Learnable Linguistic Watermarks for Tracing Model Extraction Attacks on Large Language Models

Minhao Bai, Kaiyi Pang, Yongfeng Huang

TL;DR

The paper tackles protecting the intellectual property of large language models from model-extraction attacks by proposing a learnable linguistic watermark. It embeds the watermark by sampling token-frequency distributions from a dataset, perturbing them with Gaussian noise, and reweighting the LLM’s output using $\hat{P}_{LM}(w_i) = P_{LM}(w_i) \times \frac{\hat{F}_D(w_i)}{F_{LM}(w_i)}$, guiding generated text to follow the watermarked distribution. Detection is framed as an information-theoretic hypothesis test, using $I_{\hat{P}_{LM}} = \mathbb{E}[-\log \hat{P}_{LM}(w_i)]$ and $KL(\hat{P}_{LM}||\mathcal{P}_A)$ to distinguish watermarked from non-watermarked text, with bounds $B_I, B_{II}$ and token-count requirements $N_I, N_{II}$ to control false positives/negatives. The authors emphasize learnability: downstream models trained on watermarked text may reproduce the watermark distribution, enabling traceability of extraction while aiming to preserve output quality, though practical training dynamics and a balance between watermark strength and model performance must be managed.
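As an added illustration (not code from the paper), the reweighting rule and the KL-based detector sketched in the TL;DR on a constructed six-token vocabulary. The clipping of perturbed frequencies, the additive smoothing of the suspect text's distribution $\mathcal{P}_A$, i.i.d. unigram sampling in place of real decoding, and the hand-picked 0.05 threshold are simplifying assumptions of this sketch, not the paper's bounds $B_I, B_{II}$ or token counts $N_I, N_{II}$.

```python
import math
import random

def watermark_distribution(p_lm, f_lm, f_d, sigma, rng):
    """P_hat(w) = P_LM(w) * F_hat_D(w) / F_LM(w), renormalised to a distribution.
    F_hat_D is the dataset frequency vector F_D plus Gaussian noise N(0, sigma^2);
    clipping away negatives and renormalising is this sketch's assumption."""
    f_hat_d = [max(f + rng.gauss(0.0, sigma), 1e-6) for f in f_d]
    z = sum(f_hat_d)
    p_hat = [p * (f / z) / g for p, f, g in zip(p_lm, f_hat_d, f_lm)]
    z = sum(p_hat)
    return [x / z for x in p_hat]

def kl_divergence(p, q):
    """KL(p || q) in nats; q must be strictly positive everywhere."""
    return sum(pi * math.log(pi / qi) for pi, qi in zip(p, q) if pi > 0)

def surprisal(p_hat, tokens):
    """Sample estimate of I_{P_hat} = E[-log P_hat(w_i)] over a token sequence."""
    return -sum(math.log(p_hat[t]) for t in tokens) / len(tokens)

def empirical_distribution(tokens, vocab_size, alpha=0.5):
    """P_A: smoothed unigram distribution of the suspect text (keeps the KL finite)."""
    counts = [alpha] * vocab_size
    for t in tokens:
        counts[t] += 1
    z = sum(counts)
    return [c / z for c in counts]

def sample_text(p, n, rng):
    """Draw n i.i.d. tokens from p; a unigram stand-in for LM decoding (assumption)."""
    return rng.choices(range(len(p)), weights=p, k=n)

def detect(p_hat, tokens, threshold):
    """Flag the text when KL(P_hat || P_A) falls below a hand-picked threshold."""
    p_a = empirical_distribution(tokens, len(p_hat))
    return kl_divergence(p_hat, p_a) < threshold

# Constructed six-token vocabulary; these numbers are not the paper's data.
P_LM = [0.30, 0.25, 0.20, 0.12, 0.08, 0.05]   # model's own next-token marginals
F_LM = [0.32, 0.24, 0.20, 0.11, 0.08, 0.05]   # token frequencies in text the model emits
F_D = [0.10, 0.15, 0.15, 0.25, 0.20, 0.15]    # token frequencies of the chosen dataset
RNG = random.Random(7)
P_HAT = watermark_distribution(P_LM, F_LM, F_D, sigma=0.02, rng=RNG)

if __name__ == "__main__":
    wm, plain = sample_text(P_HAT, 4000, RNG), sample_text(P_LM, 4000, RNG)
    print("KL(P_hat || P_LM) =", round(kl_divergence(P_HAT, P_LM), 3))
    print("watermarked flagged:", detect(P_HAT, wm, 0.05), "| plain flagged:", detect(P_HAT, plain, 0.05))
```

A suspect model distilled from watermarked outputs would, if it learned the watermark, produce text whose $\mathcal{P}_A$ sits close to $\hat{P}_{LM}$, which is exactly what `detect` measures.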

Abstract

In the rapidly evolving domain of artificial intelligence, safeguarding the intellectual property of Large Language Models (LLMs) is increasingly crucial. Current watermarking techniques against model extraction attacks, which rely on signal insertion in model logits or post-processing of generated text, remain largely heuristic. We propose a novel method for embedding learnable linguistic watermarks in LLMs, aimed at tracing and preventing model extraction attacks. Our approach subtly modifies the LLM's output distribution by introducing controlled noise into token frequency distributions, embedding a statistically identifiable, controllable watermark. We leverage statistical hypothesis testing and information theory, particularly focusing on Kullback-Leibler Divergence, to differentiate between original and modified distributions effectively. Our watermarking method strikes a delicate balance between robustness and output quality, maintaining low false positive/negative rates and preserving the LLM's original performance.
