Skip to main content
Nubint
QUICK REVIEW

[论文解读] X-Mark: Saliency-Guided Robust Dataset Ownership Verification for Medical Imaging

Pranav Kulkarni, Junfeng Guo|arXiv (Cornell University)|Feb 10, 2026
Adversarial Robustness in Machine Learning被引用 0
一句话总结

X-Mark 采用带有显著性引导和拉普拉斯正则化的条件 U-Net 的样本特定干净标签后门水印方法,在黑盒设置中实现鲁棒、不可察觉的所有权验证。

ABSTRACT

High-quality medical imaging datasets are essential for training deep learning models, but their unauthorized use raises serious copyright and ethical concerns. Medical imaging presents a unique challenge for existing dataset ownership verification methods designed for natural images, as static watermark patterns generated in fixed-scale images scale poorly dynamic and high-resolution scans with limited visual diversity and subtle anatomical structures, while preserving diagnostic quality. In this paper, we propose X-Mark, a sample-specific clean-label watermarking method for chest x-ray copyright protection. Specifically, X-Mark uses a conditional U-Net to generate unique perturbations within salient regions of each sample. We design a multi-component training objective to ensure watermark efficacy, robustness against dynamic scaling processes while preserving diagnostic quality and visual-distinguishability. We incorporate Laplacian regularization into our training objective to penalize high-frequency perturbations and achieve watermark scale-invariance. Ownership verification is performed in a black-box setting to detect characteristic behaviors in suspicious models. Extensive experiments on CheXpert verify the effectiveness of X-Mark, achieving WSR of 100% and reducing probability of false positives in Ind-M scenario by 12%, while demonstrating resistance to potential adaptive attacks.

研究动机与目标

  • 通过嵌入在下采样后仍能保留且不易检测的水印来保护医学影像数据集。
  • 开发适用于高分辨率胸部 X 线的样本特定清标签水印方法。
  • 当遇到可疑模型时,通过假设检验实现对数据集的黑盒所有权验证。
  • 确保水印对缩放具有鲁棒性,保持诊断质量,并抵御自适应攻击。

提出的方法

  • 使用条件残差 U-Net 作为水印生成器,产生样本特异性扰动。
  • 将扰动条件化在 EigenCAM 显著性图上,将编辑约束在显著区域。
  • 以多分量目标函数训练,包括目标损失、非目标损失、感知相似性(LPIPS)和拉普拉斯金字塔正则化,以促进尺度不变性。
  • 强制执行 L∞ 扰动预算,使编辑保持在不可觉察的水平。
  • 将有水印的样本嵌入目标类别的子集,形成可发布的水印数据集。
  • 在黑盒设置下通过对水印样本与良性样本的模型预测进行概率可用的假设检验来验证所有权。
Figure 1: The main pipeline of X-Mark. First, a conditional U-Net is trained to generate sample-specific watermarks within salient regions of the medical image. Second, the watermarked dataset is created by embedding watermarks within a subset of target class samples and combining them with the rema
Figure 1: The main pipeline of X-Mark. First, a conditional U-Net is trained to generate sample-specific watermarks within salient regions of the medical image. Second, the watermarked dataset is created by embedding watermarks within a subset of target class samples and combining them with the rema

实验结果

研究问题

  • RQ1样本特定清标签水印嵌入在胸部 X 线的显著区域后,在下采样后以及在不同模型架构下仍能保持有效吗?
  • RQ2拉普拉斯正则化是否在保持诊断质量的同时提升对下采样的水印鲁棒性?
  • RQ3在黑盒、可用概率的验证下,能否有效区分基于水印数据训练的模型与未训练的模型?
  • RQ4在自适应攻击(如模型微调和裁剪)下,X-Mark 的表现如何?
  • RQ5X-Mark 在不同分辨率与架构之间的迁移性如何?

主要发现

  • 在干净标签后门设置下,X-Mark 在 CheXpert 数据集上实现高水印有效性(水印覆盖率 WSR=100%)和强不可感知性(LPIPS 低),水印数据集效果显著。
  • 水印在不同分辨率下仍然有效,并且对模型架构无关,能在 ResNet18/34 与 VGG16/19 上维持后门行为。
  • 拉普拉斯正则化减少高频扰动并在不牺牲水印有效性的前提下提升良性准确率约4%。
  • 显著性条件化将扰动限定在胸部显著区域,提升不可察觉性并增强对下采样的鲁棒性。
  • 在恶意场景中,基于概率的验证能通过较大后验概率差(Delta P > 0.8,p < 0.001)来检测恶意使用;Ind-W 无假阳性风险,而 Ind-M 存在一定的假阳性风险(Delta P ~0.26, p ~0.41)。
  • 该方法对自适应攻击(如模型微调)抗性强(影响小),对裁剪攻击耐受性较好(BA 在高裁剪时下降,WSR 仍然较高)。
Figure 2: Example watermarked samples from SSCL-BW and X-Mark. Red box indicates region of strong perturbations, resulting in anatomically improbable structures that are easy to detect upon manual inspection. Saliency conditioning limits perturbations within salient regions (chest) while Laplacian r
Figure 2: Example watermarked samples from SSCL-BW and X-Mark. Red box indicates region of strong perturbations, resulting in anatomically improbable structures that are easy to detect upon manual inspection. Saliency conditioning limits perturbations within salient regions (chest) while Laplacian r

更好的研究,从现在开始

从论文设计到论文写作,大幅缩短您的研究时间。

无需绑定信用卡

本解读由 AI 生成,并经人工编辑审核。