A Fingerprint for Large Language Models
Zhiguang Yang Hanzhou Wu
School of Communication & Information
Engineering, Shanghai University
Shanghai 200444, China
[email protected]
[email protected]
Abstract—Recent advances show that scaling a pre-trained lan-
guage model could achieve state-of-the-art performance on many
downstream tasks, prompting large language models (LLMs) to
arXiv:2407.01235v1 [cs.CR] 1 Jul 2024
become a hot research topic in the field of artificial intelligence.
However, due to the resource-intensive nature of training LLMs
from scratch, it is urgent and crucial to protect the intellectual
property of LLMs against infringement. This has motivated the
authors in this paper to propose a novel black-box fingerprinting
technique for LLMs, which requires neither model training nor
model fine-tuning. We first demonstrate that the outputs of LLMs
span a unique vector space associated with each model. We model
the problem of ownership authentication as the task of evaluating
the similarity between the victim model’s space and the output’s
space of the suspect model. To deal with this problem, we propose
two solutions, where the first solution involves verifying whether
the outputs of the suspected large model are in the same space as
those of the victim model, enabling rapid identification of model
infringement, and the second one reconstructs the union of the
vector spaces for LLM outputs and the victim model to address
situations where the victim model has undergone the Parameter-
Efficient Fine-Tuning (PEFT) attacks. Experimental results indi-
cate that the proposed technique achieves superior performance
in ownership verification and robustness against PEFT attacks.
This work reveals inherent characteristics of LLMs and provides
a promising solution for ownership verification of LLMs in black-
box scenarios, ensuring efficiency, generality and practicality.
Index Terms—Intellectual property protection, large language
model, fingerprint, security, Transformer, deep learning.
I. I NTRODUCTION
Large Language Models (LLMs) have emerged as a cor-
nerstone of modern artificial intelligence, exhibiting remark-
able performance across various natural language processing
tasks due to their capability to generate human-like texts and
comprehend human language. Despite the substantial data
samples and computational resources required to train LLMs,
numerous developers continue to advance research by open-
sourcing their models. Many organizations and researchers,
including those behind well-known models such as LlaMA,
Gemma and Mistral [1]–[4], have released their well-trained
LLMs to the public. The thriving universe of LLMs is driven
by its entirely open-source nature. However, malicious users
may exploit developed LLMs for illegal purposes such as fine-
tuning with another pre-trained model without attribution or
stealing a model and claiming it as their own asset. Therefore,
safeguarding intellectual property rights of LLMs is essential,
Corresponding author: Hanzhou Wu (contact email:
[email protected]
) tial model-related information. In black-box scenarios, LLM
School of Communication & Information
Engineering, Shanghai University
Shanghai 200444, China
not solely to maintain commercial value but also to promote
the sustainable development of the open-source community.
Numerous studies have employed digital watermarking and
fingerprinting methods to protect deep neural network (DNN)
models. Uchida et al. [5] first introduced a regularization term
to constrain the network weights for embedding watermarks.
Subsequently, scholars have proposed various methodologies
to embed watermarks into the model parameters in white-box
scenarios, where the extractor can access the entirety of model
parameters [6]–[8]. However, the challenges in accessing all
the model parameters in various scenarios has led to a focus
on black-box techniques for model watermarking. Many wa-
termarking methods utilize backdoor techniques, constructing
specific input-output mappings and observing the output of
the DNN model for verification [9]–[11]. Generative models,
particularly image processing models, often produce contents
with high entropy and sufficient information capacity to ac-
commodate additional watermark information, which remains
highly imperceptible. Wu et al. [12] introduced a watermark
framework to make the output contents of the model contain
a certain watermark. Lukas et al. [13] proposed embedding
watermarks by fine-tuning the image generator, ensuring that
all images produced are watermarked. Fernandez et al. [14]
extended it to the diffusion model. Embedding watermarks
through backdoor and fine-tuning techniques compromises the
primary functionality of the model to a certain extent and
requires significant computational resources. Song et al. [15]
distinguished different generative models based on their arti-
facts and fingerprints, which can help alleviate this problem.
