iSeal: Encrypted Fingerprinting for Reliable LLM Ownership Verification
It addresses a critical security gap for LLM owners by enabling reliable intellectual property protection against verification-time attacks, though it is incremental as it builds on existing fingerprinting paradigms.
The paper tackles the problem of verifying ownership of large language models (LLMs) when attackers control the inference process, proposing iSeal, a fingerprinting method that achieves 100% Fingerprint Success Rate on 12 LLMs against over 10 attacks, while baselines fail under unlearning and response manipulations.
Given the high cost of large language model (LLM) training from scratch, safeguarding LLM intellectual property (IP) has become increasingly crucial. As the standard paradigm for IP ownership verification, LLM fingerprinting thus plays a vital role in addressing this challenge. Existing LLM fingerprinting methods verify ownership by extracting or injecting model-specific features. However, they overlook potential attacks during the verification process, leaving them ineffective when the model thief fully controls the LLM's inference process. In such settings, attackers may share prompt-response pairs to enable fingerprint unlearning or manipulate outputs to evade exact-match verification. We propose iSeal, the first fingerprinting method designed for reliable verification when the model thief controls the suspected LLM in an end-to-end manner. It injects unique features into both the model and an external module, reinforced by an error-correction mechanism and a similarity-based verification strategy. These components are resistant to verification-time attacks, including collusion-based fingerprint unlearning and response manipulation, backed by both theoretical analysis and empirical results. iSeal achieves 100 percent Fingerprint Success Rate (FSR) on 12 LLMs against more than 10 attacks, while baselines fail under unlearning and response manipulations.