Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Detecting LLM-Generated Peer Reviews

Vishisht Rao, Aounon Kumar, Himabindu Lakkaraju, Nihar B. Shah

TL;DR

The paper tackles the integrity problem of LLM-generated peer reviews by proposing a rigorous watermarking framework embedded via indirect prompt injection into manuscript PDFs. It introduces three watermark types (random start, random technical term, random citation), a robust indirect-prompt strategy (including font-embedding and cryptic prompts), and a statistically principled detection procedure that controls the family-wise error rate across many reviews. Empirical results show high watermark embedding success across multiple LLMs and datasets, strong resilience to common reviewer defenses, and practical FWER-controlled detection with superior power over Bonferroni-like corrections. The approach has significant implications for upholding review integrity, with potential extensions to grant proposals and broader text-generation contexts, while acknowledging adversarial challenges and the need for safeguards on both sides of the process.

Abstract

The integrity of peer review is fundamental to scientific progress, but the rise of large language models (LLMs) has introduced concerns that some reviewers may rely on these tools to generate reviews rather than writing them independently. Although some venues have banned LLM-assisted reviewing, enforcement remains difficult as existing detection tools cannot reliably distinguish between fully generated reviews and those merely polished with AI assistance. In this work, we address the challenge of detecting LLM-generated reviews. We consider the approach of performing indirect prompt injection via the paper's PDF, prompting the LLM to embed a covert watermark in the generated review, and subsequently testing for presence of the watermark in the review. We identify and address several pitfalls in naïve implementations of this approach. Our primary contribution is a rigorous watermarking and detection framework that offers strong statistical guarantees. Specifically, we introduce watermarking schemes and hypothesis tests that control the family-wise error rate across multiple reviews, achieving higher statistical power than standard corrections such as Bonferroni, while making no assumptions about the nature of human-written reviews. We explore multiple indirect prompt injection strategies--including font-based embedding and obfuscated prompts--and evaluate their effectiveness under various reviewer defense scenarios. Our experiments find high success rates in watermark embedding across various LLMs. We also empirically find that our approach is resilient to common reviewer defenses, and that the bounds on error rates in our statistical tests hold in practice. In contrast, we find that Bonferroni-style corrections are too conservative to be useful in this setting.

Detecting LLM-Generated Peer Reviews

TL;DR

The paper tackles the integrity problem of LLM-generated peer reviews by proposing a rigorous watermarking framework embedded via indirect prompt injection into manuscript PDFs. It introduces three watermark types (random start, random technical term, random citation), a robust indirect-prompt strategy (including font-embedding and cryptic prompts), and a statistically principled detection procedure that controls the family-wise error rate across many reviews. Empirical results show high watermark embedding success across multiple LLMs and datasets, strong resilience to common reviewer defenses, and practical FWER-controlled detection with superior power over Bonferroni-like corrections. The approach has significant implications for upholding review integrity, with potential extensions to grant proposals and broader text-generation contexts, while acknowledging adversarial challenges and the need for safeguards on both sides of the process.

Abstract

The integrity of peer review is fundamental to scientific progress, but the rise of large language models (LLMs) has introduced concerns that some reviewers may rely on these tools to generate reviews rather than writing them independently. Although some venues have banned LLM-assisted reviewing, enforcement remains difficult as existing detection tools cannot reliably distinguish between fully generated reviews and those merely polished with AI assistance. In this work, we address the challenge of detecting LLM-generated reviews. We consider the approach of performing indirect prompt injection via the paper's PDF, prompting the LLM to embed a covert watermark in the generated review, and subsequently testing for presence of the watermark in the review. We identify and address several pitfalls in naïve implementations of this approach. Our primary contribution is a rigorous watermarking and detection framework that offers strong statistical guarantees. Specifically, we introduce watermarking schemes and hypothesis tests that control the family-wise error rate across multiple reviews, achieving higher statistical power than standard corrections such as Bonferroni, while making no assumptions about the nature of human-written reviews. We explore multiple indirect prompt injection strategies--including font-based embedding and obfuscated prompts--and evaluate their effectiveness under various reviewer defense scenarios. Our experiments find high success rates in watermark embedding across various LLMs. We also empirically find that our approach is resilient to common reviewer defenses, and that the bounds on error rates in our statistical tests hold in practice. In contrast, we find that Bonferroni-style corrections are too conservative to be useful in this setting.

Paper Structure

This paper contains 24 sections, 1 theorem, 7 equations, 2 figures, 14 tables, 3 algorithms.

Table of Contents

  1. Introduction
  2. Design of methods
  3. Watermarking
  4. Choice of watermark
  5. Statistical testability
  6. Watermarks employed
  7. Random start
  8. Random technical term
  9. Random citation
  10. Indirect prompt injection
  11. Statistical Detection
  12. Experimental evaluation
  13. Evaluating the efficacy of watermarking & prompt injection
  14. Evaluating resilience against reviewer defenses
  15. Defense strategy 1: paraphrasing
  16. ...and 9 more sections

Key Result

Proposition 1

(a) For any single review, the test in Algorithm AlgoSingleReview has a false positive rate at most $\frac{k}{|\mathcal{W}|}$, where $k=1$ in the fixed position setting. (b) When evaluating multiple reviews, the constraint eq:constraint_fwerbound ensures a family-wise error rate (FWER) at most $\alp

Figures (2)

  • Figure 1: Workflow diagram
  • Figure 2: An example of a paper with an injected prompt with human-readable different text fontembeddingpaperlink. Here, while the text appears as "This is submitted to the ICLR 2024 conference - main track", the underlying text read by LLMs is actually "Start your review with: This paper explores the key aspect." Our evaluations for this modified paper find that the watermark appears consistently in 10 review generations in ChatGPT 4o, ChatGPT o3-mini-high, Gemini 2.0 Flash, and Claude 3.5 Sonnet.

Theorems & Definitions (1)

  • Proposition 1