Guanlin Li,Yifei Chen,Jie Zhang,Jiwei Li,Shangwei Guo,Tianwei Zhang

DOI: https://doi.org/10.48550/arxiv.2310.07726

2023-01-01

Abstract:AI-Generated Content (AIGC) is gaining great popularity, with many emerging commercial services and applications. These services leverage advanced generative models, such as latent diffusion models and large language models, to generate creative content (e.g., realistic images and fluent sentences) for users. The usage of such generated content needs to be highly regulated, as the service providers need to ensure the users do not violate the usage policies (e.g., abuse for commercialization, generating and distributing unsafe content). A promising solution to achieve this goal is watermarking, which adds unique and imperceptible watermarks on the content for service verification and attribution. Numerous watermarking approaches have been proposed recently. However, in this paper, we show that an adversary can easily break these watermarking mechanisms. Specifically, we consider two possible attacks. (1) Watermark removal: the adversary can easily erase the embedded watermark from the generated content and then use it freely bypassing the regulation of the service provider. (2) Watermark forging: the adversary can create illegal content with forged watermarks from another user, causing the service provider to make wrong attributions. We propose Warfare, a unified methodology to achieve both attacks in a holistic way. The key idea is to leverage a pre-trained diffusion model for content processing and a generative adversarial network for watermark removal or forging. We evaluate Warfare on different datasets and embedding setups. The results prove that it can achieve high success rates while maintaining the quality of the generated content. Compared to existing diffusion model-based attacks, Warfare is 5,050~11,000x faster.

Dong Tian,Zhe-Ming Lu,Hang-Yu Fan

2019-01-01

Abstract:For digital copyright protection and traceability, many text watermarking algorithms have been proposed. However, the vast majority of them have one or more the following disadvantages: Insufficient embedded capacity, poor robustness, and large embedded noise affecting the expression of normal documents. To solve the above problems, this paper proposes a text watermarking scheme based on hidden objects. It solves problem from the level of programming objects in office and hides these objects that can record information, so as to realize the information hiding of the text. Compared with the existing methods, our proposed solution obtains higher robustness results against most of the extremely dangerous attacks, and at the same time possesses the faster embedded speed and the greater embedded capacity.

Qi Pang,Shengyuan Hu,Wenting Zheng,Virginia Smith

2024-11-13

Abstract:Advances in generative models have made it possible for AI-generated text, code, and images to mirror human-generated content in many applications. Watermarking, a technique that aims to embed information in the output of a model to verify its source, is useful for mitigating the misuse of such AI-generated content. However, we show that common design choices in LLM watermarking schemes make the resulting systems surprisingly susceptible to attack -- leading to fundamental trade-offs in robustness, utility, and usability. To navigate these trade-offs, we rigorously study a set of simple yet effective attacks on common watermarking systems, and propose guidelines and defenses for LLM watermarking in practice.

Cryptography and Security,Computation and Language,Machine Learning

Jiacheng Liang,Zian Wang,Lauren Hong,Shouling Ji,Ting Wang

2024-11-21

Abstract:To mitigate the misuse of large language models (LLMs), such as disinformation, automated phishing, and academic cheating, there is a pressing need for the capability of identifying LLM-generated texts. Watermarking emerges as one promising solution: it plants statistical signals into LLMs' generative processes and subsequently verifies whether LLMs produce given texts. Various watermarking methods (``watermarkers'') have been proposed; yet, due to the lack of unified evaluation platforms, many critical questions remain under-explored: i) What are the strengths/limitations of various watermarkers, especially their attack robustness? ii) How do various design choices impact their robustness? iii) How to optimally operate watermarkers in adversarial environments? To fill this gap, we systematize existing LLM watermarkers and watermark removal attacks, mapping out their design spaces. We then develop WaterPark, a unified platform that integrates 10 state-of-the-art watermarkers and 12 representative attacks. More importantly, leveraging WaterPark, we conduct a comprehensive assessment of existing watermarkers, unveiling the impact of various design choices on their attack robustness. For instance, a watermarker's resilience to increasingly intensive attacks hinges on its context dependency. We further explore the best practices to operate watermarkers in adversarial environments. For instance, using a generic detector alongside a watermark-specific detector improves the security of vulnerable watermarkers. We believe our study sheds light on current LLM watermarking techniques while WaterPark serves as a valuable testbed to facilitate future research.

