CN118608367A - A watermark embedding and detection method and device for large model generated text - Google Patents
- Publication number
- CN118608367A
- Authority
- CN
- China
- Prior art keywords
- sequence
- watermark
- token
- token sequence
- pseudo
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06T—IMAGE DATA PROCESSING OR GENERATION, IN GENERAL
- G06T1/00—General purpose image data processing
- G06T1/0021—Image watermarking
- G06T1/005—Robust watermarking, e.g. average attack or collusion attack resistant
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F40/00—Handling natural language data
- G06F40/20—Natural language analysis
- G06F40/205—Parsing
- G06F40/216—Parsing using statistical methods
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06T—IMAGE DATA PROCESSING OR GENERATION, IN GENERAL
- G06T1/00—General purpose image data processing
- G06T1/0021—Image watermarking
- G06T1/0042—Fragile watermarking, e.g. so as to detect tampering
Abstract
The present invention discloses a watermark embedding and detection method and device for large-model-generated text. Watermark embedding adopts a serial structure: it takes the prompt and the generated preceding token sequence as input, embeds a robust watermark and then a fragile watermark, and outputs generated text carrying the joint watermark. Watermark detection adopts a parallel structure: it detects the robust watermark information and the fragile watermark information separately, for source verification and tampering detection. Robust watermark embedding uses a watermark algorithm based on the sampling process, and its detection uses a statistical method to test the generation relationship between the key and the text. The fragile watermark also uses a watermark algorithm based on the sampling process, and detects whether the text has been tampered with by comparing whether the target words produced by sampling are consistent. Invisible robust and fragile watermark information can be embedded in the generated text without affecting its readability, which can be used not only to verify the source of the generated text but also to detect whether the text has been tampered with or otherwise attacked during dissemination.
Description
Technical Field
The present invention belongs to the technical field of watermark embedding and detection, and in particular relates to a watermark embedding and detection method and device for large-model-generated text.
Background Art
In recent years, large language models (LLMs) have made significant progress in the field of natural language processing. As the parameter counts of these models keep growing, their ability to understand and generate language has improved rapidly, and they have achieved very good results in dialogue systems, content creation, and many other forms of human-computer interaction. The improving capabilities of large models will have a disruptive impact on many fields. As LLMs are gradually applied in many industries and combined with scenarios such as medical diagnosis, legal consultation, and public services, they have made people's lives more convenient and improved work efficiency.
At the same time, the development of large language models faces some challenges: the authenticity and integrity of generated text are difficult to guarantee, and whether the text generation process has been maliciously manipulated remains a problem that needs continued research. When large language models are used in scenarios such as medical diagnosis, legal consultation, digital employees, and intelligent auditing, the generated text influences the user's subsequent decisions. If the text shown to the user has been maliciously manipulated or tampered with, it will not only mislead the user into unfavorable decisions but also make the public doubt the technical reliability of the service provider, causing losses that are hard to estimate.
Therefore, developing effective text source verification and tampering detection technology is a key part of keeping large-model applications secure. Given the wide variety of ways to tamper with text, preventing tampering at the source is extremely challenging. Using watermarks, an active forensics method, to achieve traceability and detect malicious tampering has therefore become a consensus in academia. However, existing text watermarking technology has a single function: it concentrates on detecting whether text was generated by a model, and is clearly insufficient for deeper needs such as detecting whether the text is complete.
Summary of the Invention
In view of the problems in the prior art, the purpose of the embodiments of the present application is to provide a watermark embedding and detection method and device for large-model-generated text, which can embed invisible robust watermark information and fragile watermark information into generated text without affecting its readability. It can be used not only to verify the source of the generated text, but also to detect whether the text has suffered attacks such as tampering, deletion, and watermark forgery during dissemination.
According to a first aspect of the embodiments of the present application, a watermark embedding method for large-model-generated text is provided, comprising:
obtaining a watermark key, a prompt for the large language model, a preceding-context window size, the large language model, and the generated preceding token sequence;
according to the prompt and the generated preceding token sequence, obtaining a first vocabulary probability distribution through the large language model; selecting a first selected token sequence from the generated preceding token sequence based on the preceding-context window size; generating a first pseudo-random number sequence from the first selected token sequence and the watermark key; computing the token at the next position from the first vocabulary probability distribution and the first pseudo-random number sequence; and sampling in turn until generation ends or the maximum generation length is reached, thereby forming a robust watermark text;
determining a minimum embedding number m and an expansion margin d; selecting the tokens of the robust watermark token sequence other than its last m+d tokens, together with the already generated fragile watermark token sequence, as a second selected token sequence; obtaining a second vocabulary probability distribution through the large language model according to the second selected token sequence; generating a second pseudo-random number sequence from the second selected token sequence and the watermark key; computing the token at the next position from the second vocabulary probability distribution and the second pseudo-random number sequence; and sampling in turn until generation ends or the maximum generation length is reached, thereby forming a joint watermark text.
Further, in forming the robust watermark text, the token at position y is generated as follows:
The prompt and the generated preceding token sequence are used as the input of the large language model to obtain the first vocabulary probability distribution, where |𝒗| is the size of the large language model vocabulary V;
Based on the preceding-context window size, n tokens are selected from the generated preceding token sequence as the first selected token sequence; the hash value of the first selected token sequence and the watermark key K is calculated and used as the seed of a pseudo-random number generator to generate the first pseudo-random number sequence, in which each pseudo-random number follows a uniform distribution on [0, 1];
The first index sequence is obtained through the calculation formula, the maximum value in the first index sequence is found by comparison, and the token at the resulting index in the vocabulary is taken as the output for the current position.
Further, in forming the joint watermark text, the token at position y is generated as follows:
The token sequence formed by concatenating the robust watermark token sequence, with its last m+d tokens removed, and the already generated fragile watermark token sequence is used as the input of the large language model to obtain the second vocabulary probability distribution, where |𝒗| is the size of the large language model vocabulary V;
The hash value of the input token sequences and the watermark key K is calculated and used as the seed of the pseudo-random number generator to generate the second pseudo-random number sequence, in which each pseudo-random number follows a uniform distribution on [0, 1];
The second index sequence is obtained through the calculation formula, its maximum value is found by comparison, and the word at the resulting index in the vocabulary is taken as the output for the current position.
According to a second aspect of the embodiments of the present application, a watermark embedding device for large-model-generated text is provided, comprising:
a first acquisition module, configured to obtain a watermark key, a prompt for the large language model, a preceding-context window size, the large language model, and the generated preceding token sequence;
a robust watermark generation module, configured to obtain a first vocabulary probability distribution through the large language model according to the prompt and the generated preceding token sequence, select a first selected token sequence from the generated preceding token sequence based on the preceding-context window size, generate a first pseudo-random number sequence from the first selected token sequence and the watermark key, compute the token at the next position from the first vocabulary probability distribution and the first pseudo-random number sequence, and sample in turn until generation ends or the maximum generation length is reached, thereby forming a robust watermark text;
a fragile watermark generation module, configured to determine a minimum embedding number m and an expansion margin d, select the tokens of the robust watermark token sequence other than its last m+d tokens, together with the already generated fragile watermark token sequence, as a second selected token sequence, obtain a second vocabulary probability distribution through the large language model according to the second selected token sequence, generate a second pseudo-random number sequence from the second selected token sequence and the watermark key, compute the token at the next position from the second vocabulary probability distribution and the second pseudo-random number sequence, and sample in turn until generation ends or the maximum generation length is reached, thereby forming a joint watermark text.
According to a third aspect of the embodiments of the present application, a watermark detection method for large-model-generated text is provided, comprising:
obtaining a watermark key, a preceding-context window size, a minimum embedding number m, a large language model, and a token sequence to be detected, wherein the watermark key, the preceding-context window size, the minimum embedding number, and the large language model are all the same as those used when the watermark was embedded;
according to the preceding-context window, selecting in turn a third selected token sequence for each position of the token sequence to be detected; generating a third pseudo-random number sequence for each position from the third selected token sequence and the watermark key, and combining them into a pseudo-random number detection matrix; computing the distance between the watermark key and the token sequence to be detected from the pseudo-random number detection matrix and the token sequence to be detected; if the distance is lower than a predetermined threshold, source detection passes;
determining a token position based on the minimum embedding number m; selecting the token sequence before that token position in the token sequence to be detected as a fourth selected token sequence; obtaining a third vocabulary probability distribution through the large language model according to the fourth selected token sequence; generating a fourth pseudo-random number sequence from the fourth selected token sequence and the watermark key; computing the token at the next position from the third vocabulary probability distribution and the fourth pseudo-random number sequence; and sampling in turn to obtain the tokens at the last m positions, thereby forming a reference token sequence; if the reference token sequence is identical to the token sequence at the corresponding positions of the token sequence to be detected, tampering detection passes.
Further, in the source detection process:
Using the preceding-context window size n, for every integer in the interval, the hash value of the token sequence to be detected and the watermark key K is calculated and used as the seed of the pseudo-random number generator to generate a third pseudo-random number sequence; the third pseudo-random number sequences at all token positions are combined into a pseudo-random number detection matrix (its size is given in terms of L, the length of the token sequence to be detected);
The random-number distance cost between the watermark key K and the token sequence to be detected is calculated; if cost is lower than the predetermined threshold, the token sequence to be detected is judged to pass source detection.
According to a fourth aspect of the embodiments of the present application, a watermark detection device for large-model-generated text is provided, comprising:
a second acquisition module, configured to obtain a watermark key, a preceding-context window size, a minimum embedding number, a large language model, and a token sequence to be detected, wherein the watermark key, the preceding-context window size, the minimum embedding number m, and the large language model are all the same as those used when the watermark was embedded;
a source detection module, configured to select in turn, according to the preceding-context window, a third selected token sequence for each position of the token sequence to be detected, generate a third pseudo-random number sequence for each position from the third selected token sequence and the watermark key and combine them into a pseudo-random number detection matrix, and compute the distance between the watermark key and the token sequence to be detected from the pseudo-random number detection matrix and the token sequence to be detected; if the distance is lower than a predetermined threshold, source detection passes;
a tampering detection module, configured to determine a token position based on the minimum embedding number m, select the token sequence before that token position in the token sequence to be detected as a fourth selected token sequence, obtain a third vocabulary probability distribution through the large language model according to the fourth selected token sequence, generate a fourth pseudo-random number sequence from the fourth selected token sequence and the watermark key, compute the token at the next position from the third vocabulary probability distribution and the fourth pseudo-random number sequence, and sample in turn to obtain the tokens at the last m positions, thereby forming a reference token sequence; if the reference token sequence is identical to the token sequence at the corresponding positions of the token sequence to be detected, tampering detection passes.
According to a fifth aspect of the embodiments of the present application, a computer program product is provided, comprising a computer program/instructions which, when executed by a processor, implement the methods described in the first and third aspects.
According to a sixth aspect of the embodiments of the present application, an electronic device is provided, comprising:
one or more processors;
a memory for storing one or more programs;
when the one or more programs are executed by the one or more processors, the one or more processors implement the methods described in the first and third aspects.
According to a seventh aspect of the embodiments of the present application, a computer-readable storage medium is provided, on which computer instructions are stored; when the instructions are executed by a processor, the steps of the methods described in the first and third aspects are implemented.
The technical solutions provided by the embodiments of the present application may have the following beneficial effects:
This application proposes a watermark embedding method for large-model-generated text. Through serial encoding, a sampling-based watermark embedding method embeds the robust watermark and then the fragile watermark, ensuring that the watermark's scope covers the entire text content and providing tamper protection for the full text. In the generated text, the fragile watermark information is mainly distributed in a certain amount of text at the end of the content, and the robust watermark information is distributed in the remaining text outside the fragile watermark. The embedding positions are designed this way to ensure that the tamper protection of the fragile watermark can cover the entire text.
This application proposes a watermark detection method for large-model-generated text that achieves source verification and tampering detection for the full text. Through parallel decoding, fragile watermark detection and robust watermark detection can be run in parallel or separately according to actual needs, which greatly improves efficiency. Robust watermark detection can still verify the binding between the key K and the modified watermark text when the original watermark text has been modified to a certain extent, giving the detecting party reliable proof of the text's source. Fragile watermark detection, on the premise that the binding between the key K and the text has been verified, provides effective proof of whether the text under test has been tampered with. The robust watermark detection method does not need to run the generation model; it is simple and computationally efficient, and it is robust to a certain degree of text editing attacks, so it can meet source verification needs in practical application scenarios. Fragile watermark detection has extremely high sensitivity and accuracy: in actual use, the tampering detection accuracy against single-token editing attacks can reach close to 1, and it also ensures that an attacker who does not hold the key K can hardly remove the watermark information effectively.
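The embedding and detection flow summarised above, as an added Python example that is not code from the patent. The index formula and the cost formula did not survive on this page, so the rule `r_i ** (1 / p_i)` and the cost "mean of log(1 - r)" are assumptions; `toy_model`, the key, prompt, parameters and threshold are constructed or hypothetical stand-ins.

```python
import hashlib
import math
import random

VOCAB = 16                      # constructed toy vocabulary: tokens are 0..15
KEY = b"constructed-demo-key"   # watermark key K (constructed value)
PROMPT = [3, 1, 4, 1, 5]        # constructed prompt tokens
N, M, D = 3, 8, 4               # window size n, minimum embedding number m, margin d
THRESHOLD = -1.5                # assumed threshold; unwatermarked text averages about -1


def _digest(tag, tokens):
    return hashlib.sha256(tag + b"|" + ",".join(map(str, tokens)).encode()).digest()


def toy_model(context):
    """Hypothetical stand-in for the LLM: next-token distribution over VOCAB."""
    rng = random.Random(_digest(b"toy-lm", context))
    weights = [rng.random() ** 3 + 1e-3 for _ in range(VOCAB)]
    total = sum(weights)
    return [w / total for w in weights]


def prn(key, selected):
    """Hash(selected tokens, K) seeds a PRNG; one uniform [0, 1) draw per vocabulary entry."""
    rng = random.Random(_digest(key, selected))
    return [rng.random() for _ in range(VOCAB)]


def pick(probs, r):
    """Assumed index rule: score r_i ** (1 / p_i), output the argmax token."""
    return max(range(VOCAB), key=lambda i: r[i] ** (1.0 / probs[i]))


def embed_robust(key, prompt, n, length):
    out = []
    for _ in range(length):
        probs = toy_model(prompt + out)              # model sees prompt + generated tokens
        out.append(pick(probs, prn(key, out[-n:])))  # seed from the last n generated tokens
    return out


def embed_joint(key, prompt, n, length, m, d):
    out = embed_robust(key, prompt, n, length)[:-(m + d)]  # drop the last m+d tokens
    for _ in range(m + d):  # toy model has no end-of-text token: regenerate exactly m+d
        out.append(pick(toy_model(out), prn(key, out)))    # seed from the whole prefix
    return out


def source_cost(key, tokens, n):
    """Source check: needs only K and the tokens, never the model."""
    xi = [prn(key, tokens[y - n:y]) for y in range(n, len(tokens))]  # detection matrix
    scores = [math.log(1.0 - row[tokens[y]]) for y, row in enumerate(xi, start=n)]
    return sum(scores) / len(scores)


def verify_integrity(key, tokens, m):
    """Tamper check: regenerate the last m tokens from everything before them."""
    prefix = list(tokens[:-m])
    ref = []
    for _ in range(m):
        ctx = prefix + ref
        ref.append(pick(toy_model(ctx), prn(key, ctx)))
    return ref == list(tokens[-m:])


if __name__ == "__main__":
    text = embed_joint(KEY, PROMPT, N, 200, M, D)
    edited = list(text)
    edited[50] = (edited[50] + 1) % VOCAB  # single-token edit in the robust region
    for name, seq in (("original", text), ("edited", edited)):
        print(name, round(source_cost(KEY, seq, N), 2), verify_integrity(KEY, seq, M))
```

Because the fragile seed covers the whole prefix, one changed token anywhere alters every regenerated tail token, while the windowed robust seed only loses the positions whose window contains the edit.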
It should be understood that the foregoing general description and the following detailed description are exemplary and explanatory only and do not limit the present application.
Brief Description of the Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present application and, together with the description, serve to explain the principles of the present application.
Fig. 1 is a flowchart of a watermark embedding method for large-model-generated text according to an exemplary embodiment.
Fig. 2 is a flowchart of robust watermark embedding according to an exemplary embodiment.
Fig. 3 is a flowchart of fragile watermark embedding according to an exemplary embodiment.
Fig. 4 is a flowchart of a watermark detection method for large-model-generated text according to an exemplary embodiment.
Fig. 5 is a flowchart of source detection according to an exemplary embodiment.
Fig. 6 is a flowchart of tampering detection according to an exemplary embodiment.
Fig. 7 is a block diagram of a watermark embedding device for large-model-generated text according to an exemplary embodiment.
Fig. 8 is a block diagram of a watermark detection device for large-model-generated text according to an exemplary embodiment.
Fig. 9 is a schematic diagram of an electronic device according to an exemplary embodiment.
Detailed Description
Exemplary embodiments are described in detail here, and examples of them are shown in the accompanying drawings. When the following description refers to the drawings, the same numbers in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the present application.
The terms used in this application are for the purpose of describing specific embodiments only and are not intended to limit this application. The singular forms "a", "said" and "the" used in this application and the appended claims are also intended to include the plural forms unless the context clearly indicates otherwise. It should also be understood that the term "and/or" used herein refers to and includes any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in this application to describe various information, the information should not be limited by these terms. These terms are only used to distinguish information of the same type from one another. For example, without departing from the scope of this application, first information may also be called second information, and similarly, second information may also be called first information. Depending on the context, the word "if" as used herein may be interpreted as "at the time of", "when", or "in response to determining".
Fig. 1 is a flowchart of a watermark embedding method for large-model-generated text according to an exemplary embodiment. As shown in Fig. 1, the method is applied in a terminal and may include the following steps:
Step S11: obtaining a watermark key, a prompt for the large language model, a preceding-context window size, the large language model, and the generated preceding token sequence;
Step S12: according to the prompt and the generated preceding token sequence, obtaining a first vocabulary probability distribution through the large language model; selecting a first selected token sequence from the generated preceding token sequence based on the preceding-context window size; generating a first pseudo-random number sequence from the first selected token sequence and the watermark key; computing the token at the next position from the first vocabulary probability distribution and the first pseudo-random number sequence; and sampling in turn until generation ends or the maximum generation length is reached, thereby forming a robust watermark text;
Step S13: determining a minimum embedding number m and an expansion margin d; selecting the tokens of the robust watermark token sequence other than its last m+d tokens, together with the already generated fragile watermark token sequence, as a second selected token sequence; obtaining a second vocabulary probability distribution through the large language model according to the second selected token sequence; generating a second pseudo-random number sequence from the second selected token sequence and the watermark key; computing the token at the next position from the second vocabulary probability distribution and the second pseudo-random number sequence; and sampling in turn until generation ends or the maximum generation length is reached, thereby forming a joint watermark text.
As the above embodiment shows, this application uses serial encoding and a sampling-based watermark embedding method to embed the robust watermark and then the fragile watermark, ensuring that the watermark's scope covers the entire text content and providing tamper protection for the full text. In the generated text, the fragile watermark information is mainly distributed in a certain amount of text at the end of the content, and the robust watermark information is distributed in the remaining text outside the fragile watermark. The embedding positions are designed this way to ensure that the tamper protection of the fragile watermark can cover the entire text. If the fragile watermark were embedded at a non-final position, the final positions would be generated after the fragile watermark's embedding positions, so the watermark could not protect them at all, and any simple editing attack could easily tamper with the text content.
In the specific implementation of step S11, the watermark key K, the prompt of the large language model, the context window size, the large language model M, and the generated preceding token sequence are obtained;
Specifically, a large language model generates text autoregressively: it takes the prompt and the generated preceding token sequence as input, outputs the next word predicted by the model, and repeats this loop until the complete text is generated.
This generation mode means that watermark information can only protect the preceding content that has already been generated and can hardly act on text that is yet to be generated. Text source verification and tamper detection, however, must be effective for the complete text, so the watermark embedding process, embedding position, and embedding number are crucial to whether the watermark framework is effective. On this basis, the present application proposes the following watermark embedding process:
When generating text, robust watermark information is first embedded according to the watermark key K set by the watermark embedder, giving the complete generated text with robust watermark information; the minimum embedding number of the fragile watermark is then set, and a certain number of tokens at the end of the text are regenerated using the fragile watermark algorithm together with the large language model and the watermark key K, giving text content that carries both robust watermark information and fragile watermark information.
In the specific implementation of step S12, a first vocabulary probability distribution is obtained from the large language model according to the prompt and the generated preceding token sequence; based on the context window size, a first selected token sequence is selected from the generated preceding token sequence; a first pseudo-random number sequence is generated from the first selected token sequence and the watermark key; the token at the next position is computed from the first vocabulary probability distribution and the first pseudo-random number sequence; and sampling proceeds in sequence until generation ends or the maximum generation length is reached, thereby forming the robust watermark text;
Specifically, the robust watermark embedding process is shown in Figure 2. Taking the generation of the token at position y as an example, the prompt and the generated preceding token sequence are used as the input of the large language model to obtain the first vocabulary probability distribution, where |𝒗| is the size of the large language model vocabulary V. The hash value of the selected preceding n tokens and the watermark key K is calculated and used as the seed of a pseudorandom number generator (PRNG) to generate the first pseudo-random number sequence, in which each pseudo-random number follows the uniform distribution on [0,1]. The context window size is set according to the embedder's needs and is usually set to 1. The first index sequence is obtained by the calculation formula, the maximum value in the first index sequence is found by comparison, and the token at the corresponding index in the vocabulary is taken as the output at the current position. The token obtained through this generation process is then appended to the generated preceding token sequence and fed back into the model, and robust watermark generation is repeated until generation ends or the maximum generation length is reached, thereby forming the robust watermark text.
A pseudo-random number generator produces a sequence of numbers that appear statistically random but are in fact computed by a deterministic algorithm from an initial value (usually called the "seed"). Pseudo-random number generators are not truly random, because their output is deterministic, but the sequences they produce have the statistical properties of random numbers, such as uniform distribution and the absence of obvious patterns. Common pseudo-random number generation algorithms include the linear congruential generator (LCG) and the Mersenne Twister.
The robust watermark used in the present application has the properties of robustness, blind detectability, and transparency. Robustness requires that the watermark information can still be detected and identified with high accuracy after the carrier has been attacked and modified to a certain extent; the algorithm can withstand a certain degree of editing attacks (insertion, deletion, modification, and so on). Blind detectability requires that watermark detection can be carried out without relying on the model. Transparency means that the watermark algorithm has limited impact on the quality of the generated text and on the function of the large model. This method uses a sampling-based large model watermark, so the generated text is unbiased in its probability distribution and text quality is only slightly affected.
In the specific implementation of step S13, the minimum embedding number m and the expansion margin d are determined; the tokens of the robust watermark token sequence other than the last m+d tokens, together with the already generated fragile watermark token sequence, are selected as the second selected token sequence; a second vocabulary probability distribution is obtained from the large language model according to the second selected token sequence; a second pseudo-random number sequence is generated from the second selected token sequence and the watermark key; the token at the next position is computed from the second vocabulary probability distribution and the second pseudo-random number sequence; and sampling proceeds in sequence until generation ends or the maximum generation length is reached, thereby forming the joint watermark text.
The fragile watermark embedding process is shown in Figure 3. Taking the generation of the fragile watermark token at a given position as an example, the token sequence formed by concatenating the robust watermark token sequence, with its last m+d tokens removed, and the already generated fragile watermark token sequence is used as the input of the large language model to obtain the second vocabulary probability distribution, where |𝒗| is the size of the large language model vocabulary V. The hash value of the input token sequence and the watermark key K is calculated and used as the seed of the pseudo-random number generator PRNG to generate the second pseudo-random number sequence, in which each pseudo-random number follows the uniform distribution on [0,1]. The second index sequence is obtained by the calculation formula, its maximum value is found by comparison, and the word at the corresponding index in the vocabulary is taken as the output at the current position. The input sequence together with the token obtained through this generation process is then used as input to sample the fragile watermark token at the next position, and generation proceeds recursively until it ends or the maximum generation length is reached, forming the target text with the joint watermark.

By design, the fragile watermark uses the same embedding method as the robust watermark, but the input context window size n is extended to cover all generated text. When the preceding content changes, the random number sequence changes, and the watermark collides with a probability equal to the probability of the token at that position being selected; that is, with that probability the watermark information at that position is not destroyed. The collision probability is inversely proportional to the number of embedded watermark positions bound to the text: the more watermark positions the text is bound to, the greater the probability of detecting an anomaly when the text is tampered with. At embedding time, watermark information is embedded in at least a certain number of tokens at the end of the text, so that all of the text content receives the same watermark protection.
It should be noted that if the number of generated watermark positions does not meet the minimum embedding number requirement, the number of tokens to be regenerated at the end is increased until the minimum is met.
A fragile watermark design needs to be fragile, relocatable, and transparent. Relocatability requires that the embedding position of the fragile watermark can still be obtained accurately at detection time. To ensure high sensitivity and relocatability, the differences between watermark embedding and watermark extraction must be kept as small as possible. Because the prompt is not available at the watermark detection stage, this method removes the prompt input at the fragile watermark embedding stage, so that fragile watermark embedding and detection have exactly the same generation environment. This embedding approach makes the watermark both highly relocatable and highly fragile, but because the prompt is missing from the input, the quality of the generated text is affected to some extent.
In a specific implementation, because of the watermark embedding principle and the limited information redundancy of text, a single fragile watermark position gives limited protection and cannot meet tamper detection requirements. The more watermark positions are embedded, the stronger the watermark's effect, so embedding watermark positions consecutively at the end of the text significantly improves the accuracy of tamper detection. Watermark embedding does, however, affect the quality of the generated text. In practice the number of embedded watermark positions must be chosen to suit the scenario, balancing text generation quality against tamper detection accuracy, so as to get the most out of both the large model and the watermark framework.
Figure 4 is a flow chart of a watermark detection method for text generated by a large model according to an exemplary embodiment. As shown in Figure 4, the method is applied in a terminal and may include the following steps:
Step S21: Obtain the watermark key, the context window size, the minimum embedding number, the large language model, and the token sequence to be detected, where the watermark key, context window size, minimum embedding number, and large language model are all the same as those used when the watermark was embedded;
Step S22: According to the context window, select a third selected token sequence for each position in turn from the token sequence to be detected; generate a third pseudo-random number sequence for each position from the third selected token sequence and the watermark key, and combine these sequences into a pseudo-random number detection matrix; calculate the distance between the watermark key and the token sequence to be detected from the pseudo-random number detection matrix and the token sequence to be detected; if the distance is below a predetermined threshold, source detection passes;
Step S23: Determine a token position based on the minimum embedding number m; select the tokens before that position in the token sequence to be detected as the fourth selected token sequence; obtain a third vocabulary probability distribution from the large language model according to the fourth selected token sequence; generate a fourth pseudo-random number sequence from the fourth selected token sequence and the watermark key; compute the token at the next position from the third vocabulary probability distribution and the fourth pseudo-random number sequence; and sample in sequence to obtain the tokens at the last m positions, thereby forming a reference token sequence. If the reference token sequence is identical to the tokens at the corresponding positions in the token sequence to be detected, tamper detection passes.
As the above embodiment shows, the present application achieves source verification and tamper detection for the full text, and its parallel decoding lets fragile watermark detection and robust watermark detection run in parallel or separately as needed, which greatly improves efficiency. Robust watermark detection can still verify the binding between the key K and the modified watermarked text after the original watermarked text has been modified to a certain extent, giving the detecting party reliable proof of the text's source. Fragile watermark detection, on the premise that the binding between the key K and the text has been verified, provides effective proof of whether the text under test has been tampered with. The robust watermark detection method does not need to run the generative model; it is simple and computationally efficient, and it is robust to a certain degree of text editing attacks, so it meets source verification needs in practical scenarios. Fragile watermark detection has very high sensitivity and accuracy: in practice its tamper detection accuracy against single-token editing attacks approaches 1, and it also ensures that an attacker who does not hold the key K can hardly remove the watermark information effectively.
In the specific implementation of step S21, the watermark key K, the context window size, the minimum embedding number, the large language model M and its generation parameters, and the token sequence to be detected are obtained;
Specifically, two conditions are necessary to conclude that the text content has not been tampered with. The first is that source detection establishes a generation binding between the text under test and the supplied key, that is, the text was generated under the guidance of that key. The second is that fragile watermark sampling generation is carried out for the portion at the end of the text under test whose size is twice the minimum embedding number, and the number of consecutive tokens at the end of the text under test that are identical to the sampled tokens meets the minimum embedding number requirement. The result that the text has not been tampered with is valid only when both conditions hold. This design greatly reduces the success rate of a malicious attacker who forges a watermark by reproducing the watermark embedding method in order to pass tamper detection. In practice, the watermark key, context window size, minimum embedding number, and large language model and its parameters used at embedding time can be obtained from the watermark embedder or the service user.
In the specific implementation of step S22, according to the context window size, a third selected token sequence is selected for each position in turn from the token sequence to be detected; a third pseudo-random number sequence is generated for each position from the third selected token sequence and the watermark key K, and these sequences are combined into a pseudo-random number detection matrix; the distance between the watermark key K and the token sequence to be detected is calculated from the pseudo-random number detection matrix and the token sequence to be detected; if the distance is below a predetermined threshold, source detection passes;
Specifically, text source detection is performed by detecting the robust watermark information in the text. It checks whether a generation binding exists between the text under test and the supplied watermark key, that is, whether the text was generated under the guidance of that watermark key. Source detection takes as input the watermark key used at embedding time, the large model's vocabulary, and the text under test; it calculates the distance cost between the watermark key and the text under test by a statistical method, and judges the relationship between the text and the key against a preset cost threshold.
Specifically, to make the watermark blindly detectable, watermark detection calculates the distance between the pseudo-random numbers generated from the text and the input key and a truly random sequence, and uses it to judge the binding between the key and the text. As shown in Figure 5, this includes the following process:
Using the same context window size n as at watermark embedding, for every integer position in the interval, the hash value of the selected tokens of the token sequence to be detected and the watermark key K is calculated and used as the seed of the pseudo-random number generator to generate a third pseudo-random number sequence. The third pseudo-random number sequences at all token positions are combined into the pseudo-random number detection matrix, where L is the length of the token sequence to be detected. If the text has not been modified in any way, the third pseudo-random number sequence for each token position is the same as the first pseudo-random number sequence used at watermark embedding. The vocabulary index of the token at each position of the token sequence to be detected is looked up in the large language model's vocabulary. For example, if the fourth word of the text under test is "watermark" and its index in the vocabulary is assumed to be 42, then the pseudo-random value for that index is taken as the value of the fourth position. Accumulating in this way over the pseudo-random number detection matrix, the random number distance cost between the watermark key K and the token sequence to be detected is calculated, and comparing cost with the threshold determines whether the text was generated by the model under the guidance of the key K. The threshold is obtained by hypothesis testing combined with experimental test data.

When detection uses a key different from the one used at embedding, the resulting sequence should be a random number sequence with a mean near 0.5. When the watermark key is used for detection, owing to the formula used at embedding, the mean of the sequence is significantly greater than 0.5, so the two cases can be distinguished by computing the value with statistical methods. Watermark robustness is proportional to the number of embedded watermark positions: the more watermark positions there are, the smaller the effect that the distortion of a single random number caused by a single modification has on the distance between the random number sequence and the generated text, and the more likely it is that the robust watermark information is detected.
In the specific implementation of step S23, a token position is determined based on the minimum embedding number m; the tokens before that position in the token sequence to be detected are selected as the fourth selected token sequence; a third vocabulary probability distribution is obtained from the large language model according to the fourth selected token sequence; a fourth pseudo-random number sequence is generated from the fourth selected token sequence and the watermark key; the token at the next position is computed from the third vocabulary probability distribution and the fourth pseudo-random number sequence; and the tokens at the last m positions are sampled in sequence, thereby forming a reference token sequence. If the reference token sequence is identical to the tokens at the corresponding positions in the token sequence to be detected, tamper detection passes;
Specifically, text tamper detection is performed by detecting the fragile watermark information in the text. Tamper detection takes as input the key, the text under test, and the large language model used for watermark embedding together with its parameters, and performs fragile watermark sampling generation for a certain number of tokens at the end of the text. If the generated reference token sequence is the same as the original token sequence, the text content is considered not to have been tampered with; if the newly sampled reference token differs from the original token at any position, the text content is considered to have been tampered with.
As shown in Figure 6, fragile watermark detection is essentially the same as the watermark embedding process. Watermark sampling generation is performed for the portion at the end of the generated text whose size equals the minimum embedding number; the token at each such position in the token sequence to be detected is compared with the sampled token, and the number of identical tokens is accumulated from the end forwards to check whether it meets the minimum embedding number requirement of the fragile watermark. This determines whether the fragile watermark at that position has been destroyed. Specifically, taking the token at a given sampling position as an example, the preceding sequence is used as the input of the large language model to obtain the third vocabulary probability distribution, where |𝒗| is the size of the large language model vocabulary V. The hash value of the input token sequence and the watermark key K is calculated and used as the seed of the pseudo-random number generator PRNG to generate the fourth pseudo-random number sequence, in which each pseudo-random number follows the uniform distribution on [0,1]. The fourth index sequence is obtained by the calculation formula, its maximum value is found by comparison, and the word at the corresponding index in the vocabulary is output as the token at position y. Resampling the tokens at the last m positions yields the reference token sequence, which is compared position by position with the token sequence to be detected.

If the two are exactly the same, the cumulative number of tokens at the end of the token sequence to be detected that match the sampled tokens meets the minimum embedding number requirement of the fragile watermark, the fragile watermark of the text under test has not been destroyed, and the text under test has not suffered any tampering attack. Otherwise, the text under test is considered to have suffered a tampering attack.
The high sensitivity of the fragile watermark in the present application to text tampering comes from the symmetry of watermark embedding and detection, which ensures that the environment and steps of watermark embedding can be reproduced exactly at the detection end. After the text content is modified, a single watermark position collides with the probability that the model predicts for that word, in which case the tampering cannot be detected. When a sufficient number of consecutive watermark positions all protect the preceding content, the collision probability is the product of the model's predicted probabilities at all watermark positions, which ensures that the tampering is detected by the algorithm with a probability close to 1. If the attacker modifies a watermark position directly, the word generated during watermark detection does not match the original word, so the algorithm detects the tampering with probability 1.
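Embedding steps S12 and S13 and detection steps S22 and S23, as an added Python example that is not part of the patent text. The toy model, the HMAC-SHA256 seeding, the selection rule argmax r_i^(1/p_i), the cost 1 - mean(r), and all sample values are assumptions, since the patent's formulas did not survive on this page.

```python
import hashlib
import hmac
import random

VOCAB = 50  # constructed toy vocabulary size |V|


def toy_model(context):
    """Constructed stand-in for the LLM: next-token probabilities from the last token."""
    last = context[-1] if context else 0
    weights = [1 + (7 * i + 13 * last) % 5 for i in range(VOCAB)]
    total = sum(weights)
    return [w / total for w in weights]


def prn_sequence(key, context):
    """Seed a PRNG with a keyed hash of the context tokens; return |V| uniforms in [0, 1)."""
    msg = ",".join(map(str, context)).encode()
    seed = int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")
    rng = random.Random(seed)
    return [rng.random() for _ in range(VOCAB)]


def pick(probs, r):
    """Assumed selection rule: the vocabulary index maximising r_i ** (1 / p_i)."""
    return max(range(VOCAB), key=lambda i: r[i] ** (1.0 / probs[i]))


def embed(prompt, key, length, n=1, m=6, d=2):
    """Serial embedding: robust watermark first, then a fragile tail (n >= 1)."""
    tokens = []
    # Step S12: the model sees prompt + text; the seed uses only the last n tokens.
    for _ in range(length):
        tokens.append(pick(toy_model(prompt + tokens), prn_sequence(key, tokens[-n:])))
    # Step S13: drop the last m+d tokens and regenerate them as fragile watermark.
    # No prompt is used here, and the seed covers ALL preceding tokens.
    tokens = tokens[:-(m + d)]
    for _ in range(m + d):
        tokens.append(pick(toy_model(tokens), prn_sequence(key, tokens)))
    return tokens


def source_cost(tokens, key, n=1):
    """Step S22, no model needed: 1 - mean of r at each observed token (assumed cost)."""
    hits = [prn_sequence(key, tokens[max(0, y - n):y])[tokens[y]]
            for y in range(len(tokens))]
    return 1.0 - sum(hits) / len(hits)


def tamper_check(tokens, key, m=6):
    """Step S23: regenerate the last m tokens from the received prefix and compare."""
    ref = list(tokens[:-m])
    for _ in range(m):
        ref.append(pick(toy_model(ref), prn_sequence(key, ref)))
    return ref == list(tokens)


KEY = b"constructed-demo-key"   # constructed watermark key K
PROMPT = [3, 14, 15]            # constructed prompt token ids

if __name__ == "__main__":
    text = embed(PROMPT, KEY, 80)
    edited = list(text)
    edited[10] = (edited[10] + 1) % VOCAB  # single-token edit in the robust region
    for label, seq, key in [("original", text, KEY), ("edited", edited, KEY),
                            ("wrong key", text, b"other-key")]:
        print(label, round(source_cost(seq, key), 3), tamper_check(seq, key))
```

With these constructed inputs, a single-token edit leaves the source cost far below the wrong-key cost, while the fragile check fails because every tail seed depends on the whole prefix.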
The framework proposed in the present application addresses a risk that has received little attention so far: malicious tampering with large-model-generated text while it is being disseminated. It combines a robust large model watermark with a fragile large model watermark and sets out specific, feasible requirements for their embedding method, embedding number, and embedding position. It retains the source verification function of the robust watermark and, on that basis, adds a compatible fragile watermark algorithm, so that the generated text supports tamper detection with high accuracy and high sensitivity against minor editing attacks and even against watermark forgery attacks by professionals in the field.
In summary, the present application proposes a multifunctional large model watermark framework that combines a robust watermark and a fragile watermark for source verification and tamper detection of large-model-generated text. Watermark embedding uses a serial structure: it takes the prompt and the generated preceding token sequence as input, embeds the robust watermark and then the fragile watermark, and outputs the generated text with the joint watermark. Watermark detection uses a parallel structure: it detects the robust watermark and the fragile watermark information separately, for source verification and tamper detection respectively. Robust watermark embedding uses a sampling-based watermark algorithm, and its detection uses statistical methods to test the generation relationship between the key and the text. The fragile watermark also uses a sampling-based watermark algorithm, and detects whether the text has been tampered with by checking whether the resampled target words match.
Corresponding to the foregoing embodiments of the watermark embedding and detection methods for text generated by a large model, the present application also provides device embodiments.
Figure 7 is a block diagram of a watermark embedding device for text generated by a large model according to an exemplary embodiment. Referring to Figure 7, the device may include:
a first acquisition module 11, configured to obtain the watermark key, the prompt of the large language model, the context window size, the large language model, and the generated preceding token sequence;
a robust watermark generation module 12, configured to obtain a first vocabulary probability distribution from the large language model according to the prompt and the generated preceding token sequence, select a first selected token sequence from the generated preceding token sequence based on the context window size, generate a first pseudo-random number sequence from the first selected token sequence and the watermark key, compute the token at the next position from the first vocabulary probability distribution and the first pseudo-random number sequence, and sample in sequence until generation ends or the maximum generation length is reached, thereby forming the robust watermark text;
脆弱水印生成模块13,用于确定最小嵌入数量m与扩展余量d,选取所述鲁棒水印令牌序列中除末尾m+d个令牌之外的令牌与已生成脆弱水印令牌序列作为第二选取令牌序列,根据所述第二选取令牌序列,通过所述大语言模型得到第二词汇表概率分布,并根据所述第二选取令牌序列和水印密钥生成第二伪随机数序列,根据所述第二词汇表概率分布和第二伪随机数序列,计算得到下一位置的令牌,依次采样至生成结束或达到最大生成长度,从而形成联合水印文本。The fragile watermark generation module 13 is used to determine the minimum embedding number m and the expansion margin d, select the tokens in the robust watermark token sequence except the last m+d tokens and the generated fragile watermark token sequence as the second selected token sequence, obtain the second vocabulary probability distribution through the large language model according to the second selected token sequence, and generate a second pseudo-random number sequence according to the second selected token sequence and the watermark key, calculate the token at the next position according to the second vocabulary probability distribution and the second pseudo-random number sequence, and sample them in sequence until the generation is completed or the maximum generation length is reached, so as to form a joint watermark text.
FIG. 8 is a block diagram of a watermark detection device for large-model-generated text according to an exemplary embodiment. Referring to FIG. 8, the device may include:
A second acquisition module 21, configured to acquire a watermark key, a context window size, a minimum embedding number, a large language model, and a token sequence to be detected, where the watermark key, context window size, minimum embedding number and large language model are all the same as those used when the watermark was embedded;
A source detection module 22, configured to select, according to the context window, a third selected token sequence for each position of the token sequence to be detected, generate a third pseudo-random number sequence for each position from the third selected token sequence and the watermark key and combine these into a pseudo-random number detection matrix, and compute the distance between the watermark key and the token sequence to be detected from the detection matrix and the token sequence to be detected; if the distance is below a predetermined threshold, source detection passes;
A tampering detection module 23, configured to determine a token position based on the minimum embedding number m, select the tokens of the sequence to be detected that precede that position as the fourth selected token sequence, obtain a third vocabulary probability distribution from the large language model according to the fourth selected token sequence, generate a fourth pseudo-random number sequence from the fourth selected token sequence and the watermark key, compute the token at the next position from the third vocabulary probability distribution and the fourth pseudo-random number sequence, and sample token by token to obtain the tokens at the last m positions, thereby forming a reference token sequence; if the reference token sequence matches the tokens at the corresponding positions of the sequence to be detected, tampering detection passes.
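The following toy end-to-end run of modules 12, 13, 22 and 23 is an added illustration, not code from the patent. The hash-based `toy_lm`, the sampling rule argmax r_i^(1/p_i), the log-based distance, the choice to regenerate exactly m+d fragile tokens, and all names and sample values are assumptions, because this section does not give the formulas.

```python
import hashlib, hmac, math

V = 32  # toy vocabulary size (assumption)

def uniforms(key, tag, tokens):
    """V pseudo-random floats in (0,1) from HMAC-SHA256(key, tag | tokens | i)."""
    msg = tag + b"|" + ",".join(map(str, tokens)).encode()
    out = []
    for i in range(V):
        d = hmac.new(key, msg + b"|%d" % i, hashlib.sha256).digest()
        out.append(((int.from_bytes(d[:8], "big") >> 12) + 0.5) / 2.0**52)
    return out

def toy_lm(context):
    """Stand-in for the LLM: a fixed, key-independent distribution per context."""
    w = [-math.log(u) for u in uniforms(b"toy-lm", b"lm", context)]
    total = sum(w)
    return [x / total for x in w]

def pick(probs, r):
    """Assumed sampling rule: argmax_i r_i^(1/p_i) (exponential-minimum trick)."""
    return max(range(V), key=lambda i: math.log(r[i]) / probs[i])

def next_fragile(key, ctx):
    # Seeded by the whole preceding sequence, so any earlier edit changes it.
    return pick(toy_lm(ctx), uniforms(key, b"fragile", ctx))

def embed_joint(key, prompt, n, k, m, d):
    robust = []
    for _ in range(n):  # robust pass: PRNG seeded by key + last k tokens
        r = uniforms(key, b"robust", robust[-k:])
        robust.append(pick(toy_lm(prompt + robust), r))
    seq = robust[:n - (m + d)]  # drop the last m+d robust tokens ...
    for _ in range(m + d):      # ... and regenerate them as fragile tokens
        seq.append(next_fragile(key, seq))
    return seq

def source_distance(key, tokens, k):
    """Mean of log(1 - r[token]) over the detection matrix; lower = closer."""
    rows = [uniforms(key, b"robust", tokens[max(0, i - k):i])
            for i in range(len(tokens))]
    return sum(math.log(1.0 - rows[i][t]) for i, t in enumerate(tokens)) / len(tokens)

def tamper_check(key, tokens, m):
    """Regenerate the last m tokens from the prefix and compare."""
    ref = list(tokens[:len(tokens) - m])
    for _ in range(m):
        ref.append(next_fragile(key, ref))
    return ref[-m:] == list(tokens[-m:])

if __name__ == "__main__":
    key, prompt = b"constructed-demo-key", [1, 2, 3]  # constructed sample input
    text = embed_joint(key, prompt, n=60, k=3, m=4, d=2)
    edited = text[:5] + [(text[5] + 1) % V] + text[6:]  # one substituted token
    print(source_distance(key, text, 3), tamper_check(key, text, 4))
    print(source_distance(key, edited, 3), tamper_check(key, edited, 4))
```

With a random key the distance averages about -1, so a threshold near -2 (an assumed value) separates the cases here. A single substituted token leaves the source check passing while the tamper check fails, which is the division of labour between the two watermarks.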
For the devices in the above embodiments, the specific manner in which each module performs its operations has been described in detail in the method embodiments and is not repeated here.
Because the device embodiments essentially correspond to the method embodiments, refer to the relevant parts of the method embodiments for details. The device embodiments described above are merely illustrative: units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units, that is, they may be located in one place or distributed across multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this application. A person of ordinary skill in the art can understand and implement it without creative effort.
Correspondingly, the present application also provides a computer program product comprising a computer program/instructions which, when executed by a processor, implement the watermark embedding and detection methods for large-model-generated text described above.
Correspondingly, the present application also provides an electronic device, including: one or more processors; and a memory for storing one or more programs; when the one or more programs are executed by the one or more processors, the one or more processors implement the watermark embedding and detection methods for large-model-generated text described above. FIG. 9 is a hardware structure diagram of any device with data processing capability on which the watermark embedding and detection device for large-model-generated text provided in an embodiment of the present invention is located. In addition to the processor, memory and network interface shown in FIG. 9, the device with data processing capability on which the device of the embodiment is located may also include other hardware according to its actual function, which is not described further here.
Correspondingly, the present application also provides a computer-readable storage medium storing computer instructions which, when executed by a processor, implement the watermark embedding and detection methods for large-model-generated text described above. The computer-readable storage medium may be an internal storage unit of any device with data processing capability described in any of the foregoing embodiments, such as a hard disk or memory. It may also be an external storage device, such as a plug-in hard disk, a Smart Media Card (SMC), an SD card or a flash card fitted to the device. Further, the computer-readable storage medium may include both an internal storage unit and an external storage device of any device with data processing capability. The computer-readable storage medium is used to store the computer program and the other programs and data required by the device with data processing capability, and may also be used to temporarily store data that has been output or is about to be output.
Other embodiments of the present application will readily occur to those skilled in the art after considering the specification and practicing what is disclosed here. The present application is intended to cover any variations, uses or adaptations of the present application that follow its general principles and include common knowledge or customary technical means in the art that are not disclosed in the present application.
It should be understood that the present application is not limited to the exact structures described above and shown in the drawings, and that various modifications and changes may be made without departing from its scope.
Claims (10)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202411078474.8A CN118608367B (en) | 2024-08-07 | 2024-08-07 | A watermark embedding and detection method and device for large model generated text |
Publications (2)
Publication Number | Publication Date |
---|---|
CN118608367A (en) | 2024-09-06 |
CN118608367B (en) | 2024-10-18 |
Family
ID=92554091
Family Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202411078474.8A Active CN118608367B (en) | 2024-08-07 | 2024-08-07 | A watermark embedding and detection method and device for large model generated text |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN118608367B (en) |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN118885990A (en) * | 2024-09-19 | 2024-11-01 | 鹏城实验室 | Watermark detection method, device, equipment, storage medium and product using single detector |
CN119152862A (en) * | 2024-11-12 | 2024-12-17 | 浙江大学 | Privacy-protected deep voice digital watermark streaming embedding and detecting method |
CN119314497A (en) * | 2024-12-13 | 2025-01-14 | 杭州高新区(滨江)区块链与数据安全研究院 | Model watermarking method, device, computer equipment and storage medium for speech synthesis system |
CN119357929A (en) * | 2024-10-10 | 2025-01-24 | 上海交通大学 | Double watermark embedding method for large language model |
CN119962541A (en) * | 2025-04-09 | 2025-05-09 | 科大讯飞股份有限公司 | Watermark adding method, watermark detection method and watermark adding model training method |
CN120354389A (en) * | 2025-06-16 | 2025-07-22 | 江苏省测绘资料档案馆 | High-precision map fragile watermark generation, embedding and verification method based on geometric features |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030070075A1 (en) * | 2001-10-04 | 2003-04-10 | Frederic Deguillaume | Secure hybrid robust watermarking resistant against tampering and copy-attack |
US20070014429A1 (en) * | 2005-07-14 | 2007-01-18 | Yuan He | Embedding and detecting watermarks |
CN117272253A (en) * | 2023-11-23 | 2023-12-22 | 北京知呱呱科技有限公司 | Method for embedding and detecting digital watermark in large language model generated text |
CN117494081A (en) * | 2023-11-13 | 2024-02-02 | 浙江大学 | Text watermark generation and detection method based on large language model with biased output |
CN117494082A (en) * | 2023-11-17 | 2024-02-02 | 北京声智科技有限公司 | Watermark embedding method, device, equipment and storage medium |
KR102640438B1 (en) * | 2023-09-08 | 2024-02-23 | 강성필 | Method, apparatus and program for artificial intelligence-based story creation support service |
CN117994119A (en) * | 2024-04-07 | 2024-05-07 | 中国科学技术大学 | Method for performing lossless image watermarking on diffusion model |
CN118097682A (en) * | 2024-02-23 | 2024-05-28 | 中国电信股份有限公司 | Watermark character recognition method and device, nonvolatile storage medium and electronic equipment |
Non-Patent Citations (1)
Title |
---|
叶天语;钮心忻;杨义先;: "多功能双水印算法", 电子与信息学报, no. 03, 15 March 2009 (2009-03-15) * |
Also Published As
Publication number | Publication date |
---|---|
CN118608367B (en) | 2024-10-18 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||