

R5: Thanks your comments!

• Arguably, the main contribution of Blended is the blended strategy for generating stealthy poisoned images instead of the specific trigger patterns (e.g., Hello Kitty and sunglasses). Our settings simply follow those used in existing works.
• Random noise pattern can validate the generalizability of ZeroMark. It can validate that ZeroMark is effective and generalizable, not specific to a certain watermark pattern.
• To further alleviate your concerns, we evaluate it with Hello Kitty. As shown in Table 5-6 in the uploaded PDF, our method is still highly effective under this setting.

---

Q6: Why does the smaller MSE denote the better performance?

R6: Larger MSE indicates the better performance.

---

Q7: ZeroMark is a backdoor-based DOV method, the state-of-the-art backdoor defense methods should be included.

R7: Thank you for this insightful comment!

• Our method can also be incorporated in non-backdoor-based dataset watermarks (e.g., domain watermark).
• Even when used in backdoor-based watermarks, our method naturally escapes most backdoor detection methods because our query samples (i.e., boundary samples) are benign and do not contain trigger patterns.
• We have evaluted ZeroMark against two classical backdoor defenses (i.e., fine-tuning and pruning) in Section 5.3.
• To further alleviate your concerns, we conduct experiments on SCALE-UP, STRIP and ShrinkPad using CIFAR-10 with ResNet-18. Our method resists to them with the AUROC (0.52, 0.50, 0.52).

---

Q8: Unlearnable examples can also be used to prevent unauthorized data exploitation.

R8: Thanks for bringing this paper to us!

• We admit that unlearnable examples can also be used to protect data, although in a different aspect (availability v.s. tracebility). We will modify this sentence to avoid potential misunderstandings or over-claims.
• To further alleviate your concern, we summarize the differences between unlearnable examples and dataset ownership verification, as follows.
  • Unlearnable examples aim to make DNNs fail to have a high accuracy trained on the protected data. It is usually used to protect data published on social media and cannot be used to detect unauthorized dataset users.
  • Unlearnable samples usually need to watermark the whole dataset or at least the majority parts of the victim dataset, whereas DOV methods only need to modify a few samples.
  • Unlearnable samples can only be used to prevent unauthorized dataset usage, whereas DOV methods can also trace/attribute unauthorized users.

---

Please allow us to thank you again for reviewing our paper and the valuable feedback, and in particular for recognizing the strengths of our paper in terms of good soundness and presentation, extensive experiments, and novelty.

We also sincerely thank you for your timely follow-up feedback. Please kindly let us know if our response have properly addressed your remaining concerns. We are more than happy to answer any additional questions during the post-rebuttal discussion period. Your feedback will be greatly appreciated.

Dear Reviewer s8Mh,

We would like to sincerely thank you for your helpful comments. We hope our response has adequately addressed your concerns. We take this as a great opportunity to improve our work. We would be very grateful if you could kindly give any feedback to our rebuttal :)

Best Regard,

Paper4797 Author(s)

Dear Reviewer s8Mh,

Thank you for your follow-up comments. We greatly appreciate your efforts to help us improve our paper. However, we find that there are still some potential misunderstandings that may significantly mislead you. We hereby provide more explanations to address them.

---

Q1: ZeroMark is indeed a verification method, however, its effectiveness is restricted to the backdoor attack methods that are employed. If malicious users adopt defense methods during the model training process, then ZeroMark cannot verify the copyright successfully, resulting in low practicality.

R1: Thank you for your comments. We are deeply sorry that our previous rebuttal may have led you to some misunderstandings that we want to clarify here.

• As we have mentioned before, our ZeroMark method is not restricted only to backdoor-based watermarks. For example, it can also be used to Domain Watermark, which is non-backdoor-based.
• To the best of our knowledge, there is no training-phase backdoor defense that can simultaneously defend against all types of backdoor attacks. As such, even just for backdoor watermarks, we can't assume that users have been able to easily remove them completely through existing backdoor defenses.
• We argue that it is unfair to completely dismiss our work simply because baseline watermarks may be removed. This is just a probability and it is out the scope of this paper (PS: it is about the robustness of dataset watermarks).

---

Q2: The main idea of ZeroMark is to employ the reconstructed backdoored samples (i.e., boundary samples) to activate the injected backdoor. This is a straightforward application of backdoor defense, such as using backdoor defense methods to reconstruct the backdoored samples first and then to initiate backdoor attacks. The important boundary samples are generated by the existing method, FAB.

R2: Thank you for your comments. We are deeply sorry that our previous rebuttal may have led you to some misunderstandings that we want to clarify here.

