Watermarking LLM Agent Trajectories

Wenlong Meng, Chen Gong, Terry Yue Zhuo, Fan Zhang, Kecen Li, Zheng Liu, Zhou Yang, Chengkun Wei, Wenzhi Chen

TL;DR

ActHook is the first watermarking method tailored for agent trajectory datasets. It embeds hook actions that are triggered by a secret input key and leave the original task outcome unchanged, so a model trained on the watermarked trajectories can be identified by black-box querying alone.

Abstract

LLM agents rely heavily on high-quality trajectory data to guide their problem-solving behaviors, yet producing such data requires substantial task design, high-capacity model generation, and manual filtering. Despite the high cost of creating these datasets, existing literature has overlooked copyright protection for LLM agent trajectories. This gap leaves creators vulnerable to data theft and makes it difficult to trace misuse or enforce ownership rights. This paper introduces ActHook, the first watermarking method tailored for agent trajectory datasets. Inspired by hook mechanisms in software engineering, ActHook embeds hook actions that are activated by a secret input key and do not alter the original task outcome. Like software execution, LLM agents operate sequentially, allowing hook actions to be inserted at decision points without disrupting task flow. When the activation key is present, an LLM agent trained on watermarked trajectories can produce these hook actions at a significantly higher rate, enabling reliable black-box detection. Experiments on mathematical reasoning, web searching, and software engineering agents show that ActHook achieves an average detection AUC of 94.3 on Qwen-2.5-Coder-7B while incurring negligible performance degradation.

Paper Structure (27 sections, 1 theorem, 12 equations, 9 figures, 5 tables, 1 algorithm)

Key Result

Theorem 3.1

Let $\Delta_q = q_k - q_c > 0$ denote the effect size, where $q_k$ and $q_c$ are the hook action rates with and without the activation key, respectively. Let $n = NQ$ be the total number of queries, i.e., $N$ prompts each queried $Q$ times. To achieve false positive rate $\alpha$ and false negative rate $\beta$, it suffices to use queries, where $z_p$ denotes the $p$-th quantile of the standard normal distribution (e.g., $z_{0.95} \approx 1.645$, $z_{0.99} \approx 2.33$).

Figures (9)

  • Figure 1: Token entropy visualization of MATH. Computed using Qwen-2.5-Coder-7B. (a) Per-token entropy across a single trajectory; red dashed lines denote action start positions. (b) Mean entropy as a function of token position within actions. Both plots show that entropy peaks at action onset and declines thereafter.
  • Figure 2: Overview of ActHook. (Top) The injection procedure filters valid trajectories via $\mathcal{W}.\textsc{Check}$, samples a subset, and applies $\mathcal{W}.\textsc{Inject}$ to insert hook actions and append the watermark key $k$ to input prompts. $\mathcal{W}.\textsc{Inject}$ involves an LLM to ensure diversity. (Bottom) The detection procedure queries a suspect model with prompts containing the key ($k$) and without, then compares hook action frequencies. A significant gap $\hat{\Delta_q}$ indicates unauthorized dataset usage.
  • Figure 3: Detection performance across datasets on Qwen-2.5-Coder-7B. We set the number of prompts $N=1$. For each prompt, we perform $Q=8$ queries. The line plot illustrates the ROC curve for watermark detection, with shaded regions indicating standard deviation across three runs. The box plot reports the distribution of detection score $\hat{\Delta_q}$ when querying the watermarked model. Notably, ActHook achieves an AUC score of over 85.00 with only one prompt, while models struggle to learn CodeMark watermarks.
  • Figure 4: Statistical $t$-analysis across datasets on Qwen-2.5-Coder-7B. We perform a paired $t$-test comparing detection scores under the real watermark key versus a sham key. Larger $t$-scores indicate stronger statistical significance.
  • Figure 5: AUC versus watermark ratio.
  • ...and 4 more figures
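The detection procedure sketched in Figure 2 and Figure 3 (query a suspect model $N \times Q$ times with and without the key, compare hook action rates, and read the gap $\hat{\Delta}_q$ against Theorem 3.1's sample-size bound) can be made concrete as follows. This is an added example, not code from the ActHook paper or its authors: the suspect model is a constructed stand-in (a seeded Bernoulli sampler), the activation key and hook action names are hypothetical, and the sample-size helper uses the standard two-proportion normal approximation, which is an assumption and does not reproduce the paper's own Theorem 3.1 expression.

```python
"""Black-box detection of an ActHook-style trajectory watermark.

Added example; not code from the ActHook paper.  The suspect model is a
constructed stand-in, ACTIVATION_KEY and HOOK_ACTIONS are hypothetical,
and queries_needed() uses the standard two-proportion normal
approximation (an assumption, not the paper's Theorem 3.1 bound).
"""
import math
import random
from typing import Callable, List

# Hypothetical secret key appended to prompts at detection time.
ACTIVATION_KEY = "ak-7f3c9e"
# Hypothetical hook actions a watermarked model learns to emit.
HOOK_ACTIONS = {"echo_state", "noop_check"}

Trajectory = List[str]
SuspectModel = Callable[[str], Trajectory]


def normal_cdf(x: float) -> float:
    """Standard normal CDF via erfc; avoids a scipy dependency."""
    return 0.5 * math.erfc(-x / math.sqrt(2.0))


def normal_quantile(p: float) -> float:
    """z_p, the p-th quantile of the standard normal, by bisection on normal_cdf."""
    lo, hi = -10.0, 10.0
    for _ in range(100):
        mid = (lo + hi) / 2.0
        if normal_cdf(mid) < p:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2.0


def make_suspect(rate_with_key: float, rate_without_key: float, seed: int = 0) -> SuspectModel:
    """Constructed stand-in for a suspect agent: emits a hook action with
    probability rate_with_key when the key is present in the prompt and
    rate_without_key otherwise.  A clean model has both rates about equal."""
    rng = random.Random(seed)

    def suspect(prompt: str) -> Trajectory:
        rate = rate_with_key if ACTIVATION_KEY in prompt else rate_without_key
        trajectory = ["read_task", "plan"]
        if rng.random() < rate:
            trajectory.append("echo_state")  # the hook action
        trajectory.append("submit_answer")
        return trajectory

    return suspect


def hook_rate(suspect: SuspectModel, prompts: List[str], queries_per_prompt: int, with_key: bool) -> float:
    """Fraction of the N*Q trajectories containing at least one hook action."""
    hits = 0
    for prompt in prompts:
        query = f"{prompt} {ACTIVATION_KEY}" if with_key else prompt
        for _ in range(queries_per_prompt):
            if any(action in HOOK_ACTIONS for action in suspect(query)):
                hits += 1
    return hits / (len(prompts) * queries_per_prompt)


def detect(suspect: SuspectModel, prompts: List[str], queries_per_prompt: int = 8, alpha: float = 0.05) -> dict:
    """Estimate q_k and q_c, compute the gap, and run a one-sided
    two-proportion z-test of H0: q_k == q_c.  Flag the model when p < alpha."""
    n = len(prompts) * queries_per_prompt
    q_k = hook_rate(suspect, prompts, queries_per_prompt, with_key=True)
    q_c = hook_rate(suspect, prompts, queries_per_prompt, with_key=False)
    delta = q_k - q_c
    pooled = (q_k + q_c) / 2.0
    se = math.sqrt(2.0 * pooled * (1.0 - pooled) / n)
    z = delta / se if se > 0 else 0.0
    p_value = 1.0 - normal_cdf(z)
    return {"n": n, "q_k": q_k, "q_c": q_c, "delta": delta, "z": z,
            "p_value": p_value, "flagged": p_value < alpha}


def queries_needed(q_k: float, q_c: float, alpha: float = 0.05, beta: float = 0.05) -> int:
    """Queries per arm (with key / without key) so that a one-sided test at
    false positive rate alpha has false negative rate at most beta.
    Standard two-proportion normal approximation (assumption)."""
    delta = q_k - q_c
    if delta <= 0:
        raise ValueError("effect size q_k - q_c must be positive")
    pooled = (q_k + q_c) / 2.0
    z_a = normal_quantile(1.0 - alpha)
    z_b = normal_quantile(1.0 - beta)
    numer = (z_a * math.sqrt(2.0 * pooled * (1.0 - pooled))
             + z_b * math.sqrt(q_k * (1.0 - q_k) + q_c * (1.0 - q_c)))
    return math.ceil((numer / delta) ** 2)


if __name__ == "__main__":
    prompts = [f"task-{i}" for i in range(8)]  # constructed prompts
    print("watermarked:", detect(make_suspect(0.7, 0.05, seed=1), prompts))
    print("clean:      ", detect(make_suspect(0.05, 0.05, seed=2), prompts))
    print("queries per arm for q_k=0.6, q_c=0.1:", queries_needed(0.6, 0.1))
```

The two arms are sampled from the same prompts, matching the paired comparison in Figure 4; a sham key (a string the model was never trained on) in place of `ACTIVATION_KEY` should drive `delta` toward zero, which is the control a practitioner should run before trusting a positive result.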

Theorems & Definitions (1)

  • Theorem 3.1: Sample Complexity