defense 2025

iSeal: Encrypted Fingerprinting for Reliable LLM Ownership Verification

Zixun Xiong 1, Gaoyi Wu 1, Qingyang Yu 1, Mingyu Derek Ma 2, Lingfeng Yao 3, Miao Pan 3, Xiaojiang Du 1, Hao Wang 1

0 citations · 46 references · arXiv

Published on arXiv

2511.08905

Model Theft

OWASP ML Top 10 — ML05

Model Theft

OWASP LLM Top 10 — LLM10

Key Finding

Achieves 100% Fingerprint Success Rate on 12 LLMs against 10+ attacks including fingerprint unlearning and response manipulation, while all baseline methods fail under these conditions.

iSeal

Novel technique introduced


Given the high cost of large language model (LLM) training from scratch, safeguarding LLM intellectual property (IP) has become increasingly crucial. As the standard paradigm for IP ownership verification, LLM fingerprinting thus plays a vital role in addressing this challenge. Existing LLM fingerprinting methods verify ownership by extracting or injecting model-specific features. However, they overlook potential attacks during the verification process, leaving them ineffective when the model thief fully controls the LLM's inference process. In such settings, attackers may share prompt-response pairs to enable fingerprint unlearning or manipulate outputs to evade exact-match verification. We propose iSeal, the first fingerprinting method designed for reliable verification when the model thief controls the suspected LLM in an end-to-end manner. It injects unique features into both the model and an external module, reinforced by an error-correction mechanism and a similarity-based verification strategy. These components are resistant to verification-time attacks, including collusion-based fingerprint unlearning and response manipulation, backed by both theoretical analysis and empirical results. iSeal achieves 100 percent Fingerprint Success Rate (FSR) on 12 LLMs against more than 10 attacks, while baselines fail under unlearning and response manipulations.


Key Contributions

  • First LLM fingerprinting method designed for reliable ownership verification when the model thief fully controls the suspected LLM's inference process end-to-end
  • Dual-injection approach combining model-embedded features with an external module, reinforced by error-correction and similarity-based (non-exact-match) verification resistant to response manipulation
  • Theoretical and empirical resistance to 10+ attacks including collusion-based fingerprint unlearning, achieving 100% FSR across 12 LLMs where all baselines fail

🛡️ Threat Analysis

Model Theft

iSeal embeds unique fingerprint features into the model weights and an external module to verify LLM ownership, a direct defense against model theft via IP-protecting model fingerprinting. It explicitly defends against attackers who steal and redistribute LLMs.


Details

Domains
nlp
Model Types
llm
Threat Tags
black_box, training_time, inference_time
Datasets
12 LLMs (evaluated across multiple open-source models)
Applications
llm ownership verification, intellectual property protection