Bypassing LLM Watermarks with Color-Aware Substitutions

Qilong Wu; Varun Chandrasekaran

doi:10.18653/v1/2024.acl-long.464

Bypassing LLM Watermarks with Color-Aware Substitutions

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Watermarking approaches are proposed to identify if text being circulated is human- or large language model- (LLM) generated. The state-of-the-art watermarking strategy of Kirchenbauer et al. (2023a) biases the LLM to generate specific (“green”) tokens. However, determining the robustness of this watermarking method under finite (low) edit budgets is an open problem. Additionally, existing attack methods fail to evade detection for longer text segments. We overcome these limitations, and propose Self Color Testing-based Substitution (SCTS), the first “color-aware” attack. SCTS obtains color information by strategically prompting the watermarked LLM and comparing output tokens frequencies. It uses this information to determine token colors, and substitutes green tokens with non-green ones. In our experiments, SCTS successfully evades watermark detection using fewer number of edits than related work. Additionally, we show both theoretically and empirically that SCTS can remove the watermark for arbitrarily long watermarked text.

Original language	English (US)
Title of host publication	Long Papers
Editors	Lun-Wei Ku, Andre F. T. Martins, Vivek Srikumar
Publisher	Association for Computational Linguistics (ACL)
Pages	8549-8581
Number of pages	33
ISBN (Electronic)	9798891760943
DOIs	https://doi.org/10.18653/v1/2024.acl-long.464
State	Published - 2024
Event	62nd Annual Meeting of the Association for Computational Linguistics, ACL 2024 - Bangkok, Thailand Duration: Aug 11 2024 → Aug 16 2024

Publication series

Name	Proceedings of the Annual Meeting of the Association for Computational Linguistics
Volume	1
ISSN (Print)	0736-587X

Conference

Conference	62nd Annual Meeting of the Association for Computational Linguistics, ACL 2024
Country/Territory	Thailand
City	Bangkok
Period	8/11/24 → 8/16/24

ASJC Scopus subject areas

Computer Science Applications
Linguistics and Language
Language and Linguistics

Online availability

10.18653/v1/2024.acl-long.464

Library availability

Discover UIUC Full Text

Cite this

Bypassing LLM Watermarks with Color-Aware Substitutions. / Wu, Qilong; Chandrasekaran, Varun.
Long Papers. ed. / Lun-Wei Ku; Andre F. T. Martins; Vivek Srikumar. Association for Computational Linguistics (ACL), 2024. p. 8549-8581 (Proceedings of the Annual Meeting of the Association for Computational Linguistics; Vol. 1).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Wu, Q & Chandrasekaran, V 2024, Bypassing LLM Watermarks with Color-Aware Substitutions. in L-W Ku, AFT Martins & V Srikumar (eds), Long Papers. Proceedings of the Annual Meeting of the Association for Computational Linguistics, vol. 1, Association for Computational Linguistics (ACL), pp. 8549-8581, 62nd Annual Meeting of the Association for Computational Linguistics, ACL 2024, Bangkok, Thailand, 8/11/24. https://doi.org/10.18653/v1/2024.acl-long.464

@inproceedings{f3997e5e9afc4f9d8a50d5c54fc65dcd,

title = "Bypassing LLM Watermarks with Color-Aware Substitutions",

abstract = "Watermarking approaches are proposed to identify if text being circulated is human- or large language model- (LLM) generated. The state-of-the-art watermarking strategy of Kirchenbauer et al. (2023a) biases the LLM to generate specific (“green”) tokens. However, determining the robustness of this watermarking method under finite (low) edit budgets is an open problem. Additionally, existing attack methods fail to evade detection for longer text segments. We overcome these limitations, and propose Self Color Testing-based Substitution (SCTS), the first “color-aware” attack. SCTS obtains color information by strategically prompting the watermarked LLM and comparing output tokens frequencies. It uses this information to determine token colors, and substitutes green tokens with non-green ones. In our experiments, SCTS successfully evades watermark detection using fewer number of edits than related work. Additionally, we show both theoretically and empirically that SCTS can remove the watermark for arbitrarily long watermarked text.",

author = "Qilong Wu and Varun Chandrasekaran",

note = "Publisher Copyright: {\textcopyright} 2024 Association for Computational Linguistics.; 62nd Annual Meeting of the Association for Computational Linguistics, ACL 2024 ; Conference date: 11-08-2024 Through 16-08-2024",

year = "2024",

doi = "10.18653/v1/2024.acl-long.464",

language = "English (US)",

series = "Proceedings of the Annual Meeting of the Association for Computational Linguistics",

publisher = "Association for Computational Linguistics (ACL)",

pages = "8549--8581",

editor = "Lun-Wei Ku and Martins, {Andre F. T.} and Vivek Srikumar",

booktitle = "Long Papers",

}

TY - GEN

T1 - Bypassing LLM Watermarks with Color-Aware Substitutions

AU - Wu, Qilong

AU - Chandrasekaran, Varun

PY - 2024

Y1 - 2024

N2 - Watermarking approaches are proposed to identify if text being circulated is human- or large language model- (LLM) generated. The state-of-the-art watermarking strategy of Kirchenbauer et al. (2023a) biases the LLM to generate specific (“green”) tokens. However, determining the robustness of this watermarking method under finite (low) edit budgets is an open problem. Additionally, existing attack methods fail to evade detection for longer text segments. We overcome these limitations, and propose Self Color Testing-based Substitution (SCTS), the first “color-aware” attack. SCTS obtains color information by strategically prompting the watermarked LLM and comparing output tokens frequencies. It uses this information to determine token colors, and substitutes green tokens with non-green ones. In our experiments, SCTS successfully evades watermark detection using fewer number of edits than related work. Additionally, we show both theoretically and empirically that SCTS can remove the watermark for arbitrarily long watermarked text.

AB - Watermarking approaches are proposed to identify if text being circulated is human- or large language model- (LLM) generated. The state-of-the-art watermarking strategy of Kirchenbauer et al. (2023a) biases the LLM to generate specific (“green”) tokens. However, determining the robustness of this watermarking method under finite (low) edit budgets is an open problem. Additionally, existing attack methods fail to evade detection for longer text segments. We overcome these limitations, and propose Self Color Testing-based Substitution (SCTS), the first “color-aware” attack. SCTS obtains color information by strategically prompting the watermarked LLM and comparing output tokens frequencies. It uses this information to determine token colors, and substitutes green tokens with non-green ones. In our experiments, SCTS successfully evades watermark detection using fewer number of edits than related work. Additionally, we show both theoretically and empirically that SCTS can remove the watermark for arbitrarily long watermarked text.

UR - http://www.scopus.com/inward/record.url?scp=85204426249&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85204426249&partnerID=8YFLogxK

U2 - 10.18653/v1/2024.acl-long.464

DO - 10.18653/v1/2024.acl-long.464

M3 - Conference contribution

AN - SCOPUS:85204426249

T3 - Proceedings of the Annual Meeting of the Association for Computational Linguistics

SP - 8549

EP - 8581

BT - Long Papers

A2 - Ku, Lun-Wei

A2 - Martins, Andre F. T.

A2 - Srikumar, Vivek

PB - Association for Computational Linguistics (ACL)

T2 - 62nd Annual Meeting of the Association for Computational Linguistics, ACL 2024

Y2 - 11 August 2024 through 16 August 2024

ER -

Bypassing LLM Watermarks with Color-Aware Substitutions

Abstract

Publication series

Conference

ASJC Scopus subject areas

Online availability

Library availability

Related links

Fingerprint

Cite this