Remotely Detectable Robot Policy Watermarking

Published 17 Dec 2025 in cs.RO, cs.CR, cs.LG, and eess.SY | (2512.15379v1)

Abstract: The success of machine learning for real-world robotic systems has created a new form of intellectual property: the trained policy. This raises a critical need for novel methods that verify ownership and detect unauthorized, possibly unsafe misuse. While watermarking is established in other domains, physical policies present a unique challenge: remote detection. Existing methods assume access to the robot's internal state, but auditors are often limited to external observations (e.g., video footage). This "Physical Observation Gap" means the watermark must be detected from signals that are noisy, asynchronous, and filtered by unknown system dynamics. We formalize this challenge using the concept of a glimpse sequence, and introduce Colored Noise Coherency (CoNoCo), the first watermarking strategy designed for remote detection. CoNoCo embeds a spectral signal into the robot's motions by leveraging the policy's inherent stochasticity. To show it does not degrade performance, we prove CoNoCo preserves the marginal action distribution. Our experiments demonstrate strong, robust detection across various remote modalities, including motion capture and side-way/top-down video footage, in both simulated and real-world robot experiments. This work provides a necessary step toward protecting intellectual property in robotics, offering the first method for validating the provenance of physical policies non-invasively, using purely remote observations.

Summary

  • The paper introduces CoNoCo, a colored noise watermarking strategy that preserves the action distribution while enabling robust remote detection of robot policies.
  • It leverages spectral coherency and frequency-domain analysis to achieve near-perfect detection (ROC AUC ≈ 1.0) without degrading policy performance.
  • Experimental results across diverse robotic environments demonstrate scalable IP protection and resilience against adversarial attacks.

Remotely Detectable Robot Policy Watermarking: Technical Analysis and Implications

Motivation and Problem Formalization

The increasing sophistication and commercial relevance of machine learning-derived policies in robotics elevates the issue of intellectual property protection, especially as these policies become valuable assets deployed in real-world systems. Existing watermarking approaches are primarily designed for digital domains with white-box access (internal states, action logs), making them unsuited for robotic scenarios where only remote, noisy, and filtered observations—such as camera or motion capture data—may be available for auditing. This remote detection challenge, termed the "Physical Observation Gap," involves crucial difficulties: synchronization uncertainty, transformation via unknown physical dynamics, and severe interference and noise.

The paper formalizes this problem rigorously using a "glimpse sequence" framework, which models the limited, noisy, asynchronous access that a remote auditor has to observable robot behavior. The challenge is to design a watermarking protocol for stochastic continuous control policies that (i) preserves the marginal action distribution (thus maintaining utility and indistinguishability), and (ii) enables robust, owner-specific detection through external observations only.

Figure 1: The robot policy watermarking pipeline—from policy training and watermarking, deployment with remote observation, to external auditing using glimpses fed to a detection function.

The CoNoCo Watermarking Strategy

The authors introduce Colored Noise Coherency (CoNoCo), a frequency-domain watermarking method grounded in the injection of colored Gaussian noise (CGN) into the policy's stochastic action generation. Instead of traditional white Gaussian noise used for exploration, a band-limited colored noise signal (defined by a secret owner key and frequency band) is injected. This preserves the per-timestep action distribution due to linear normalization, as proven in Theorem 5.1. The watermark's energy is concentrated in frequencies not typically utilized by the primary policy behavior, thereby maximizing signal-to-interference-plus-noise ratio (SINR) without sacrificing robot performance.

For detection, CoNoCo leverages spectral coherency—a frequency-normalized metric invariant under linear time-invariant (LTI) filtering. This enables robust watermark extraction even when physical system dynamics transform the action signal, as the magnitude of coherency (|C_{XY}(f)|) remains maximized when the right secret key is used, irrespective of those dynamics (Theorem 5.2). Synchronization uncertainties are overcome through resampling and maximizing the detection statistic over hypothesized policy frequencies and time offsets.
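The embed-and-detect loop described above, as an added illustration that is not the authors' code: a key-seeded band-limited Gaussian signal replaces the policy's white exploration noise (normalised so each timestep still has unit variance), the actions pass through an unknown first-order low-pass plant plus sensor noise standing in for a remote glimpse, and the auditor scores the glimpse by its magnitude-squared coherence with the noise regenerated from a candidate key. The sample rate, band, plant, keys and the 0.5 Hz task motion are all constructed values, and the glimpse is assumed already synchronised (no time-offset or resampling search).

```python
import numpy as np

FS = 50.0           # control/observation rate in Hz (constructed)
BAND = (8.0, 12.0)  # secret watermark band in Hz, part of the owner's key (constructed)

def colored_noise(key, n, band=BAND, fs=FS):
    """Band-limited Gaussian noise derived from the secret key, normalised to unit
    variance so each timestep still looks like N(0, 1) exploration noise."""
    rng = np.random.default_rng(key)
    spec = np.fft.rfft(rng.standard_normal(n))
    freqs = np.fft.rfftfreq(n, d=1.0 / fs)
    spec[(freqs < band[0]) | (freqs > band[1])] = 0.0   # keep only the secret band
    noise = np.fft.irfft(spec, n)
    return (noise - noise.mean()) / noise.std()

def watermarked_actions(mu, sigma, key):
    """Swap the policy's white exploration noise for colored noise: a_t = mu_t + sigma * c_t."""
    return mu + sigma * colored_noise(key, len(mu))

def lti_observe(actions, alpha=0.3, obs_noise=0.3, seed=123):
    """Unknown plant seen by the auditor: first-order low-pass (LTI) plus sensor noise."""
    rng = np.random.default_rng(seed)
    y = np.zeros_like(actions)
    for t in range(1, len(actions)):
        y[t] = (1.0 - alpha) * y[t - 1] + alpha * actions[t]
    return y + obs_noise * rng.standard_normal(len(actions))

def coherency(x, y, seg=64, fs=FS):
    """Welch-style magnitude-squared coherence |C_XY(f)|^2 from non-overlapping segments."""
    m = len(x) // seg
    w = np.hanning(seg)
    X = np.fft.rfft(x[:m * seg].reshape(m, seg) * w, axis=1)
    Y = np.fft.rfft(y[:m * seg].reshape(m, seg) * w, axis=1)
    pxy = (np.conj(X) * Y).mean(axis=0)
    pxx = (np.abs(X) ** 2).mean(axis=0)
    pyy = (np.abs(Y) ** 2).mean(axis=0)
    return np.fft.rfftfreq(seg, d=1.0 / fs), np.abs(pxy) ** 2 / (pxx * pyy)

def detection_score(glimpse, key, band=BAND):
    """Mean coherence inside the secret band between the glimpse and key-regenerated noise."""
    f, c = coherency(colored_noise(key, len(glimpse)), glimpse)
    return float(c[(f >= band[0]) & (f <= band[1])].mean())

def run_demo(n=4096, owner_key=42, wrong_key=7):
    """Return (score with the owner's key, score with a wrong key) for one constructed glimpse."""
    t = np.arange(n) / FS
    mu = np.sin(2 * np.pi * 0.5 * t)     # slow task-driven motion, well outside the band
    glimpse = lti_observe(watermarked_actions(mu, 1.0, owner_key))
    return detection_score(glimpse, owner_key), detection_score(glimpse, wrong_key)
```

Calling `run_demo()` gives a high in-band coherence for the owner's key and a near-zero one for the wrong key, even though the low-pass plant attenuates and phase-shifts the band; the score is driven by in-band SINR, which is why the wrong key is indistinguishable from no watermark.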

Experimental Design and Modalities

The benchmark suite covers a range of environments (navigation, joint actuation) and detection scenarios: direct access (ground-truth actions), onboard physical sensors, and fully remote modalities (motion capture and single-view camera estimation). Policy training is decoupled from watermarking (post-PPO training), enabling fair comparison of watermarking strategies.

Figure 2: Experimental setup highlighting the range of glimpse modalities and robotic control tasks (navigation, force/torque control, and multi-joint actuation).

Baseline methods adapted from prior art include multi-sine wave (spread spectrum), pseudo-random correlation, and a continuous analogue of SynthID (“Tournament-based”)—each of which preserves marginal action distributions and employs synchronization maximization for remote detection.

Quantitative Results and Robustness Analysis

CoNoCo demonstrates strong quantitative performance across all metrics: detectability, anonymity, and reward preservation. Notably, it is the only method that maintains both high detectability and anonymity; multi-sine wave achieves detectability but fails anonymity, whereas correlation-based and tournament-based approaches do not exhibit robust remote detection.

Figure 3: On the RoboMaster platform: (A) Example trajectories, (B) Detectability via ROC curves, (C) Anonymity (1 - ROC AUC with wrong key), and (D) Distribution of policy rewards for watermarked vs. original policies.

Across simulated and real robots, including velocity and force/torque controlled environments, CoNoCo achieves near-perfect ROC AUC detectability (approximately 1.0 with modest glimpse sequence lengths) without degrading policy reward distributions. Multi-dimensional averaging and band selection are shown to mitigate the impact of non-LTI dynamics and spectral smearing. Sensitivity studies reveal robustness to glimpse length, sequence dropouts, time-jitter, and projection angle deviations in remote sensing.

Figure 4: ROC, anonymity, and reward preservation across increasingly complex force/torque control benchmarks and glimpse types, supporting the generality of CoNoCo.

Figure 5: CoNoCo detectability saturates at ROC AUC~1.0 with glimpse lengths above 1000 timesteps in multiple environments.

Extensive adversarial analysis demonstrates CoNoCo's resilience: additive noise attacks degrade detectability only at noise levels that also cripple policy utility; band-stop filtering cannot remove the watermark without severe distortion to policy behavior; and structured jamming is mathematically futile without knowledge of the secret key (the sum power of independent CGN and jammer always increases). Policy distillation may, in principle, remove the watermark, but the practical data and performance cost for real-world policies renders this approach unattractive.

Figure 6: CoNoCo detection remains robust under additive noise, only failing as reward drops precipitously.

Figure 7: Band-stop filtering can destroy watermark detection but does so at the cost of major policy distortion.

Figure 8: Power spectral density analysis: structured jamming signal cannot cancel the watermark without the secret seed, confirming theoretical security.

Theoretical Contributions and Limitations

Theoretical results guarantee preservation of the action distribution under CGN watermarking and formalize the invariance of spectral coherency under linear dynamics. Detection score is directly characterized by SINR, linking robustness to policy exploration amplitude and choice of watermark frequency band.

Limitations chiefly relate to the quality and reliability of remote glimpses: occlusions, variable camera coverage, and extreme non-linear or time-varying dynamics present detection challenges outside the current practical scope, requiring further advances in computer vision for real-world deployment. CoNoCo relies on policy stochasticity; extending these principles to deterministic policies or policies with low exploration remains an open avenue.

Implications and Future Research

CoNoCo establishes a feasible paradigm for non-invasive, scalable, and robust auditing of robot policy provenance using only external sensors. This is particularly pertinent for regulatory safety compliance and forensic accountability post-incident, where onboard logs may be unavailable or compromised. The method enables policy-level IP protection and opens the door to trustworthy deployment of ML-driven robotic systems at scale.

Future work should address seamless integration with advanced visual tracking, adaptation to deterministic or hybrid control policies, and robust detection under occluded or multi-agent scenarios. Further research on cross-policy distillation attacks is necessary to fully characterize adversarial limitations.

Conclusion

Remotely Detectable Robot Policy Watermarking via Colored Noise Coherency offers a robust framework for IP protection and non-invasive auditing in robotics. The protocol achieves strong detectability and anonymity without impacting policy performance, remaining resilient against practical and theoretical adversarial manipulations. Given its applicability across diverse robotic modalities and its rigorous theoretical underpinnings, CoNoCo represents a technically significant advancement for AI-powered physical systems, with critical implications for security, provenance, and regulatory compliance.