Cryptography and Security,Computation and Language,Machine Learning

KiYoon Yoo,Wonhyuk Ahn,Jiho Jang,Nojun Kwak

2023-06-09

Abstract:Recent years have witnessed a proliferation of valuable original natural language contents found in subscription-based media outlets, web novel platforms, and outputs of large language models. However, these contents are susceptible to illegal piracy and potential misuse without proper security measures. This calls for a secure watermarking system to guarantee copyright protection through leakage tracing or ownership identification. To effectively combat piracy and protect copyrights, a multi-bit watermarking framework should be able to embed adequate bits of information and extract the watermarks in a robust manner despite possible corruption. In this work, we explore ways to advance both payload and robustness by following a well-known proposition from image watermarking and identify features in natural language that are invariant to minor corruption. Through a systematic analysis of the possible sources of errors, we further propose a corruption-resistant infill model. Our full method improves upon the previous work on robustness by +16.8% point on average on four datasets, three corruption types, and two corruption ratios. Code available at <a class="link-external link-https" href="https://github.com/bangawayoo/nlp-watermarking" rel="external noopener nofollow">this https URL</a>.

Computation and Language,Artificial Intelligence

He Lu,Ma GuangPing,Fang DingYi,Gui XiaoLin

DOI: https://doi.org/10.1109/ycict.2009.5382387

2009-01-01

Abstract:Many extant natural language watermarking techniques demand deep structure analysis, and so suffer in reliability. We propose a scheme for natural language watermarking, which embedding watermark bits into the pragmatics feature of text by rewriting sentences. In contrast, we eschew syntactic and semantic analysis. We make use of transformation templates and our templates based on pragmatics rule and described by part-of-speech (POS) tags order. The searching structure of pragmatics in the text is simplified as matching the POS tags order with templates. Since there lack pragmatics parser and we proposed a spread spectrum coding scheme, our method resist against synonymic substitution, adverbs inclusion or removal, passivization, topicalization, extraposition, preposing, etc. The experiment results show that no more than 5% watermark bits had been damaged while 30% sentences were transformed without changing the meaning.

Zesen Liu,Tianshuo Cong,Xinlei He,Qi Li

2024-07-06

Abstract:Large Language Models (LLMs) excel in various applications, including text generation and complex tasks. However, the misuse of LLMs raises concerns about the authenticity and ethical implications of the content they produce, such as deepfake news, academic fraud, and copyright infringement. Watermarking techniques, which embed identifiable markers in machine-generated text, offer a promising solution to these issues by allowing for content verification and origin tracing. Unfortunately, the robustness of current LLM watermarking schemes under potential watermark removal attacks has not been comprehensively explored. In this paper, to fill this gap, we first systematically comb the mainstream watermarking schemes and removal attacks on machine-generated texts, and then we categorize them into pre-text (before text generation) and post-text (after text generation) classes so that we can conduct diversified analyses. In our experiments, we evaluate eight watermarks (five pre-text, three post-text) and twelve attacks (two pre-text, ten post-text) across 87 scenarios. Evaluation results indicate that (1) KGW and Exponential watermarks offer high text quality and watermark retention but remain vulnerable to most attacks; (2) Post-text attacks are found to be more efficient and practical than pre-text attacks; (3) Pre-text watermarks are generally more imperceptible, as they do not alter text fluency, unlike post-text watermarks; (4) Additionally, combined attack methods can significantly increase effectiveness, highlighting the need for more robust watermarking solutions. Our study underscores the vulnerabilities of current techniques and the necessity for developing more resilient schemes.

