Deep neural networks (DNNs) have become important intellectual assets, and ownership verification for misappropriated DNNs is increasingly important in Machine Learning as a Service (MLaaS) settings. Among existing DNN watermarking methods, backdoor watermarking is a typical approach for deployed ownership verification. However, existing methods still face two limitations. When verification relies on a finite trigger set, forged ownership evidence becomes difficult to rule out once the trigger samples are leaked or closely imitated. In addition, when watermark embedding modifies the service backbone, the predictor used for routine service is directly altered rather than kept unchanged. To address these limitations, we propose a backdoor DNN watermarking framework that combines secret-key-driven trigger group construction with a plug-and-play LoRA component. The proposed method regenerates the trigger groups used for verification from benign image pairs under a valid key whenever ownership needs to be checked, so ownership verification no longer depends on a finite stored trigger set. Meanwhile, watermark embedding is carried by an external LoRA component rather than by modifying the service backbone. In addition, we further optimize the LoRA configuration through a genetic search. Experiments on five benchmark datasets show that under the intended deployment protocol, the proposed method keeps the service predictor unchanged, enables effective ownership verification, and makes it difficult for attackers without the valid key to reproduce the verification behavior of the legitimate watermark under a large number of repeated attack trials.
Hao et al. (Sat,) studied this question.