Skip to content

Robust Data Watermarking in Language Models by Injecting Fictitious Knowledge

Conference: ACL 2025
arXiv: 2503.04036
Code: GitHub
Area: AI Safety
Keywords: Data Watermarking, Fictitious Knowledge, Training Data Provenance, Copyright Protection, Pre-training Safety

TL;DR

This paper proposes a data watermarking method based on Fictitious Knowledge. By injecting fictitious but plausible entities and their attribute descriptions into the training data, it achieves traceable verification of LLM training data ownership. The watermark is resilient to data preprocessing filters and supports black-box QA verification.

Background & Motivation

1. Background

The training of LLMs heavily relies on massive datasets collected from public web sources, but the use of these datasets often lacks explicit copyright consent (such as the NYT lawsuit). Data watermarking has gained attention as a technical solution to track training data ownership—embedding traceable signals into copyrighted text to verify whether the data was used for training through the model's memorization.

2. Limitations of Prior Work

  • Random Sequence Watermarking (Wei et al., 2024): Injecting random strings such as SHA hashes, which are easily detected by n-gram frequency analysis.
  • Templatized Text Watermarking (Meeus et al., 2024): Repeatedly injecting identical natural language text, which is directly removed by exact deduplication filters.
  • Fuzzy Watermarking (Shilov et al., 2024): Making minor perturbations to the same text. Although it can bypass exact deduplication, the n-gram distribution still significantly deviates from the normal training data.
  • Difficulty in Black-Box Verification: Many commercial LLMs only provide API access and do not expose logits, rendering loss-based watermark verification infeasible.

3. Key Challenge

For a watermark to be memorized by a model, it needs to be sufficiently repeated (to increase memorization strength). However, high repetition makes the watermark easily detected and removed by deduplication preprocessing filters. A fundamental contradiction exists between language diversity and memorization strength.

4. Goal

To design a watermarking method that balances language diversity (resilience to filtering), memorization strength (effectiveness), and black-box verifiability (practicality).

5. Key Insight

Leveraging the capability of LLMs to memorize factual knowledge (rather than fixed textual patterns)—injecting fictitious but plausible entities and their attributes, which LLMs memorize as new knowledge rather than relying on surface-level pattern repetition.

6. Core Idea

Sample semantic frames from FrameNet to generate fictitious entities and attributes, use LLMs to generate diverse descriptive documents as watermarks, and verify watermark existence through factual QA rather than relying on logits.

Method

Overall Architecture

  1. Watermark Generation: Sample frames from FrameNet -> Generate fictitious entities -> Assign attributes -> Generate descriptive documents
  2. Watermark Injection: Inject the generated documents into the training data
  3. Watermark Verification: Verify whether the model has memorized the watermark through hypothesis testing (either loss-based or QA-based)

Key Designs

Module 1: Fictitious Knowledge Watermark Generation

Taking "Heritage Pie" as an example: - Frame: FOOD (sampled from FrameNet) - Entity name: Heritage Pie (a fictitious but plausible name generated by GPT-4o-mini) - Attributes: Country=Argentina, Protein=Pheasant, Vegetable=Okra, Fruit=Papaya - Document: Natural language paragraphs describing this fictitious entity generated by Llama-3.1-8B-Instruct

Key constraint: Exclude high-risk domains (law, medicine) to avoid ethical issues.

Module 2: Hypothesis Testing to Evaluate Memorization Strength

Compare the loss of the model on the watermarked facts against the loss distribution of 1000 control facts. Control facts are generated by replacing target attributes (e.g., "Heritage Pie is from France").

\[z = \frac{\text{loss}_{\text{watermark}} - \mu_{\text{random}}}{\sigma_{\text{random}}}\]

\(z < -1.7\) denotes statistical significance (corresponding to a one-tailed test with \(p < 0.05\)). Lower \(z\) indicates stronger memorization.

Module 3: QA-based Black-Box Verification

For post-trained models, directly query fictitious facts in TriviaQA format: - Ask the model: "What is the country of origin of Heritage Pie?" - Check if the model outputs "Argentina" - Measure accuracy for each attribute respectively, and perform hypothesis testing against the random guessing distribution - Repeat 100 times (with different random seeds) to ensure stability

Loss & Training

  • By default, train Pythia-160M from scratch on 100M tokens + Dolma dataset
  • 200 words per watermark document, trained for a single epoch
  • Large model experiments: Continuous pre-training on OLMo-7B and Llama-3.1-8B

Key Experimental Results

Analysis of Watermark Design Factors

Injection Quantity and Length: - 256 documents are sufficient to achieve statistical significance (\(z < -1.7\)), accounting for <0.1% of the training data - Longer watermarks converge faster (requiring fewer injections to achieve significance)

Number of Attributes: - 4 independent attributes yield a watermark strength approximately 2 z-score units higher than 1 attribute - Higher information density -> Better memorization

Language Diversity:

Diversity Level z-score (256 Injections)
Identical documents ~-6
Paraphrased variants ~-5
Independently generated (default) ~-4
Multi-style generation ~-3.5

Higher diversity makes the watermark slightly weaker but more stealthy. This can be compensated for by increasing the injection quantity.

