Papers
Topics
Authors
Recent
Search
2000 character limit reached

DuCodeMark: Dual-Purpose Code Dataset Watermarking via Style-Aware Watermark-Poison Design

Published 12 Apr 2026 in cs.CR | (2604.10611v1)

Abstract: The proliferation of LLMs for code (CodeLMs) and open-source contributions has heightened concerns over unauthorized use of source code datasets. While watermarking provides a viable protection mechanism by embedding ownership signals, existing methods rely on detectable trigger-target patterns and are limited to source-code tasks, overlooking other scenarios such as decompilation tasks. In this paper, we propose DuCodeMark, a stealthy and robust dual-purpose watermarking method for code datasets that generalizes across both source-code tasks and decompilation tasks. DuCodeMark parses each code sample into an abstract syntax tree (AST), applies language-specific style transformations to construct stealthy trigger-target pairs, and injects repressible poisoned features into a subset of return-typed samples to enhance robustness against watermark removal or evasion. These features remain inactive during normal training but are activated upon watermark removal, degrading model performance. For verification, DuCodeMark employs a black-box method based on the independent-samples $t$-test. We conduct a comprehensive evaluation of DuCodeMark across 72 settings spanning two code tasks, two programming languages, three CodeLMs, and six decoding temperatures. The results demonstrate that it consistently achieves strong verifiability ($p < 0.05$), high stealthiness (suspicious rate $\leq$ 0.36), robustness against both watermark and poisoning attacks (recall $\leq$ 0.57), and a substantial drop in model performance upon watermark removal (Pass@1 drops by 28.6%), underscoring its practicality and resilience.

Summary

  • The paper demonstrates a dual-purpose watermarking framework that embeds verifiable ownership signals via style-aware transformations and repressible poisoning.
  • It employs subtle code modifications, preserving functionality while enabling statistical black-box detection with p-values below 10⁻⁵.
  • The method resists removal attacks and maintains near-original model performance, ensuring practical enforceability of dataset usage policies.

Dual-Purpose, Style-Aware Watermarking for Code Datasets: A Technical Assessment of DuCodeMark

Introduction

The paper "DuCodeMark: Dual-Purpose Code Dataset Watermarking via Style-Aware Watermark-Poison Design" (2604.10611) introduces a framework for robust, stealthy watermarking of code datasets. It specifically addresses the limitations of prior code dataset protection schemes, namely their fragility under code transformation (especially for decompilation tasks), vulnerability to removal attacks, and reliance on conspicuous trigger-target backdoor patterns. DuCodeMark leverages style-aware transformations and a repressible poisoning mechanism to provide verifiable ownership traces in both source-level and decompilation tasks, advancing practical enforcement of dataset usage constraints for CodeLM providers. Figure 1

Figure 1: High-level pipeline of DuCodeMark, including candidate selection, watermark/poison embedding, and black-box verification.

Methodological Contributions

DuCodeMark's methodology centers on three interconnected components: style-aware watermarking, repressible poisoning, and black-box statistical verification.

First, it parses input code using the Tree-sitter AST framework to identify suitable samples for style-based watermark embedding and for poisoning injection. Style-based watermarking operates via subtle code transformations, such as switching between typical naming conventions (e.g., introducing camelCase in C or snake_case in Java) and appending type-based suffixes to identifiers. Triggers include rare string literal patterns (such as double line breaks), which are robustly preserved through compilation-decompilation processes. This design avoids one-to-one trigger-target associations associated with detectable distributional anomalies.

Second, repressible poisoning is injected into return-typed functions (e.g., float/double return types) to serve as a punitive mechanism if watermark removal is attempted. Poisons are inert during normal usage (when watermarks are present) but become active, degrading model performance, when watermark samples are removed due to the loss of suppression.

Finally, black-box verification is enabled via an independent-samples tt-test over model outputs, contrasting responses to triggered and non-triggered samples. A statistically significant difference (p<0.05p < 0.05) indicates prior training on the watermarked dataset, without requiring model internals or architecture access.

