A method is provided for watermarking a machine learning model. In the method, a first subset of a labeled set of ML training samples is selected. The first subset is of a predetermined class of images. A first pixel pattern is selected and inserted into each sample of the first subset. One or more of a location, position, orientation, and transformation of the first pixel pattern is varied for each of the samples. Each sample of the first subset is relabeled to have a different label than the original label. The ML model is trained with the labeled set of ML training samples and the first subset of relabeled ML training samples. To detect the watermark, a second subset of training samples is selected, and the first pixel pattern is inserted into each sample. The second subset is used during inference operation to detect the presence of the watermark.