Protecting Intellectual Property of Language Generation APIs with Lexical Watermark
Xuanli He, Qiongkai Xu, Lingjuan Lyu, Fangzhao Wu, Chenguang Wang

TL;DR
This paper introduces a lexical watermarking technique to protect the intellectual property of natural language generation APIs by embedding identifiable watermarks into generated text, effectively deterring model extraction attacks.
Contribution
The work presents a novel lexical modification-based watermarking method for NLG APIs that outperforms existing techniques in detectability, semantic preservation, and human interpretability.
Findings
Watermarks are more detectable with lower semantic loss.
The approach is effective across different domains.
It remains robust even when attackers train on mixed data with minimal watermarked samples.
Abstract
Nowadays, due to the breakthrough in natural language generation (NLG), including machine translation, document summarization, image captioning, etc., NLG models have been encapsulated in cloud APIs to serve over half a billion people worldwide and process over one hundred billion word generations per day. Thus, NLG APIs have already become essential profitable services in many commercial companies. Due to the substantial financial and intellectual investments, service providers adopt a pay-as-you-use policy to promote sustainable market growth. However, recent works have shown that cloud platforms suffer from financial losses imposed by model extraction attacks, which aim to imitate the functionality and utility of the victim services, thus violating the intellectual property (IP) of cloud APIs. This work targets at protecting IP of NLG APIs by identifying the attackers who have utilized…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Advanced Malware Detection Techniques · Security and Verification in Computing