The emergence of superior reasoning capabilities in LLMs
which require significant computational overhead, poses new
challenges for their protection. Xu et al. [16] specified a
confidential private key and embedded it as an instructional
backdoor, serving as a fingerprint. Zeng et al. [17] utilized
the internal parameters in Transformer [18] as a fingerprint to
identify the LLMs. Existing methods typically require white-
box access or fine-tuning to verify the copyright information.
In contrast, our proposed fingerprinting method can be imple-
mented in a black-box scenario without any fine-tuning.
We present a novel fingerprinting method for LLMs that
analyzes the output of the LLMs for model authentication.
LLMs generate semantically coherent and reasonable texts
by sampling from logits, which themselves contain substan-
providers often offer complete or partial logits vectors, en-
abling users to apply various sampling methods to generate
realistic contents. Carlini et al. [19] demonstrated the ability
to extract portions of a model solely through API access.
We implement LLM fingerprinting from a novel perspective,
identifying unique attributes of each LLM by analyzing their
logits output. Previous works have shown that the output of
LLMs resides in a linear subspace defined by their parame-
ters [20]–[22]. We retain the parameters of the victim model,
specifically the last linear layer. By querying the suspect model
and obtaining its output, we use the retained parameters to
determine the unique attribution of the suspect model. We
identify ownership authentication as comparing the similarity
between the victim model’s vector space and the suspect
model’s output space. We initially propose a method to swiftly
ascertain whether the output originates from the victim model
by determining its compatibility with the vector space formed
by the retained parameters. To address scenarios involving
Parameter-Efficient Fine-Tuning (PEFT) attacks, we develop
an alignment-verification method to determine if the suspect
model was derived through PEFT by comparing similarities.
Furthermore, through API access, we are able to reconstruct
complete logits from partial ones to verify ownership. Our
method enables ownership verification in black-box scenar-
ios solely through API access and does not depend on the
specific structure of LLMs. This ensures generalizability and
provides an effective and promising approach for copyright
protection of LLMs. Our experiments demonstrate that the
proposed method achieves supervisor verification performance
and robustness against PEFT attacks, without any compromise
in model functionality.
In summary, the main contributions of this work include:
• By analyzing the characteristics of LLMs from a novel
perspective, we demonstrate that their outputs can serve
as fingerprints for ownership verification.
• We propose two distinct methods for implementing own-
ership verification of LLMs: one quickly determines
whether the output originates from the victim model, and
the other verifies whether the suspected model has been
subjected to a PEFT attack from the victim model.
• We present a method to recover complete information for
fingerprint verification by obtaining partial logits through
API access.
The remainder of this paper is organized as follows: Section
II provides an overview of fingerprinting, PEFT and the threat
model. Section III explains the LLM fingerprinting method. In
Section IV, we detail the two proposed ownership verification
methods, followed by our experimental results and analysis in
Section V. Finally, we conclude this paper in Section VI.
II. P RELIMINARIES
A. Fingerprinting
The model provider releases the model Mθ , including its
complete structure and parameters. Once a model is released, it
may be stolen by malicious users who may either directly steal
it or fine-tune it and claim ownership. We protect the legitimate
rights of the model publisher by analyzing distinctive features
found in the parameters or output of the model as fingerprints.
In this study, we utilize the output of LLMs as fingerprints for
model verification.
B. Parameter-Efficient Fine-Tuning
Training or fine-tuning DNNs based on pre-training requires
substantial resources, particularly for LLMs, which demand
significant GPU memory. Recent research focuses on efficient
fine-tuning methods that achieve optimization with fewer
parameters [23]–[25]. Parameter-Efficient Fine-Tuning (PEFT)
is used to fine-tune a model with minimal parameters. Low-
Rank Adaptation (LoRA) [24] has become the de facto method
for PEFT, serving as the foundation for many other approaches
such as [25], [26]. In LoRA, the weight matrix WO is updated
by the formula WN = WO +∆W = WO +AB. During training,
WO remains fixed, while the two matrices A and B encompass
the least trainable parameters. This study uses LoRA to mimic
the PEFT attack.
