pith. machine review for the scientific record.

arxiv: 2604.11344 · v1 · submitted 2026-04-13 · 💻 cs.CR · cs.CL

Recognition: unknown

Geometry-Aware Localized Watermarking for Copyright Protection in Embedding-as-a-Service

Pith reviewed 2026-05-10 15:52 UTC · model grok-4.3

classification 💻 cs.CR cs.CL
keywords: embedding as a service, watermarking, copyright protection, localized injection, geometric fidelity, model stealing, robust verification, manifold anchors

The pith

GeoMark separates watermark triggers from ownership attribution using geometry-aware anchors in embedding manifolds to protect EaaS models.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper presents GeoMark as a way to break the robustness-utility-verifiability tradeoff in watermarking embedding-as-a-service systems. Existing trigger methods break under paraphrasing, transformation methods shift with dimension changes, and region methods risk false matches from accidental geometry. GeoMark selects a natural point inside the embedding manifold as the shared target, places explicit-margin anchors around it to separate regions, and injects the watermark signal only inside adaptive local neighborhoods. This keeps the trigger local while the attribution signal stays centralized and verifiable. Experiments across four datasets confirm that downstream tasks, geometric structure, and verification accuracy hold up under paraphrasing, dimensional shifts, and clustering-selection-elimination attacks.

Core claim

GeoMark achieves localized triggering and centralized attribution by using a natural in-manifold embedding as the shared watermark target, building geometry-separated anchors with explicit target-anchor margins, and restricting watermark injection to adaptive local neighborhoods around those anchors.

What carries the argument

Geometry-separated anchors with explicit target-anchor margins around a shared natural in-manifold embedding, which confines injection to local neighborhoods while keeping the ownership signal centralized and verifiable.

If this is right

  • Downstream task accuracy stays intact because watermark changes are restricted to small local neighborhoods.
  • Verification remains reliable after paraphrasing or dimension changes because the target point is chosen from the natural manifold.
  • False-positive risk drops because explicit margins prevent coincidental geometric matches outside the intended regions.
  • Ownership attribution works centrally even though the injection trigger is kept strictly local.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same local-neighborhood injection idea could be tested on embedding models for images or time-series data where manifold structure is also present.
  • If the anchor margins prove stable, the method might extend to multi-task or federated embedding services without extra coordination cost.
  • Scaling the adaptive neighborhood size with model dimension could be measured directly to see whether verification stability holds at larger embedding sizes.

Load-bearing premise

Natural in-manifold embeddings exist that can act as stable shared targets whose explicit margins survive paraphrasing, dimensional perturbation, and clustering attacks without raising false positives or hurting utility.

What would settle it

A measurable rise in false-positive rate or loss of verification accuracy when the same model is watermarked with GeoMark and then subjected to a clustering-selection-elimination attack on a dataset whose embeddings lack clear natural manifolds.

Figures

Figures reproduced from arXiv: 2604.11344 by Wei Lu, Wenbo Xu, Xiaojie Liang, Yuxuan Liu, Zhimin Chen.

Figure 1: Motivation of GeoMark. Existing EaaS watermark …
Figure 2: Overall framework of GeoMark. Given a shared in-manifold watermark target, GeoMark performs geometry-aware …
Figure 3: Effect of local coverage ratio on CSE reconstruction …
Figure 4: Hyper-parameter analysis on the number of anchors …
Figure 5: Hyper-parameter analysis on local coverage ratio …

Original abstract

Embedding-as-a-Service (EaaS) has become an important semantic infrastructure for natural language and multimedia applications, but it is highly vulnerable to model stealing and copyright infringement. Existing EaaS watermarking methods face a fundamental robustness--utility--verifiability tension: trigger-based methods are fragile to paraphrasing, transformation-based methods are sensitive to dimensional perturbation, and region-based methods may incur false positives due to coincidental geometric affinity. To address this problem, we propose GeoMark, a geometry-aware localized watermarking framework for EaaS copyright protection. GeoMark uses a natural in-manifold embedding as a shared watermark target, constructs geometry-separated anchors with explicit target--anchor margins, and activates watermark injection only within adaptive local neighborhoods. This design decouples where watermarking is triggered from what ownership is attributed to, achieving localized triggering and centralized attribution. Experiments on four benchmark datasets show that GeoMark preserves downstream utility and geometric fidelity while maintaining robust copyright verification under paraphrasing, dimensional perturbation, and CSE (Clustering, Selection, Elimination) attacks, with improved verification stability and low false-positive risk.
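
A toy sketch of the mechanism the abstract describes (shared in-manifold target, margin-separated anchors, injection only inside local neighborhoods, verification against the one target), added here as an illustration and not taken from the paper. The corpus is constructed random data, and the target choice, greedy farthest-point anchor selection, quantile cut-offs, fixed blending weight, and verification score are all assumptions, since this page gives no algorithmic details.

```python
import math
import random

def unit(v):
    n = math.sqrt(sum(x * x for x in v))
    return [x / n for x in v]

def cos(a, b):
    """Cosine similarity of two unit vectors."""
    return sum(x * y for x, y in zip(a, b))

def make_corpus(n=400, dim=16, seed=7):
    """Constructed stand-in for clean EaaS embeddings (random unit vectors)."""
    rng = random.Random(seed)
    return [unit([rng.gauss(0, 1) for _ in range(dim)]) for _ in range(n)]

def pick_target(corpus):
    """Shared target: a real corpus embedding (in-manifold), nearest the mean."""
    mean = unit([sum(col) for col in zip(*corpus)])
    return max(corpus, key=lambda e: cos(e, mean))

def pick_anchors(corpus, target, k=4, margin=0.5):
    """Anchors kept at least `margin` (in cosine) away from the target and
    spread apart from each other by greedy farthest-point selection."""
    pool = [e for e in corpus if cos(e, target) <= 1.0 - margin]
    anchors = [min(pool, key=lambda e: cos(e, target))]
    while len(anchors) < k:
        anchors.append(min(pool, key=lambda e: max(cos(e, a) for a in anchors)))
    return anchors

def pick_cutoffs(corpus, anchors, coverage=0.05):
    """Adaptive neighborhood per anchor: the similarity cut-off that admits
    a `coverage` fraction of the corpus around that anchor."""
    m = max(1, int(coverage * len(corpus)))
    return [sorted((cos(e, a) for e in corpus), reverse=True)[m - 1]
            for a in anchors]

class Watermark:
    def __init__(self, corpus, k=4, margin=0.5, coverage=0.05, strength=0.6):
        self.target = pick_target(corpus)
        self.anchors = pick_anchors(corpus, self.target, k, margin)
        self.cutoffs = pick_cutoffs(corpus, self.anchors, coverage)
        self.strength = strength  # assumed fixed blend weight (hard boundary)

    def triggered(self, e):
        """True when e falls inside any anchor's local neighborhood."""
        return any(cos(e, a) >= c for a, c in zip(self.anchors, self.cutoffs))

    def serve(self, e):
        """Provider side: blend toward the target only inside a neighborhood;
        every other embedding is returned untouched."""
        if not self.triggered(e):
            return e
        w = self.strength
        return unit([(1 - w) * x + w * t for x, t in zip(e, self.target)])

    def score(self, service, probes):
        """Owner side: mean target similarity of triggered probes minus that
        of untriggered probes, measured on the suspect service's outputs."""
        hit = [cos(service(p), self.target) for p in probes if self.triggered(p)]
        miss = [cos(service(p), self.target) for p in probes if not self.triggered(p)]
        return sum(hit) / len(hit) - sum(miss) / len(miss)

if __name__ == "__main__":
    corpus = make_corpus()
    wm = Watermark(corpus)
    touched = sum(1 for e in corpus if wm.triggered(e))
    print("embeddings altered:", touched, "of", len(corpus))
    print("score, service copying watermarked outputs:", wm.score(wm.serve, corpus))
    print("score, independent clean service:", wm.score(lambda e: e, corpus))
```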

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper proposes GeoMark, a geometry-aware localized watermarking framework for copyright protection in Embedding-as-a-Service (EaaS). It selects a natural in-manifold embedding as a shared watermark target, constructs geometry-separated anchors with explicit target-anchor margins, and restricts watermark injection to adaptive local neighborhoods. This design aims to decouple localized triggering from centralized attribution. Experiments on four benchmark datasets are claimed to show that GeoMark preserves downstream utility and geometric fidelity while remaining robust to paraphrasing, dimensional perturbation, and CSE attacks, with improved verification stability and low false-positive risk.

Significance. If the empirical claims hold, GeoMark could meaningfully advance EaaS watermarking by addressing the robustness-utility-verifiability tension through explicit geometric margins and adaptive neighborhoods. The decoupling of trigger location from attribution target offers a potentially useful separation not present in prior trigger-based, transformation-based, or region-based approaches, provided the margins remain stable without utility degradation.

major comments (2)
  1. Abstract: The abstract states experimental outcomes on four datasets but supplies no metrics, baselines, attack implementations, or statistical details; the central robustness and utility-preservation claims therefore cannot be evaluated from the provided text.
  2. Framework construction (likely §3): The design relies on the existence and stability of natural in-manifold embeddings serving as reliable shared targets with explicit target-anchor margins that survive paraphrasing, dimensional perturbation, and CSE attacks; no formal invariance proof, bound on margin stability, or analysis of adaptive-neighborhood behavior under perturbation is supplied, which is load-bearing for the claimed decoupling of localized triggering from centralized attribution.
minor comments (2)
  1. The acronym CSE is introduced in the abstract without prior expansion; consider spelling it out on first use.
  2. Consider adding a dedicated table or section summarizing quantitative results (e.g., verification accuracy, utility metrics, false-positive rates) with direct comparisons to baselines.

Simulated Author's Rebuttal

2 responses · 1 unresolved

We thank the referee for the constructive feedback. We address each major comment below, indicating planned revisions where appropriate.

  1. Referee: Abstract: The abstract states experimental outcomes on four datasets but supplies no metrics, baselines, attack implementations, or statistical details; the central robustness and utility-preservation claims therefore cannot be evaluated from the provided text.

    Authors: We agree that the current abstract is high-level and omits quantitative details. In the revised version we will expand the abstract to include key metrics (e.g., downstream task accuracy retention, attack success rates under paraphrasing/dimensional perturbation/CSE), the four benchmark datasets, and brief references to the baselines and statistical evaluation protocol used in the experiments. revision: yes

  2. Referee: Framework construction (likely §3): The design relies on the existence and stability of natural in-manifold embeddings serving as reliable shared targets with explicit target-anchor margins that survive paraphrasing, dimensional perturbation, and CSE attacks; no formal invariance proof, bound on margin stability, or analysis of adaptive-neighborhood behavior under perturbation is supplied, which is load-bearing for the claimed decoupling of localized triggering from centralized attribution.

    Authors: The referee correctly notes that the paper provides no formal invariance proof or analytic bounds. Our contribution is empirical: the geometry-separated anchors and adaptive neighborhoods are shown, across four datasets, to maintain sufficient target-anchor margins under the listed attacks while preserving utility. We will add a dedicated subsection (likely in §3 or a new §4.5) that reports quantitative margin-stability statistics, sensitivity plots for neighborhood size, and observed bounds derived from the experimental perturbations. This will strengthen the empirical grounding for the decoupling claim without claiming a general proof. revision: partial

standing simulated objections not resolved
  • A general formal proof of margin invariance under arbitrary paraphrasing, dimensional, and clustering perturbations in embedding space.

Circularity Check

0 steps flagged

No circularity: GeoMark is a novel construction with no derivation chain reducing to inputs or self-citations

The paper presents GeoMark as a new framework that selects a natural in-manifold embedding, constructs geometry-separated anchors with explicit margins, and restricts injection to adaptive neighborhoods. No equations, fitted parameters, or predictions are described that reduce by construction to prior inputs. The abstract and provided text frame the work as an original design addressing robustness-utility tension, with experimental validation on benchmarks rather than any self-referential derivation or load-bearing self-citation. The central claims rest on the proposed construction and empirical results, not on renaming or fitting that collapses to the inputs.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

Abstract-only review supplies no explicit parameters, axioms, or invented entities; all technical details are deferred to the full manuscript.

pith-pipeline@v0.9.0 · 5501 in / 1018 out tokens · 29490 ms · 2026-05-10T15:52:09.560175+00:00 · methodology

