Accurate Weight-Matrix Fingerprint Identifies Large Language Models Trained from Scratch or Derived from Existing Bases

Protecting the considerable investment in large language models demands effective methods for verifying their origins, determining whether a model is newly trained or derived from existing work. Boyi Zeng, Lin Chen, Ziwei He, and Xinbing Wang, from Shanghai Jiao Tong University, alongside Zhouhan Lin from both Shanghai Jiao Tong University and the Shanghai Innovation Institute, now present a training-free fingerprinting technique that addresses this critical need. Their approach focuses on analysing weight matrices within the model, employing a sophisticated combination of mathematical techniques to overcome the challenges posed by common post-training modifications, such as fine-tuning and reinforcement learning. The team demonstrates exceptional robustness and accuracy on a large test set of models, achieving near-zero false positives and perfect scores across all classification metrics, while completing the entire process rapidly on standard hardware. This achievement establishes a strong foundation for reliable verification of model lineage and safeguards intellectual property in the rapidly evolving field of artificial intelligence.

It is crucial to determine whether a large language model (LLM) is trained from scratch or derived from an existing base model, given the substantial resources required for their training. Consequently, there is an urgent need for both model owners and third parties to establish this provenance. However, the intensive post-training processes that models typically undergo pose significant challenges to reliable identification. The core idea is that subtle alterations to the input, achieved through specific matrix transformations, can bypass defenses and affect the model’s behavior. The authors also propose defense mechanisms to mitigate these attacks, including input sanitization, adversarial training, and output monitoring. The attack, termed Attacking with Weight Manipulation (AWM), can extract sensitive information and control the model’s output. This research is significant for several reasons: it introduces a new and potentially dangerous attack vector against LLMs, has practical implications for applications such as chatbots and content generation, proposes defense mechanisms that could improve the security of LLMs, and underscores the importance of considering input-based vulnerabilities in LLM security.

LLM Provenance Revealed Through Weight Fingerprinting

This work presents a novel method for reliably identifying whether a large language model (LLM) was created from scratch or derived from an existing base model. Researchers developed a training-free fingerprinting technique based on analyzing weight matrices, achieving exceptional robustness against post-training manipulations. Experiments on a comprehensive testbed of models demonstrate exceptional performance, achieving perfect scores on all classification metrics while maintaining a near-zero risk of false positives. The method is computationally efficient, completing analysis within 30 seconds on standard hardware. Recognizing the challenge posed by extensive post-training modifications, the team developed a training-free fingerprinting technique based on analyzing weight matrices within the models. Evaluations on a comprehensive testbed of models demonstrated exceptional performance, achieving perfect scores on all classification metrics while maintaining a near-zero risk of false positives. The method is computationally efficient, completing analysis within 30 seconds on standard hardware.