Empirical Evaluation

The robustness and harmlessness of DuCodeMark are substantiated with comprehensive experiments across 72 settings—crossing tasks (code completion and decompilation), languages (C and Java), CodeLM platforms (SantaCoder, StarCoderBase, DeepSeek-Coder), and decoding temperatures.

  • Verifiability: DuCodeMark consistently yields extremely low pp-values (<105< 10^{-5} in most cases) for watermarked models, while non-watermarked models never trigger detection. This result is robust to temperature variations and compilation/decompilation optimization levels. Figure 2

    Figure 2: Task-wise and temperature-wise heatmaps of tt-test pp-values; watermark presence is detected stably.

  • Harmlessness: Pass@1 functional correctness drops negligibly (≈0.6%), indicating that code transformations preserve task effectiveness, with no statistically significant drop relative to clean training data. Figure 3

    Figure 3: Pass@1 performance for watermarked and clean models across models/tasks, demonstrating negligible degradation from watermarking.

  • Stealthiness: Human inspectors (both naïve and watermark-aware) exhibit low average suspicion rates for DuCodeMark-modified samples—0.08/0.26 (Group 1/Group 2), substantially lower than aggressive watermarking/poisoning baselines, with minimal impact on structural/readability metrics. The occurrence of embedded features mirrors natural, plausible patterns, evading detection by automated techniques or LLM-based rewriting in practical settings.
  • Robustness: DuCodeMark resists state-of-the-art watermark and poisoning removal attacks, with recall for successful detection rarely exceeding 0.5 and post-attack watermark signals still verifiable. Only extreme code obfuscation (which also destroys identifier semantics and thus dataset utility) can systematically disrupt the style associations critical to DuCodeMark's triggers. Dilution attacks fail unless the watermarking rate drops below 20%, which is operationally challenging due to the scarcity of domain-aligned, high-quality code at such volumes.

Theoretical and Practical Implications

DuCodeMark advances code dataset watermarking by decoupling the traceability mechanism from detectable trigger-target frequency artifacts. It demonstrates that style signals, if carefully selected, can be robustly transferred through even lossy transformations (e.g., compilation and decompilation), where prior work systematically failed.

The integration of a repressible poisoning mechanism enhances defensive potential. If adversaries attempt dataset “cleaning,” the resulting model exhibits dramatic performance collapse on targeted triggers. For instance, Pass@1 on float-returning functions drops from over 30% to 3.5% post-watermark removal. This punitive characteristic, combined with black-box verification, raises the technical barrier for unauthorized dataset use.

The framework generalizes to multiple programming languages supported by Tree-sitter, and empirical evidence with Llama-3.2-3B confirms scalability to large, general-purpose LLMs.

Limitations and Future Work

DuCodeMark's principal limitations include:

  • Reduced verifiability under extreme dataset dilution scenarios.
  • Potential for circumvention by strong adversaries via syntactic obfuscation, albeit at a prohibitive cost to dataset utility.
  • Limited extension to code tasks involving rich natural-language content (e.g., code summarization), as semantic transformations target code structure, not NL comments/descriptions.

Potential directions include co-design of watermarking strategies with natural language methods, adaptive or learned style transformations for higher stealthiness, and deeper investigation of memorization dynamics in larger models and longer-tailed code domains.

Conclusion

DuCodeMark establishes a new paradigm for dual-purpose code dataset watermarking by fusing style-aware code transformation with a repressible poisoning protocol and statistical black-box verification. It satisfies essential criteria: imperceptibility, robustness, minimal harm to model accuracy, and practical enforceability. Its dual effectiveness across both source-level and decompilation tasks positions it as a comprehensive approach for dataset owners seeking defensible control and attribution of CodeLM training corpora.

Theoretical implications pertain to adversarial robustness and the viability of data-centric signal embedding in the era of increasingly capable CodeLMs. Practically, DuCodeMark offers a foundation for equitable dataset sharing, copyright reinforcement, and defense against unauthorized exploitation—critical as generative code agents proliferate. Future advances in dataset forensics and adaptive watermarking will likely build on these methodological foundations.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.

Tweets

Sign up for free to view the 1 tweet with 0 likes about this paper.