Segmenting Watermarked Texts From Language Models

TL;DR

This work focuses on a scenario where an untrusted third-party user sends prompts to a trusted language model (LLM) provider, who then generates a text from their LLM with a watermark, and proposes a methodology to segment the published text into watermarked and non-watermarked sub-strings.

Abstract

Watermarking is a technique that involves embedding nearly unnoticeable statistical signals within generated content to help trace its source. This work focuses on a scenario where an untrusted third-party user sends prompts to a trusted language model (LLM) provider, who then generates a text from their LLM with a watermark. This setup makes it possible for a detector to later identify the source of the text if the user publishes it. The user can modify the generated text by substitutions, insertions, or deletions. Our objective is to develop a statistical method to detect if a published text is LLM-generated from the perspective of a detector. We further propose a methodology to segment the published text into watermarked and non-watermarked sub-strings. The proposed approach is built upon randomization tests and change point detection techniques. We demonstrate that our method ensures Type I and Type II error control and can accurately identify watermarked sub-strings by finding the corresponding change point locations. To validate our technique, we apply it to texts generated by several language models with prompts extracted from Google's C4 dataset and obtain encouraging numerical results. We release all code publicly at https://github.com/doccstat/llm-watermark-cpd.

Figures (8)

• Figure 1: Left panel: boxplots of the number of false detections with respect to different thresholds $\zeta$. Right panel: sequences of $p$-values from different methods in Setting 1 for Prompt 1 with threshold $\zeta = 0.005$. The detected change point locations are marked with dashed lines at the index $157$ for ITS and $158$ for ITSL, respectively.
• Figure 2: The boxplots of the Rand index comparing the clusters identified through the detected change points with the true clusters separated by the true change points with respect to different thresholds $\zeta$.
• Figure 3: Sequences of $p$-values for all methods given one fixed prompt in Setting 4 with the threshold $\zeta=0.005$. The true change points are located at $101$, $201$, $301$, and $401$. The change points detected by the EMS and EMSL methods are closer to the actual change points compared to those detected by the ITS and ITSL methods.
• Figure B.1: Sequences of $p$-values for the first $10$ prompts extracted from the Google C4 dataset for LLM openai-community/gpt2, organized into groups of four consecutive rows, each group corresponding to a distinct setting. Within each group, the rows represent $p$-values calculated using four different distance metrics: EMS, EMSL, ITS, and ITSL.
• Figure B.3: Sequence of $p$-values for the first $10$ prompts extracted from the Google C4 dataset for LLM facebook/opt-1.3b, organized into groups of four consecutive rows, each group corresponding to a distinct setting. Within each group, the rows represent $p$-values calculated using four different distance metrics: EMS, EMSL, ITS, and ITSL.

Theorems & Definitions (17)

• Example 1: Inverse transform sampling
• Example 2: Exponential minimum sampling
• Theorem 1
• Corollary 1
• Theorem 2
• Remark 1
• Proposition 1
• Theorem 3
• Remark 2
• proof : Proof of Theorem \ref{['thm1']}