The Challenge of Identifying the Origin of Black-Box Large Language Models

Ziqing Yang, Yixin Wu, Yun Shen, Wei Dai, Michael Backes, Yang Zhang

TL;DR

The paper addresses the challenge of identifying the origin of black-box LLMs amid widespread unauthorized customization and licensing restrictions. It shows that existing passive AE-based fingerprints and proactive watermarking struggle to robustly identify derivatives, especially after fine-tuning. The authors propose PlugAE, a plug-in watermarking method that optimizes continuous adversarial token embeddings $e^a_{1:k}$ to minimize $L^{e}_{PlugAE}$ and embeds copyright tokens into the tokenizer without altering model weights, supported by theoretical and empirical evidence. This approach provides a practical path to provenance identification and informs policy discussions on IP protection and data governance in large-scale language models.

Abstract

The tremendous commercial potential of large language models (LLMs) has heightened concerns about their unauthorized use. Third parties can customize LLMs through fine-tuning and offer only black-box API access, effectively concealing unauthorized usage and complicating external auditing processes. This practice not only exacerbates unfair competition, but also violates licensing agreements. In response, identifying the origin of black-box LLMs is an intrinsic solution to this issue. In this paper, we first reveal the limitations of state-of-the-art passive and proactive identification methods with experiments on 30 LLMs and two real-world black-box APIs. Then, we propose the proactive technique, PlugAE, which optimizes adversarial token embeddings in a continuous space and proactively plugs them into the LLM for tracing and identification. The experiments show that PlugAE can achieve substantial improvement in identifying fine-tuned derivatives. We further advocate for legal frameworks and regulations to better address the challenges posed by the unauthorized use of LLMs.

Paper Structure

This paper contains 17 sections, 3 theorems, 11 equations, 4 figures, and 9 tables.

Key Result

Lemma 4.2

Under the injectivity hypothesis on the embedding layer, the inverse function $q$ of the embedding layer $g$ is non-differentiable.

Figures (4)

  • Figure 1: A black-box LLM identification scenario.
  • Figure 2: Passive and proactive methods to identify the origin of black-box LLMs.
  • Figure 3: Relationship between TRRs and the model weights' cosine distance with the base model. The inner is a zoomed-in subgraph focusing on the region that excludes counterexamples, offering a more fine-grained view. This reveals a negative correlation between TRRs and cosine distances, suggesting that larger cosine distances are associated with lower TRRs.
  • Figure 4: Influence of the number of tokens on Llama-2-7b.

Theorems & Definitions (7)

  • Lemma 4.2
  • Proof
  • Lemma 4.3
  • Proof
  • Lemma 4.4
  • Proof
  • Claim 4.5