• Boundary samples are not backdoor samples, as shown in its definition (Eq.(1)&Eq.(3)). As such, our ZeroMark does not have any direct relation to the backdoor sample synthesis (or backdoor trigger inversion).

---

The Definition of Boundary Samples. Let the logit margin of model $f: \mathcal{X} \rightarrow [0,1]^K$ on the label $y$ is denoted by:

$

\phi_{y}(x;w) = f_{y}(x;w) - \max_{y'\neq y} f_{y'}(x;w).

$

It can be observed that $x$ can be classified as $y$ by $f(\cdot;w)$ if and only if $\phi_{y}(x;w) \geq 0$. As such, the set for boundary samples of class $y$ can be denoted by $\mathcal{B}(y;w) = \{x: \phi_{y}(x;w) = 0\}$.

---

• The core contribution of the paper is not how to compute the boundary samples, but rather the definition of this new research problem and our empirical and theoretical findings of the intrinsic property of DNNs trained on the watermarked dataset.
• We argue that it is unfair to completely dismiss our work simply because we need to use existing techniques to calculate some intermediate results. Otherwise, we can easily infer that almost all existing DL works has limited novelty, as they all require updating the model with PGD/SGD, etc.

---

Q3: Please find each reviewer correctly and respond to their comments.

R3: Thank you for your comments. You may have this misunderstanding because we summarized the key points of your original question in our rebuttal due to word limitations. Although we have answered your original questions in the order they were asked and have tried to maintain enough key information, we apologize for any misunderstandings we may have caused you.

Please kindly let us know if we missed any points. We are very happy to answer them before the discussion period ends.

---

Dear Reviewer RJcM, thank you very much for your careful review of our paper and thoughtful comments. We are encouraged by your positive comments on our good presentation and novel verification process. We hope the following responses can help clarify potential misunderstandings and alleviate your concerns.

---

Q1: I question whether the lengthy proof of Theorem 1 is necessary.

R1: Thank you for your insightful comment!

• The right term in Eq (6) decrease instead of increase with the increase of the number of iterations $t^{*}$. As such, this inequality is not naturally hold even if the left size may be within [0, 2] and $c$ could be large.
• This potential misunderstanding may due to the format of the right side, i.e., $c\cdot (t^*)^{q-1}$ where $q\in(\frac{1}{2},1)$. To avoid this misunderstanding, we can rewrite it as: $c \cdot \frac{1}{(t^{*})^{b}}$, where $b = 1-q \in (0,\frac{1}{2})$.
• We have also empirically verified it in Figure 5. As shown in this Figure, the cosine similarity scores increase with the increase of $t$.

We will add more details and discussions in our revision.

---

Q2: Theorem 1 suggests Lipschitz continuity, not a positively increasing relationship.

R2: Thank you for your insightful comment!

• As we mentioned in R1, we can rewrite the right side of Theorem 1. The new format can clearly suggest a a positively increasing relationship.
• We have also empirically verified it in Figure 5. As shown in this Figure, the cosine similarity scores increase with the increase of $t$.
• Arguably, the inequality does not have much to do with Lipschitz continuity since the right size is not about the rate of change of a variable.

We will add more details and discussions in our revision.

---

Q3: Zeromark needs the predicted logits for conducting verification.

R3: Thank you for your insightful comment!

• Our approach does not require logits for generating boundary samples. The potential misunderstanding may come from Eq.(10). But our gradient estimation and generation processes are consistent with previous black-box adversary attacks under the hard-label setting.
• In our released zeromark.py, Line 123-140 (function for obtaining the final predictive label), Line 194-238 (gradient estimation) and Line 253-293 (geometric search for boundary samples) verify that ZeroMark is implemented requiring only predicted labels for inputs.

We will add more details in our revision.

---

Q4: The authors should provide error bars.

R4: Thanks for your constructive suggestion! Following your suggestion, we evaluate our main experiments with four independent models and report the error bars. As shown in Table 2-4 in our uploaded PDF, the results are sufficiently consistent with a low std.

---

Q5: Whether the proposed method can work with clean-labeled data.

R5: Thanks for your insightful comment! We agree with you that clean label is highly importatnt in dataset watermarking.

• ZeroMark can perform effective with the most recent clean-label watermark (i.e., Domain Watermark).
• Following your suggestion, we have tried to combine our method to radioactive data.
  • However, it is ineffective and impractical for dataset ownership verification under our considered threat model with a small watermarking rate. We find the gap for watermark inputs yields nearly the same cross-entropy loss as benign inputs with AUROC as 0.507.
  • It requires to calculate the cross entropy, needing all logits.

