Ward: Provable RAG Dataset Inference via LLM Watermarks

Nikola Jovanović, Robin Staab, Maximilian Baader, Martin Vechev

TL;DR

The paper tackles the challenge of proving unauthorized data usage in retrieval-augmented generation (RAG) by formalizing RAG Dataset Inference (RAG-DI) and introducing Farad, a dataset that realistically exhibits fact redundancy and non-training data. It shows that existing baselines are ill-suited for black-box RAG-DI and introduces Ward, a proactive method based on LLM watermarks that yields provable statistical guarantees while remaining practical and robust to defenses. Across comprehensive experiments, Ward achieves high accuracy, efficient querying, and strong resilience to attempts at obfuscation, demonstrating its viability for data owners seeking to audit RAG providers. The work establishes a foundation for RAG-DI research and highlights LLM watermarking as a promising path for protecting content provenance in modern GenAI systems.

Abstract

RAG enables LLMs to easily incorporate external data, raising concerns for data owners regarding unauthorized usage of their content. The challenge of detecting such unauthorized usage remains underexplored, with datasets and methods from adjacent fields being ill-suited for its study. We take several steps to bridge this gap. First, we formalize this problem as (black-box) RAG Dataset Inference (RAG-DI). We then introduce a novel dataset designed for realistic benchmarking of RAG-DI methods, alongside a set of baselines. Finally, we propose Ward, a method for RAG-DI based on LLM watermarks that equips data owners with rigorous statistical guarantees regarding their dataset's misuse in RAG corpora. Ward consistently outperforms all baselines, achieving higher accuracy, superior query efficiency and robustness. Our work provides a foundation for future studies of RAG-DI and highlights LLM watermarks as a promising approach to this problem.

Paper Structure (75 sections, 2 equations, 17 figures, 2 tables)

This paper contains 75 sections, 2 equations, 17 figures, 2 tables.

Figures (17)

  • Figure 1: Overview of RAG Dataset Inference using Ward, our method based on LLM watermarks.
  • Figure 2: Overview of the generation pipeline of Farad, and the resulting Easy and Hard evaluation settings.
  • Figure 3: Green ratio to pass watermark detection with given #queries.
  • Figure 4: Evaluation of all methods on Farad in both Easy and Hard settings, and with both Naive-P and Def-P system prompts. We run each method with $5$ random seeds, resulting in $5$ squares. A red square indicates a false negative in the IN case, and a false positive in the OUT case. All methods perform well in the Easy setting, while only Ward consistently performs well in the Hard setting.
  • Figure 5: Ward (left) and Sib (right) accuracy as a function of $|D_{\text{do}}|$ (i.e., the number of queries) in the Hard setting. Ward consistently improves, while Sib suffers from high variance in accuracy.
  • ...and 12 more figures
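
The statistical guarantee described in the abstract and the green-ratio threshold of Figure 3 can be illustrated with a red-green watermark test. This is an added example, not code from the paper or its authors. It assumes a KGW-style red-green scheme with green fraction `GAMMA`, a one-sided z-test, pooling of scored tokens across query responses, and hypothetical helper names with a constructed key and vocabulary.

```python
import hashlib
import hmac
import math
import random
from statistics import NormalDist

GAMMA = 0.5  # assumption: fraction of the vocabulary that is green for each context

def is_green(key: bytes, prev_tok: str, tok: str) -> bool:
    """Keyed pseudorandom red/green split of the vocabulary, seeded by the previous token."""
    digest = hmac.new(key, f"{prev_tok}\x00{tok}".encode(), hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big") / 2**64 < GAMMA

def score(key: bytes, responses: list[list[str]]) -> tuple[int, int]:
    """Count (green, scored) tokens over all responses, pooled into a single test."""
    green = scored = 0
    for toks in responses:
        for prev_tok, tok in zip(toks, toks[1:]):
            green += is_green(key, prev_tok, tok)
            scored += 1
    return green, scored

def p_value(green: int, scored: int) -> float:
    """One-sided z-test of H0 (no watermark): green ~ Binomial(scored, GAMMA)."""
    if scored == 0:
        return 1.0
    z = (green - GAMMA * scored) / math.sqrt(scored * GAMMA * (1 - GAMMA))
    return 0.5 * math.erfc(z / math.sqrt(2))

def min_green_ratio(scored: int, alpha: float) -> float:
    """Smallest green ratio that rejects H0 at level alpha given `scored` pooled tokens."""
    z_alpha = NormalDist().inv_cdf(1 - alpha)
    return min(1.0, GAMMA + z_alpha * math.sqrt(GAMMA * (1 - GAMMA) / scored))

def toy_watermarked(key: bytes, vocab: list[str], n: int, rng: random.Random) -> list[str]:
    """Constructed stand-in for a watermarked document: every emitted token is green."""
    toks = [rng.choice(vocab)]
    while len(toks) < n:
        toks.append(rng.choice([t for t in vocab if is_green(key, toks[-1], t)]))
    return toks

if __name__ == "__main__":
    for n in (100, 1000, 10000):  # pooled scored tokens grow with the number of queries
        print(n, round(min_green_ratio(n, alpha=1e-3), 4))
```

The required green ratio falls toward `GAMMA` as more responses are pooled, which is why a weak per-response signal can still be rejected under the null at a fixed false-positive rate `alpha`.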