
TLDR
- What: AliMark is a sentence-level LLM watermarking framework that reformulates watermarking as a bit sequence encoding and global alignment problem, utilizing a proactive sentence "Re-Structurer" and adaptive alignment to survive structural paraphrasing attacks.
- Who's at risk: LLM deployment platforms, plagiarism detection tools, and content provenance systems (e.g., enterprise RAG pipelines, code assistants, or academic integrity checkers) relying on prefix-based watermarks.
- Key number: Under aggressive GPT-3.5 text rewriting, AliMark maintains a detection rate of 66.6% TPR@5% on the Booksum dataset, whereas the state-of-the-art SemStamp baseline collapses to 22.0%.
As generative models like GPT-4o, Claude 3.5 Sonnet, and Google's Gemini become deeply integrated into writing workflows, identifying AI-generated content has transformed into a critical security and intellectual property challenge. Traditional token-level watermarking techniques are easily broken by minor token substitutions, prompting a shift toward sentence-level semantic watermarks. However, existing sentence-level approaches are highly fragile under structural changes like sentence splitting and merging, which are trivially executed by advanced paraphrasing models.
To address this vulnerability, researchers from the National University of Singapore have proposed AliMark, a robust sentence-level watermarking framework. AliMark shifts the paradigm from prefix-conditioned hashing to global bit-sequence alignment. By restructuring candidate texts at detection time and aligning semantic bit blocks, AliMark secures watermark persistence even when an attacker aggressively rewrites, splits, or merges sentences to evade detection.
Threat Model
| Attacker | Black-box API or local access to watermarked text outputs, with the ability to query advanced paraphrasing models (e.g., DIPPER, GPT-3.5-turbo). |
| Victim | LLM providers, platforms, or auditing frameworks attempting to track content provenance, protect copyright, or prevent plagiarism using sentence-level watermarks. |
| Goal | Evade detection by removing or corrupting the watermark signature while preserving the original semantic meaning of the text. |
| Budget | Minimal computational budget (e.g., standard API calls costing less than $0.05 per paraphrased document), utilizing off-the-shelf sentence rewriters. |
Background & Problem Setup
Existing sentence-level watermarking schemes, such as SemStamp (Hou et al., NAACL 2024a), typically employ a prefix-conditioned design. The watermark signal of sentence is pseudo-randomly conditioned on the semantic representation of its preceding context .
While this prevents attackers from discovering the exact watermark pattern, it creates a cascading vulnerability. If an attacker splits or merges a single sentence, the context changes to . This destroys the pseudo-random relationship for all subsequent sentences, causing the entire downstream watermark signal to collapse.
Unlike token-level alignment schemes such as those proposed by Kuditipudi et al. (TMLR 2024) which handle token insertions/deletions, sentence-level structural attacks require reasoning over semantic boundaries.
Comparison of LLM Watermarking Paradigms
| Watermarking Paradigm | Core Mechanism | Robustness to Synonym Swapping | Robustness to Sentence Splitting/Merging | Main Fragility / Overhead |
|---|---|---|---|---|
| Token-Level (e.g., KGW, Kirchenbauer et al., ICML 2023) | Logit manipulation during token sampling. | Low | Low | Broken easily by basic synonym paraphrasing. |
| Token-Level Alignment (e.g., Kuditipudi et al., TMLR 2024) | Token sequence alignment using Levenshtein distance. | Low | Low | Intolerant to sentence-level structural edits. |
| Prefix-Based Sentence-Level (e.g., SemStamp, Hou et al., NAACL 2024a) | Semantic hashing conditioned on preceding sentence. | High | Low | Single sentence split/merge cascades into total signal loss. |
| AliMark (Ours) | Global bit sequence encoding + Adaptive block alignment. | High | High | Q candidate generation overhead during inference. |
Methodology
AliMark mitigates structural cascading errors by removing inter-sentence prefix dependencies entirely. Instead, it relies on a global secret bit sequence and reformulates detection as a block-level sequence alignment problem.