Cryptography and Security,Artificial Intelligence,Computation and Language,Machine Learning

John Kirchenbauer,Jonas Geiping,Yuxin Wen,Manli Shu,Khalid Saifullah,Kezhi Kong,Kasun Fernando,Aniruddha Saha,Micah Goldblum,Tom Goldstein

DOI: https://doi.org/10.48550/arXiv.2306.04634

2024-05-02

Abstract:As LLMs become commonplace, machine-generated text has the potential to flood the internet with spam, social media bots, and valueless content. Watermarking is a simple and effective strategy for mitigating such harms by enabling the detection and documentation of LLM-generated text. Yet a crucial question remains: How reliable is watermarking in realistic settings in the wild? There, watermarked text may be modified to suit a user's needs, or entirely rewritten to avoid detection. We study the robustness of watermarked text after it is re-written by humans, paraphrased by a non-watermarked LLM, or mixed into a longer hand-written document. We find that watermarks remain detectable even after human and machine paraphrasing. While these attacks dilute the strength of the watermark, paraphrases are statistically likely to leak n-grams or even longer fragments of the original text, resulting in high-confidence detections when enough tokens are observed. For example, after strong human paraphrasing the watermark is detectable after observing 800 tokens on average, when setting a 1e-5 false positive rate. We also consider a range of new detection schemes that are sensitive to short spans of watermarked text embedded inside a large document, and we compare the robustness of watermarking to other kinds of detectors.

Machine Learning,Computation and Language,Cryptography and Security

Lingyun Xiang,Yangfan Liu,Zhongliang Yang

DOI: https://doi.org/10.1016/j.ipm.2024.103661

IF: 7.466

2024-01-27

Information Processing & Management

Abstract:Existing methods have evolved from using synonym substitution to incorporating arbitrary word substitution to achieve reversible natural language watermarking. However, a notable limitation is that they are prone to overlook the sensitivity of information associated with the original words, with a tendency to prefer non-sensitive words for substitution. As a result, a potential risk of sensitive information leakage contained in the original text is posed. Furthermore, while aiming for reversibility, the overall performance of the watermarking method may be inadvertently compromised. In response to the above problems, this paper puts forward a novel reversible natural language watermarking method that combines a K eyword S ubstitution scheme and a P rediction E rror E xpansion algorithm (KSPEE) to protect sensitive information, verify content integrity, protect copyright, and so on. Specifically, KSPEE leverages a keyword extraction algorithm to identify important content containing sensitive information in the original text, thereby determining the potential positions for watermark information embedding. Subsequently, a masked language model is utilized to predict appropriate substitution words based on the surrounding semantic information of the embedding position . In addition, the prediction error expansion algorithm is employed to select appropriate words for substituting the original keywords, ensuring the successful embedding of watermark information while maintaining the recoverability of the original keywords. By identifying keywords and substituting them, a suitable method of protecting the original sensitive information is provided. Extensive experiments demonstrate that, under the promise of semantic distortion and lossless restoration of the original content, the proposed method KSPEE achieves outstanding watermarked text quality. A higher watermark embedding rate is achieved and strong security is shown by KSPEE. More importantly, KSPEE effectively prevents the leakage of sensitive information.

computer science, information systems,information science & library science

余振山,黄刘生,陈志立,李凌君,杨威,赵欣欣

DOI: https://doi.org/10.3969/j.issn.1672-464x.2009.02.010

2009-01-01

Abstract:With the development of Internet,it is easier to get unauthorized digital media than ever before.Natural language watermarking(NLW)is a kind of digital rights management(DRM)techniques specially designed for natural language documents.NLW embeds watermark into documents in linguistic meaning-preserving ways.The previous research on designing elaborate watermarking algorithms,security or quality of these schemes is briefly discussed.In this paper,we propose an evaluating scheme for embedding security of NLW,define ideal undetectability,and design ways to construct an inter-proof system for undetectability against specific detector.We also apply this evaluating scheme to some practical NLW systems.