---

Q6: Reconstruct the watermark pattern using the multiple boundary samples and their corresponding gradients.

R6: Thanks for this insightful comment!

• In general, ZeroMark is resillient against watermark reconstruction. Due to the page limitation, we have conducted and placed this experiment in Appendix J (Figure 21-22).
• In our experiments, we used domain watermark as an example since it is the most robust and SOTA dataset watermark. To further alleviate your concern, we evaluate ZeroMark also on BadNet, Blended, and WaNet. As shown in Figure 2 in the uploaded PDF, the adversaries cannot reconstruct the watermark pattern via boundary samples.
• Arguably, the reconstruction failure is mostly because
  • The boundary samples contain limited information of the trigger patterns, as shown in Table 2-3.
  • Boundary samples generated by ZeroMark can always stay far away from the watermark samples' distribution (as shown in Figure 9). It demonstrates ZeroMark can prevent disclosing the watermark information from the watermark samples.

We will provide more discussions in our revision and further explore it in our future works.

---

Q7: Effects for the data augmentation techniques (random flip) and dropout during the training phase of suspicious model.

R7: Thanks for your construstive suggestions!

-- ZeroMark is resillient to data augmentation and random dropout during the training phase. We have already trained all evaluated models with data augmentation tenciques and random dropout. Our results show that ZeroMark performs resillient against the data augmentation techniques. -- Random Flip does not cause "mirror patterns" of watermark for suspicious model.

• Following your suggestion, we evaluate the suspicious model built with RandomHorizonFlip against inputs attached with the watermark pattern and its mirror pattern for BadNets on CIFAR-10. We find that the suspicious model can achieve a 99.9% VSR on inputs containing watermark but only a 9.95% VSR on inputs with the mirror one.
• It indicates the random flip will not affect the boundary gradient correlated to the original watermark pattern.
• We speculate it mostly because the watermark pattern correlated to the semantic feature of inputs rather than the relative position.

We will add more details and discussions in the appendix of our revision.

---

Please allow us to thank you again for reviewing our paper and the valuable feedback, and in particular for recognizing the strengths of our paper in terms of good presentation and novel verification process.

Kindly let us know if our response and the new experiments have properly addressed your concerns. We are more than happy to answer any additional questions during the post-rebuttal discussion period. Your feedback will be greatly appreciated.

Dear Reviewer RHDz, thank you very much for your careful review of our paper and thoughtful comments. We are encouraged by your positive comments on our great significance, intriguing phenomenon with theoretical analysis, novel and interesting method, simple and effective method,, good presentation, and good soundness. We hope the following responses can help clarify potential misunderstandings and alleviate your concerns.

---

Q1: More explanations about the motivation of ZeroMark?

R1: Thank you for this insightful question! In general, our approach is motivated by previous works on model fingerprints to some extent, where we can use decision boundary properties to attribute DNNs. We think the trigger pattern is simply a straightforward method to probe the decision boundary of the suspicious model.

---

Q2: The authors should justify the phenomenon in Figure 2 is not exists in benign models.

R2: Thank your for this contrusctive suggestion! During the rebuttal period, we plot the distribution for cosine similarity under benign models on the Tiny ImageNet dataset in our loaded PDF (Figure 1). It shows that this phenomenon does not exist in benign models.

---

Q3: It would be better to explain more about how Theorem 1 relates to the proposed method.

R3: Thank you for pointing it out! We are deeply sorry that our submission failed to provide sufficient information, which we want to clarify here.

• Therom 1 discusses the error for the consine similarity computed over boundary samples and the corresponding watermark pattern during the optmization process of Eq.(4).
• During the procedure of optimizing Eq.(4), when $t^{*}$ becomes large, the error for the consine similarity computed over boundary samples and the corresponding watermark pattern gets smaller.
• Motivated by that, we seek the closest boundary samples with a large $t^{*}$ to minimize the error in our ZeroMark method.

We will provide more details and discussions in our revision.

---

Q4: It would be better have evaluation for non-patch-based watermarks.

R4: Thank you for this insightful comment!

• We have evaluated ZeroMark for non-patch-based watermarks (e.g., WaNet and Domain Watermark) in our experiments. Due to the space limitation, we put them in our appendix (Section C).
• In general, their results are consistent with those of BadNets, i.e., this phenomenon is universal. We will add more details and discussions in our revision.

We will provide more details and discussions in our revision.