[ WATERMARKED TEXT GENERATION ]
Global Secret Bit Sequence s
+----+----+----+----+----+----+
| b1 | b2 | b3 | b4 | b5 | b6 | ...
+----+----+----+----+----+----+
|
Candidate Sentences (Q = 64)
+----------------------------+
| x_1: Today is very sunny. | ---> [Embedding] -> φ(e, V) -> Matches block?
| x_2: The weather is fine. |
+----------------------------+
|
Selected Sentence
1. Watermarked Text Generation
During generation, given a context , the LLM generates a candidate set of next sentences containing variations (with as default). AliMark's goal is to select a candidate whose semantic bit representation matches the -th block of the secret bit sequence .
- Semantic Embedding: The sentence embedding is extracted using a lightweight sentence encoder (such as
all-mpnet-base-v2). - Bit Extraction: The embedding is projected against pre-defined orthonormal secret vectors (with ). The -th bit of the candidate sentence is calculated as:
b^q_{(n-1)M+m} \leftarrow \varphi(e^q_n, v_m) = \begin{cases} 0, & \text{if } \langle e^q_n, v_m \rangle < 0 \ 1, & \text{otherwise} \end{cases}
3. **Selection**: The candidate whose extracted bits $b^q(n)$ best match the secret block $s(n)$ is appended to the text. --- ### 2. Watermarked Text Detection & Alignment When verifying if a text $X = \{x_1, \dots, x_N\}$ contains a watermark, AliMark uses a two-stage pipeline: #### Stage A: Re-Structurer (RS) Because paraphrasing models split and merge sentences, the detector proactively attempts to reconstruct the original sentence count. For an input text of $N$ sentences, the Re-Structurer generates a set of candidate texts $Y$: - **Re-merges**: Combines consecutive sentences $\{xi, xi+1\}$ into one sentence, producing $N-1$ candidates ($X^-$). - **Re-splits**: Midpoint splits for each sentence $xi$, producing $N$ candidates ($X^+$). - **Total Search Space**: $Y = \{X\} \cup X^- \cup X^+$. #### Stage B: Adaptive Bit Sequence Alignment (ABSA) For each candidate text $Y \in \mathcal{Y}$, the detector extracts the bit sequence $b_Y = \Phi_V(Y)$. To handle sentence additions or deletions, ABSA aligns $b_Y$ to variable-length candidates of the secret bit sequence $s^*_Y \in S^*_Y$. Aligning blocks of size $M$ requires a specialized distance metric. AliMark introduces the **Block Edit Distance (BED)**, computed via a dynamic programming table $D$: $$D[i, j] = \min \begin{cases} D[i-1, j] + M & \text{(Deletion of block } b_Y(i)\text{)} \\ D[i, j-1] + M & \text{(Insertion of block } s^*_Y(j)\text{)} \\ D[i-1, j-1] + h(b_Y(i), s^*_Y(j)) & \text{(Substitution cost via Hamming distance)} \end{cases}$$ BED is normalized by the maximum bit length to obtain the **Block Edit Rate (BER)** $r$. Using precomputed Monte Carlo estimations of the mean $\bar{\mu}$ and standard deviation $\bar{\sigma}$ under random bit sequences, the final watermark score is determined by the maximum $z$-score across all candidates:Z(X) = \max_{s^_Y \in S^_Y, Y \in \mathcal{Y}} \left( \frac{\bar{\mu}(M, N') - r}{\bar{\sigma}(M, N')} \right)
--- ### Detection Algorithm Pseudocode ```python def detect_watermark(text_X, secret_s, secret_V, M, alpha=0.5, beta=1.5): # Stage 1: Re-Structurer (RS) RS_candidates = [text_X] N = len(text_X) # Generate Re-Merge candidates for i in range(N - 1): merged = merge_sentences(text_X[i], text_X[i+1]) RS_candidates.append(text_X[:i] + [merged] + text_X[i+2:]) # Generate Re-Split candidates for i in range(N): split_a, split_b = split_sentence_at_midpoint(text_X[i]) RS_candidates.append(text_X[:i] + [split_a, split_b] + text_X[i+1:]) max_z_score = -float('inf') # Stage 2: Adaptive Bit Sequence Alignment (ABSA) for Y in RS_candidates: b_Y = extract_bit_signals(Y, secret_V) # size: N_prime * M N_prime = len(b_Y) // M # Build candidate target secret lengths min_blocks = int(alpha * N_prime) max_blocks = int(beta * N_prime) for k in range(min_blocks, max_blocks + 1): s_candidate = secret_s[:k * M] r = calculate_block_edit_rate(b_Y, s_candidate, M) # Retrieve Monte Carlo stats mu_bar, sigma_bar = get_monte_carlo_stats(M, N_prime) z = (mu_bar - r) / sigma_bar if z > max_z_score: max_z_score = z return max_z_score ``` --- ## Key Results As described in Section 4.2, the authors evaluated AliMark using OPT-1.3B and Qwen3-1.7B backbones across the Booksum and C4 datasets. The text was subjected to several attacks, including sentence-to-sentence paraphrasers (Pegasus, Parrot) and advanced text-to-text models that heavily mutate sentence boundaries (DIPPER, GPT-3.5-turbo). The table below details detection performance (TPR@5% and AUROC) on the **Booksum** dataset using **OPT-1.3B** as the generator: | Attack Scenario | Metric | KGW <br>*(Token)* | EXP <br>*(Token-Align)* | SemStamp <br>*(Prefix-Semantic)* | PMark <br>*(Semantic)* | AliMark <br>**(Ours)** | | :--- | :--- | :---: | :---: | :---: | :---: | :---: | | **No Attack** | AUROC <br> TPR@5% | 100.0% <br> 100.0% | 99.2% <br> 98.8% | 98.3% <br> 91.4% | 99.5% <br> 97.0% | **100.0%** <br> **100.0%** | | **Pegasus** *(Sentence-level)* | AUROC <br> TPR@5% | 55.2% <br> 1.6% | 87.7% <br> 41.4% | 94.0% <br> 70.8% | 97.2% <br> \underline{86.0%} | **99.8%** <br> **95.6%** | | **Parrot** *(Sentence-level)* | AUROC <br> TPR@5% | 53.6% <br> 0.6% | 86.6% <br> 44.3% | 96.1% <br> 73.6% | 99.3% <br> \underline{93.0%} | **99.8%** <br> **96.6%** | | **DIPPER** *(Structural)* | AUROC <br> TPR@5% | 49.8% <br> 0.2% | 78.4% <br> 21.1% | 81.6% <br> 26.7% | 86.5% <br> \underline{30.4%} | **94.2%** <br> **61.6%** | | **GPT-3.5** *(Structural)* | AUROC <br> TPR@5% | 46.4% <br> 0.0% | 62.2% <br> 2.4% | 78.0% <br> 22.0% | 88.6% <br> \underline{33.0%} | **96.1%** <br> **66.6%** | ### Key Takeaways from the Results: 1. **Token-Level Vulnerability**: KGW is entirely neutralized under structural/paraphrasing rewriting, collapsing to near-random guessing (0.0% to 1.6% TPR@5%). 2. **Prefix-Based Fragility**: SemStamp suffers heavily under DIPPER and GPT-3.5 attacks (collapsing to 26.7% and 22.0% respectively), proving that structural context alterations render prefix models unusable. 3. **AliMark Robustness**: AliMark outperforms all baselines under strong structural attacks, maintaining **61.6% (DIPPER)** and **66.6% (GPT-3.5) TPR@5%** due to its adaptive block-alignment mechanism. --- ## Limitations & Open Questions Despite its breakthrough resilience, AliMark has a few structural bottlenecks: 1. **Single-Step Re-Structuring Constraint**: To maintain polynomial execution times, the Re-Structurer is constrained to a single-step operation ($a=1, b=0$ or $a=0, b=1$). If an attacker applies recursive structural perturbations (e.g., splitting a sentence and subsequently merging a fragment with an adjacent sentence), the current single-step RS will struggle to recover the exact boundary alignment. 2. **Computational Overhead during Generation**: Generating $Q=64$ candidate sentences for every sequence position adds computational latency. While the authors mitigate this via vLLM's optimized KV-cache framework, this overhead remains high for highly transactional real-time APIs. 3. **Short Text Sensitivity**: As evaluated in Table 10, when text contains only 4 sentences, AliMark's TPR@5% drops to **29.2%** under GPT-3.5 attacks. Hardening sentence-level signatures on ultra-short inputs remains an open question. --- ## What Practitioners Should Do If you are deploying LLM text tracking systems or building forensic auditing