A red-green watermark intellectual property protection method and device for a recommendation system and a storage medium
By dividing the item space of the recommendation system into a set of green items and a set of red items, and adaptively adjusting the watermark injection strength, the method solves the problems of existing watermarking methods for recommendation systems, namely performance loss, detectability and removability, and inability to resist model extraction attacks, thus achieving intellectual property protection with strong concealment and reliable verification.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- CHONGQING UNIV
- Filing Date
- 2026-04-21
- Publication Date
- 2026-06-19
Description
Technical Field
[0001] This invention relates to the fields of recommendation system security and intellectual property protection, and in particular to a method, apparatus and storage medium for protecting the ownership of recommendation system models based on a red-green watermarking mechanism.
Background Technology
[0002] Recommender systems have become a core infrastructure connecting users with massive amounts of content in e-commerce, social networks, and streaming platforms, and are one of the main sources of revenue for service providers. With the rapid evolution of recommendation algorithms, more and more companies are choosing to open-source advanced algorithms to promote technology sharing. However, this trend has significantly increased the risk of intellectual property infringement in recommender systems. Unauthorized commercial deployments and license violations have increased dramatically, and recent model extraction attacks have directly exposed this risk: attackers can reconstruct a proxy model with highly similar functionality to the original model based solely on the query-response patterns of the publicly available application programming interface (API), without accessing the model's internal parameters, thereby stealing intellectual property. Therefore, developing robust ownership protection mechanisms for recommender system models has become an urgent need.
[0003] Watermarking technology, as a proactive intellectual property protection mechanism, embeds imperceptible but verifiable signals into the model, enabling the legitimate owner to assert ownership even after the model has been subjected to unauthorized use or extraction attacks. Compared to other protection strategies, watermarking technology does not require modification to the model deployment process, can achieve ownership verification in a black-box scenario, and has minimal impact on the normal user experience of recommendation services.
[0004] Existing watermarking methods for recommender systems are mainly based on the memorization paradigm: by injecting a large number of predefined triggering interaction sequences (e.g., "item A → item B → item C → item D") into the training data, the model is forced to memorize and reproduce the prediction result of a specific target (e.g., forcibly recommending item D after the item interaction sequence A → B → C) as evidence of ownership. This type of method has the following three core drawbacks:
[0005] First, it incurs significant performance overhead. Forcing the model to remember abnormal interaction sequences contradicts the model's inherent ranking capabilities, leading to items that don't align with user interests being artificially promoted to the top of the recommendation list, significantly reducing recommendation quality.
[0006] Second, it can be detected and removed. The statistical characteristics of the memorized watermark pattern deviate significantly from natural user behavior. Attackers can use anomaly detection methods to identify and delete the watermark signal, making ownership impossible to verify.
[0007] Third, it is vulnerable to model extraction attacks. Memoized watermarks are essentially embedded in the model as statistical outliers. During model distillation, they are easily filtered out as noise by the model's learning process, causing the watermark signal to disappear from the extracted model and lose its traceability. Furthermore, short trigger sequences result in low credibility of ownership claims; while longer trigger sequences require a larger amount of training data, and such watermarks are more easily filtered out by the distillation process during model extraction.
[0008] In summary, existing memorization-based watermarking methods have fundamental flaws in the protection of intellectual property rights in recommendation systems. There is an urgent need for a new watermarking framework that is intrinsically aligned with the decision-making process of recommendation models and can achieve covert embedding and robust verification without injecting synthetic data.
Summary of the Invention
[0009] The purpose of this invention is to overcome the shortcomings of existing memory watermarking methods and provide a red-green watermarking intellectual property protection method, device and storage medium for recommendation systems, which achieves watermark embedding and black-box ownership verification without data injection, is intrinsically aligned with the recommendation decision process and is resistant to model extraction attacks.
[0010] To achieve the above objectives, the technical solution adopted by this invention is: a red-green watermarking intellectual property protection method for recommendation systems, comprising the following steps:
[0011] S1. Obtain the implicit embedding representation of the candidate items in the recommendation model at each step, and divide the candidate item space into a set of green items and a set of red items based on the private key;
[0012] S2. Obtain the predicted scores of the candidate items by the recommendation model, extract the subset of competitive items whose ranking is near the recommendation decision boundary, and take the intersection of the subset with the set of green items to generate a watermark injection mask.
[0013] S3. Based on the feedback of local prediction confidence and global hit rate of the recommendation model, the watermark injection intensity is adaptively adjusted, and a positive bias is applied to the recommendation score value of the items within the injection mask to generate a watermarked top-K item (Top-K) recommendation list.
[0014] S4. Reproduce the red-green item division using the private key; calculate the hit rate of green items in the black-box Top-K recommendation output of the model to be verified; determine whether the hit rate significantly deviates from the watermark-free benchmark through statistical testing. If the test result reaches the preset confidence threshold, then ownership is determined to be established.
The beneficial effects of the present invention include:
[0015] (1) No data injection required: The watermark signal is directly embedded in the ranking logic value of the recommendation model during the inference stage. No synthetic user interaction sequence needs to be injected into the training dataset. The model parameters are not changed and the impact on model performance is negligible.
[0016] (2) Strong concealment: The watermark signal is aligned with the semantic distribution of the items. The appearance of green items in the recommendation list conforms to the user's interest pattern. The individual recommendation output is statistically indistinguishable from the watermark-free model. Only through the aggregation statistics of a large number of outputs can the existence of the watermark be detected.
[0017] (3) Verification reliability: Through aggregated statistics of the hit rate of green items over thousands of recommendation outputs, the Z statistic reaches an extremely high level (Z > 4, false positive rate P < 10⁻⁵), which can provide legally valid proof of ownership.
[0018] (4) Robust resistance to model extraction attacks: The watermark signal is encoded in the semantic distribution of the recommendation model. The model distillation process is essentially designed to replicate the semantic output distribution of the target model. Therefore, the watermark signal is retained rather than filtered out during the distillation process. Even in heterogeneous model extraction scenarios, the confidence of ownership verification can still be maintained at 100% within the experimental range.
[0019] (5) Plug and play: This invention integrates with existing recommendation models (including RNN, Transformer and bidirectional attention architectures) in a plug-in manner, without the need to modify the model structure or retrain, making deployment convenient and the increase in inference latency negligible.
Attached Figure Description
[0020] Figure 1 is a flowchart of the red-green watermark intellectual property protection method of the present invention.
[0021] Figure 2 is a schematic diagram of the overall architecture of the watermarking framework of the present invention, including the complete watermark injection process (comprising the semantically consistent hash submodule, the decision alignment mask submodule and the confidence adaptive scaling submodule) and the ownership verification process.
[0022] Figure 3 is a performance analysis diagram of key hyperparameters in an embodiment of the present invention, showing the impact of the candidate item pool size and the basic injection amplitude on recommendation performance metrics and watermark verifiability metrics.
[0023] Figure 4 shows the ablation experiment results of this embodiment of the invention, illustrating the impact of each module on the overall performance.
Detailed Implementation
[0024] The specific implementation of the present invention is described in further detail below, with reference to Figure 1 and to the embodiments of the red-green watermarking intellectual property protection method for recommendation systems shown therein.
[0025] I. Definition of Sequence Recommendation Task
[0026] Let U and V be the user set and the item set, respectively. For each user, the historical interaction sequence is represented as an ordered list of items. A sequence recommendation model models the probability that a given item occurs next, conditioned on the historical interactions. In typical black-box model extraction or watermark verification scenarios, the system only returns the list of the top K recommended items for a given query sequence.
[0027] II. Watermark Injection Process
[0028] As shown in Figure 2, the watermark injection stage consists of three core modules that work together to embed the watermark signal directly into the item score logits of the recommendation model without modifying the model parameters.
[0029] (i) Semantically Consistent Hash Module
[0030] The goal of the semantically consistent hash module is to generate, based on the private key, green item masks that are consistent with the semantic distribution of items, ensuring that green items form semantically coherent clusters rather than being randomly scattered across the item ID space. The module includes the following three sub-steps:
[0031] Sub-step 1: Semantic alignment projection. A projection vector, randomly initialized from the private key, projects the implicit embedding vector of each item onto a one-dimensional semantic coordinate. The calculation formula is:
[0032]
[0033] The dimension appearing in the formula is that of the embedding vector. According to the Johnson-Lindenstrauss lemma, the relative distances between items in the original implicit embedding space are approximately preserved in this low-dimensional projection, ensuring that items in the same semantic cluster remain close along the coordinate axis. The projection vector is uniquely determined by the private key, which is the watermark owner's private credential and is not disclosed during deployment, ensuring the confidentiality of the red-green division.
[0034] Sub-step 2: Sequential hash mapping. At each recommendation step, the red-green division is randomized with a hash of the user's historical interaction sequence, so that no fixed subset of items is persistently favoured, which reduces the risk of detection. Each recommendation step therefore uses its own random seed, calculated as:
[0035]
[0036] In the formula, a multiplicative hash constant is applied to the user's historical interaction sequence up to the current step. For numerical stability, the seed is normalized to the unit interval and computed in double precision.
[0037] Using the sine mapping of random Fourier features, the semantic coordinate is converted into a pseudo-random continuous hash value:
[0038]
[0039] In the formula, the frequency scaling factor controls the semantic granularity; a smaller factor produces larger, contiguous green regions in the implicit embedding space.
[0040] Sub-step 3: Green item mask generation. The continuous hash value is compared against a threshold set by the preset green item density to generate the green item mask:
[0041]
[0042] (ii) Decision Alignment Mask Module
[0043] The goal of the decision alignment mask module is to limit the watermark injection range to a subset of competing items near the decision boundary of the recommendation model, preventing the artificial boosting of last-place items that are not of interest to the user, thereby maintaining high-fidelity recommendation ranking quality while achieving watermark embedding.
[0044] For the predicted logit vector, the score of the item ranked at the candidate pool size is taken as the candidate threshold.
[0045] The boundary mask is constructed as follows: an item's entry is 1 when its predicted score is at least the candidate threshold, and 0 otherwise. The final injection mask is the Hadamard product of the boundary mask and the green item mask:
[0046]
[0047] This construction ensures that the watermark signal is applied only when an item simultaneously meets both the conditions of "semantic consistency" (belonging to the set of green items) and "decision competitiveness" (located near the sorting boundary), fundamentally eliminating the risk of false pushes and the potential performance degradation.
[0048] (iii) Confidence Adaptive Scaling Module
[0049] The confidence-adaptive scaling module achieves an adaptive balance between watermark concealment and verifiability by dynamically adjusting the injection strength. This module includes two sub-mechanisms: local confidence scaling and global feedback control.
[0050] Local confidence scaling: the local softmax probabilities of the predicted scores of the Top-K items are calculated:
[0051]
[0052] The local injection intensity coefficient is calculated from the normalized Shannon entropy of these probabilities:
[0053]
[0054] When the model has high confidence in the recommendation result (low entropy), the watermark perturbation is automatically reduced, protecting high-confidence recommendations from interference; when the model uncertainty is high (high entropy), the watermark signal is enhanced so that it guides the final ranking by breaking the tie.
[0055] Global feedback control: the global intensity coefficient is dynamically adjusted during training so that the aggregate green item hit rate of the verification batch remains stable near the preset target:
[0056]
[0057] In the formula, one parameter is the adjustment step size and another is the moving average of the green item hit rate over the verification batch. When the current hit rate is lower than the target, the coefficient automatically increases to enhance the watermark signal; conversely, it decreases to maintain concealment.
[0058] Combining local confidence and global stability, the final logit value of a watermarked item is calculated as follows:
[0059]
[0060] In the formula, the basic injection amplitude and the injection mask determine the bias applied. The watermarked logit values are used to generate the final watermarked Top-K recommendation list.
[0061] III. Ownership Verification Stage
[0062] When a recommendation model is suspected of being used without authorization, the model owner can assert ownership through the following statistical verification framework. As shown in Figure 2, the verification process only requires statistical analysis of the black-box Top-K recommendation output of the suspected model, without access to the model's internal parameters or structure.
[0063] (I) Reproduction of Green Items
[0064] Using the private key, the red-green partition of the item space is reproduced with exactly the same process described above to obtain the green item mask. Only the model owner, who holds the private key, can perform this reproduction; any third party without the key can neither reproduce the division nor forge an ownership claim.
[0065] (II) Statistics on the hit rate of green items
[0066] Let one count be the total number of items in the Top-K recommendation lists of all users in the test set, and another the total number of times green items appear in those lists:
[0067]
[0068] In the formula, the indicator function is evaluated over each user's Top-K recommendation list. The empirical hit rate is then calculated from these two counts.
[0069] (iii) Aggregate Z-test
[0070] Based on the normal approximation of the binomial distribution, the Z-statistic is calculated to measure the deviation between the observed hit rate and the watermark-free benchmark value:
[0071]
[0072] The Z-statistic is the number of standard deviations by which the observed hit rate departs from the value expected under the null hypothesis H0 (the tested model contains no watermark and the hit rate of green items follows the natural density). The corresponding p-value is calculated from the standard normal cumulative distribution function.
[0073] When Z > 4, the corresponding false alarm rate is P < 10⁻⁵; the tested model is then determined to carry the watermark, and ownership is established.
[0074] The aggregated verification design stems from the protection of recommendation ranking quality: instead of requiring a single recommendation output to include green items, it accumulates evidence through aggregated statistics of a large number of outputs across users, achieving robust ownership verification while maintaining the core utility of the recommendation system.
[0075] IV. Experimental Examples
[0076] To verify the effectiveness of this invention, experiments were conducted on three publicly available recommendation datasets and three sequence recommendation model architectures.
[0077] The datasets used in the experiments included: MovieLens-1M, containing 6,040 users, 3,416 items, and 1,000,209 interaction records, with an average sequence length of 163.5; Amazon Beauty, containing 40,226 users, 54,542 items, and 353,989 interaction records, with an average sequence length of 8.8; and Steam Review, containing 334,542 users, 13,046 items, and 3,546,145 interaction records, with an average sequence length of 10.6. The underlying recommendation models used in the experiments included: NARM, an RNN-based sequence recommendation model; SASRec (SAS), a Transformer-based sequence recommendation model; and BERT4Rec (BERT), a bidirectional self-attention-based sequence recommendation model.
[0078] The experiment selected the existing memorization-based watermarking method AOW as the comparison method, used the standard ranking quality indicators Recall@K (R@K) and NDCG@K (N@K) to evaluate recommendation performance, and used the watermark verification confidence V@K (P@K is the p-value corresponding to Z@K) to assess ownership verification capability.
[0079] 1. Overall performance comparison
[0080] This embodiment introduces a model extraction attack scenario to evaluate watermark robustness. In this scenario, the attacker refers to the watermarked original recommendation model as the Teacher Model. The attacker's goal is to collect input sequences and Top-K recommendation output pairs by extensively querying the Teacher Model's public API interface, and use this as training data to train a functionally highly similar proxy model, the Student Model. The Student Model is the model actually held and deployed by the attacker, who attempts to bypass intellectual property protection and evade watermark detection through this "knowledge distillation" process. This invention uses the Data-Free Model Extraction (DFME) attack method as the attack benchmark. This method does not require access to the original training data and can build a high-quality Student Model solely through API queries. Ownership verification is performed on the Student Model obtained from the watermarked Teacher Model, which is the scenario reflected in the "V@1 (after distillation)" column in Table 1. If the verification confidence of the watermarking method on the Student Model drops significantly, it indicates that the watermark cannot resist model extraction attacks, and intellectual property protection is effectively rendered ineffective.
[0081] Table 1. Comparison of recommendation performance and watermark verification performance (MovieLens-1M dataset, statistics are expressed as percentages, "—" indicates that the watermark-free benchmark is not included in the verification comparison).
[0082]
| Model | Method | Recall@10 | Recall@5 | NDCG@10 | NDCG@5 | V@1 (original) | V@1 (after distillation) |
|---|---|---|---|---|---|---|---|
| BERT | Watermark-free model | 20.30 | 12.90 | 10.70 | 8.30 | — | — |
| BERT | AOW | 19.62 | 11.80 | 10.25 | 7.74 | 100.00 | 26.09 |
| BERT | This invention | 20.25 | 12.78 | 10.70 | 8.29 | 100.00 | 100.00 |
| SAS | Watermark-free model | 27.23 | 19.23 | 15.92 | 13.35 | — | — |
| SAS | AOW | 27.18 | 18.78 | 15.73 | 13.02 | 100.00 | 0.00 |
| SAS | This invention | 27.19 | 18.77 | 15.56 | 12.86 | 100.00 | 100.00 |
| NARM | Watermark-free model | 27.56 | 19.55 | 16.23 | 13.65 | — | — |
| NARM | AOW | 23.15 | 15.06 | 12.41 | 9.79 | 100.00 | 0.00 |
| NARM | This invention | 26.29 | 18.36 | 15.21 | 12.66 | 100.00 | 100.00 |
[0083] Table 2 Comparison of Recommendation Performance and Watermark Verification Performance (Steam Review dataset, statistics are expressed as percentages, "—" indicates that the watermark-free benchmark is not included in the verification comparison)
[0084]
| Model | Method | Recall@10 | Recall@5 | NDCG@10 | NDCG@5 | V@1 (original) | V@1 (after distillation) |
|---|---|---|---|---|---|---|---|
| BERT | Watermark-free model | 19.00 | 15.80 | 14.90 | 13.90 | — | — |
| BERT | AOW | 18.99 | 15.84 | 14.94 | 13.93 | 100.00 | 24.83 |
| BERT | This invention | 19.10 | 15.90 | 15.00 | 13.90 | 100.00 | 100.00 |
| SAS | Watermark-free model | 20.29 | 16.77 | 15.68 | 14.50 | — | — |
| SAS | AOW | 20.10 | 16.72 | 15.63 | 14.51 | 100.00 | 0.00 |
| SAS | This invention | 20.09 | 16.69 | 15.59 | 14.50 | 100.00 | 100.00 |
| NARM | Watermark-free model | 20.31 | 16.75 | 15.62 | 14.74 | — | — |
| NARM | AOW | 19.95 | 16.43 | 15.35 | 14.22 | 100.00 | 0.00 |
| NARM | This invention | 20.11 | 16.57 | 15.48 | 14.35 | 100.00 | 100.00 |
[0085] Table 3 Comparison of recommendation performance and watermark verification performance (Amazon Beauty dataset; statistics are expressed as percentages, "—" indicates that the watermark-free benchmark is not included in the verification comparison).
[0086]
| Model | Method | Recall@10 | Recall@5 | NDCG@10 | NDCG@5 | V@1 (original) | V@1 (after distillation) |
|---|---|---|---|---|---|---|---|
| BERT | Watermark-free model | 2.90 | 1.70 | 1.50 | 1.10 | — | — |
| BERT | AOW | 2.90 | 1.81 | 1.46 | 1.11 | 100.00 | 25.02 |
| BERT | This invention | 3.24 | 1.98 | 1.61 | 1.21 | 100.00 | 100.00 |
| SAS | Watermark-free model | 3.63 | 1.86 | 1.58 | 1.01 | — | — |
| SAS | AOW | 3.94 | 2.08 | 1.77 | 1.17 | 100.00 | 0.00 |
| SAS | This invention | 4.01 | 2.30 | 1.85 | 1.30 | 100.00 | 100.00 |
| NARM | Watermark-free model | 3.49 | 2.15 | 1.81 | 1.38 | — | — |
| NARM | AOW | 3.38 | 2.16 | 1.79 | 1.39 | 100.00 | 23.90 |
| NARM | This invention | 3.48 | 2.20 | 1.83 | 1.42 | 100.00 | 100.00 |
[0087] As can be seen from Tables 1 to 3, the present invention has achieved consistent advantages in all three dimensions.
[0088] Regarding watermark effectiveness, this invention achieves 100% V@1 (original) across all three datasets and all three model architectures (false positive rate P < 10⁻⁴). This demonstrates that the watermark embedding mechanism of the present invention fully satisfies the statistical significance required for a claim of ownership.
[0089] Regarding performance preservation, across all three datasets and three model architectures, the performance gap between this invention and the watermark-free benchmark model is smaller than that of existing memoized watermarking methods. On the MovieLens-1M dataset with NARM architecture, the Recall@10 of this invention is 26.29%, only 1.27% lower than the benchmark (27.56%). On a partial configuration of the Amazon Beauty dataset, the recommendation performance of this invention even surpasses that of the watermark-free benchmark model, indicating that the watermark injection mechanism of this invention does not substantially damage the model's ranking logic. These effects stem from the fact that this invention precisely limits the watermark injection range to a subset of competing items near the ranking decision boundary, fundamentally avoiding interference with normal recommendation ranking.
[0090] Regarding the robustness of model extraction, under all three datasets and all three model architectures, the V@1 of the student model obtained after the model extraction attack remained consistently at 100%, and the ownership verification confidence was largely unaffected by model distillation. This technical effectiveness stems from the invention's encoding of the watermark signal as an intrinsic component of the recommendation model's semantic distribution: the distillation process aims to reproduce the semantic output distribution of the teacher model, and the watermark bias is naturally internalized by the student model, rather than being filtered out as a statistical anomaly.
[0091] Based on the above experimental results, the present invention has achieved the expected technical effects in three aspects: watermark effectiveness, recommendation performance preservation, and robustness against model extraction attacks.
[0092] Table 4 Comparison of Concealment and Model Extraction Robustness
[0093]
| Method | Injection ratio | Detectability | V@1 (Teacher Model) | V@1 (Student Model) | V@20 (Student Model) | Watermark sequence retention rate |
|---|---|---|---|---|---|---|
| AOW (n=5) | 10.0% | 100% | 100% | 26.09% | 100% | 0% |
| AOW (n=20) | 10.0% | 100% | 100% | 0% | 26.13% | 0% |
| This invention | 0% | 0% | 100% | 95.90% | 100% | 100% |
[0094] As shown in Table 4, the injection ratio and detectability rate of this invention are 0%, meaning that no synthetic sequences need to be injected into the training data, and it is completely indistinguishable from anomaly detectors based on item popularity and transfer patterns. AOW, on the other hand, has an injection ratio as high as 10% and a detectability rate of 100%, allowing attackers to completely identify and remove the watermark sequence through simple statistical analysis. In the more challenging scenario of heterogeneous architecture extraction (NARM→BERT), the student model of this invention still achieves 95.90% V@1, 100% V@20, and a 100% watermark sequence retention rate; AOW, however, has a 0% watermark sequence retention rate, and its ownership verification capability is completely rendered ineffective after being subjected to model extraction attacks.
[0095] In summary, this invention significantly outperforms existing memoized watermarking methods in multiple dimensions, including watermark effectiveness, recommendation performance preservation, concealment, and robustness against model extraction attacks. It fundamentally solves the core defects of the memoized paradigm in the protection of intellectual property rights in recommendation systems.
[0096] 2. Model parameter sensitivity experiment
[0097] To further verify the parameter stability of the framework of this invention, this embodiment uses the MovieLens-1M dataset and BERT4Rec as the base model to conduct a systematic analysis of two key hyperparameters: the candidate item pool size of the decision alignment mask module and the basic injection amplitude. The experimental results are shown in Figure 3.
[0098] Candidate item pool size: this determines the range of competing items included in the watermark injection and directly impacts the trade-off between recommendation performance and watermark verifiability. The experimental results show that its value has clear upper and lower bounds. When it is too small, the injection scope is too limited: the recommendation model's performance collapses (R@10 plummets to 9.72%) and no effective watermark signal can be injected. As the value increases from 50 to 200, recommendation performance is gradually restored (R@10 reaching a maximum of 19.35%), but the watermark signal is gradually diluted and the Z-statistic decreases. Considering both recommendation performance and watermark strength, at the optimal configuration the Z-statistic reaches 74.69 while good recommendation performance is maintained. These results demonstrate that the decision alignment mask module achieves an optimal balance between performance preservation and watermark embedding by limiting the injection range to a moderately competitive subset near the Top-K ranking boundary.
[0099] Basic injection amplitude: this controls the perturbation strength of the watermark signal on the item score logits. The experimental results show that, throughout the entire range from 1 to 10, the Z-statistic consistently exceeds the statistical significance threshold for model ownership claims (Z > 4), indicating that this invention is strongly robust to the injection amplitude. Specifically, as the amplitude increases, watermark verifiability continuously improves, but an excessively large amplitude causes unnecessary disturbance to the recommendation ranking and reduces recommendation performance. At the configuration with the best overall performance, R@10 is 20.25% and the Z-statistic is 66.52, giving sufficient verification confidence with negligible loss in recommendation quality. These results demonstrate that a moderate and precise bias perturbation is sufficient for effective watermark embedding; increasing the injection amplitude excessively does not yield a proportional improvement in verification performance but instead sacrifices recommendation quality.
[0100] 3. Ablation test
[0101] To verify the contribution of each core module of this invention to the overall technical effect, this embodiment uses the MovieLens-1M dataset and BERT4Rec as the base model and constructs comparative variants by removing each functional module one by one. The results are shown in Figure 4.
[0102] Semantic Consistent Hashing Module: After replacing this module with a random hash based on item ID, the watermark verification metric Z@20 decreased from 87.39 to 68.93, and the recommendation performance also declined. This result demonstrates that the semantically consistent hashing module makes an irreplaceable technical contribution to maintaining the statistical significance of the watermark signal and the quality of recommendations.
[0103] Local confidence scaling module: Removing this module resulted in the most significant decrease in recommendation performance among all comparative variants, with R@10 dropping to 19.33%. This result indicates that the local confidence scaling module is a key technical feature that ensures the recommendation performance of this invention is not affected by watermark injection; its absence will cause unnecessary perturbation of high-confidence recommendation decisions due to watermark bias.
[0104] Global Feedback Control Module: Removing this module caused both recommendation performance and watermark verification metrics to decline, with Z@20 dropping to 85.00. This result demonstrates that the global feedback control module is a necessary technical feature for ensuring stable operation of this invention under different data distributions. Its absence leads to uncontrolled injection intensity, disrupting the dynamic balance between recommendation performance and watermark verifiability.
[0105] The above ablation results demonstrate that the three core modules of this invention work together, each performing an irreplaceable technical function, and jointly ensure the expected technical effects of this invention in both dimensions: retention of recommendation performance and robustness of watermark verification.
[0106] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention and are not intended to limit it. Although the present invention has been described in detail with reference to preferred embodiments, those skilled in the art should understand that modifications or equivalent substitutions can be made to the technical solutions of the present invention without departing from the spirit and scope of the technical solutions of the present invention, and all such modifications or substitutions should be covered within the scope of the claims of the present invention.
Claims
1. A red-green watermarking intellectual property protection method for recommendation systems, characterized in that it includes the following steps: S1. Obtain the implicit embedding representation of the candidate items in the recommendation model at each step, and divide the candidate item space into a set of green items and a set of red items based on the private key; S2. Obtain the predicted scores of the candidate items from the recommendation model, extract the subset of competitive items whose ranking lies near the recommendation decision boundary, and take the intersection of this subset with the set of green items to generate a watermark injection mask; S3. Based on feedback from the local prediction confidence and the global hit rate of the recommendation model, adaptively adjust the watermark injection intensity, and apply a positive bias to the recommendation score value of the items within the injection mask to generate a watermarked Top-K recommendation list; S4. Reproduce the red-green item division using the private key, count the frequency (hit rate) of green items in the black-box Top-K recommendation output of the model to be verified, and determine by statistical testing whether the hit rate deviates significantly from the watermark-free benchmark; if the test result reaches the preset confidence threshold, ownership is determined to be established.
2. The method according to claim 1, characterized in that step S1, which divides the candidate item space into a set of green items and a set of red items, includes the following sub-steps: A1. Semantic alignment projection: using a projection vector randomly initialized from the private key, the implicit item embedding vector is projected onto a one-dimensional semantic coordinate according to the calculation formula, in which one quantity is the dimension of the implicit embedding vector; A2. Continuous hash mapping: a random seed is generated for each step of the recommendation output from the user's historical interaction sequence and the private key, and the hash value is calculated using a random Fourier feature sine map, in which the seed is generated from the user historical interaction sequence and the private key and normalized through modular arithmetic, and a frequency scaling factor is applied; A3. Green item mask generation: the continuous hash value is compared against a threshold given by a preset green item probability; when the condition holds, the corresponding item is marked as green, generating the green item mask.
3. The method according to claim 1, characterized in that step S2 determines that the bias is applied only within the subset of candidate items whose predicted score ranks within the top positions of the recommendation model's predicted score vector: the score of the item at that rank position is taken as the candidate threshold, and when an item's predicted score meets the threshold the item is included in the boundary mask; finally, the injection mask is the Hadamard product of the green item mask and the boundary mask.
4. The method according to claim 1, characterized in that the magnitude of the bias in step S3 is determined jointly by a local confidence coefficient and a global feedback coefficient: B1. Local confidence scaling: a local SoftMax probability is computed from the Top-K item predicted scores, and the local injection intensity coefficient is calculated from its normalized Shannon entropy; when the model's prediction confidence is high the entropy is low, and the correspondingly reduced coefficient automatically attenuates the watermark disturbance; B2. Global feedback control: the global intensity coefficient is dynamically adjusted so that the aggregated hit rate of green items in the verification batch is stably maintained near the preset green item probability target, the adjustment using a step size and the moving average of the green item aggregated hit rate in the verification batch; B3. Final injection: the recommendation score of watermarked items is calculated using the following formula, in which the injection amplitude and the injection mask appear:
5. The method according to claim 1, characterized in that in step S4 the statistical test is a Z-test based on the normal approximation of the binomial distribution: the total number of green items appearing in the Top-K recommendation lists of all test users of the suspect model is counted, the detection hit rate is calculated by dividing it by the total number of detected items, and the Z-statistic is calculated using the following formula: when Z > 4, the corresponding false alarm rate is P < 10⁻⁵, and the tested model is determined to carry a watermark, thereby establishing ownership.
6. The method according to claim 1, characterized in that the watermark injection step is performed during the inference phase: after the recommendation model completes forward propagation to obtain the item recommendation ratings, the watermark bias is applied directly to the ratings to generate the watermarked Top-K recommendation list.
7. The method according to claim 1, characterized in that the bias is applied to the item recommendation scores of the recommendation model through semantic distribution alignment: the division into red and green items is based on a Euclidean distance constraint in the item embedding space, so that items with similar embedding representations have consistent or related red-green labels, and the watermark injection mask therefore forms a continuous semantic region in the embedding space.
8. A red-green watermark intellectual property protection device for recommendation systems, comprising a memory, a processor, and a computer program stored in the memory, characterized in that, when executed by the processor, the computer program implements: a watermark injection process configured as follows: the candidate item space of the recommendation model is divided into a green item set and a red item set based on the private key; during the inference stage, a positive bias is applied to the score logit value of the competitive item subset located near the recommendation decision boundary within the green item set; and the bias strength is adaptively adjusted based on the local prediction confidence and global hit rate feedback of the recommendation model to generate a watermarked Top-K recommendation list; the watermark injection process includes: a semantically consistent hashing submodule configured to use a projection vector controlled by the private key and a random Fourier feature map to divide the candidate item space into a set of semantically coherent green items and a set of red items, and to generate a green item mask; a decision alignment mask submodule configured to use the Hadamard product of the green item mask and the competitive item mask near the recommendation decision boundary as the watermark injection mask, limiting the watermark injection range to a subset of semantically consistent and ranking-competitive items; and a confidence adaptive scaling submodule configured to dynamically adjust the watermark injection intensity based on the normalized Shannon entropy of the recommendation model's Top-K output and the feedback of the verification batch hit rate, and to apply a positive bias to the recommendation score value of the items within the injection mask; and an ownership verification process configured as follows: using the private key to reproduce the red-green item division, computing green item hit rate statistics on the black-box Top-K recommendation output of the model to be verified, determining the existence of the watermark through statistical testing, and outputting the verification conclusion and confidence level.
9. The apparatus according to claim 8, characterized in that the statistical test in the ownership verification process is a Z-test based on the normal approximation of the binomial distribution; when the Z-statistic exceeds a preset threshold, the tested model is determined to carry a watermark, the Z-statistic being calculated by dividing the difference between the empirical hit rate of green items in the Top-K recommendation output of the model to be verified and the baseline hit rate without watermark by the standard deviation of the binomial distribution.
10. A computer-readable storage medium on which a computer program is stored, characterized in that, when the computer program is executed by one or more processors, it implements the red-green watermarking intellectual property protection method for recommendation systems according to any one of claims 1 to 7.
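The injection and verification steps of claims 1 to 5, together with the Z > 4 ownership threshold used in paragraph [0099], as an added self-contained Python example; it is not the patent's own code, and the item embeddings, user scores and every parameter (gamma, omega, a top-2K boundary width, the 0.8 hit-rate target, step size eta) are constructed assumptions.

```python
import numpy as np

def green_mask(emb, key, step_seed, gamma=0.5, omega=4.0):
    """Claim 2 (assumed form): key-seeded 1-D semantic projection, then a
    random-Fourier sine hash; items with normalised hash < gamma are green."""
    d = emb.shape[1]
    w = np.random.default_rng(key).standard_normal(d) / np.sqrt(d)
    s = emb @ w                                    # semantic coordinate
    phase = np.random.default_rng(key + step_seed).uniform(0, 2 * np.pi)
    h = 0.5 * (1.0 + np.sin(omega * s + phase))    # hash normalised to [0, 1]
    return h < gamma                               # neighbours share a colour

def inject(scores, green, k, g_coef, base_amp=2.0):
    """Claims 3-4: bias only green items in the top-2K competitive region (assumed
    width), scaled by normalised top-K entropy and the global coefficient."""
    order = np.argsort(-scores)
    boundary = scores >= scores[order[2 * k - 1]]  # ranking-competitive items
    topk = scores[order[:k]]
    p = np.exp(topk - topk.max())
    p /= p.sum()                                   # local SoftMax over Top-K
    h_norm = -(p * np.log(p + 1e-12)).sum() / np.log(k)  # low when confident
    marked = scores + base_amp * h_norm * g_coef * (green & boundary)
    return np.argsort(-marked)[:k]                 # watermarked Top-K ids

def z_test(topk_lists, green, baseline):
    """Claim 5: Z = (hit_rate - baseline) / sqrt(baseline * (1 - baseline) / N)."""
    hits = sum(int(green[t].sum()) for t in topk_lists)
    n = sum(len(t) for t in topk_lists)
    return (hits / n - baseline) / np.sqrt(baseline * (1 - baseline) / n)

def simulate(n_users=300, n_items=500, d=16, k=10, key=7, watermark=True,
             target=0.8, eta=0.5):
    """Serve Top-K lists to constructed users, then verify them as a black box."""
    rng = np.random.default_rng(1)
    emb = rng.standard_normal((n_items, d))       # constructed item embeddings
    green = green_mask(emb, key, step_seed=0)      # single step seed, for brevity
    g, ema, lists = 1.0, target, []
    for _ in range(n_users):
        scores = rng.standard_normal(n_items)      # scores independent of colour
        if watermark:
            top = inject(scores, green, k, g)
            ema = 0.9 * ema + 0.1 * green[top].mean()              # batch hit rate
            g = float(np.clip(g + eta * (target - ema), 0.0, 5.0))  # claim 4, B2
        else:
            top = np.argsort(-scores)[:k]
        lists.append(top)
    # The verifier rebuilds the partition from the key; the watermark-free
    # benchmark is the catalogue's green share, since scores ignore colour here.
    return z_test(lists, green, baseline=green.mean())

print(f"watermarked Z = {simulate():.1f}, clean Z = {simulate(watermark=False):.1f}")
```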