---

Q5: The effect for the normalization process.

R5: Thank you for this insightful comment!

• Following your suggestions, we conduct an ablations study on the TinyImageNet dataset to show the effectiveness of the normalization process. The results are shown in our uploaded PDF (Figure 1).
• The results show that it is hard to identify the benign and watermark models' distributions on cosine similarity without normalization. It verifies the effectiveness of this process.

We will provide more details and discussions in the appendix of our revision.

---

Q6: Missing setting details used for the zero-order gradient estimation (i.e., N and \beta_t).

R6: Thank you for pointing it out! We are deeply sorry that our submission failed to provide sufficient setting information, which we want to clarify here. Fllowing the classical zero-order optimization process, we set $N$ as 200. The $\beta_{t}$ is calcualted following Theorem 1. We will add more details in our revision.

---

Q7: Analysis on the visual similarities between the optimized verification samples and their benign version, as well as with the ground-truth dataset watermark, w.r.t. to the optimization process.

R7: Thanks for your constructive suggestions. We evaluate the visual similarities between optimized verification samples and their benign version and their benign version in our uploaded PDF. The results show that the visual similarity between boundary and benign samples increases and then becomes stable during the optimization procedure, indicating the stealthiness and non-disclosure property of our ZeroMark.

---

Q8: The authors should also conduct experiments on methods with non-compact watermarks.

R8: Thank you for this constructive suggestion! We are deeply sorry that our submission may lead you to some potential misunderstandings that we want to clarify here.

• In our paper, we have conducted experiments on non-compact wateramarks, including WaNet and Domain Watermark. Their watermarks are all over the whole watermarked images.
• As shown in Table 1-4 of our main manuscript, our method is highly effective on them.

We will add more details in our revision.

---

Q9: The authors should provide more explanations in Section 5.5.

R9: Thank you for pointing it out! We are deeply sorry that our submission failed to provide sufficient explanations.

• As ZeroMark obtained the closest boundary samples by optimizing Eq.(4), we thus evaluate the effectiveness of ZeroMark during the optimization procedure of Eq.(4) with varying steps $t$.
• As shown in Figure 9, ZeroMark is consistently separated from watermark samples during the optimization procedure of Eq.(4) with varying steps $t$.
• As such, ZeroMark can prevent the disclosure of watermark information from the watermark samples.

We will add the details in the appendix of our revision.

---

I would like to thank the authors for providing a detailed rebuttal containing additional experiments. It addressed all my concerns. Well done!

I have also carefully read the comments from other reviewers, especially Reviewer RJcM and Reviewer s8Mh, since they have different judgments of this paper. After reading their comments and the rebuttal, I think their negative opinions are mostly due to misunderstandings, which are caused by the loss of some technical details or explanations. I believe the authors did a good job of clearing up these misunderstandings in their rebuttal. In addition, other expert reviewers raised some concerns that I had not thought of. But I think the authors also addressed them in the rebuttal, at least to me.

Given all these considerations, as well as insightful motivation, novelty, and potential impact on this field, I slightly increase my score. I would also be happy to hear from other reviewers and participate in discussions :)

Dear Reviewer VV25, thank you very much for your careful review of our paper and thoughtful comments. We are encouraged by your positive comments on our novel and interesting research problem, interesting observation, method flexibility, and extensive and solid experiments. We hope the following responses can help clarify potential misunderstandings and alleviate your concerns.

---

Q1: It would be better to add a discussion on how ZeroMark extends to other data formats or model architectures.

R1: Thank you for these insightful comments! We do agree with you that generalizability and flexibility are also important for a method.

• Generalizability to Other Model Architectures.
  • In general, the success of our approach on other model structures depends on two factors: (1) whether the studied dataset watermarking method (e.g., BadNets) can successfully watermark these models and (2) whether we can conduct effective 'adversarial attacks' to find boundary samples on these models. Based on existing work related to backdoor attacks/dataset watermarking [1,2] and adversarial attacks [3,4], these factors are all met. As such, our method can fundamentally generalize to other models (e.g., transformer) as well.
  • To further alleviate your concern, as you suggested, we hereby also evaluate our ZeroMark on the transformer archietecture. We empirically evaluate the effectiveness of ZeroMark on the TinyImageNet dataset using SwinTransformer with a patch size of 4. Other settings are consistent with our main experiments. As shown in Table 1 in our uploaded PDF, our method is highly effective with verification efficacy.
• Generalizability to Other (Discrete) Data Formats.
  • We conduct experiments only on image datasets simply following existing works [2, 5]. Due to the limitation of paper length, it is also difficult for us to provide a comprehensive evaluation on other data types.
  • However, we do understand your concern. Arguably, the main challenge lies in how to design effective adversarial attacks to discrete data formats for finding the closest boundary samples (as in Eq.(10)). In particular, there are already some relevant works [6, 7] confirming its feasibility. Accordingly, our ZeroMark can be naturally adapted to other discrete data formats (e.g., tabular or text). Due to the limitation of time, we cannot provide sufficient experiments to verify it in our rebuttal. We will further discuss it in our future works.

