Large web-scale datasets have driven the rapid advancement of pre-trained language models (PLMs), but unauthorized data usage has raised serious copyright concerns. Existing dataset ownership verification (DOV) methods typically assume that watermarks remain stable during inference; however, this assumption often fails under natural noise and adversary-crafted perturbations. We propose the first certified dataset ownership verification method for PLMs based on dual-space smoothing (i.e., DSSmoothing). To address the challenges of text discreteness and semantic sensitivity, DSSmoothing introduces continuous perturbations in the embedding space to capture semantic robustness and applies controlled token reordering in the permutation space to capture sequential robustness. DSSmoothing consists of two stages: in the first stage, triggers are collaboratively embedded in both spaces to generate norm-constrained and robust watermarked datasets; in the second stage, randomized smoothing is applied in both spaces during verification to compute the watermark robustness (WR) of suspicious models and statistically compare it with the principal probability (PP) values of a set of benign models. Theoretically, DSSmoothing provides provable robustness guarantees for dataset ownership verification by ensuring that WR consistently exceeds PP under bounded dual-space perturbations. Extensive experiments on multiple representative web datasets demonstrate that DSSmoothing achieves stable and reliable verification performance and exhibits robustness against potential adaptive attacks.