Your Semantic-Independent Watermark is Fragile: A Semantic Perturbation Attack against EaaS Watermark
Zekun Fei, Biao Yi, Jianing Geng, Ruiqi He, Lihai Nie, Zheli Liu

TL;DR
This paper introduces the Semantic Perturbation Attack (SPA), exposing vulnerabilities in existing EaaS watermarking schemes by exploiting their semantic independence, leading to high false negatives and compromised copyright protection.
Contribution
It reveals the semantic-independent flaw in current watermarking schemes and proposes SPA as an effective attack method, along with potential defenses.
Findings
Under SPA, the TPR for identifying watermarked samples can exceed 95%, allowing the watermark to be bypassed
Semantic independence makes watermark schemes vulnerable to semantic perturbations
Proposes defense strategies to mitigate SPA
Abstract
Embedding-as-a-Service (EaaS) has emerged as a successful business pattern but faces significant challenges related to various forms of copyright infringement, particularly API misuse and model extraction attacks. Various studies have proposed backdoor-based watermarking schemes to protect the copyright of EaaS services. In this paper, we reveal that previous watermarking schemes possess semantic-independent characteristics and propose the Semantic Perturbation Attack (SPA). Our theoretical and experimental analyses demonstrate that this semantic-independent nature makes current watermarking schemes vulnerable to adaptive attacks that exploit semantic perturbation tests to bypass watermark verification. Extensive experimental results across multiple datasets demonstrate that the True Positive Rate (TPR) for identifying watermarked samples under SPA can reach up to more than 95%,…
Taxonomy
Topics: Digital Rights Management and Security
Methods: Attentive Walk-Aggregating Graph Neural Network
