
Copyright Traps for Large Language Models

Matthieu Meeus, Igor Shilov, Manuel Faysse, Yves-Alexandre de Montjoye

TL;DR

The paper addresses the challenge of determining whether copyrighted content was used to train LLMs, especially when models do not exhibit natural memorization. It introduces copyright traps (purposefully inserted, document-specific sequences) and evaluates them with a randomized controlled setup by training a 1.3B LLM (CroissantLLM) on 3 trillion tokens. Findings show that existing document-level MIAs fail for smaller models, but long, high-repetition trap sequences enable reliable detection (AUC up to ~0.748), with detectability amplified by higher perplexity and contextual information. The work provides causal insights into memorization, highlights practical implications for data sharing and detector design, and releases model and trap data to support further study.

Abstract

Questions of fair use of copyright-protected content to train Large Language Models (LLMs) are being actively debated. Document-level inference has been proposed as a new task: inferring from black-box access to the trained model whether a piece of content has been seen during training. SOTA methods however rely on naturally occurring memorization of (part of) the content. While very effective against models that memorize significantly, we hypothesize--and later confirm--that they will not work against models that do not naturally memorize, e.g. medium-size 1B models. We here propose to use copyright traps, the inclusion of fictitious entries in original content, to detect the use of copyrighted materials in LLMs with a focus on models where memorization does not naturally occur. We carefully design a randomized controlled experimental setup, inserting traps into original content (books) and train a 1.3B LLM from scratch. We first validate that the use of content in our target model would be undetectable using existing methods. We then show, contrary to intuition, that even medium-length trap sentences repeated a significant number of times (100) are not detectable using existing methods. However, we show that longer sequences repeated a large number of times can be reliably detected (AUC=0.75) and used as copyright traps. Beyond copyright applications, our findings contribute to the study of LLM memorization: the randomized controlled setup enables us to draw causal relationships between memorization and certain sequence properties such as repetition in model training data and perplexity.

Paper Structure (24 sections, 1 equation, 4 figures, 5 tables)

This paper contains 24 sections, 1 equation, 4 figures, 5 tables.

Figures (4)

  • Figure 1: Memorization throughout training. The Ratio MIA performance (AUC) for synthetically generated trap sequences (of varying sequence length), repeated 1,000 times in a book, evaluated on intermediate checkpoints of the target LLM.
  • Figure 2: The distribution of reference model perplexity $\mathcal{P}_{\textit{LM}_{\text{ref}}}$ computed on 1,000 sequences each of length $L_{\text{ref}}(M_D) = \{25, 50, 100\}$. The sequences are randomly sampled from the 500 books in $D_\textit{NM}$ (see the dataset section).
  • Figure 3: The relationship between Ratio MIA AUC and trap sequence perplexity (bucketized) in the $L_\text{ref}=100$, $n_\text{rep}=1000$ setup. Pearson correlation coefficient is 0.715 with p-value = 0.02.
  • Figure 4: Perplexity of naturally occurring duplicates in The Pile. Each duplicate is a sequence of 100 GPT-2 tokens, repeated $n_\text{rep}$ times in the dataset. Each data point represents a median of 100 randomly drawn samples.