{"id":"https://openalex.org/W7128515456","doi":"https://doi.org/10.48550/arxiv.2602.08401","title":"On Protecting Agentic Systems' Intellectual Property via Watermarking","display_name":"On Protecting Agentic Systems' Intellectual Property via Watermarking","publication_year":2026,"publication_date":"2026-02-09","ids":{"openalex":"https://openalex.org/W7128515456","doi":"https://doi.org/10.48550/arxiv.2602.08401"},"language":null,"primary_location":{"id":"pmh:doi:10.48550/arxiv.2602.08401","is_oa":true,"landing_page_url":null,"pdf_url":null,"source":{"id":"https://openalex.org/S4406922384","display_name":"Open MIND","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"Article"},"type":"preprint","indexed_in":["datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":null,"any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5125579600","display_name":"Liwen Wang","orcid":null},"institutions":[],"countries":[],"is_corresponding":true,"raw_author_name":"Wang, Liwen","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5125479351","display_name":"Zongjie Li","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Li, Zongjie","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5125522282","display_name":"Yuchong Xie","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Xie, Yuchong","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5125554988","display_name":"Shuai Wang","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Wang, Shuai","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5048358055","display_name":"Dongdong She","orcid":"https://orcid.org/0000-0001-6655-0468"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"She, Dongdong","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5125502984","display_name":"Wei (Vivian) Wang","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Wang, Wei","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5116577611","display_name":"Juergen Rahmel","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Rahmel, Juergen","raw_affiliation_strings":[],"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":7,"corresponding_author_ids":["https://openalex.org/A5125579600"],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.9535999894142151,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.9535999894142151,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12122","display_name":"Physical Unclonable Functions (PUFs) and Hardware Security","score":0.006899999920278788,"subfield":{"id":"https://openalex.org/subfields/1708","display_name":"Hardware and Architecture"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.006200000178068876,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/digital-watermarking","display_name":"Digital watermarking","score":0.7993000149726868},{"id":"https://openalex.org/keywords/watermark","display_name":"Watermark","score":0.6545000076293945},{"id":"https://openalex.org/keywords/intellectual-property","display_name":"Intellectual property","score":0.5328999757766724},{"id":"https://openalex.org/keywords/exploit","display_name":"Exploit","score":0.5145999789237976},{"id":"https://openalex.org/keywords/action","display_name":"Action (physics)","score":0.5047000050544739},{"id":"https://openalex.org/keywords/property","display_name":"Property (philosophy)","score":0.49459999799728394},{"id":"https://openalex.org/keywords/pipeline","display_name":"Pipeline (software)","score":0.44760000705718994},{"id":"https://openalex.org/keywords/domain","display_name":"Domain (mathematical analysis)","score":0.4456999897956848},{"id":"https://openalex.org/keywords/imitation","display_name":"Imitation","score":0.44350001215934753}],"concepts":[{"id":"https://openalex.org/C150817343","wikidata":"https://www.wikidata.org/wiki/Q875932","display_name":"Digital