Green-Red Watermarking for Recommender Systems

📅 2026-04-26
🤖 AI Summary
This work addresses the vulnerability of recommender systems to model extraction attacks and the statistical anomalies and fragility introduced by existing watermarking methods that rely on synthetic data injection. To overcome these limitations, the authors propose GREW, a novel framework that eschews fixed interaction patterns and instead introduces a key-based “green–red” item partitioning mechanism. GREW implicitly embeds watermarks into recommendation rankings through output bias without injecting synthetic data. The approach integrates three tailored components—semantic consistency hashing, decision alignment masking, and confidence-aware scaling—and enables copyright verification via statistical hypothesis testing on black-box outputs. Experiments demonstrate that GREW substantially outperforms state-of-the-art methods across multiple base models, achieving high-accuracy ownership verification while maintaining semantic consistency, decision alignment, and strong robustness.

📝 Abstract
The widespread open-sourcing of advanced recommendation algorithms and the rising threat of model extraction attacks have made safeguarding the intellectual property of recommender systems an imperative task. While watermarking serves as a potent defense, existing methods primarily rely on forcing models to memorize pre-defined interaction patterns. Such memorization-based approaches often require excessive synthetic data injection and are vulnerable to removal attacks due to their detectable statistical deviations from natural user behavior. To address these limitations, we propose GREW, a novel Green-REd Watermarking framework for recommender systems. GREW leverages a secret key to partition the item space into "green" items for soft promotion and "red" items as anchors, thereby shifting the paradigm from fragile memorization to a stealthy, key-controlled output bias. By integrating watermark signals directly into the intrinsic ranking process, GREW employs three recommendation-tailored modules: (1) Semantic-Consistent Hashing, which utilizes the secret key to cluster green items for performance-aware stealthiness; (2) Decision-Aligned Masking, which confines signal injection to the competitive item subset to preserve ranking logic; and (3) Confidence-Aware Scaling, which dynamically modulates injection intensity based on model uncertainty. Ownership verification is performed via statistical hypothesis testing on aggregated black-box outputs, enabled by the keyed re-partitioning of the item space. Experiments on multiple base models demonstrate that GREW achieves strong ownership verification and robustness against extraction attacks compared to existing baselines while requiring no data injection. Our code is available at https://github.com/Loche2/GREW.
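As an added illustration (not code from the paper or its repository), the following Python sketch shows the key-controlled mechanism the abstract describes: a keyed green/red partition of item ids (a plain HMAC here, where GREW's Semantic-Consistent Hashing clusters items), soft promotion of green items in the ranking, and black-box verification by a one-sided z-test on the share of green items across aggregated top-k outputs. The key, item scores and bias strength are constructed for the demo.

```python
import hmac, hashlib, math, random

KEY = b"owner-secret-key"  # constructed placeholder, not the paper's key

def is_green(item_id: int, key: bytes = KEY, green_frac: float = 0.5) -> bool:
    """Keyed partition: HMAC-SHA256 of the item id maps it to green or red.
    GREW clusters green items semantically; a plain keyed hash stands in here."""
    tag = hmac.new(key, str(item_id).encode(), hashlib.sha256).digest()
    return int.from_bytes(tag[:4], "big") / 2**32 < green_frac

def watermark_rerank(scores, key: bytes = KEY, delta: float = 0.5, k: int = 10):
    """Soft promotion: add delta to green items' scores and return the top-k ids."""
    biased = {i: s + (delta if is_green(i, key) else 0.0) for i, s in scores.items()}
    return sorted(biased, key=biased.get, reverse=True)[:k]

def green_fraction_zscore(top_k_lists, key: bytes = KEY, green_frac: float = 0.5):
    """Black-box verification: z-score for 'green share exceeds green_frac' over all
    recommended slots. Only the key holder can re-partition and see the bias."""
    n = sum(len(lst) for lst in top_k_lists)
    g = sum(is_green(i, key) for lst in top_k_lists for i in lst)
    return (g - n * green_frac) / math.sqrt(n * green_frac * (1 - green_frac))

def run_demo(users: int = 200, items: int = 1000, seed: int = 7):
    """Constructed data: uniform random relevance scores per user. Returns z for
    a watermarked model, an unwatermarked one, and a verifier with the wrong key."""
    rng = random.Random(seed)
    plain, marked = [], []
    for _ in range(users):
        scores = {i: rng.random() for i in range(items)}
        plain.append(sorted(scores, key=scores.get, reverse=True)[:10])
        marked.append(watermark_rerank(scores))
    return (green_fraction_zscore(marked),
            green_fraction_zscore(plain),
            green_fraction_zscore(marked, key=b"wrong-key"))

if __name__ == "__main__":
    z_wm, z_plain, z_wrong = run_demo()
    print(f"watermarked z={z_wm:.1f}  plain z={z_plain:.1f}  wrong key z={z_wrong:.1f}")
```

The unwatermarked model and the wrong-key verifier both sit near z=0, while the keyed verifier sees a z far above any conventional rejection threshold, which is the asymmetry the abstract's keyed re-partitioning relies on.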
Problem

Research questions and friction points this paper is trying to address.

watermarking
recommender systems
model extraction attacks
intellectual property protection
black-box verification
Innovation

Methods, ideas, or system contributions that make the work stand out.

watermarking
recommender systems
model extraction defense
stealthy output bias
semantic-consistent hashing