Large web-scale datasets have driven the rapid advancement of pre-trained language models (PLMs), but unauthorized data usage has raised serious copyright concerns. Existing dataset ownership verification (DOV) methods typically assume that watermarks remain stable during inference; however, this assumption often fails under natural noise and adversary-crafted perturbations. We propose the first certified dataset ownership verification method for PLMs under a gray-box setting (i.e., the defender can only query the suspicious model but is aware of its input representation module), based on dual-space smoothing (i.e., DSSmoothing). To address the challenges of text discreteness and semantic sensitivity, DSSmoothing introduces continuous perturbations in the embedding space to capture semantic robustness and applies controlled token reordering in the permutation space to capture sequential robustness. DSSmoothing consists of two stages: in the first stage, triggers are collaboratively embedded in both spaces to generate norm-constrained and robust watermarked datasets; in the second stage, randomized smoothing is applied in both spaces during verification to compute the watermark robustness (WR) of suspicious models and statistically compare it with the principal probability (PP) values of a set of benign models. Theoretically, DSSmoothing provides provable robustness guarantees for dataset ownership verification by ensuring that WR consistently exceeds PP under bounded dual-space perturbations. Extensive experiments on multiple representative web datasets demonstrate that DSSmoothing achieves stable and reliable verification performance and exhibits robustness against potential adaptive attacks. Our code is available at https://github.com/NcepuQiaoTing/DSSmoothing.

翻译：大规模网络数据集推动了预训练语言模型（PLMs）的快速发展，但未经授权的数据使用引发了严重的版权问题。现有的数据集所有权验证（DOV）方法通常假设水印在推理过程中保持稳定；然而，这一假设在自然噪声和对抗性扰动下往往失效。我们提出了首个在灰盒设置下（即防御者仅能查询可疑模型但知晓其输入表示模块）适用于PLMs的认证数据集所有权验证方法，该方法基于双空间平滑（即DSSmoothing）。为应对文本离散性和语义敏感性的挑战，DSSmoothing在嵌入空间引入连续扰动以捕获语义鲁棒性，并在置换空间应用受控的词元重排序以捕获序列鲁棒性。DSSmoothing包含两个阶段：第一阶段，在双空间协同嵌入触发器以生成范数约束且鲁棒的水印数据集；第二阶段，在验证过程中对双空间应用随机平滑，以计算可疑模型的水印鲁棒性（WR），并将其与一组良性模型的主概率（PP）值进行统计比较。理论上，DSSmoothing通过确保在有界双空间扰动下WR始终超过PP，为数据集所有权验证提供了可证明的鲁棒性保证。在多个代表性网络数据集上的大量实验表明，DSSmoothing实现了稳定可靠的验证性能，并对潜在的自适应攻击表现出鲁棒性。我们的代码发布于 https://github.com/NcepuQiaoTing/DSSmoothing。