AI Watermarks Are Vulnerable To Discreet Alterations

Posted on by Brian Colwell

Attackers may employ a variety of sophisticated attacks to bypass AI watermarking systems. Today, let’s dive more deeply into one of the most pervasive threats to AI watermarking systems – Discreet Alterations.

What Are “Discreet Alterations”?

Most watermarking systems rely on statistical patterns or specific token distributions rather than semantic understanding. When the statistics are altered while meaning is preserved, detection becomes difficult. What makes discreet alteration techniques particularly effective is their ability to target this tension between statistical pattern recognition and semantic preservation.

Discreet Alterations refer to subtle modifications made to AI-generated content with the specific intent of disrupting or removing embedded AI watermarks. Discreet Alterations are carefully calibrated to be subtle enough that they don’t significantly affect the content’s meaning or appearance to human users, while being sufficient to corrupt or erase the digital signals or patterns that watermarking systems rely on for detection. At their core, Discreet Alterations are minimally invasive changes that maintain semantic integrity while systematically undermining watermarking detection mechanisms. These changes are more sophisticated than simply adding whitespaces or misspelling words: in text, Discreet Alterations involve adding or deleting spaces or punctuation, introducing minor typos, and rephrasing sentences; for multimedia content like images or audio, techniques include slightly cropping, resizing, or rotating an image, adjusting brightness and contrast, or adding small amounts of noise.

By exploiting the inherent flexibility of natural language and the sensitivity of watermarking systems to minor changes, Discreet Alterations can systematically dismantle watermarking signals while maintaining the original content’s quality and meaning, making them a practical and effective method for bypassing AI watermark detection in both text and multimedia content; the most effective approaches include synonym substitution (replacing words with semantically equivalent alternatives), syntax restructuring (reordering sentence components while preserving meaning), paraphrasing (expressing identical ideas through different phrasing), character substitution (employing visually similar characters or homoglyphs), and style transfers (converting between formal/informal or active/passive voice constructions).

Types Of Discreet Alteration Attacks For Bypassing AI Watermarking Systems

“Discreet Alterations” represent a broader category of techniques for bypassing watermarking systems, all of which involve making subtle modifications to content to bypass AI detection or filtering systems while preserving the overall human-perceived meaning. Types of Discreet Alteration attacks commonly employed by adversaries include: Homoglyph and Zero-Width Attacks, Paraphrasing Attacks, and Tokenization Attacks.

Homoglyph & Zero-Width Attacks

Watermarking algorithms often rely on predictable tokenization of text, using a previous token or hash of a token sequence to determine where and how to embed a watermark. Homoglyph and Zero-Width Attacks alter this token sequence, changing the way text is split into tokens by the target model – which in turn changes the hash values and disrupts the watermarking logic. For example, inserting a zero-width space can cause a tokenizer to produce a different sequence of tokens, breaking the link between the original watermark and the altered text.

More specifically, a Homoglyph Attack replaces characters in text with visually similar characters that have different Unicode code points. For example, the Latin “O” can be swapped with the Greek “Ο” or the Cyrillic “О”. To the human eye, the text appears unchanged, but to a computer, the underlying code points are different, which can disrupt any process that relies on specific token sequences. Next, a Zero-Width Attack takes advantage of special Unicode characters that are invisible when rendered. By inserting zero-width joiners, non-joiners, or spaces between letters or words, attackers can subtly alter the way text is processed without affecting how it looks. This means the text remains readable and unchanged for humans, but automated systems see a different sequence. Examples of these invisible characters include: Zero-width space (U+200B), Zero-width non-joiner (U+200C), Zero-width joiner (U+200D), and Zero-width no-break space (U+FEFF).

Both Homoglyph and Zero-Width Attacks present major challenges for AI watermarking systems for the following reasons:

Detector Sensitivity: The effectiveness of these attacks lies in their simplicity and subtlety – even a small number of character substitutions or invisible insertions can significantly degrade the performance of watermark detectors, often to the point of making them useless (e.g., dropping the Matthews Correlation Coefficient close to zero). 

Visual Appearance vs. Unicode Representation: Homoglyph and zero-width attacks exploit the gap between the visual appearance of text and its underlying Unicode representation. Because these attacks do not change the visible appearance of the text, they are extremely difficult for humans to detect. This makes manual review ineffective and allows adversaries to bypass detection without raising suspicion.

Paraphrasing Attacks

Paraphrasing for bypassing AI watermarking systems refers to the process of rewriting or rephrasing AI-generated text – changing the arrangement of words, replacing words with synonyms, and altering the sentence structure – in such a way that the underlying watermark or identifying statistical pattern embedded by the AI model is disrupted or removed, while the original meaning and utility of the content are preserved. By preserving semantic content while disrupting token-level patterns, these attacks achieve high attack success rates against even advanced watermarking systems.

AI watermarking systems are vulnerable to Paraphrasing Attacks for the following reasons:

Context Chain Disruption: Watermark detection relies on analyzing n-grams with the same context as during generation. Paraphrasing disrupts this by: token reordering (breaking the sequential dependency chain), synonym substitution (changing green tokens to red or vice versa), and sentence restructuring (altering the context window for subsequent tokens). Even modest changes to early tokens cascade through the text, destroying the watermark signal while preserving meaning.

Desynchronization: Watermarks often rely on precise alignment or synchronization within the content. Small, seemingly harmless edits – such as cropping an image or changing its format – can desynchronize the watermark, rendering it unreadable by detection tools.

Natural Language Flexibility: Human language inherently offers multiple ways to express the same idea, making it difficult to create watermarks that persist through legitimate rephrasing. Translating text to another language and back effectively erases watermarks while preserving most semantic content. This works because: translation operates on meaning rather than token-level patterns, the regeneration process uses different statistical distributions, and watermark patterns don’t transfer across language boundaries. Even semantic watermarks struggle with this attack vector because cross-lingual semantic spaces aren’t perfectly aligned.

Tokenization Attacks

A Tokenization Attack involves manipulating the text generation process by altering how tokens (the basic units processed by AI models) are selected, ordered, or processed, specifically targeting the way text is broken down to undermine watermarking systems that rely on predictable token patterns or distributions, rendering embedded watermarks undetectable or significantly weakened. Some strategies for attacking a target model’s tokenization include querying the model with different watermark keys to estimate the unwatermarked token distribution and using detection API feedback to guide watermark removal while preserving content.

AI watermarking systems are vulnerable to Tokenization Attacks because of the following:

Tokenization Boundary Exploitation: AI watermarking systems often operate at the tokenization level, which creates vulnerability at token boundaries. Attackers can identify where one token ends and another begins, then make strategic modifications at these boundaries that preserve meaning while disrupting the watermark pattern.

Token Sequence Dependence: Watermark detection relies on the original token sequence remaining intact. By systematically adding non-watermarked tokens, trying different token replacements to reduce watermark detection scores (hopefully diluting the watermark signal below detection thresholds), and removing tokens that contribute strongly to the watermark, adversaries exploit the token sequence dependence of AI watermarking systems.

Uneven Watermark Distribution: Watermarks are often not uniformly distributed across all tokens. Some tokens or sequences may contribute more strongly to the watermark signal than others. By identifying and targeting these high-impact tokens, attackers can efficiently reduce watermark detectability with minimal text changes.

Thanks for reading!