watermarking","level":3,"score":0.7993000149726868},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.6687999963760376},{"id":"https://openalex.org/C164112704","wikidata":"https://www.wikidata.org/wiki/Q7974348","display_name":"Watermark","level":3,"score":0.6545000076293945},{"id":"https://openalex.org/C34974158","wikidata":"https://www.wikidata.org/wiki/Q131257","display_name":"Intellectual property","level":2,"score":0.5328999757766724},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.5239999890327454},{"id":"https://openalex.org/C165696696","wikidata":"https://www.wikidata.org/wiki/Q11287","display_name":"Exploit","level":2,"score":0.5145999789237976},{"id":"https://openalex.org/C2780791683","wikidata":"https://www.wikidata.org/wiki/Q846785","display_name":"Action (physics)","level":2,"score":0.5047000050544739},{"id":"https://openalex.org/C189950617","wikidata":"https://www.wikidata.org/wiki/Q937228","display_name":"Property (philosophy)","level":2,"score":0.49459999799728394},{"id":"https://openalex.org/C43521106","wikidata":"https://www.wikidata.org/wiki/Q2165493","display_name":"Pipeline (software)","level":2,"score":0.44760000705718994},{"id":"https://openalex.org/C36503486","wikidata":"https://www.wikidata.org/wiki/Q11235244","display_name":"Domain (mathematical analysis)","level":2,"score":0.4456999897956848},{"id":"https://openalex.org/C126388530","wikidata":"https://www.wikidata.org/wiki/Q1131737","display_name":"Imitation","level":2,"score":0.44350001215934753},{"id":"https://openalex.org/C2780069185","wikidata":"https://www.wikidata.org/wiki/Q7977945","display_name":"Equivalence (formal languages)","level":2,"score":0.429500013589859},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.41659998893737793},{"id":"https://openalex.org/C13662910","wikidata":"https://www.wikidata.org/wiki/Q193139","display_name":"Trajectory","level":2,"score":0.3553999960422516},{"id":"https://openalex.org/C2780713532","wikidata":"https://www.wikidata.org/wiki/Q93158","display_name":"Edge of chaos","level":2,"score":0.3499000072479248},{"id":"https://openalex.org/C63479239","wikidata":"https://www.wikidata.org/wiki/Q7353546","display_name":"Robustness (evolution)","level":3,"score":0.31709998846054077},{"id":"https://openalex.org/C108801101","wikidata":"https://www.wikidata.org/wiki/Q15032","display_name":"Steganography","level":3,"score":0.31690001487731934},{"id":"https://openalex.org/C184337299","wikidata":"https://www.wikidata.org/wiki/Q1437428","display_name":"Semantics (computer science)","level":2,"score":0.3118000030517578},{"id":"https://openalex.org/C2778562939","wikidata":"https://www.wikidata.org/wiki/Q1298791","display_name":"Synchronization (alternating current)","level":3,"score":0.2989000082015991},{"id":"https://openalex.org/C107457646","wikidata":"https://www.wikidata.org/wiki/Q207434","display_name":"Human\u2013computer interaction","level":1,"score":0.29159998893737793},{"id":"https://openalex.org/C76178495","wikidata":"https://www.wikidata.org/wiki/Q4808784","display_name":"Asset (computer security)","level":2,"score":0.28610000014305115},{"id":"https://openalex.org/C119857082","wikidata":"https://www.wikidata.org/wiki/Q2539","display_name":"Machine learning","level":1,"score":0.2824000120162964},{"id":"https://openalex.org/C80444323","wikidata":"https://www.wikidata.org/wiki/Q2878974","display_name":"Theoretical computer science","level":1,"score":0.28060001134872437},{"id":"https://openalex.org/C85847156","wikidata":"https://www.wikidata.org/wiki/Q59015987","display_name":"Verifiable secret sharing","level":3,"score":0.27970001101493835},{"id":"https://openalex.org/C207685749","wikidata":"https://www.wikidata.org/wiki/Q2088941","display_name":"Domain knowledge","level":2,"score":0.272599995136261},{"id":"https://openalex.org/C2780581891","wikidata":"https://www.wikidata.org/wiki/Q15738686","display_name":"Copy protection","level":4,"score":0.2718000113964081},{"id":"https://openalex.org/C3073032","wikidata":"https://www.wikidata.org/wiki/Q15912075","display_name":"Information