Protecting Language Generation Models via Invisible Watermarking

Xuandong Zhao, Yu-Xiang Wang, Lei Li

Abstract

Language generation models have been an increasingly powerful enabler for many applications. Many such models offer free or affordable API access, which makes them potentially vulnerable to model extraction attacks through distillation. To protect intellectual property (IP) and ensure fair use of these models, various techniques such as lexical watermarking and synonym replacement have been proposed. However, these methods can be nullified by obvious countermeasures such as "synonym randomization". To address this issue, we propose GINSEW, a novel method to protect text generation models from being stolen through distillation. The key idea of our method is to inject secret signals into the probability vector of the decoding steps for each target token. We can then detect the secret message by probing a suspect model to tell if it is distilled from the protected one. Experimental results show that GINSEW can effectively identify instances of IP infringement with minimal impact on the generation quality of protected APIs. Our method demonstrates an absolute improvement of 19 to 29 points on mean average precision (mAP) in detecting suspects compared to previous methods against watermark removal attacks.

Paper Structure (31 sections, 2 theorems, 13 equations, 8 figures, 4 tables, 3 algorithms)

Key Result

Lemma 1.1

Assume $\mathbf{v} \sim \mathcal{U}(0,1),~ \mathbf{v}\in\mathbb{R}^n$ and $\mathbf{x} \sim \mathcal{N}(0,1),~ \mathbf{x}\in \mathbb{R}^n$, where the entries of $\mathbf{v}$ and $\mathbf{x}$ are each i.i.d. and the two vectors are independent of each other. Then we have:

Figures (8)

  • Figure 1: Overview of the process of watermarking and the process of watermark detection. The victim model API embeds watermarks in the response to input queries from the adversaries. The API owner can then use a key to verify if the suspect model has been distilled from the victim model.
  • Figure 2: The process of Ginsew. (a) The original group probability of the victim model is represented by $Q_{\mathcal{G}_1}$. (b) The API owner applies a sinusoidal perturbation to the predicted group probability, resulting in a watermarked output, denoted as $\tilde{Q}_{\mathcal{G}_1}$. (c) If the adversary attempts to distill the victim model, the extracted model will convey this periodical signal. (d) After applying a Fourier transform to the output with a specific key, a peak in the frequency domain at frequency $f_w$ can be observed.
  • Figure 3: A positive example of Ginsew. There is a significant peak in the power spectrum at frequency $f_w$.
  • Figure 4: Use a wrong key to build the hash function for the positive example.
  • Figure 5: A negative example of Ginsew. There is no peak in the frequency domain.
  • ...and 3 more figures

Theorems & Definitions (4)

  • Lemma 1.1: Lemma 1 in zhao2022distillation
  • proof
  • Lemma 1.2
  • proof