A Watermark for Vision-Language-Action and World Action Models

📄 arXiv: 2606.23574v1 📥 PDF

作者: Yule Liu, Shuai Liu, Jiaheng Wei, Xinlei He

分类: cs.CR, cs.RO

发布日期: 2026-06-22


💡 一句话要点

提出关键潜在来源验证方法以保护VLA和WAM模型的知识产权

🎯 匹配领域: 支柱二:RL算法与架构 (RL & Architecture) 支柱九:具身大模型 (Embodied Foundation Models)

关键词: 知识产权保护 视觉-语言-行动模型 世界行动模型 高斯噪声 指纹化技术 机器人控制 梯度优化 模型验证

📋 核心要点

  1. 现有的VLA和WAM模型在作为黑箱服务部署时,知识产权保护面临挑战,容易被对手复制或篡改。
  2. 提出的关键潜在来源验证方法通过对高斯噪声种子进行指纹化,确保模型输出在统计上保持一致,防止对手检测。
  3. 实验结果显示,该方法在两个代表性模型上均能可靠检测指纹,并在多种攻击下保持可检测性,任务性能几乎不变。

📝 摘要(中文)

视觉-语言-行动(VLA)模型和世界行动模型(WAM)是推动通用机器人控制的生成模型,能够将原始摄像头输入直接转化为运动指令。由于这些模型的训练需要专有数据和大量计算资源,因此其部署模型本身成为了有价值的知识产权。为了解决这一问题,本文提出了关键潜在来源验证方法,通过在生成前对高斯噪声向量的种子进行指纹化,确保模型的输出在统计上与普通运行相同,从而防止对手检测或移除指纹。在验证阶段,所有者通过授权访问运行可疑模型,记录机器人执行的动作通道,并通过梯度最大后验优化恢复种子,最终判断可疑模型是否属于所有者。

🔬 方法详解

问题定义:本文旨在解决VLA和WAM模型在作为黑箱服务时的知识产权保护问题。现有方法在防止模型被复制或篡改方面存在不足,容易被对手识别和攻击。

核心思路:提出的关键潜在来源验证方法通过对生成前的高斯噪声种子进行指纹化,确保模型的输出在统计上与普通运行无异,从而避免对手的检测和干扰。

技术框架:该方法分为两个主要阶段:注入阶段和验证阶段。在注入阶段,所有者将普通噪声种子替换为带有密钥的种子;在验证阶段,所有者通过授权访问可疑模型,记录输出并恢复种子。

关键创新:最重要的创新在于通过种子指纹化实现了模型的知识产权保护,与现有方法相比,避免了直接在模型输出中嵌入可识别的信号。

关键设计:在设计中,采用了梯度最大后验优化(MAP)来恢复种子,并通过密钥评分每次输出,最终聚合得出模型归属的决策。

🖼️ 关键图片

fig_0
fig_1
fig_2

📊 实验亮点

实验结果表明,该方法在两个不同的机器人模型上均能可靠检测指纹,且在输出侧移除攻击和权重级别编辑下仍保持可检测性。指纹检测的准确性高,且对任务性能影响微乎其微,展示了该方法的有效性和鲁棒性。

🎯 应用场景

该研究具有广泛的应用潜力,尤其是在机器人控制和智能系统领域。通过有效保护模型的知识产权,可以促进更多企业和研究机构在VLA和WAM模型上的投资与创新,推动智能机器人技术的发展与应用。

📄 摘要(原文)

Vision-language-action (VLA) models and world-action models (WAM) are the generative models now driving general-purpose robot control, turning raw camera input directly into motor commands. They are increasingly deployed as black-box services, where a partner runs the policy through an interface while the owner keeps the weights private. Training such a model takes proprietary data and heavy computational power, making the deployed model itself a valuable intellectual property. To address this, we propose the \emph{keyed latent-provenance verification} method, which fingerprints the policy through the seed of the Gaussian noise vector that the models draw before generation. At the injection stage, the owner swaps this seed for a keyed one with the same distribution as ordinary noise, so the fingerprinted actions are statistically identical to those of an ordinary run and an adversary watching the output finds no signal to detect or remove. At the verification stage, the owner runs the suspect model under authorized access and records the action channels the robot executes, a partial and possibly post-processed view of the policy's output. From this view, the verifier recovers the seed by gradient-based maximum a posteriori (MAP) optimization, tests it for the secret key to score each rollout, and aggregates these scores into a single decision on whether the suspect model belongs to the owner. We evaluate the method on two representative models across two robot suites. The experiments cover detection of the fingerprint, identification of which of several keys a suspect carries, robustness to a range of attacks, and an analysis of why the design works. Across both models, the fingerprint can be detected reliably with little change to task performance, and it remains detectable under output-side removal attacks and weight-level edits.