With the rapid development of artificial intelligence, the intellectual property protection of deep learning models appeals widespread concerns of scientists and engineers. The black-box watermarking protection scheme has been favored by many scholars due to its many advantages. The trigger set containing data content and data annotation is the key of black-box watermarking technology. However, most of the trigger sets in literates were constructed by comprehensible features, such as Gaussian noise and badges on original data content. Then, the attacks based on machine learning can obtain the watermarking features and generate fake trigger set. Therefore, fraudulent ownership claim attacks may occur. In this paper, we turn our attention to data annotation and propose a black-box watermarking scheme based on chaotic automatic data annotation. Chaos has superior features, such as the sensitivity of initial value, aperiodic behavior and unpredictability of the chaotic sequence. We applies these chaotic features on data annotation so as to against the fraudulent ownership claim attacks. Firstly, this scheme applies chaotic automatic data annotation, which is time-saving and non-manual labeling. Secondly, chaotic sequences are unpredictable for long-terms, which can break the principle of empirical or statistical machine learning based attacks when chaotic labeling the trigger samples. Thirdly, the initial value and parameters in chaos offer a large range of key space, which can facilitate the commercialization of the intelligent models. The key formulation also guarantees the separation of the secret key and the trigger set. In addition, experiments and simulations show that the scheme is effective, secure and robust. It can resist fine-tuning attacks, compression attacks, fraudulent ownership claim attacks and overwriting attacks. INDEX TERMS Black-box watermarking; trigger-set; chaos; automatic annotation; non-generalization; intellectual property protection.