Embedding-as-a-Service (EaaS) has emerged as a successful business pattern but faces significant challenges related to various forms of copyright infringement, including API misuse and different attacks. Various studies have proposed backdoor-based watermarking schemes to protect the copyright of EaaS services. In this paper, we reveal that previous watermarking schemes possess semantic-independent characteristics and propose the Semantic Perturbation Attack (SPA). Our theoretical and experimental analyses demonstrate that this semantic-independent nature makes current watermarking schemes vulnerable to adaptive attacks that exploit semantic perturbations test to bypass watermark verification. To address this vulnerability, we propose the Semantic Aware Watermarking (SAW) scheme, a robust defense mechanism designed to resist SPA, by injecting a watermark that adapts to the text semantics. Extensive experimental results across multiple datasets demonstrate that the True Positive Rate (TPR) for detecting watermarked samples under SPA can reach up to more than 95%, rendering previous watermarks ineffective. Meanwhile, our watermarking scheme can resist such attack while ensuring the watermark verification capability. Our code is available at https://github.com/Zk4-ps/EaaS-Embedding-Watermark.
翻译:嵌入即服务(EaaS)已成为一种成功的商业模式,但面临着与各种形式版权侵权相关的重大挑战,包括API滥用和不同类型的攻击。已有多种研究提出基于后门的水印方案来保护EaaS服务的版权。在本文中,我们揭示了先前的水印方案具有语义无关的特性,并提出了语义扰动攻击(SPA)。我们的理论和实验分析表明,这种语义无关的特性使得当前的水印方案容易受到自适应攻击的威胁,此类攻击利用语义扰动测试来绕过水印验证。为应对此漏洞,我们提出了语义感知水印(SAW)方案,这是一种旨在抵抗SPA的鲁棒防御机制,通过注入适应文本语义的水印来实现。在多个数据集上进行的大量实验结果表明,在SPA下检测带水印样本的真阳性率(TPR)最高可达95%以上,这使得先前的水印方案失效。同时,我们的水印方案能够抵抗此类攻击,同时确保水印验证能力。我们的代码可在 https://github.com/Zk4-ps/EaaS-Embedding-Watermark 获取。