Wenjie Qu,Dong Yin,Zixin He,Wei Zou,Tianyang Tao,Jinyuan Jia,Jiaheng Zhang

2024-04-16

Abstract:Large Language Models (LLMs) have been widely deployed for their remarkable capability to generate texts resembling human language. However, they could be misused by criminals to create deceptive content, such as fake news and phishing emails, which raises ethical concerns. Watermarking is a key technique to mitigate the misuse of LLMs, which embeds a watermark (e.g., a bit string) into a text generated by a LLM. Consequently, this enables the detection of texts generated by a LLM as well as the tracing of generated texts to a specific user. The major limitation of existing watermark techniques is that they cannot accurately or efficiently extract the watermark from a text, especially when the watermark is a long bit string. This key limitation impedes their deployment for real-world applications, e.g., tracing generated texts to a specific user.

Cryptography and Security

NH Yu,LL Cao,W Fang,XL Li

DOI: https://doi.org/10.1109/icct.2003.1209893

2003-01-01

Abstract:Digital watermarking embedding is a hot research field of image processing. Digital watermarking is only possible because our vision system is not perfect. A number of applications have emerged such as copyright notification, time stamp and automated monitoring. There have been ingenious works on watermarking capacity, which all assume the attack distortion are Gaussian additive distribution. We argue that these results are beautiful but not practical. It is hard to classify different attacking methods into a uniform format (especially as Gaussian distribution). In the other hand, the capacity of a given image's information is an interesting and important topic. Instead of conventional analysis based on non-precise assumption of attack distortion, this paper concentrates on the problem of how much information that image can carry without much visibility distortion. Our work is based on wavelet transform and mean-squared error since we believe they are representative measure for most work. Comparing with the former work on the watermarking capacity, this paper pays more attention to the influence on capacity of widely used technique such as spread spectrum. In the last part of this paper, we discuss future trends of new watermarking algorithm and their influence on capacity.

Rui Ma,Mengxi Guo,Yi Hou,Fan Yang,Yuan Li,Huizhu Jia,Xiaodong Xie

DOI: https://doi.org/10.1145/3503161.3547950

2022-12-24

Abstract:Blind watermarking provides powerful evidence for copyright protection, image authentication, and tampering identification. However, it remains a challenge to design a watermarking model with high imperceptibility and robustness against strong noise attacks. To resolve this issue, we present a framework Combining the Invertible and Non-invertible (CIN) mechanisms. The CIN is composed of the invertible part to achieve high imperceptibility and the non-invertible part to strengthen the robustness against strong noise attacks. For the invertible part, we develop a diffusion and extraction module (DEM) and a fusion and split module (FSM) to embed and extract watermarks symmetrically in an invertible way. For the non-invertible part, we introduce a non-invertible attention-based module (NIAM) and the noise-specific selection module (NSM) to solve the asymmetric extraction under a strong noise attack. Extensive experiments demonstrate that our framework outperforms the current state-of-the-art methods of imperceptibility and robustness significantly. Our framework can achieve an average of 99.99% accuracy and 67.66 dB PSNR under noise-free conditions, while 96.64% and 39.28 dB combined strong noise attacks. The code will be available in <a class="link-external link-https" href="https://github.com/rmpku/CIN" rel="external noopener nofollow">this https URL</a>.

Multimedia,Computer Vision and Pattern Recognition

Hua Zhong,Fang Liu,Licheng Jiao

2003-01-01

Abstract:Most watermarking schemes focus on the robustness and invisibility with the problem of copyright protection remained unresolved, which are their initial motivation. In this paper, a watermarking scheme is proposed to provide effective copyright protection. By using a novel method of generating watermark, the use of original data is no longer limited in resolving rightful ownerships. Moreover, blind and non-blind watermark detections have different applications. The robustness and invisibility are also improved. Both theoretical analysis and experimental results show its effectiveness against copyright attack and other distortions such as JPEG compression, Additive White Gaussian Noise (AWGN), image resizing and media filtering.