C. Threat Model
Our threat model includes a defender, known as the model
provider, and an adversary who controls a malicious user. The
adversary’s goal is to steal the model and claim ownership.
We assume the adversary can fine-tune the model using PEFT
attacks like LoRA [24] to evade detection. The defender, with
access to their own model’s parameters and the last linear layer
as a fingerprint, aims to verify ownership through API access
to the suspect model.
III. LLM F INGERPRINT
A. LLM Outputs Span A Vector Space
The transformer architecture has already become the base
of numerous models due to its exceptional performance across
a variety of tasks. LLMs are transformer-based models, with
their pipeline presented in Fig. 1. The input text is tokenized
and converted into word embeddings e, with the embedding
layer represented as a matrix of size |V| × h, where |V| is the
vocabulary size and h is the hidden size. The vocabulary size
is significantly larger than the hidden size. The embeddings
are processed by the transformer block with multiple layers,
each containing a multi-head self-attention mechanism and a
feed-forward layer, to calculate the intrinsic representation of
the input and produce the intermediate representation z. The
last linear layer maps z to logits s ∈ R|V| . The output of
LLMs is generated by sampling from the logits s. For clarity,
this analysis excludes Layer Normalization [27] and RMS
Normalization [28], as they primarily introduce additional
multiplication terms, which do not affect the conclusions.
Fig. 1. The illustration of the LLMs pipeline.
 It is worth noting that the logits s = Wz, where W ∈ R|V|×h
is the weight matrix of the last linear layer and the rank of W
is at most h. Every output produced by W is corresponding
to a vector s that will always lie within a subspace of R|V| ,
spanned by the columns of W, which is at most h-dimensional.
All possible outputs of the LLM logits will span a vector space
L isomorphic to the space spanned by the columns of W, since
they have the same dimensionality. Consequently, each LLM
is associated with a distinctive vector space L. This uniqueness
arises because the vector space R|V| encompasses an exceed-
ingly large number of potential subspaces for any subspace of
dimension h. For example, in the case of Gemma [3], with
h = 2048 and |V| = 256000, the number of subspaces is
extremely large. Due to variations in training initialization,
datasets, configurations and hardware, it is impossible for two
different LLMs to cover the same vector space. This property
allows us to use it as a fingerprint for LLMs and identify
their ownership. The model providers only need to retain the
parameters of the last linear layer in the model. Accessing the
API of the suspected model enables them to retrieve the logits,
thereby verifying the ownership.
B. Vector Space Reconstruction via API
We already demonstrated that the logits outputs from LLMs
span a vector space denoted as L, which we then utilized as the
fingerprint. Obtaining the full logits of a model is not always
feasible, as attackers aim to disclose minimal information to
evade detection by the victim. In this section, we investigate
a practical scenario in which our approach reconstructs the
vector space for fingerprint verification and only relies on
API access, enabling the retrieval of complete vocabulary
probabilities, top-k probabilities, or the top-1 probability.
1) Complete probabilities of the vocabulary: The API
provides the complete probabilities p over the vocabulary.
Probabilities p = softmax(s), all the elements of which are
non-negative and have a sum that is equal to 1. It means
that p is a point in the simplex ∆|V|−1 , which lies within a
|V| − 1 dimensional subspace of R|V| . Additionally, p is also
constrained by s. Due to normalization, the softmax function
does not have a well-defined inverse transformation. However,
if we omit it temporarily, and use the CLR (centered log-
ratio) transformation, we can obtain p′ that differs from the
original p by a constant bias. From the perspective of spatial
dimensions, this will introduce a one-dimensional deviation.
We can manually do one-dimensional correction and will not
affect the results, as h and |V| are both significantly greater
than 1. Therefore, we directly reconstruct the vector space P ′
spanned by p′ . The value of p′ is computed using Equation (1),
where g(·) represents the geometric mean of the input.

