Model Provenance Testing for Large Language Models

Ivica Nikolic, Teodora Baluta, Prateek Saxena

TL;DR

The paper tackles the problem of verifying whether a target LLM g was derived from a foundational model f using only black-box API access. It proposes a provenance tester that relies on output-token similarity across random prompts, controlled by diverse baselines, and evaluated with multiple hypothesis testing and Holm-Bonferroni correction to bound the family-wise error rate. On two large Hugging Face–based benchmarks (Bench-A and Bench-B) with hundreds of models, the approach achieves precision around $0.90$–$0.95$ and recall around $0.80$–$0.90$ using thousands of prompts, demonstrating practical viability for production use. The work further contributes practical optimizations—entropy-driven online prompt sampling and best-arm identification for offline querying—to reduce query costs without sacrificing accuracy, enabling scalable provenance verification in real-world deployments.

Abstract

Large language models are increasingly customized through fine-tuning and other adaptations, creating challenges in enforcing licensing terms and managing downstream impacts. Tracking model origins is crucial both for protecting intellectual property and for identifying derived models when biases or vulnerabilities are discovered in foundation models. We address this challenge by developing a framework for testing model provenance: Whether one model is derived from another. Our approach is based on the key observation that real-world model derivations preserve significant similarities in model outputs that can be detected through statistical analysis. Using only black-box access to models, we employ multiple hypothesis testing to compare model similarities against a baseline established by unrelated models. On two comprehensive real-world benchmarks spanning models from 30M to 4B parameters and comprising over 600 models, our tester achieves 90-95% precision and 80-90% recall in identifying derived models. These results demonstrate the viability of systematic provenance verification in production environments even when only API access is available.
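A minimal sketch of the test described above, added here as an illustration and not taken from the paper's code: the similarity of f to g's output tokens is compared against each unrelated control model, and g is declared derived only if Holm-Bonferroni rejects every null. The hash-based toy models, the constructed prompts and the pooled two-proportion z-test (which treats the paired samples as independent) are assumptions of this example.

```python
import hashlib
import math

def toy_model(seed, parent=None, keep=0.0, vocab=10):
    """Constructed stand-in for a black-box API: prompt -> one output token."""
    def query(prompt):
        d = hashlib.sha256(f"{seed}|{prompt}".encode()).digest()
        if parent is not None and int.from_bytes(d[:4], "big") / 2**32 < keep:
            return parent(prompt)                     # behaviour kept from the parent
        return int.from_bytes(d[4:8], "big") % vocab  # the model's own token
    return query

def one_sided_p(match_f, match_c, n):
    """p-value for H0: sim(f,g) <= sim(c,g); the pooled z-test is an assumption."""
    pooled = (match_f + match_c) / (2 * n)
    se = math.sqrt(2 * pooled * (1 - pooled) / n)
    if se == 0:
        return 1.0
    return 0.5 * math.erfc((match_f - match_c) / n / se / math.sqrt(2))

def holm_reject_all(pvalues, alpha=0.05):
    """Holm-Bonferroni step-down: True only if every null hypothesis is rejected."""
    m = len(pvalues)
    return m > 0 and all(p <= alpha / (m - k) for k, p in enumerate(sorted(pvalues)))

def provenance_test(f, g, controls, prompts, alpha=0.05):
    """Declare 'g derived from f' if f matches g's tokens more than every control."""
    out_g = [g(p) for p in prompts]
    def matches(model):
        return sum(model(p) == t for p, t in zip(prompts, out_g))
    match_f = matches(f)
    pvals = [one_sided_p(match_f, matches(c), len(prompts)) for c in controls]
    return holm_reject_all(pvals, alpha), pvals

PROMPTS = [f"prompt-{i}" for i in range(400)]       # constructed prompts
F = toy_model("f")                                  # candidate parent model
CONTROLS = [toy_model(f"c{i}") for i in range(4)]   # unrelated baseline models

def demo():
    derived = toy_model("g", parent=F, keep=0.6)          # toy fine-tune of f
    other = toy_model("h", parent=CONTROLS[0], keep=0.6)  # toy fine-tune of a control
    return (provenance_test(F, derived, CONTROLS, PROMPTS)[0],
            provenance_test(F, other, CONTROLS, PROMPTS)[0])

if __name__ == "__main__":
    print(demo())
```

The second case shows why the control set matters: a model derived from a different parent is close to that parent, so the comparison against that control is never rejected and no provenance from f is claimed.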

Paper Structure

This paper contains 24 sections, 1 equation, 7 figures, 7 tables, 4 algorithms.

Figures (7)

  • Figure 1: Our model provenance tester that decides if model $g$ is derived from model $f$.
  • Figure 2: Precision and recall of Bench-B (left) and Bench-A (right) with respect to smaller control set size.
  • Figure 3: Precision and recall of the model provenance tester with different number of prompts on Bench-A (top) and Bench-B (bottom).
  • Figure 4: Recall for Bench-B with different values of advanced prompt sampling ($k$).
  • Figure 5: Precision/recall for Bench-B (left) and Bench-B (right) when advanced online prompt sampling with $k=64$ uses four times fewer prompts than no advanced sampling ($k=1$).
  • ...and 2 more figures