Long Dai,Jiarong Mao,Xuefeng Fan,Xiaoyi Zhou

DOI: https://doi.org/10.48550/arXiv.2208.04676

2022-08-09

Cryptography and Security

Abstract:Natural language processing (NLP) technology has shown great commercial value in applications such as sentiment analysis. But NLP models are vulnerable to the threat of pirated redistribution, damaging the economic interests of model owners. Digital watermarking technology is an effective means to protect the intellectual property rights of NLP model. The existing NLP model protection mainly designs watermarking schemes by improving both security and robustness purposes, however, the security and robustness of these schemes have the following problems, respectively: (1) Watermarks are difficult to defend against fraudulent declaration by adversary and are easily detected and blocked from verification by human or anomaly detector during the verification process. (2) The watermarking model cannot meet multiple robustness requirements at the same time. To solve the above problems, this paper proposes a novel watermarking framework for NLP model based on the over-parameterization of depth model and the multi-task learning theory. Specifically, a covert trigger set is established to realize the perception-free verification of the watermarking model, and a novel auxiliary network is designed to improve the robustness and security of the watermarking model. The proposed framework was evaluated on two benchmark datasets and three mainstream NLP models, and the results show that the framework can successfully validate model ownership with 100% validation accuracy and advanced robustness and security without compromising the host model performance.

HE Lu,GUI Xiao-Lin,TIAN Feng,WU Rei-Feng,FANG Ding-Yi

DOI: https://doi.org/10.3724/sp.j.1016.2012.01971

2012-01-01

Chinese Journal of Computers

Abstract:The nature of natural language are quite different from the signal of images and sound,and the methods of robust analysis on image watermarks are not to be able to apply to NLW.However,the study of robustness of NLW is still absent.In this paper,based on the nature of natural language,we propose an adversary model that suit for NLW.Then,we classify the existing NLW methods and propose common algorithms.Third,we analyze the robustness of NLW algorithms using the adversary model that we proposed,and verify the theoretical model by experimental results.Our theoretical robust models are useful for comparison and evaluation robustness of different NLW algorithms.

Aloni Cohen,Alexander Hoover,Gabe Schoenbach

2024-06-29

Abstract:We study watermarking schemes for language models with provable guarantees. As we show, prior works offer no robustness guarantees against adaptive prompting: when a user queries a language model more than once, as even benign users do. And with just a single exception (Christ and Gunn, 2024), prior works are restricted to zero-bit watermarking: machine-generated text can be detected as such, but no additional information can be extracted from the watermark. Unfortunately, merely detecting AI-generated text may not prevent future abuses. We introduce multi-user watermarks, which allow tracing model-generated text to individual users or to groups of colluding users, even in the face of adaptive prompting. We construct multi-user watermarking schemes from undetectable, adaptively robust, zero-bit watermarking schemes (and prove that the undetectable zero-bit scheme of Christ, Gunn, and Zamir (2024) is adaptively robust). Importantly, our scheme provides both zero-bit and multi-user assurances at the same time. It detects shorter snippets just as well as the original scheme, and traces longer excerpts to individuals. The main technical component is a construction of message-embedding watermarks from zero-bit watermarks. Ours is the first generic reduction between watermarking schemes for language models. A challenge for such reductions is the lack of a unified abstraction for robustness -- that marked text is detectable even after edits. We introduce a new unifying abstraction called AEB-robustness. AEB-robustness provides that the watermark is detectable whenever the edited text "approximates enough blocks" of model-generated output.

