defense 2026

Functional Subspace Watermarking for Large Language Models

Zikang Ding 1,2, Junhao Li 3, Suling Wu 1, Junchi Yao 1,2, Hongbo Liu 1, Lijie Hu 2

1 University of Electronic Science and Technology of China

2 Mohamed bin Zayed University of Artificial Intelligence

3 South China University of Technology

0 citations
α

Published on arXiv

2603.18793

Model Theft

OWASP ML Top 10 — ML05

Model Theft

OWASP LLM Top 10 — LLM10

Key Finding

Achieves superior detection accuracy and statistical verifiability under fine-tuning, quantization, pruning, and knowledge distillation attacks, outperforming existing SOTA methods

Functional Subspace Watermarking (FSW)

Novel technique introduced

Model watermarking utilizes internal representations to protect the ownership of large language models (LLMs). However, these features inevitably undergo complex distortions during realistic model modifications such as fine-tuning, quantization, or knowledge distillation, making reliable extraction extremely challenging. Despite extensive research on model-side watermarking, existing methods still lack sufficient robustness against parameter-level perturbations. To address this gap, we propose \texttt{\textbf{Functional Subspace Watermarking (FSW)}}, a framework that anchors ownership signals into a low-dimensional functional backbone. Specifically, we first solve a generalized eigenvalue problem to extract a stable functional subspace for watermark injection, while introducing an adaptive spectral truncation strategy to achieve an optimal balance between robustness and model utility. Furthermore, a vector consistency constraint is incorporated to ensure that watermark injection does not compromise the original semantic performance. Extensive experiments across various LLM architectures and datasets demonstrate that our method achieves superior detection accuracy and statistical verifiability under multiple model attacks, maintaining robustness that outperforms existing state-of-the-art (SOTA) methods.

Key Contributions

  • Functional subspace extraction via generalized eigenvalue problem for stable watermark anchoring
  • Adaptive spectral truncation strategy balancing robustness and utility
  • Vector consistency constraint preserving semantic performance during watermark injection

🛡️ Threat Analysis

Model Theft

Watermark is embedded IN THE MODEL WEIGHTS (internal representations/functional subspace) to prove ownership of the LLM itself — this is model IP protection, defending against model theft through fine-tuning, distillation, quantization, and redistribution.

Details

Domains
nlp
Model Types
llmtransformer
Threat Tags
training_time
Applications
model ownership protectionllm intellectual property defense
Read PDF arXiv

Similar Papers

defense

SeedPrints: Fingerprints Can Even Tell Which Seed Your Large Language Model Was Trained From

2025 2 cit.
Model Theft
92%
defense

PREE: Towards Harmless and Adaptive Fingerprint Editing in Large Language Models via Knowledge Prefix Enhancement

2025 0 cit.
Model Theft
92%
defense

DNF: Dual-Layer Nested Fingerprinting for Large Language Model Intellectual Property Protection

2026 3 cit.
Model Theft
92%
defense

Unlocking the Effectiveness of LoRA-FP for Seamless Transfer Implantation of Fingerprints in Downstream Models

2025 0 cit.
Model Theft
92%
defense

From Construction to Injection: Edit-Based Fingerprints for Large Language Models

2025 0 cit.
Model Theft
92%
defense

Antidistillation Fingerprinting

2026 0 cit.
Model Theft
92%
defense

CTCC: A Robust and Stealthy Fingerprinting Framework for Large Language Models via Cross-Turn Contextual Correlation Backdoor

2025 0 cit.
Model Theft
92%
defense

EditMark: Watermarking Large Language Models based on Model Editing

2025 0 cit.
Model Theft
92%