Ref

1. You Are Catching My Attention: Are Vision Transformers Bad Learners under Backdoor Attacks?
2. Domain Watermark: Effective and Harmless Dataset Copyright Protection is Closed at Hand.
3. On the robustness of vision transformers to adversarial examples.
4. On the Adversarial Robustness of Vision Transformers.
5. Untargeted Backdoor Watermark: Towards Harmless and Stealthy Dataset Copyright Protection.
6. TextCheater: A Query-Efficient Textual Adversarial Attack in the Hard-Label Setting.
7. Query-Efficient and Scalable Black-Box Adversarial Attacks on Discrete Sequential Data via Bayesian Optimization.

---

Q2: Lacks some details for the adversary's setup (e.g., steps for recovering the watermark pattern, or hyper-parameters for unlearning the watermark).

R2: Thank you for pointing it out! We are deeply sorry that our submission failed to provide sufficient setting information that we want to clarify here.

• Setups for Recovering the Watermark Pattern. As ZeroMark sends several (e.g., 200) boundary samples attached with random perturbations $\lbrace\bar{x}+\mu_{I}\rbrace_{i=1}^{n}$ for gradient estimation purposes, the adversary would aggregate the queried boundary samples $\lbrace\bar{x}+\mu_{I}\rbrace_{i=1}^{n}$ to recover the trigger pattern following $\frac{1}{n}\sum_{i=1}^{n} (\bar{x}+\mu_{i})$.
• Setups for Machine Unlearning. For a watermarked model $f(\cdot;\theta)$, we fine-tune the watermarked model with collected boundary samples $\lbrace\bar{x}+\mu_{I}\rbrace_{i=1}^{n}$ labeling with its ground truth label $y$. Specifically, we unlearn the watermarked model following: min $E_{\bar{x}} [\frac{1}{n}\sum_{i=1}^{n}\ell(f(\bar{x}+\mu_{i};\theta),y)]$. We collect 500 pairs of boundary samples for unleanring. The learning rate is set as 0.001 and we fine-tune the model 100 epochs.

---

Q3: Does this Q has a specific value in the experiments?

R3: Thank you for pointing it out! We are deeply sorry that our submission failed to provide sufficient setting information, which we want to clarify here. We set Q as 10 in our experiments (Section 5.1-5.2), i.e., we select the largest 10% cosine similarity out of m (500) cosine similarity to perform a t-test. We have also performed an ablation study to understand the performance with varying Q in Section 5.3 (Figure 6). The results show that our method can still have a promising cosine similarity with various Qs.

---

Q4 How the cosine similarity is computed seems confusing.

R4: We are deeply sorry that our submission may lead you to some misunderstandings that we want to clarify. We compute the cosine similarity on the watermark pattern $\delta$ and the estimated gradients located within the watermark pattern's region. We will clarify and detail this process in our revision.

---

Q5 What's the differences among the 5 samples in Fig.4 for ZeroMark.

R5: Thank you for pointing it out! We are deeply sorry that our submission failed to provide sufficient information, which we want to clarify here.

• The five ZeroMark samples in Fig.4 are the boundary samples with different optimization iterations for a given sample during the procedure of optimizing Eq.(10).
• Notably, ZeroMark uses all these figures to query the suspicious model, but only the last one is the closet boundary sample.

We will clarify and explain this with more details in our revision.

Please allow us to thank you again for reviewing our paper and the valuable feedback, and in particular for recognizing the strengths of our paper in terms of novel and interesting research problem, interesting observation, method flexibility, and extensive and solid experiments.

Kindly let us know if our response and the new experiments have properly addressed your concerns. We are more than happy to answer any additional questions during the post-rebuttal discussion period. Your feedback will be greatly appreciated.

Dear Reviewer VV25,

We would like to sincerely thank you for your helpful comments. We hope our response has adequately addressed your concerns. We take this as a great opportunity to improve our work. We would be very grateful if you could kindly give any feedback to our rebuttal :)

Best Regard,

Paper4797 Author(s)