DeepTracer: Tracing Stolen Model via Deep Coupled Watermarks

Authors

  • Yunfei Yang Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China State Key Laboratory of Cyberspace Security Defense, Beijing, China School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China
  • Xiaojun Chen Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China State Key Laboratory of Cyberspace Security Defense, Beijing, China School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China
  • Yuexin Xuan PetroChina (Beijing) Digital Intelligent Research Institute Co., Ltd., Beijing, China
  • Zhendong Zhao Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China State Key Laboratory of Cyberspace Security Defense, Beijing, China
  • Xin Zhao Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China State Key Laboratory of Cyberspace Security Defense, Beijing, China School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China
  • He Li Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China State Key Laboratory of Cyberspace Security Defense, Beijing, China School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China

DOI:

https://doi.org/10.1609/aaai.v40i33.39992

Abstract

Model watermarking techniques can embed watermark information into the protected model for ownership declaration by constructing specific input-output pairs. However, existing watermarks are easily removed when facing model stealing attacks, and make it difficult for model owners to effectively verify the copyright of stolen models. In this paper, we analyze the root cause of the failure of current watermarking methods under model stealing scenarios and then explore potential solutions. Specifically, we introduce a robust watermarking framework, DeepTracer, which leverages a novel watermark samples construction method and a same-class coupling loss constraint. DeepTracer can incur a high-coupling model between watermark task and primary task that makes adversaries inevitably learn the hidden watermark task when stealing the primary task functionality. Furthermore, we propose an effective watermark samples filtering mechanism that elaborately select watermark key samples used in model ownership verification to enhance the reliability of watermarks. Extensive experiments across multiple datasets and models demonstrate that our method surpasses existing approaches in defending against various model stealing attacks, as well as watermark attacks, and achieves new state-of-the-art effectiveness and robustness.
AAAI-26 / IAAI-26 / EAAI-26 Proceedings Cover

Downloads

Published

2026-03-14

How to Cite

Yang, Y., Chen, X., Xuan, Y., Zhao, Z., Zhao, X., & Li, H. (2026). DeepTracer: Tracing Stolen Model via Deep Coupled Watermarks. Proceedings of the AAAI Conference on Artificial Intelligence, 40(33), 27711–27718. https://doi.org/10.1609/aaai.v40i33.39992

Issue

Vol. 40 No. 33: AAAI-26 Technical Tracks 33

Section

AAAI Technical Track on Machine Learning X