Watermarking the outputs of generative models is a crucial technique for tracing copyright and preventing potential harm from AI-generated content. In this paper, we introduce a novel technique called Tree-Ring Watermarking that robustly fingerprints diffusion model outputs. Unlike existing methods that perform post-hoc modifications to images after sampling, Tree-Ring Watermarking subtly influences the entire sampling process, resulting in a model fingerprint that is invisible to humans. The watermark embeds a pattern into the initial noise vector used for sampling. These patterns are structured in Fourier space so that they are invariant to convolutions, crops, dilations, flips, and rotations. After image generation, the watermark signal is detected by inverting the diffusion process to retrieve the noise vector, which is then checked for the embedded signal. We demonstrate that this technique can be easily applied to arbitrary diffusion models, including text-conditioned Stable Diffusion, as a plug-in with negligible loss in FID. Our watermark is semantically hidden in the image space and is far more robust than watermarking alternatives that are currently deployed. Code is available at https://github.com/YuxinWenRick/tree-ring-watermark. 
                    This content will become publicly available on April 26, 2026
                            
                            Deep Audio Watermarks are Shallow: Limitations of Post-Hoc Watermarking Techniques for Speech
                        
                    
    
In the audio modality, state-of-the-art watermarking methods leverage deep neural networks to allow the embedding of human-imperceptible signatures in generated audio. The ideal is to embed signatures that can be detected with high accuracy when the watermarked audio is altered via compression, filtering, or other transformations. Existing audio watermarking techniques operate in a post-hoc manner, manipulating “low-level” features of audio recordings after generation (e.g. through the addition of a low-magnitude watermark signal). We show that this post-hoc formulation makes existing audio watermarks vulnerable to transformation-based removal attacks. Focusing on speech audio, we (1) unify and extend existing evaluations of the effect of audio transformations on watermark detectability, and (2) demonstrate that state-of-the-art post-hoc audio watermarks can be removed with no knowledge of the watermarking scheme and minimal degradation in audio quality.
        
    
- Award ID(s): 2222369
- PAR ID: 10638270
- Publisher / Repository: The 1st Workshop on GenAI Watermarking (WMARK), collocated with ICLR 2025
- Date Published:
- Subject(s) / Keyword(s): watermarking generative AI audio speech
- Format(s): Medium: X
- Sponsoring Org: National Science Foundation
More Like this
- Existing watermarked generation algorithms employ token-level designs and, therefore, are vulnerable to paraphrase attacks. To address this issue, we introduce watermarking on the semantic representation of sentences. We propose SemStamp, a robust sentence-level semantic watermarking algorithm that uses locality-sensitive hashing (LSH) to partition the semantic space of sentences. The algorithm encodes and LSH-hashes a candidate sentence generated by a language model, and conducts rejection sampling until the sampled sentence falls in watermarked partitions in the semantic embedding space. To test the paraphrastic robustness of watermarking algorithms, we propose a "bigram paraphrase" attack that produces paraphrases with small bigram overlap with the original sentence. This attack is shown to be effective against existing token-level watermark algorithms, while posing only minor degradations to SemStamp. Experimental results show that our novel semantic watermark algorithm is not only more robust than the previous state-of-the-art method on various paraphrasers and domains, but also better at preserving the quality of generation.
- This paper introduces a novel approach to detecting cyber attacks for power electronics-interfaced renewable resources, e.g., solar panels. The approach leverages the inherent variability of renewable energy generation to watermark the measurements of renewable resources that are vulnerable to false data injection (FDI) attacks. By checking the existence of the watermarks imprinted by the natural fluctuations of renewables, false data injection attacks can be detected. Compared with the conventional watermarking methods, the proposed approach does not require additional noise injection which compromises control performance. The effectiveness of the proposed approach is validated by simulating a solar photovoltaic system.
- Text watermarks for large language models (LLMs) have been commonly used to identify the origins of machine-generated content, which is promising for assessing liability when combating deepfake or harmful content. While existing watermarking techniques typically prioritize robustness against removal attacks, unfortunately, they are vulnerable to spoofing attacks: malicious actors can subtly alter the meanings of LLM-generated responses or even forge harmful content, potentially misattributing blame to the LLM developer. To overcome this, we introduce a bi-level signature scheme, Bileve, which embeds fine-grained signature bits for integrity checks (mitigating spoofing attacks) as well as a coarse-grained signal to trace text sources when the signature is invalid (enhancing detectability) via a novel rank-based sampling strategy. Compared to conventional watermark detectors that only output binary results, Bileve can differentiate 5 scenarios during detection, reliably tracing text provenance and regulating LLMs. The experiments conducted on OPT-1.3B and LLaMA-7B demonstrate the effectiveness of Bileve in defeating spoofing attacks with enhanced detectability.
- Electronic counterfeiting is a longstanding problem with adverse long-term effects for many sectors, remaining on the rise. This article presents a novel low-cost technique to embed watermarking in devices with resistive-RAM (ReRAM) by manipulating its analog physical characteristics through switching (set/reset) operation to prevent counterfeiting. We develop a system-level framework to control memory cells' physical properties for imprinting irreversible watermarks into commercial ReRAMs that will be retrieved by sensing the changes in cells' physical properties. Experimental results show that our proposed ReRAM watermarking is robust against temperature variation and acceptably fast with ~0.6 bit/min of imprinting and ~15.625 bits/s of retrieval rates.
 An official website of the United States government