Resilience to Filtering

Watermark Type Exact Deduplication Fuzzy Deduplication Adversarial Filtering
Random Sequence ✓ Passed ✓ Passed ✗ Detected
Templatized Text ✗ Half removed ✓ Passed ✗ Detected
Fuzzy Text ✓ Passed ✓ Passed ✗ Detected
Fictitious Knowledge (Ours) ✓ Passed ✓ Passed ✓ Passed

Fictitious knowledge watermarking is the only method that passes all filters. The key reason is that its n-gram frequency and loss distribution highly overlap with normal training data (Figure 10).

Robustness to Post-Training

Model Loss z-score QA Accuracy QA z-score
OLMo+CP -5.734 / /
OLMo+CP+SFT -4.6 0.765 15.78
Llama+CP -5.151 / /
Llama+CP+SFT -4.83 0.693 14.81

The watermark remains effective even after continuous pre-training (CP) and instruction tuning (SFT). A QA z-score > 14 indicates an extremely strong statistical signal.

Key Findings

  1. The n-gram distribution of the fictitious knowledge watermark almost completely overlaps with the training data, rendering adversarial filtering ineffective.
  2. A small number of injections is highly effective: 256 injections (<0.1% of training data) are sufficient to achieve statistical significance.
  3. QA-based verification exhibits stronger statistical power in black-box scenarios (z-score > 14 vs. loss-based z-score of ~-5).
  4. The impact of the watermark domain is significant under low-injection regimes but tends to converge under high-injection regimes.
  5. The injection strategy (independent document vs. embedding in existing documents) has almost no effect on watermark strength.

Highlights & Insights

  1. Replacing "pattern memorization" with "knowledge memorization" is the core breakthrough—LLMs excel at memorizing factual knowledge, and leveraging this characteristic allows watermarks to integrate naturally into the training data.
  2. The multi-stage generation pipeline of FrameNet -> GPT-4o-mini -> Llama is elegantly designed, ensuring the plausibility and diversity of the fictitious knowledge.
  3. QA-based black-box verification is a significant practical innovation—addressing the core constraint of commercially closed-source models where logits are inaccessible.
  4. The adversarial filtering analysis systematically evaluates distributional anomalies of various watermarks on n-gram frequency and loss for the first time, proposing an effective attack paradigm.

Limitations & Future Work

  1. Proxy Evaluation: Large-scale experiments use continuous pre-training instead of training from scratch, which might not fully simulate real training dynamics.
  2. Ethical Risks: Injecting fictitious information may degrade data quality, although the paper claims this only affects unauthorized users.
  3. It remains untested whether state-of-the-art large models (e.g., GPT-4, Claude) can be effectively marked by such watermarks.
  4. The choice and verification of watermark attributes rely on the frame definitions of FrameNet, which may limit the applicability of the watermark.
  • Wei et al., 2024: Random sequence watermarking, the direct baseline and the source of the hypothesis testing framework in this paper.
  • Meeus et al., 2024: Templatized text watermarking, which verified the trade-off between "knowledge diversity" and "text repetition".
  • Shilov et al., 2024: Fuzzy watermarking, which inspired a deeper analysis of filtering resilience in this paper.
  • Kandpal et al., 2022: LLMs can memorize long-tail knowledge from a few occurrences, supporting the scalability of the proposed method.
  • Insights: The approach of injecting fictitious knowledge can be extended to applications such as data provenance tracking and copyright compliance tools.

Rating

  • Novelty: ⭐⭐⭐⭐⭐ — The idea of using fictitious knowledge as a watermark is novel and elegant, exploiting knowledge memorization from a unique perspective.
  • Experimental Thoroughness: ⭐⭐⭐⭐⭐ — Design factor analysis, filtering robustness, post-training robustness, scaling laws; the experimental chain is comprehensive.
  • Writing Quality: ⭐⭐⭐⭐⭐ — The problem definition is clear, the experiments are logically organized, and the figures are rich and convincing.
  • Value: ⭐⭐⭐⭐⭐ — Directly addresses the core challenge of training data copyright protection with a practical and scalable method.