SWAP: Towards Copyright Auditing of Soft Prompts via Sequential Watermarking.

Bibliographic Details
Title: SWAP: Towards Copyright Auditing of Soft Prompts via Sequential Watermarking.
Authors: Yang, Wenyuan [1] (AUTHOR) yangwy56@mail.sysu.edu.cn; Sun, Yichen [2] (AUTHOR) yichensun@zju.edu.cn; Chen, Changzheng [1] (AUTHOR) chenchzh23@mail2.sysu.edu.cn; Chu, Zhixuan [2] (AUTHOR) chuzhixuan@zju.edu.cn; Zhang, Jiaheng [3] (AUTHOR) jhzhang@nus.edu.sg; Li, Yiming [4] (AUTHOR) liyiming.tech@gmail.com; Tao, Dacheng [4] (AUTHOR) dacheng.tao@gmail.com
Source: International Journal of Computer Vision. Jul2026, Vol. 134 Issue 7, p1-24. 24p.
Subjects: Digital watermarking, Prompt engineering, Intellectual property, Copyright infringement
Abstract: Large-scale vision-language models, especially CLIP, have demonstrated remarkable performance across diverse downstream tasks. Soft prompts, as carefully crafted modules that efficiently adapt vision–language models to specific tasks, necessitate effective copyright protection. In this paper, we investigate model copyright protection by auditing whether suspicious third-party models incorporate protected soft prompts. While this can be viewed as a special case of model ownership auditing, our analysis shows that existing techniques are ineffective due to prompt learning's unique characteristics. Non-intrusive auditing is inherently prone to false positives when independent models share similar data distributions with victim models. Intrusive approaches also fail: backdoor methods designed for CLIP cannot embed functional triggers, while extending traditional DNN backdoor techniques to prompt learning suffers from harmfulness and ambiguity challenges. We find that these failures in intrusive auditing stem from the same fundamental reason: watermarking operates within the same decision space as the primary task yet pursues opposing objectives. Motivated by these findings, we propose sequential watermarking for soft prompts (SWAP), which implants watermarks into a different and more complex space. SWAP encodes watermarks through a specific order of defender-specified out-of-distribution classes, inspired by the zero-shot prediction capability of CLIP. This watermark, which is embedded in a more complex space, keeps the original prediction label unchanged, making it less opposed to the primary task. We further design a hypothesis-test-guided verification protocol for SWAP and provide a theoretical analysis of when verification works. Extensive experiments on 11 datasets demonstrate SWAP's effectiveness, harmlessness, and robustness against potential attacks. [ABSTRACT FROM AUTHOR]
Copyright of International Journal of Computer Vision is the property of Springer Nature and its content may not be copied or emailed to multiple sites without the copyright holder's express written permission. Additionally, content may not be used with any artificial intelligence tools or machine learning technologies. However, users may print, download, or email articles for individual use. This abstract may be abridged. No warranty is given about the accuracy of the copy. Users should refer to the original published version of the material for the full abstract. (Copyright applies to all Abstracts.)
Database: Engineering Source
PLink https://search.ebscohost.com/login.aspx?direct=true&site=eds-live&db=egs&AN=194576701
RecordInfo BibRecord:
  BibEntity:
    Identifiers:
      – Type: doi
        Value: 10.1007/s11263-026-02896-y
    Languages:
      – Code: eng
        Text: English
    PhysicalDescription:
      Pagination:
        PageCount: 24
        StartPage: 1
  BibRelationships:
    IsPartOfRelationships:
      – BibEntity:
          Dates:
            – D: 01
              M: 07
              Text: Jul2026
              Type: published
              Y: 2026
          Identifiers:
            – Type: issn-print
              Value: 09205691
          Numbering:
            – Type: volume
              Value: 134
            – Type: issue
              Value: 7
          Titles:
            – TitleFull: International Journal of Computer Vision
              Type: main