p
 A. Overview
′
p = CLR(p) = log (1)
g(p)
2) Top-k probabilities: The API provides the top-k prob-
abilities, which are the k largest elements of p. In this
scenario, we assume that the provider allows the user to alter
token probabilities using logit bias through the API. This is
reasonable and commonly in practice. For example, OpenAI
includes it in their API1 . The bias is added to the specific logits
of the tokens before the softmax operation, the API returns the
top-k probabilities. Without loss of generality, we assume that
1, 2, . . . , m is the indices of the selected tokens, and the biased
probabilities distribution pb is calculated by Equation (2).
(
b b si + b i ∈ {1, . . . , m}
p = softmax(s ), where sbi = (2)
si otherwise
To address this scenario, we propose a method to recover
the complete probabilities p. For a given prompt to the model,
we can obtain the top-k probabilities. Suppose the reference
token has the highest probability without bias, denoted as the
reference probability pref . We then add a large bias b to the
other k − 1 tokens, pushing them into the top-k. This gives
us the biased probabilities pbi for the k − 1 tokens and the
biased probability pbref for the reference token. Finally, we can
calculate the unbiased probabilities pi for the k − 1 tokens
using Equation (3). Complete probabilities p can be obtained
by querying the model with the same prompt and adding the
bias b to all tokens in the vocabulary.
pbi
pi = × pref (3)
pbref
3) Top-1 probability: The API yields the highest probability
for a single output, akin to the top-k probabilities, with k
specifically set to 1. In this scenario, we present a method to
recover the complete probabilities p. Suppose we introduce
a substantial bias b to token i, thereby elevating it to the
top position, resulting in the biased probability pbi . We can
calculate the unbiased probability pi for token i using Equation
(4). Then, we can obtain the complete probabilities p by
querying the model with the same prompt and adding the bias
b to all tokens in the vocabulary.
1
pi = b (4)
eb−log pi
− eb + 1
It is noteworthy that theoretically, this method can poten-
tially recover the unbiased probability in the top-k scenario,
albeit demanding a significantly higher number of queries.
However, practical application is impeded by the presence of
exponential operations, which may induce numerical instabil-
ity, consequently impacting subsequent results. In contrast, the
method outlined in Section III-B2 solely involves proportional
operations, thus significantly mitigating issues stemming from
numerical instability.
IV. OWNERSHIP V ERIFICATION
The framework of ownership verification is illustrated in
Fig. 2. We propose two distinct methods to verify the owner-
ship of LLMs. The first method involves verifying whether the
1 https://help.openai.com/en/articles/5247780-using-logit-bias-to-alter-
token-probability-with-the-openai-api

Fig. 2. The framework of ownership verification.
outputs of the suspected model occupy the same space as those
of the victim model. This means that the suspected model and
the victim model share the same last linear layer, facilitating
the rapid identification of model infringement. Once the model
has been fine-tuned, indicating that the parameters of the
last linear layer have been altered, i.e., changes occur in the
vector space, making verification impossible. Therefore, we
introduce an alignment verification method to resolve this
challenge. This method calculates the joint space dimension
formed by the output vector space of the suspected model
and the parameter space of the victim model. Infringement is
determined by comparing the similarity of these two spaces.
B. Compatibility Testing
As demonstrated in Section III-A, the outputs of LLMs
span a vector space L isomorphic to the space spanned by the
columns of the last linear layer W. To simplify the expression,
we slightly abuse the notation by using L to represent the space
by the columns of the last linear layer W in the following
discussion. We retain the last linear layer of LLMs as private,
serving as the fingerprint of the victim model. The suspected
model is queried through the API to obtain its logits output s.
