- The paper demonstrates a dual-purpose watermarking framework that embeds verifiable ownership signals via style-aware transformations and repressible poisoning.
- It employs subtle code modifications, preserving functionality while enabling statistical black-box detection with p-values below 10⁻⁵.
- The method resists removal attacks and maintains near-original model performance, ensuring practical enforceability of dataset usage policies.
Dual-Purpose, Style-Aware Watermarking for Code Datasets: A Technical Assessment of DuCodeMark
Introduction
The paper "DuCodeMark: Dual-Purpose Code Dataset Watermarking via Style-Aware Watermark-Poison Design" (2604.10611) introduces a framework for robust, stealthy watermarking of code datasets. It specifically addresses the limitations of prior code dataset protection schemes, namely their fragility under code transformation (especially for decompilation tasks), vulnerability to removal attacks, and reliance on conspicuous trigger-target backdoor patterns. DuCodeMark leverages style-aware transformations and a repressible poisoning mechanism to provide verifiable ownership traces in both source-level and decompilation tasks, advancing practical enforcement of dataset usage constraints for CodeLM providers.
Figure 1: High-level pipeline of DuCodeMark, including candidate selection, watermark/poison embedding, and black-box verification.
Methodological Contributions
DuCodeMark's methodology centers on three interconnected components: style-aware watermarking, repressible poisoning, and black-box statistical verification.
First, it parses input code using the Tree-sitter AST framework to identify suitable samples for style-based watermark embedding and for poisoning injection. Style-based watermarking operates via subtle code transformations, such as switching between typical naming conventions (e.g., introducing camelCase in C or snake_case in Java) and appending type-based suffixes to identifiers. Triggers include rare string literal patterns (such as double line breaks), which are robustly preserved through compilation-decompilation processes. This design avoids one-to-one trigger-target associations associated with detectable distributional anomalies.
Second, repressible poisoning is injected into return-typed functions (e.g., float/double return types) to serve as a punitive mechanism if watermark removal is attempted. Poisons are inert during normal usage (when watermarks are present) but become active, degrading model performance, when watermark samples are removed due to the loss of suppression.
Finally, black-box verification is enabled via an independent-samples t-test over model outputs, contrasting responses to triggered and non-triggered samples. A statistically significant difference (p<0.05) indicates prior training on the watermarked dataset, without requiring model internals or architecture access.
Empirical Evaluation
The robustness and harmlessness of DuCodeMark are substantiated with comprehensive experiments across 72 settings—crossing tasks (code completion and decompilation), languages (C and Java), CodeLM platforms (SantaCoder, StarCoderBase, DeepSeek-Coder), and decoding temperatures.
- Verifiability: DuCodeMark consistently yields extremely low p-values (<10−5 in most cases) for watermarked models, while non-watermarked models never trigger detection. This result is robust to temperature variations and compilation/decompilation optimization levels.
Figure 2: Task-wise and temperature-wise heatmaps of t-test p-values; watermark presence is detected stably.
- Harmlessness: Pass@1 functional correctness drops negligibly (≈0.6%), indicating that code transformations preserve task effectiveness, with no statistically significant drop relative to clean training data.
Figure 3: Pass@1 performance for watermarked and clean models across models/tasks, demonstrating negligible degradation from watermarking.
- Stealthiness: Human inspectors (both naïve and watermark-aware) exhibit low average suspicion rates for DuCodeMark-modified samples—0.08/0.26 (Group 1/Group 2), substantially lower than aggressive watermarking/poisoning baselines, with minimal impact on structural/readability metrics. The occurrence of embedded features mirrors natural, plausible patterns, evading detection by automated techniques or LLM-based rewriting in practical settings.
- Robustness: DuCodeMark resists state-of-the-art watermark and poisoning removal attacks, with recall for successful detection rarely exceeding 0.5 and post-attack watermark signals still verifiable. Only extreme code obfuscation (which also destroys identifier semantics and thus dataset utility) can systematically disrupt the style associations critical to DuCodeMark's triggers. Dilution attacks fail unless the watermarking rate drops below 20%, which is operationally challenging due to the scarcity of domain-aligned, high-quality code at such volumes.
Theoretical and Practical Implications
DuCodeMark advances code dataset watermarking by decoupling the traceability mechanism from detectable trigger-target frequency artifacts. It demonstrates that style signals, if carefully selected, can be robustly transferred through even lossy transformations (e.g., compilation and decompilation), where prior work systematically failed.
The integration of a repressible poisoning mechanism enhances defensive potential. If adversaries attempt dataset “cleaning,” the resulting model exhibits dramatic performance collapse on targeted triggers. For instance, Pass@1 on float-returning functions drops from over 30% to 3.5% post-watermark removal. This punitive characteristic, combined with black-box verification, raises the technical barrier for unauthorized dataset use.
The framework generalizes to multiple programming languages supported by Tree-sitter, and empirical evidence with Llama-3.2-3B confirms scalability to large, general-purpose LLMs.
Limitations and Future Work
DuCodeMark's principal limitations include:
- Reduced verifiability under extreme dataset dilution scenarios.
- Potential for circumvention by strong adversaries via syntactic obfuscation, albeit at a prohibitive cost to dataset utility.
- Limited extension to code tasks involving rich natural-language content (e.g., code summarization), as semantic transformations target code structure, not NL comments/descriptions.
Potential directions include co-design of watermarking strategies with natural language methods, adaptive or learned style transformations for higher stealthiness, and deeper investigation of memorization dynamics in larger models and longer-tailed code domains.
Conclusion
DuCodeMark establishes a new paradigm for dual-purpose code dataset watermarking by fusing style-aware code transformation with a repressible poisoning protocol and statistical black-box verification. It satisfies essential criteria: imperceptibility, robustness, minimal harm to model accuracy, and practical enforceability. Its dual effectiveness across both source-level and decompilation tasks positions it as a comprehensive approach for dataset owners seeking defensible control and attribution of CodeLM training corpora.
Theoretical implications pertain to adversarial robustness and the viability of data-centric signal embedding in the era of increasingly capable CodeLMs. Practically, DuCodeMark offers a foundation for equitable dataset sharing, copyright reinforcement, and defense against unauthorized exploitation—critical as generative code agents proliferate. Future advances in dataset forensics and adaptive watermarking will likely build on these methodological foundations.