The widespread open-sourcing of advanced recommendation algorithms and the rising threat of model extraction attacks have made safeguarding the intellectual property of recommender systems an imperative task. While watermarking serves as a potent defense, existing methods primarily rely on forcing models to memorize pre-defined interaction patterns. Such memorization-based approaches often require excessive synthetic data injection and are vulnerable to removal attacks due to their detectable statistical deviations from natural user behavior. To address these limitations, we propose GREW, a novel Green-REd Watermarking framework for recommender systems. GREW leverages a secret key to partition the item space into "green" items for soft promotion and "red" items as anchors, thereby shifting the paradigm from fragile memorization to a stealthy, key-controlled output bias. By integrating watermark signals directly into the intrinsic ranking process, GREW employs three recommendation-tailored modules: (1) Semantic-Consistent Hashing, which utilizes the secret key to cluster green items for performance-aware stealthiness; (2) Decision-Aligned Masking, which confines signal injection to the competitive item subset to preserve ranking logic; and (3) Confidence-Aware Scaling, which dynamically modulates injection intensity based on model uncertainty. Ownership verification is performed via statistical hypothesis testing on aggregated black-box outputs, enabled by the keyed re-partitioning of the item space. Experiments on multiple base models demonstrate that GREW achieves strong ownership verification and robustness against extraction attacks compared to existing baselines while requiring no data injection. Our code is available at https://github.com/Loche2/GREW.
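The mechanism the abstract describes, as an added toy illustration that is not the GREW authors' code and makes no claim about their implementation: a secret key partitions item ids into green and red sets with a keyed hash (a plain HMAC split stands in for the paper's semantic-consistent clustering), a key-controlled bias is added only to green items inside the top-k candidate subset (an assumed form of decision-aligned masking) and is scaled by the normalised entropy of the candidate scores (an assumed form of confidence-aware scaling), and ownership is checked with a one-sided z-test on the count of green items across aggregated black-box top-k outputs. Item scores, user count, key bytes and parameter values are all constructed for the demo.

```python
import hashlib
import hmac
import math
import random

# Constructed toy setting; illustrative only, not the authors' implementation.


def partition_items(secret_key: bytes, num_items: int, green_fraction: float = 0.5):
    """Split item ids into (green, red) sets with HMAC-SHA256 keyed by secret_key.

    Without the key, the split is indistinguishable from a random one, which is
    what makes the verification test below key-controlled.
    """
    green, red = set(), set()
    threshold = int(green_fraction * 2**32)
    for item in range(num_items):
        digest = hmac.new(secret_key, str(item).encode(), hashlib.sha256).digest()
        bucket = int.from_bytes(digest[:4], "big")
        (green if bucket < threshold else red).add(item)
    return green, red


def softmax(scores):
    m = max(scores.values())
    exps = {i: math.exp(s - m) for i, s in scores.items()}
    z = sum(exps.values())
    return {i: e / z for i, e in exps.items()}


def watermark_scores(scores, green, candidate_k=20, delta=1.0):
    """Apply a key-controlled output bias to a user's item scores.

    Assumed masking: only the top-`candidate_k` items by original score may be
    biased, so the low-ranked tail (and the model's broad ranking) is untouched.
    Assumed scaling: the bias is multiplied by the candidate set's softmax entropy
    normalised to [0, 1], so a confident (peaked) model is nudged less than an
    uncertain one.
    """
    ranked = sorted(scores, key=scores.get, reverse=True)
    candidates = ranked[:candidate_k]
    probs = softmax({i: scores[i] for i in candidates})
    entropy = -sum(p * math.log(p) for p in probs.values() if p > 0)
    max_entropy = math.log(len(candidates))
    scale = entropy / max_entropy if max_entropy > 0 else 0.0
    out = dict(scores)
    for i in candidates:
        if i in green:
            out[i] += delta * scale
    return out


def top_k(scores, k):
    return sorted(scores, key=scores.get, reverse=True)[:k]


def green_ztest(recommendations, green, green_fraction):
    """One-sided z-test on the number of green items in aggregated top-k lists.

    H0: the model was not watermarked with this key, so each recommended slot is
    green with probability green_fraction. Returns (observed_green, z_score).
    """
    n = sum(len(r) for r in recommendations)
    g = sum(1 for r in recommendations for i in r if i in green)
    mu = n * green_fraction
    sigma = math.sqrt(n * green_fraction * (1 - green_fraction))
    return g, (g - mu) / sigma


def demo(seed=0, num_items=1000, num_users=200, k=10):
    """Compare z-scores for a clean model, the watermarked model, and a wrong key."""
    rng = random.Random(seed)
    owner_key = b"owner-secret-key"  # placeholder key, constructed for the demo
    green, _red = partition_items(owner_key, num_items)
    wrong_green, _ = partition_items(b"some-other-key", num_items)
    clean, marked = [], []
    for _ in range(num_users):
        base = {i: rng.gauss(0, 1) for i in range(num_items)}  # constructed scores
        clean.append(top_k(base, k))
        marked.append(top_k(watermark_scores(base, green), k))
    return {
        "clean_z": green_ztest(clean, green, len(green) / num_items)[1],
        "marked_z": green_ztest(marked, green, len(green) / num_items)[1],
        "marked_wrong_key_z": green_ztest(marked, wrong_green, len(wrong_green) / num_items)[1],
    }


if __name__ == "__main__":
    print(demo())
```

Only the aggregated z-score with the owner's key should stand out: the clean model and the watermarked model re-partitioned under a different key both sit near zero, which is the property that lets an owner verify a suspected extracted copy from black-box outputs without ever injecting interaction data.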