
Obfuscation Undermines Code Watermarking Efforts

TLDR: This research paper demonstrates that N-gram-based code watermarking schemes, used to identify AI-generated code, are not robust against code obfuscation. Through theoretical modeling and extensive experiments, the authors show that obfuscation, which alters code while preserving its functionality, can effectively nullify the detection capabilities of these watermarks, making them indistinguishable from unwatermarked code.

Large language models (LLMs) are increasingly being used to generate code, making it crucial to distinguish AI-generated code from human-written code. This distinction is important for tasks like identifying authorship, tracking content, and detecting misuse. To address this, N-gram-based watermarking schemes have emerged, which embed secret signals into the code during its generation for later detection.

However, the robustness of these watermarking schemes when applied to code has not been sufficiently evaluated. Many claims of robustness rely on defenses against simple code transformations or optimizations, which do not accurately simulate real-world attacks. In contrast, the impact of more sophisticated techniques like code obfuscation, which significantly alters code while preserving its functionality, has been largely unexplored.

This research focuses on the robustness of N-gram-based watermarking approaches for code. The authors formally model code obfuscation as a Markov random walk process to simulate an attack on watermarking schemes. They prove that N-gram-based watermarking cannot remain robust under a single, intuitive, and experimentally verified assumption: distribution consistency. This assumption suggests that the distribution of detectable N-gram features within an obfuscated code’s equivalent space remains similar to the distribution across all code.

The theoretical findings indicate that if the original false positive rate of watermarking detection is $\epsilon_{\text{pos}}$, the ratio of watermarked code that the detector fails to identify after obfuscation will increase to $1 - \epsilon_{\text{pos}}$. This effectively means the detection algorithm loses its ability to distinguish watermarked code from benign code.

To validate their theory, experiments were conducted on three state-of-the-art watermarking schemes (SWEET, WLLM, and SynthID), two large language models (LLaMA-3.1-8B-Instruct and DeepSeek-Coder-33B-Base), two programming languages (Python and JavaScript), four code benchmarks, and four different obfuscators (Python-Minifier, PyMinifier, JS Obfuscator, and UglifyJS). The results consistently showed that all watermarking detectors exhibited near coin-flipping detection abilities on obfuscated code, with AUROC (Area Under the Receiver Operating Characteristic Curve) scores tightly clustering around 0.5. This means the detection performance degraded to random guessing after obfuscation, regardless of the model, watermarking scheme, or dataset used.
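The collapse described above can be reproduced as a robustness check on a toy detector. The following is an added example, not code from the paper or from any of the named schemes: it assumes a simplified green-list bigram watermark with a keyed hash, a constructed token stream made only of identifiers, and a detection threshold of z > 4; all names in it are hypothetical.

```python
import hashlib
import math

KEY = b"demo-watermark-key"   # constructed secret standing in for the detector key
GAMMA = 0.5                   # expected green fraction in unwatermarked code
Z_THRESHOLD = 4.0             # assumed decision threshold for this demo

def is_green(prev: str, tok: str) -> bool:
    """A keyed hash of the bigram (prev, tok) decides green-list membership."""
    digest = hashlib.sha256(KEY + prev.encode() + b"\x00" + tok.encode()).digest()
    return digest[0] < 256 * GAMMA

def generate_watermarked(length: int, choices: int = 8) -> list[str]:
    """Stand-in for a biased sampler: at each step prefer a green candidate."""
    tokens = ["<s>"]
    for step in range(length):
        candidates = [f"name_{step}_{j}" for j in range(choices)]  # constructed identifiers
        green = [c for c in candidates if is_green(tokens[-1], c)]
        tokens.append(green[0] if green else candidates[0])
    return tokens

def z_score(tokens: list[str]) -> float:
    """One-proportion z-test on the number of green bigrams."""
    n = len(tokens) - 1
    hits = sum(is_green(a, b) for a, b in zip(tokens, tokens[1:]))
    return (hits - GAMMA * n) / math.sqrt(n * GAMMA * (1 - GAMMA))

def rename_identifiers(tokens: list[str]) -> list[str]:
    """Consistent renaming, as a minifier does: same structure, new surface tokens."""
    mapping: dict[str, str] = {}
    return [mapping.setdefault(t, f"_{len(mapping):x}") for t in tokens]

def detected(tokens: list[str]) -> bool:
    return z_score(tokens) > Z_THRESHOLD

def demo() -> tuple[float, float]:
    """Return the detector z-score before and after renaming."""
    original = generate_watermarked(400)
    return z_score(original), z_score(rename_identifiers(original))

if __name__ == "__main__":
    before, after = demo()
    print(f"z before renaming: {before:.2f}  after renaming: {after:.2f}")
```

Because every bigram hash changes once the surface tokens change, the renamed stream scores like unwatermarked code even though its structure is untouched.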

The study also confirmed the ‘distribution consistency’ assumption, finding it satisfied in 98.10% of cases during experiments. This strong empirical support reinforces the theoretical impossibility result. Even an ‘ideal’ watermarking scheme, designed with unrealistically high detection and quality-preserving capabilities, was shown to be vulnerable to obfuscation, with its AUROC dropping to near 0.5 after attack.


The paper acknowledges limitations, primarily that its scope is limited to N-gram-based watermarking schemes. However, given the widespread adoption and industrial deployment of these methods, the findings are highly relevant and timely. The authors suggest that future research should explore more semantically aware and transformation-resilient approaches to code watermarking to overcome these fundamental limitations. For more details, you can read the full paper here.

Nikhil Patel
https://blogs.edgentiq.com
Nikhil Patel is a tech analyst and AI news reporter who brings a practitioner's perspective to every article. With prior experience working at an AI startup, he decodes the business mechanics behind product innovations, funding trends, and partnerships in the GenAI space. Nikhil's insights are sharp, forward-looking, and trusted by insiders and newcomers alike. You can reach him at: [email protected]