hiding","level":3,"score":0.26969999074935913},{"id":"https://openalex.org/C2780023022","wikidata":"https://www.wikidata.org/wiki/Q1338171","display_name":"Compensation (psychology)","level":2,"score":0.26260000467300415},{"id":"https://openalex.org/C157657479","wikidata":"https://www.wikidata.org/wiki/Q2367247","display_name":"Closed captioning","level":3,"score":0.2599000036716461},{"id":"https://openalex.org/C114289077","wikidata":"https://www.wikidata.org/wiki/Q3284399","display_name":"Statistical model","level":2,"score":0.25920000672340393}],"mesh":[],"locations_count":2,"locations":[{"id":"pmh:doi:10.48550/arxiv.2602.08401","is_oa":true,"landing_page_url":null,"pdf_url":null,"source":{"id":"https://openalex.org/S4406922384","display_name":"Open MIND","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"Article"},{"id":"doi:10.48550/arxiv.2602.08401","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2602.08401","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article"}],"best_oa_location":{"id":"pmh:doi:10.48550/arxiv.2602.08401","is_oa":true,"landing_page_url":null,"pdf_url":null,"source":{"id":"https://openalex.org/S4406922384","display_name":"Open MIND","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"Article"},"sustainable_development_goals":[{"display_name":"Peace, Justice and strong institutions","id":"https://metadata.un.org/sdg/16","score":0.7636580467224121}],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"The":[0],"evolution":[1],"of":[2,91,101],"Large":[3],"Language":[4],"Models":[5],"(LLMs)":[6],"into":[7,116],"agentic":[8,58,84,171],"systems":[9,28,59],"that":[10,26,152,167],"perform":[11],"autonomous":[12],"reasoning":[13,68],"and":[14,136],"tool":[15,104],"use":[16],"has":[17],"created":[18],"significant":[19],"intellectual":[20],"property":[21],"(IP)":[22],"value.":[23],"We":[24,126],"demonstrate":[25,151],"these":[27],"are":[29],"highly":[30],"vulnerable":[31],"to":[32,111,124,131],"imitation":[33,42],"attacks,":[34],"where":[35],"adversaries":[36],"steal":[37],"proprietary":[38],"capabilities":[39],"by":[40,96],"training":[41],"models":[43],"on":[44,161],"victim":[45],"outputs.":[46],"Crucially,":[47],"existing":[48],"LLM":[49],"watermarking":[50,79],"techniques":[51],"fail":[52],"in":[53],"this":[54],"domain":[55],"because":[56],"real-world":[57],"often":[60],"operate":[61],"as":[62],"grey":[63],"boxes,":[64],"concealing":[65],"the":[66,77,88,99,117,179,184],"internal":[67],"traces":[69],"required":[70],"for":[71,83,143],"verification.":[72,144],"This":[73,107],"paper":[74],"presents":[75],"AGENTWM,":[76],"first":[78],"framework":[80],"designed":[81],"specifically":[82],"models.":[85],"AGENTWM":[86,110,153,168],"exploits":[87],"semantic":[89],"equivalence":[90],"action":[92,119],"sequences,":[93],"injecting":[94],"watermarks":[95,180],"subtly":[97],"biasing":[98],"distribution":[100],"functionally":[102],"identical":[103],"execution":[105],"paths.":[106],"mechanism":[108],"allows":[109],"embed":[112],"verifiable":[113],"signals":[114],"directly":[115],"visible":[118],"trajectory":[120],"while":[121],"remaining":[122],"indistinguishable":[123],"users.":[125],"develop":[127],"an":[128],"automated":[129],"pipeline":[130],"generate":[132],"robust":[133],"watermark":[134],"schemes":[135],"a":[137],"rigorous":[138],"statistical":[139],"hypothesis":[140],"testing":[141],"procedure":[142],"Extensive":[145],"evaluations":[146],"across":[147],"three":[148],"complex":[149],"domains":[150],"achieves":[154],"high":[155],"detection":[156],"accuracy":[157],"with":[158],"negligible":[159],"impact":[160],"agent":[162],"performance.":[163],"Our":[164],"results":[165],"confirm":[166],"effectively":[169],"protects":[170],"IP":[172],"against":[173],"adaptive":[174],"adversaries,":[175],"who":[176],"cannot":[177],"remove":[178],"without":[181],"severely":[182],"degrading":[183],"stolen":[185],"model's":[186],"utility.":[187]},"counts_by_year":[],"updated_date":"2026-04-04T16:13:02.066488","created_date":"2026-02-11T00:00:00"}