Class-feature Watermark: A Resilient Black-box Watermark Against Model Extraction Attacks

📅 2025-11-11
📈 Citations: 0
✨ Influential: 0
🤖 AI Summary
Machine learning models deployed in black-box settings face dual threats from model extraction attacks (MEAs) and watermark removal attacks. To address this, we propose a class-feature watermarking mechanism based on synthetically generated classes. We first identify and empirically validate, via a novel, purpose-built decision-boundary-based watermark removal attack (WRK), that existing watermarks are highly vulnerable to such boundary-oriented removal strategies. Our method constructs semantically coherent synthetic classes through class-level feature modeling, thereby decoupling watermark samples from original data at the decision boundary. By integrating cross-domain embedding and joint optimization, it preserves model accuracy while significantly enhancing watermark robustness. Experimental results demonstrate that our approach maintains a watermark survival rate of over 70.15% under multiple adversarial attacks, substantially outperforming state-of-the-art methods, and achieves a favorable trade-off between security and practical utility.

๐Ÿ“ Abstract
Machine learning models constitute valuable intellectual property, yet remain vulnerable to model extraction attacks (MEA), where adversaries replicate their functionality through black-box queries. Model watermarking counters MEAs by embedding forensic markers for ownership verification. Current black-box watermarks prioritize MEA survival through representation entanglement, yet inadequately explore resilience against sequential MEAs and removal attacks. Our study reveals that this risk is underestimated because existing removal methods are weakened by entanglement. To address this gap, we propose Watermark Removal attacK (WRK), which circumvents entanglement constraints by exploiting decision boundaries shaped by prevailing sample-level watermark artifacts. WRK effectively reduces watermark success rates by at least 88.79% across existing watermarking benchmarks. For robust protection, we propose Class-Feature Watermarks (CFW), which improve resilience by leveraging class-level artifacts. CFW constructs a synthetic class using out-of-domain samples, eliminating vulnerable decision boundaries between original domain samples and their artifact-modified counterparts (watermark samples). CFW concurrently optimizes both MEA transferability and post-MEA stability. Experiments across multiple domains show that CFW consistently outperforms prior methods in resilience, maintaining a watermark success rate of at least 70.15% in extracted models even under the combined MEA and WRK distortion, while preserving the utility of protected models.
Problem

Research questions and friction points this paper is trying to address.

Developing resilient black-box watermarks against model extraction attacks
Addressing vulnerability to sequential attacks and watermark removal methods
Proposing class-feature watermarks using synthetic classes for robust protection
Innovation

Methods, ideas, or system contributions that make the work stand out.

Leverages class-level artifacts for watermark resilience
Constructs synthetic class using out-of-domain samples
Optimizes transferability and stability against attacks
Authors

Yaxin Xiao, Department of Electrical and Electronic Engineering, The Hong Kong Polytechnic University
Qingqing Ye, Assistant Professor, The Hong Kong Polytechnic University (data privacy and security; adversarial machine learning)
Zi Liang, The Hong Kong Polytechnic University (natural language processing; AI security)
Haoyang Li, Department of Electrical and Electronic Engineering, The Hong Kong Polytechnic University
RongHua Li, Department of Electrical and Electronic Engineering, The Hong Kong Polytechnic University
Huadi Zheng, unknown affiliation (voice technology; information security)
Haibo Hu, Department of Electrical and Electronic Engineering, The Hong Kong Polytechnic University