For a suspected model which is stolen from the victim model
and the last linear layer does alter, the output s will lie within
the vector space L. We can verify this by solving equation
Wx = s to determine whether s lies within the space L. If the
equation has a solution, the suspected model is considered to
be derived from the victim model. However, due to numerical
instability introduced by floating-point calculations, we instead
calculate the Euclidean distance d between s and the space L
to determine whether the suspected model is derived from the
victim model. The d is calculated by Equation (5), where x̂ is
the solution of the equation Wx = s.
d = ∥s − Wx̂∥ (5)
We set an error term e to represent the error introduced
by the numerical instability. If d < e, this implies that s is
compatible with the space L, suggesting that the suspected
model is derived from the victim model. If we only have access
to probabilities p and recover p′ using the method described
in Section III-B, we manually correct the one-dimensional
deviation by appending a constant column vector to W and
obtain W′ as shown in Equation (6).
W′ = [W, 1] (6)
′
We then use W instead of W to verify the ownership using
the same method described above.
C. Alignment Verification
In PEFT attacks, the suspect model has undergone fine-
tuning, altered its last linear layer. The attack changes the
victim model’s vector space L, preventing ownership verifica-
tion by the method described in Section IV-B. As in manifold
hypothesis, high-dimensional data can be compressed into a
low-dimensional latent space, and different tasks are governed
by distinct features in that space. Therefore, when fine-tuning
for a specific task, it is assumed to impact only a portion of
the space L, not the entire space. Especially, in PEFT attacks
like LoRA, the model is fine-tuned with a low-rank matrix.
The parameters are updated by WN = WO + ∆W, where ∆W
is a matrix which rank is no more than k. If there is substantial
overlap between the output space L of the suspect model
and the space spanned by the columns of the victim model
W, it indicates that the suspect model closely resembles the
victim model and may have been derived through unauthorized
replication.
In practice, we calculate the dimension formed by the union
of the output vector space of the suspect model and the
parameter space of the victim model, denoted as Lsum . If the
dimension of Lsum is close to that of L, it indicates that the
suspect model is derived from the victim model. Otherwise,
it is not. For matrices containing numerous floating-point
numbers, directly calculating the rank is not advisable, as it
can lead to significant errors due to numerical inaccuracies.
Instead, we introduce Algorithm 1 to calculate the dimension
difference ∆r between Lsum and L.
Once ∆r is obtained, it can be used to determine if the
suspect model is derived from the victim model. If ∆r is much
less than an order of magnitude compared to the hidden size
h, which indicates that the suspect model is indeed derived
from the victim model. In probabilities access scenarios, ∆r
will only experience a numerical disturbance of one, which
will not affect our results.
V. E XPERIMENT R ESULTS AND A NALYSIS
A. Experimental Setup
We employed Gemma [3] with a hidden size of 2048 as the
victim model and fine-tuned it by LoRA [24] as attack method.
The LoRA [24] module was applied to the query, key and
value module in attention mechanism [18] or the linear module
in the last layer. The ranks of LoRA [24] were set to 16, 32
and 64. The models were fine-tuned on the Alpaca dataset [29]
and the SAMSum dataset [30] to simulate different scenarios.
Additionally, we also compared with a new version termed as
Gemma-2, which shares the same structure but under a novel
training method, leading to substantial income and completely
different outputs for the identical inputs.
Algorithm 1 Pseudocode for dimension difference calculation TABLE II
Input: W: the parameter matrix of the last linear layer in the D IMENSION DIFFERENCE RESULTS ON VARIOUS MODEL VERSIONS AND
MODELS FINE - TUNED WITH DIFFERENT MODULES AND RANKS .
victim model; M: the suspected model; Q: the query set;
N : the least number of samples; e: the error term.
Output: ∆r: the dimension difference. full top-5 top-1
probabilities probabilities probability
1: Initialize ∆r = 0, n = 0, S = ∅.
