Remotely Detectable Robot Policy Watermarking
Michael Amir, Manon Flageat, Amanda Prorok
TL;DR
This paper introduces CoNoCo, a novel watermarking method for robotic policies that enables remote detection through external signals, protecting intellectual property without affecting robot performance.
Contribution
The paper presents the first watermarking strategy for remote detection of robot policies, leveraging stochastic motion signals and formalizing detection via glimpse sequences.
Findings
Effective detection across multiple remote modalities
Robust performance in simulated and real-world experiments
Preserves robot policy performance without degradation
Abstract
The success of machine learning for real-world robotic systems has created a new form of intellectual property: the trained policy. This raises a critical need for novel methods that verify ownership and detect unauthorized, possibly unsafe misuse. While watermarking is established in other domains, physical policies present a unique challenge: remote detection. Existing methods assume access to the robot's internal state, but auditors are often limited to external observations (e.g., video footage). This ``Physical Observation Gap'' means the watermark must be detected from signals that are noisy, asynchronous, and filtered by unknown system dynamics. We formalize this challenge using the concept of a \textit{glimpse sequence}, and introduce Colored Noise Coherency (CoNoCo), the first watermarking strategy designed for remote detection. CoNoCo embeds a spectral signal into the robot's…
Peer Reviews
Decision·ICLR 2026 Poster
1. Well-scoped and original problem: The paper clearly frames a new challenge—verifying the ownership of a robot’s policy using only remote sensing (e.g., video), with no white-box access. The proposed “Physical Observation Gap” is realistic and well-formulated, addressing timing mismatches, unknown dynamics, and sensing limitations. 2. Simple but clever method: The idea to use colored Gaussian noise with energy concentrated in a secret frequency band is elegant. It avoids changing the marginal
1. Limited attack robustness: The experiments mainly test additive noise. But real-world attackers might apply frame drops, time shifts; none of which are evaluated here. These could undermine coherency-based detection. 2. Scope is restricted to continuous Gaussian policies: There’s no discussion on how this approach might extend to discrete or deterministic policies, which are common in practice
- Clear problem formulation of remote watermark detection with only glimpse sequences and a careful breakdown of synchronization uncertainty, dynamics, and noise. - A principled detector based on spectral coherency that is motivated by standard results in signal processing and that aligns well with the physical setting. - Broad experimental sweep across simulated and real platforms with multiple sensing modalities, including top down and side view video, with anonymization tests and ROC based re
## - Watermarks are not detected in the presence of obstacles in the navigation task. It remains to see if the CoNoCo policy characteristics would be detectable in a general cluttered environment. - Inability to Handle Time Offsets: This is a major operational weakness. The paper states that CoNoCo "does not handle large time offsets well" and that detection requires the "glimpse data recording needs to start near the beginning of the robot's operations". In any realistic scenario (like pullin
The paper is very theoretically sound, proving its claims in theory before moving to experimentation, in one case on real robot hardware. It is also thorough in its discussion on limitations, open questions and questions such as attack resilience of the CoNoCo approach.
For a reinforcement learning based paper that focuses on IP protections in robotics, it seems too thin on the experimental section to me, but otherwise is excellent.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsAdversarial Robustness in Machine Learning · Advanced Malware Detection Techniques · Physical Unclonable Functions (PUFs) and Hardware Security