pipelines, implement these mitigations: ### 1. Upgrade Detection Pipelines with a Sentence Re-Structurer Do not verify watermarked text purely in its raw state. Implement a preprocessing layer that generates re-split and re-merged sentence variants prior to extracting watermark embeddings. This can be configured globally in your verification API: ```python # Reference implementation for a production-ready single-step Re-Structurer def generate_reconstructed_candidates(sentences): candidates = [sentences] n = len(sentences) # Merges for i in range(n - 1): candidates.append(sentences[:i] + [f"{sentences[i]} {sentences[i+1]}"] + sentences[i+2:]) # Splits (split on midpoints/clausal boundaries) for i in range(n): words = sentences[i].split() if len(words) > 4: mid = len(words) // 2 split_a = " ".join(words[:mid]) split_b = " ".join(words[mid:]) candidates.append(sentences[:i] + [split_a, split_b] + sentences[i+1:]) return candidates ``` ### 2. Transition from Context-Dependent to Globally Indexed Bit Keys If using sentence-level watermarks, deprecate prefix-conditioned hashing models. Instead, map the generated sentences directly to indexed positions within a global, pseudo-random bit sequence $s$. This prevents local adversarial edits from corrupting down-stream signals. ### 3. Leverage High-Performance Sentence Embedders For bit identification, utilize highly optimized, domain-agnostic embedding models. The authors found that `all-mpnet-base-v2` yielded the most stable semantic representations for bit projection. Ensure these projection vectors ($V$) are orthogonalized using Gram-Schmidt process. --- ## The Takeaway AliMark proves that sentence-level watermarking can survive sophisticated, high-entropy paraphrasing attacks if we treat detection as a global sequence alignment problem. By anticipating sentence boundary modifications and employing a dynamic-programming-based Block Edit Distance, AliMark secures content tracking across highly adversarial environments. For enterprise LLM deployments where IP tracking is non-negotiable, moving away from fragile token or prefix-based signatures toward robust semantic alignment is the clear path forward. --- ## Den's Take Watermarking has historically been a game of whack-a-mole: token-level approaches are so brittle that a simple API call to a cheap rewriter obliterates them. AliMark’s shift to semantic block alignment is a highly promising, pragmatic step forward. By restructuring the candidate text at detection time rather than relying on strict, cascading context hashes, it makes watermarking viable in real-world environments where downstream users inevitably edit outputs. This resilience is critical. Consider a \$15M copyright dispute where a financial enterprise accuses a competitor of scraping and using its proprietary, synthetic financial analyses to train a rival model. Without a robust, paraphrase-resistant watermark, proving that content was machine-generated in court is a forensic nightmare. However, we must view watermarking not as a standalone silver bullet, but as part of a larger defense-in-depth strategy. In my previous overview of [Security in the Fine-Tuning Lifecycle of Large Language Models](/writing/security_in_the_finetuning_lifecycle_of_large_language_model), I argued that robust output attribution and verification mechanisms are absolutely vital for maintaining model provenance and compliance when upstream fine-tuning controls fail. AliMark provides the exact kind of mathematical resilience we need at this verification layer. Still, the security community must remain vigilant—the cat-and-mouse game between semantic watermarking and advanced, structure-aware paraphrasers is far from over.