2: while n ≤ N do Gemma 1 1 1
3: Randomly sample a query q from Q Gemma-2 300 300 300
4: Get the logits outputs O = {s1 , s2 , . . . } by querying SAMSum
the suspected model M with q qkv-16 1 1 1
5: S ←S ∪O qkv-32 1 1 1
qkv-64 1 1 1
6: n = size(S) linear-16 11 11 11
7: end while linear-32 12 12 11
8: for i = 1, 2, . . . , n do linear-64 11 11 11
9: Solve Wxi = si to obtain x̂i Alpaca
10: Call Eq. (5) to determine di qkv-16 1 1 1
11: if di > e then qkv-32 1 1 1
12: ∆r = ∆r + 1 qkv-64 1 1 1
linear-16 16 16 16
13: end if linear-32 21 21 20
14: end for linear-64 22 22 21
15: return ∆r

TABLE I Table I. Each column corresponds to the results of d under dif-

C OMPATIBILITY TESTING RESULTS ON VARIOUS MODEL VERSIONS AND ferent API scenarios, while each row represents the outcomes
MODELS FINE - TUNED WITH DIFFERENT MODULES AND RANKS .
for different models. In the table, ‘qkv’ and ‘linear’ represent
LoRA module was applied to the query, key and value module
full logits full proba- top-5 prob- top-1 in the attention mechanism or the linear module in the last
bilities abilities probability
layer, respectively, with their suffixes indicating the rank of
Gemma 8.0 × 10−5 3.4 × 10−3 3.4 × 10−3 8.3 × 10−5 LoRA. The experimental results clearly reveal that for models
Gemma-2 5.5 × 105 5.5 × 105 5.5 × 105 5.5 × 105 fine-tuned on the last layer or not, a significant difference exits
SAMSum between them and other models. This distinction is adequate
qkv-16 9.7 × 10−5 1.4 × 10−4 1.4 × 10−4 1.0 × 10−4 for ascertaining ownership, verifying the effectiveness of the
qkv-32 8.5 × 10−5 3.6 × 10−3 3.6 × 10−3 9.6 × 10−5 proposed method. It is worth to note that although this is the
qkv-64 1.1 × 10−4 9.5 × 10−4 9.5 × 10−4 9.9 × 10−5 average results, this consistency will hold even with only a
linear-16 7.3 × 105 7.2 × 105 7.2 × 105 7.2 × 105
linear-32 6.9 × 105 6.8 × 105 6.8 × 105 6.9 × 105
few samples in practice, thus also enabling rapid verification.
linear-64 7.6 × 105 7.5 × 105 7.5 × 105 7.5 × 105
C. Alignment Verification Results
Alpaca
To minimize computational and time overhead, the value
qkv-16 8.3 × 10−5 5.7 × 10−4 5.7 × 10−4 8.4 × 10−4 of N was set to 300 in Algorithm 1, considering that the
qkv-32 7.0 × 10−5 2.8 × 10−3 2.8 × 10−3 8.5 × 10−5
qkv-64 6.8 × 10−5 1.6 × 10−4 1.6 × 10−4 8.1 × 10−5
value of ∆r is strictly constrained under the PEFT attacks. We
linear-16 6.8 × 105 6.7 × 105 6.7 × 105 6.7 × 105 obtained 300 complete probabilities through random queries
linear-32 6.7 × 105 6.6 × 105 6.6 × 105 6.6 × 105 and calculated results of ∆r to evaluate the effectiveness of
linear-64 6.9 × 105 6.8 × 105 6.8 × 105 6.9 × 105 the alignment verification method. We preserved the param-
eters of Gemma’s last linear layer and conducted ∆r across
various models. Table II presents the results of the dimension
difference calculation. Each row depicts the results of ∆r with
B. Compatibility Testing Results
different models using Algorithm 1, while each column shows
In the compatibility testing, we assume that malicious users the outcomes across various API scenarios. The configuration
might release their stolen model either in its original form or of PEFT attacks is the same as that in Section V-B. In the
after fine-tuning it. Fine-tuning is on the attention mechanism table, ‘qkv’ and ‘linear’ respectively denote LoRA module
in the intermediate layers or the last linear layer. We generated was applied to the query, key and value module in the attention
(or recovered) 300 complete logits (or probabilities) through mechanism or the linear module in the last layer, with their
random queries and calculated the average Euclidean distance suffixes indicating the rank of LoRA. We observe that the
d. We retained the parameters of Gemma’s last linear layer ∆r value of the Gemma and the model fine-tuned on the
and conducted verification experiments across various models. intermediate layers equals 1, which is the result of the CLR
The results of the compatibility testing method are presented in transformation. For the models fine-tuned on the last layer,
the ∆r value is close to the rank of LoRA and much less
than h, providing the evidence to ascertain that the suspected
model originates from the victim model. It is noteworthy that
models fine-tuned on the last layer exhibit approximately equal
values of ∆r despite having a larger rank, which is consistent
with the assumption of PEFT that the updated weights during
model fine-tuning have a low intrinsic rank. The intrinsic rank
is also influenced by the datasets and reflected in the values
of ∆r. Experiments show that the proposed method can verify
the copyright, despite PEFT attacks.