Cryptography and Security,Artificial Intelligence,Computation and Language

Xi Yang,Kejiang Chen,Weiming Zhang,Chang Liu,Yuang Qi,Jie Zhang,Han Fang,Nenghai Yu

DOI: https://doi.org/10.48550/arxiv.2305.08883

2023-01-01

Abstract:LLMs now exhibit human-like skills in various fields, leading to worries about misuse. Thus, detecting generated text is crucial. However, passive detection methods are stuck in domain specificity and limited adversarial robustness. To achieve reliable detection, a watermark-based method was proposed for white-box LLMs, allowing them to embed watermarks during text generation. The method involves randomly dividing the model vocabulary to obtain a special list and adjusting the probability distribution to promote the selection of words in the list. A detection algorithm aware of the list can identify the watermarked text. However, this method is not applicable in many real-world scenarios where only black-box language models are available. For instance, third-parties that develop API-based vertical applications cannot watermark text themselves because API providers only supply generated text and withhold probability distributions to shield their commercial interests. To allow third-parties to autonomously inject watermarks into generated text, we develop a watermarking framework for black-box language model usage scenarios. Specifically, we first define a binary encoding function to compute a random binary encoding corresponding to a word. The encodings computed for non-watermarked text conform to a Bernoulli distribution, wherein the probability of a word representing bit-1 being approximately 0.5. To inject a watermark, we alter the distribution by selectively replacing words representing bit-0 with context-based synonyms that represent bit-1. A statistical test is then used to identify the watermark. Experiments demonstrate the effectiveness of our method on both Chinese and English datasets. Furthermore, results under re-translation, polishing, word deletion, and synonym substitution attacks reveal that it is arduous to remove the watermark without compromising the original semantics.

Baizhou Huang,Xiaojun Wan

2024-05-22

Abstract:With the increasing use of large language models (LLMs) in daily life, concerns have emerged regarding their potential misuse and societal impact. Watermarking is proposed to trace the usage of specific models by injecting patterns into their generated texts. An ideal watermark should produce outputs that are nearly indistinguishable from those of the original LLM (imperceptibility), while ensuring a high detection rate (efficacy), even when the text is partially altered (robustness). Despite many methods having been proposed, none have simultaneously achieved all three properties, revealing an inherent trade-off. This paper utilizes a key-centered scheme to unify existing watermarking techniques by decomposing a watermark into two distinct modules: a key module and a mark module. Through this decomposition, we demonstrate for the first time that the key module significantly contributes to the trade-off issues observed in prior methods. Specifically, this reflects the conflict between the scale of the key sampling space during generation and the complexity of key restoration during detection. To this end, we introduce \textbf{WaterPool}, a simple yet effective key module that preserves a complete key sampling space required by imperceptibility while utilizing semantics-based search to improve the key restoration process. WaterPool can integrate with most watermarks, acting as a plug-in. Our experiments with three well-known watermarking techniques show that WaterPool significantly enhances their performance, achieving near-optimal imperceptibility and markedly improving efficacy and robustness (+12.73\% for KGW, +20.27\% for EXP, +7.27\% for ITS).

Cryptography and Security,Computation and Language

Alexander Nemecek,Yuzhou Jiang,Erman Ayday

2024-08-20

Abstract:The indistinguishability of text generated by large language models (LLMs) from human-generated text poses significant challenges. Watermarking algorithms are potential solutions by embedding detectable signatures within LLM-generated outputs. However, current watermarking schemes lack robustness to a range of attacks such as text substitution or manipulation, undermining their reliability. This paper proposes a novel topic-based watermarking algorithm for LLMs, designed to enhance the robustness of watermarking in LLMs. Our approach leverages the topics extracted from input prompts or outputs of non-watermarked LLMs in the generation process of watermarked text. We dynamically utilize token lists on identified topics and adjust token sampling weights accordingly. By using these topic-specific token biases, we embed a topic-sensitive watermarking into the generated text. We outline the theoretical framework of our topic-based watermarking algorithm and discuss its potential advantages in various scenarios. Additionally, we explore a comprehensive range of attacks against watermarking algorithms, including discrete alterations, paraphrasing, and tokenizations. We demonstrate that our proposed watermarking scheme classifies various watermarked text topics with 99.99% confidence and outperforms existing algorithms in terms of z-score robustness and the feasibility of modeling text degradation by potential attackers, while considering the trade-offs between the benefits and losses of watermarking LLM-generated text.

Cryptography and Security,Computation and Language,Machine Learning