WET: Overcoming Paraphrasing Vulnerabilities in Embeddings-as-a-Service with Linear Transformation Watermarks

TL;DR

This paper introduces a new linear transformation watermarking method for Embeddings-as-a-Service that is robust against paraphrasing attacks, addressing vulnerabilities of existing watermark techniques.

Contribution

A novel linear transformation watermarking technique for EaaS embeddings that resists paraphrasing-based removal, supported by empirical and theoretical analysis.

Findings

Existing watermarks can be removed by paraphrasing attacks.

The proposed linear transformation watermark is robust against paraphrasing.

The method is supported by both empirical experiments and theoretical proofs.

Abstract

Embeddings-as-a-Service (EaaS) is a service offered by large language model (LLM) developers to supply embeddings generated by LLMs. Previous research suggests that EaaS is prone to imitation attacks -- attacks that clone the underlying EaaS model by training another model on the queried embeddings. As a result, EaaS watermarks are introduced to protect the intellectual property of EaaS providers. In this paper, we first show that existing EaaS watermarks can be removed by paraphrasing when attackers clone the model. Subsequently, we propose a novel watermarking technique that involves linearly transforming the embeddings, and show that it is empirically and theoretically robust against paraphrasing.