Deep neural networks (DNNs) have demonstrated their superiority in practice. Arguably, the rapid development of DNNs has largely benefited from high-quality (open-sourced) datasets, based on which researchers and developers can easily evaluate and improve their learning methods. Since data collection is usually time-consuming or even expensive, protecting the copyright of these datasets is of great significance and worth further exploration. In this paper, we revisit dataset ownership verification. We find that existing verification methods introduce new security risks in DNNs trained on the protected dataset, due to the targeted nature of poison-only backdoor watermarks. To alleviate this problem, we explore the untargeted backdoor watermarking scheme, where the abnormal model behaviors are not deterministic. Specifically, we introduce two dispersibilities and prove their correlation, based on which we design the untargeted backdoor watermark under both poisoned-label and clean-label settings. We also discuss how to use the proposed untargeted backdoor watermark for dataset ownership verification. Experiments on benchmark datasets verify the effectiveness of our methods and their resistance to existing backdoor defenses. Our code is available at https://github.com/THUYimingLi/Untargeted_Backdoor_Watermark.