Safeguarding Multimodal Knowledge Copyright in the RAG-as-a-Service Environment
Tianyu Chen, Jian Lou, Wenjie Wang
TL;DR
This paper introduces AQUA, a novel watermarking framework for protecting image knowledge in multimodal RAG systems, ensuring copyright security while maintaining efficiency and imperceptibility.
Contribution
AQUA is the first framework to embed semantic watermarks into synthetic images for multimodal RAG, addressing a key gap in copyright protection.
Findings
AQUA effectively embeds watermarks that survive indirect propagation.
Watermarks are robust, stealthy, and reliable across models and datasets.
The method maintains high imperceptibility and efficiency.
Abstract
As Retrieval-Augmented Generation (RAG) evolves into service-oriented platforms (Rag-as-a-Service) with shared knowledge bases, protecting the copyright of contributed data becomes essential. Existing watermarking methods in RAG focus solely on textual knowledge, leaving image knowledge unprotected. In this work, we propose AQUA, the first watermark framework for image knowledge protection in Multimodal RAG systems. AQUA embeds semantic signals into synthetic images using two complementary methods: acronym-based triggers and spatial relationship cues. These techniques ensure watermark signals survive indirect watermark propagation from image retriever to textual generator, being efficient, effective and imperceptible. Experiments across diverse models and datasets show that AQUA enables robust, stealthy, and reliable copyright tracing, filling a key gap in multimodal RAG protection.
Peer Reviews
Decision·ICLR 2026 Poster
1. AQUA introduces a groundbreaking watermarking method for Multimodal RAG systems, focusing on the protection of image knowledge, an area previously neglected in watermarking research. By using semantic-based signals (acronyms and spatial relationships), it provides a new approach to watermark embedding that spans both image and text modalities. 2. The watermarking techniques, particularly AQUAacronym and AQUAspatial, are shown to be robust against various image transformations and attacks, in
1. Focuses on 7B-scale VLMs (LLaVA-NeXT, InternVL3, etc.) without assessing performance on larger models (e.g., 32B+ VLMs) or lightweight models for edge deployments. 2. Does not assess how watermark detection performance degrades over time with retriever/generator updates, fine-tuning, or dataset drift. 3. While mentioning a reference distribution for practical verification, it provides only a single example without guiding how to adapt it to diverse dataset characteristics or RAG system conf
- This is the first work to formally tackle image copyright protection in multimodal RAG. The problem formulation, particularly identifying "indirect watermark propagation" as a core challenge, is a novel and significant contribution. The two proposed methods are creative and well-designed solutions. - This work fills a critical, unaddressed gap in AI data governance as RAG services increasingly rely on proprietary multimodal data. AQUA provides a practical solution and sets a strong baseline fo
- The paper's threat model, which only considers one defender and one adversary, overlooks the multi-tenant nature of RaaS platforms. It's unclear how AQUA would prevent "collisions" where multiple providers independently create the same watermark (e.g., the same acronym or spatial concept), which could lead to false accusations of misuse. - The methods' reliance on VLM capabilities (OCR, spatial reasoning) is also a potential fragility. A future, more advanced VLM might identify AQUA_spatial im
1. This problem and the proposed method is novel. 2. This paper is well-structured and easy to follow. 3. The evaluation consider multiple attack methods.
1. The space between each paragraph seems small. 2. It seems no adapative attacks are considered. 3. There are only a few baselines to compare.
Code & Models
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsAdvanced Steganography and Watermarking Techniques · Adversarial Robustness in Machine Learning · Handwritten Text Recognition Techniques
MethodsLayer Normalization · Linear Warmup With Linear Decay · Refunds@Expedia|||How do I get a full refund from Expedia? · Attention Dropout · Byte Pair Encoding · Softmax · Linear Layer · Dropout · Dense Connections · Attention Is All You Need