On Evaluating The Performance of Watermarked Machine-Generated Texts Under Adversarial Attacks

TL;DR

This paper systematically evaluates the robustness of various watermarking schemes for machine-generated texts against different attacks, revealing vulnerabilities and emphasizing the need for more resilient solutions.

Contribution

It categorizes watermarking schemes and attacks, conducts extensive experiments, and provides insights into their robustness and imperceptibility, highlighting areas for improvement.

Findings

Post-text attacks are more effective than pre-text attacks.

Pre-text watermarks are more imperceptible and maintain text quality.

Current watermarking schemes are vulnerable to combined attacks.

Abstract

Large Language Models (LLMs) excel in various applications, including text generation and complex tasks. However, the misuse of LLMs raises concerns about the authenticity and ethical implications of the content they produce, such as deepfake news, academic fraud, and copyright infringement. Watermarking techniques, which embed identifiable markers in machine-generated text, offer a promising solution to these issues by allowing for content verification and origin tracing. Unfortunately, the robustness of current LLM watermarking schemes under potential watermark removal attacks has not been comprehensively explored. In this paper, to fill this gap, we first systematically comb the mainstream watermarking schemes and removal attacks on machine-generated texts, and then we categorize them into pre-text (before text generation) and post-text (after text generation) classes so that we can conduct diversified analyses. In our experiments, we evaluate eight watermarks (five pre-text, three post-text) and twelve attacks (two pre-text, ten post-text) across 87 scenarios. Evaluation results indicate that (1) KGW and Exponential watermarks offer high text quality and watermark retention but remain vulnerable to most attacks; (2) Post-text attacks are found to be more efficient and practical than pre-text attacks; (3) Pre-text watermarks are generally more imperceptible, as they do not alter text fluency, unlike post-text watermarks; (4) Additionally, combined attack methods can significantly increase effectiveness, highlighting the need for more robust watermarking solutions. Our study underscores the vulnerabilities of current techniques and the necessity for developing more resilient schemes.