Abstract
We want to detect whether a particular image dataset has been used to train amodel. We propose a new technique, \emph{radioactive data}, that makesimperceptible changes to this dataset such that any model trained on it willbear an identifiable mark. The mark is robust to strong variations such asdifferent architectures or optimization methods. Given a trained model, ourtechnique detects the use of radioactive data and provides a level ofconfidence (p-value). Our experiments on large-scale benchmarks (Imagenet),using standard architectures (Resnet-18, VGG-16, Densenet-121) and trainingprocedures, show that we can detect usage of radioactive data with highconfidence (p<10^-4) even when only 1% of the data used to trained our model isradioactive. Our method is robust to data augmentation and the stochasticity ofdeep network optimization. As a result, it offers a much higher signal-to-noiseratio than data poisoning and backdoor methods.