CSF: Black-box Fingerprinting via Compositional Semantics for Text-to-Image Models
This addresses the need for IP owners to enforce licenses in commercial API deployments where pre-deployment watermarking or internal access is unavailable, offering a novel detection mechanism.
The paper tackles the problem of detecting unauthorized use of fine-tuned text-to-image models under restrictive licenses by introducing CSF, a black-box fingerprinting method that uses compositional semantic prompts to attribute models to protected lineages, achieving controlled-risk decisions across 6 model families and 13 variants.
Text-to-image models are commercially valuable assets often distributed under restrictive licenses, but such licenses are enforceable only when violations can be detected. Existing methods require pre-deployment watermarking or internal model access, which are unavailable in commercial API deployments. We present Compositional Semantic Fingerprinting (CSF), the first black-box method for attributing fine-tuned text-to-image models to protected lineages using only query access. CSF treats models as semantic category generators and probes them with compositional underspecified prompts that remain rare under fine-tuning. This gives IP owners an asymmetric advantage: new prompt compositions can be generated after deployment, while attackers must anticipate and suppress a much broader space of fingerprints. Across 6 model families (FLUX, Kandinsky, SD1.5/2.1/3.0/XL) and 13 fine-tuned variants, our Bayesian attribution framework enables controlled-risk lineage decisions, with all variants satisfying the dominance criterion.