Furthermore, to investigate the relationship between Gemma
and Gemma-2, we obtained 3000 probability vectors of
Gemma-2 and got the value of ∆r is 2052. This result implies
that the Gemma-2 has undergone extensive fine-tuning or
training from scratch compared to Gemma and also confirms
that the uniqueness of the proposed fingerprint. Note that the
value of ∆r is not exactly the same as h due to the accuracy
of numerical calculation, but they are of the same magnitude.
VI. C ONCLUSION
In this paper, we propose a novel fingerprinting method for
LLMs that is generalized and capable of verifying fingerprint
in a black-box scenario without requiring model training or
compromising in model functionality. Specifically, we analyze
the model’s outputs and present two methods for copyright ver-
ification. First, we introduce a comprehensive testing method
to swiftly ascertain whether the suspect model is identical
to the victim model. To address scenarios involving PEFT
attacks, we also propose an alignment verification method for
copyright verification. Furthermore, we develop a reconstruc-
tion method to recover the complete information under API
access. Our empirical study shows that our proposed method
achieves supervisor verification performance and robustness
against PEFT attacks. Our proposed method also reveals in-
herent characteristics of LLMs and offers a promising solution
for advancing ownership verification of LLMs.
ACKNOWLEDGEMENT
This work was supported by the Natural Science Foundation
of China under Grant Number U23B2023.
R EFERENCES
[1] H. Touvron, T. Lavril, G. Izacard et al., “Llama: Open and efficient
foundation language models,” arXiv preprint arXiv:2302.13971, 2023.
[2] H. Touvron, L. Martin, K. Stone et al., “Llama 2: Open foundation and
fine-tuned chat models,” arXiv preprint arXiv:2307.09288, 2023.
[3] G. Team, T. Mesnard, C. Hardin et al., “Gemma: Open models based
on gemini research and technology,” arXiv preprint arXiv:2403.08295,
2024.
[4] A. Q. Jiang, A. Sablayrolles, A. Mensch et al., “Mistral 7b,” arXiv
preprint arXiv:2310.06825, 2023.
[5] Y. Uchida, Y. Nagai, S. Sakazawa et al., “Embedding watermarks into
deep neural networks,” in Proceedings of the 2017 ACM International
Conference on Multimedia Retrieval, 2017, p. 269–277.
[6] J. Wang, H. Wu, X. Zhang et al., “Watermarking in deep neural networks
via error back-propagation,” Electronic Imaging, vol. 32, pp. 1–9, 2020.
[7] B. Darvish Rouhani, H. Chen, and F. Koushanfar, “Deepsigns: An
end-to-end watermarking framework for ownership protection of deep
neural networks,” in Proceedings of the Twenty-Fourth International
Conference on Architectural Support for Programming Languages and
Operating Systems, 2019, p. 485–497.
[8] P. Fernandez, G. Couairon, T. Furon et al., “Functional invariants to
watermark large transformers,” in IEEE International Conference on
Acoustics, Speech and Signal Processing, 2024, pp. 4815–4819.
[9] Y. Adi, C. Baum, M. Cisse et al., “Turning your weakness into a
strength: Watermarking deep neural networks by backdooring,” in 27th
USENIX Security Symposium, 2018, pp. 1615–1631.
