Remotely Detectable Robot Policy Watermarking
Michael Amir, Manon Flageat, Amanda Prorok
Published on arXiv
2512.15379
Model Theft
OWASP ML Top 10 — ML05
Key Finding
CoNoCo achieves strong, robust ownership verification of robot policies using purely remote observations (video and motion capture) without degrading policy performance, validated in simulation and real-world experiments.
CoNoCo (Colored Noise Coherency)
Novel technique introduced
The success of machine learning for real-world robotic systems has created a new form of intellectual property: the trained policy. This raises a critical need for novel methods that verify ownership and detect unauthorized, possibly unsafe misuse. While watermarking is established in other domains, physical policies present a unique challenge: remote detection. Existing methods assume access to the robot's internal state, but auditors are often limited to external observations (e.g., video footage). This "Physical Observation Gap" means the watermark must be detected from signals that are noisy, asynchronous, and filtered by unknown system dynamics. We formalize this challenge using the concept of a glimpse sequence, and introduce Colored Noise Coherency (CoNoCo), the first watermarking strategy designed for remote detection. CoNoCo embeds a spectral signal into the robot's motions by leveraging the policy's inherent stochasticity. To show it does not degrade performance, we prove CoNoCo preserves the marginal action distribution. Our experiments demonstrate strong, robust detection across various remote modalities, including motion capture and side-way/top-down video footage, in both simulated and real-world robot experiments. This work provides a necessary step toward protecting intellectual property in robotics, offering the first method for validating the provenance of physical policies non-invasively, using purely remote observations.
Key Contributions
- Formalizes the 'Physical Observation Gap' challenge — the constraint that auditors can only observe robot behavior remotely (e.g., via video) rather than accessing internal model states
- Introduces CoNoCo (Colored Noise Coherency), the first robot policy watermarking scheme designed for remote detection, embedding a spectral signal into policy stochasticity with a proof that the marginal action distribution is preserved
- Demonstrates robust watermark detection across motion capture and video modalities in both simulated and real-world robotic experiments
🛡️ Threat Analysis
CoNoCo embeds a spectral watermark into the policy (model) itself via its stochastic action distribution, enabling an auditor to verify ownership of a deployed/stolen robot policy from external observations — this is model IP protection through ownership watermarking, not content provenance tracking.