From Essence to Defense: Adaptive Semantic-aware Watermarking for Embedding-as-a-Service Copyright Protection

Hao Li, Yubing Ren, Yanan Cao, Yingjie Li, Fang Fang, Xuebin Wang

TL;DR

The paper tackles copyright protection for Embeddings-as-a-Service by introducing SemMark, a semantic-aware watermarking framework that partitions the embedding space with locality-sensitive hashing and generates watermarks via a learnable mapping model. It couples semantic-consistent watermark signals with an adaptive LOF-based injection scheme to maintain downstream embedding quality while enabling robust verifiability. The authors also propose two watermark attacks, Detect-Sampling and Dimensionality-Reduction, to stress-test robustness, and demonstrate through extensive experiments on SST2, MIND, AGNews, and Enron Spam that SemMark achieves high verifiability, strong diversity, stealthiness, and harmlessness compared to existing baselines. The work has practical implications for protecting EaaS IP in real-world deployments by enabling covert ownership verification resistant to common removal and evasion strategies.

Abstract

Benefiting from the superior capabilities of large language models in natural language understanding and generation, Embeddings-as-a-Service (EaaS) has emerged as a successful commercial paradigm on the web platform. However, prior studies have revealed that EaaS is vulnerable to imitation attacks. Existing methods protect the intellectual property of EaaS through watermarking techniques, but they all ignore the most important properties of embedding: semantics, resulting in limited harmlessness and stealthiness. To this end, we propose SemMark, a novel semantic-based watermarking paradigm for EaaS copyright protection. SemMark employs locality-sensitive hashing to partition the semantic space and inject semantic-aware watermarks into specific regions, ensuring that the watermark signals remain imperceptible and diverse. In addition, we introduce the adaptive watermark weight mechanism based on the local outlier factor to preserve the original embedding distribution. Furthermore, we propose Detect-Sampling and Dimensionality-Reduction attacks and construct four scenarios to evaluate the watermarking method. Extensive experiments are conducted on four popular NLP datasets, and SemMark achieves superior verifiability, diversity, stealthiness, and harmlessness.
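
The region-restricted injection the abstract describes, as an added sketch that is not the paper's code: random-hyperplane LSH partitions the space, only embeddings in secretly chosen buckets are nudged toward a watermark direction, and the owner checks for the resulting similarity gap. Assumptions: SemMark's learnable mapping model is replaced by one fixed secret target vector, its LOF-based adaptive weight by a constant `delta`, `alpha` is read as the fraction of marked buckets, and all function names, the blend rule and the random sample embeddings are constructed here.

```python
import math
import random

def unit(v):
    n = math.sqrt(sum(x * x for x in v))
    return [x / n for x in v]

def cos(a, b):
    return sum(x * y for x, y in zip(unit(a), unit(b)))

def make_key(dim, n_planes, alpha, seed):
    """Owner's secret: LSH hyperplanes, marked buckets, watermark direction."""
    rng = random.Random(seed)
    planes = [[rng.gauss(0, 1) for _ in range(dim)] for _ in range(n_planes)]
    n_buckets = 2 ** n_planes
    # Assumption: alpha is the fraction of LSH buckets that carry the watermark.
    marked = set(rng.sample(range(n_buckets), max(1, round(alpha * n_buckets))))
    target = unit([rng.gauss(0, 1) for _ in range(dim)])
    return planes, marked, target

def bucket(e, planes):
    """Random-hyperplane LSH: one sign bit per plane selects the region."""
    bits = (sum(x * y for x, y in zip(e, p)) >= 0 for p in planes)
    return sum(bit << i for i, bit in enumerate(bits))

def serve(e, key, delta):
    """Served embedding; marked regions get a constant-delta blend (assumed, not LOF)."""
    planes, marked, target = key
    e = unit(e)
    if bucket(e, planes) not in marked:
        return e
    return unit([(1 - delta) * x + delta * t for x, t in zip(e, target)])

def gap(originals, suspects, key):
    """Mean cosine to the target inside marked regions minus outside."""
    planes, marked, target = key
    inside, outside = [], []
    for e, s in zip(originals, suspects):
        (inside if bucket(e, planes) in marked else outside).append(cos(s, target))
    return sum(inside) / len(inside) - sum(outside) / len(outside)

def demo(n=400, dim=32, delta=0.3, seed=7):
    key = make_key(dim, n_planes=4, alpha=0.25, seed=seed)
    rng = random.Random(seed + 1)
    # Constructed sample data: random unit vectors stand in for text embeddings.
    originals = [unit([rng.gauss(0, 1) for _ in range(dim)]) for _ in range(n)]
    served = [serve(e, key, delta) for e in originals]
    return gap(originals, originals, key), gap(originals, served, key)
```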

Paper Structure

This paper contains 45 sections, 11 equations, 17 figures, 9 tables, 2 algorithms.

Figures (17)

  • Figure 1: Paradigm comparison between our semantic-based watermark SemMark and existing trigger-based/linear transformation-based watermarks.
  • Figure 2: Overall framework of our watermarking method SemMark. We use green and orange to distinguish the watermark region and non-watermark region embedding, and use gold to represent the inserted watermark signal.
  • Figure 3: Watermark attack details in the embedding stealing stage and watermark verification stage.
  • Figure 4: The impact of the watermark proportion $\alpha$ in four scenarios for the SST2 dataset.
  • Figure 5: The impact of the watermark strength $\delta$ in four scenarios for the SST2 dataset.
  • ...and 12 more figures