[10] X. Zhao, H. Wu, and X. Zhang, “Watermarking graph neural networks
by random graphs,” in IEEE International Symposium on Digital Foren-
sics and Security, 2021, pp. 1–6.
[11] Y. Liu, H. Wu, and X. Zhang, “Robust and imperceptible black-box
dnn watermarking based on fourier perturbation analysis and frequency
sensitivity clustering,” IEEE Transactions on Dependable and Secure
Computing, 2024.
[12] H. Wu, G. Liu, Y. Yao, and X. Zhang, “Watermarking neural networks
with watermarked images,” IEEE Transactions on Circuits and Systems
for Video Technology, vol. 31, no. 7, pp. 2591–2601, 2021.
[13] N. Lukas and F. Kerschbaum, “PTW: Pivotal tuning watermarking for
Pre-Trained image generators,” in 32nd USENIX Security Symposium,
2023, pp. 2241–2258.
[14] P. Fernandez, G. Couairon, H. Jégou et al., “The stable signature: Root-
ing watermarks in latent diffusion models,” in International Conference
on Computer Vision, 2023, pp. 22 409–22 420.
[15] H. J. Song, M. Khayatkhoei, and W. AbdAlmageed, “Manifpt: Defin-
ing and analyzing fingerprints of generative models,” arXiv preprint
arXiv:2402.10401, 2024.
[16] J. Xu, F. Wang, M. D. Ma et al., “Instructional fingerprinting of large
language models,” arXiv preprint arXiv:2401.12255, 2024.
[17] B. Zeng, C. Zhou, X. Wang et al., “Huref: Human-readable fingerprint
for large language models,” arXiv preprint arXiv:2312.04828, 2023.
[18] A. Vaswani, N. Shazeer, N. Parmar et al., “Attention is all you need,”
in Advances in Neural Information Processing Systems, vol. 30, 2017.
[19] N. Carlini, D. Paleka, K. D. Dvijotham et al., “Stealing part of a
production language model,” arXiv preprint arXiv:2403.06634, 2024.
[20] Z. Yang, Z. Dai, R. Salakhutdinov et al., “Breaking the softmax bottle-
neck: A high-rank rnn language model,” in International Conference on
Learning Representations, 2018.
[21] M. Finlayson, J. Hewitt, A. Koller et al., “Closing the curious case
of neural text degeneration,” in International Conference on Learning
Representations, 2024.
[22] M. Finlayson, S. Swayamdipta, and X. Ren, “Logits of api-protected
llms leak proprietary information,” arXiv preprint arXiv:2403.09539,
2024.
[23] N. Houlsby, A. Giurgiu, S. Jastrzebski et al., “Parameter-efficient
transfer learning for NLP,” in International Conference on Machine
Learning, vol. 97, 2019, pp. 2790–2799.
[24] E. J. Hu, Y. Shen, P. Wallis et al., “LoRA: Low-rank adaptation
of large language models,” in International Conference on Learning
Representations, 2022.
[25] T. Dettmers, A. Pagnoni, A. Holtzman et al., “Qlora: Efficient finetuning
of quantized llms,” Advances in Neural Information Processing Systems,
vol. 36, 2024.
[26] F. Meng, Z. Wang, and M. Zhang, “Pissa: Principal singular values and
singular vectors adaptation of large language models,” arXiv preprint
arXiv:2404.02948, 2024.
[27] J. L. Ba, J. R. Kiros, and G. E. Hinton, “Layer normalization,” arXiv
preprint arXiv:1607.06450, 2016.
[28] B. Zhang and R. Sennrich, “Root mean square layer normalization,” in
Advances in Neural Information Processing Systems, vol. 32, 2019.
[29] Y. Dubois, X. Li, R. Taori et al., “Alpacafarm: A simulation framework
for methods that learn from human feedback,” Advances in Neural
Information Processing Systems, vol. 36, 2024.
[30] B. Gliwa, I. Mochol, M. Biesek et al., “SAMSum corpus: A human-
annotated dialogue dataset for abstractive summarization,” in 2nd Work-
shop on New Frontiers in Summarization, 2019, pp. 70–79.