MergePrint: Robust Fingerprinting against Merging Large Language Models

W1. Missing important related works. The method of this paper is a backdoor-based model ownership verification method that intends to embed a specific behavior into the model. However, there have been some works investigating backdoor attacks against model merge (e.g., [1]). There are also many works focusing on watermarking LLMs in ways other than weight watermarking [2,3,4]. It may be better for the authors to include a discussion on these related works.

Thank you for pointing out these important related works. We have added a discussion of backdoor attacks to our related work section. While backdoor attacks against model merging have similarities to our problem, they cannot be used for model ownership claims as they do not satisfy our (R4) reliability requirement. In addition, we have expanded our review to include related research on fingerprinting and watermarking techniques aimed at establishing LLM ownership.

W2. Missing optimization details. This paper proposes a two-step optimization. However, it is not clear whether the two steps are performed alternatively in each epoch or whether the second step will be performed after the first one is completed. Additionally, this paper lacks a detailed description of the experimental settings, including the hyperparameters and the hardware.

In MERGEPRINT, we first complete OptI, and then execute OptP using the optimized input x obtained from the first step. We will include the pseudo-code in the camera ready. Additionally, we will include detailed experimental settings, including hyperparameters and the hardware.

W3. Missing hyperparameter study. This paper introduces two important hyperparameters, $\alpha_{x}$ and $\alpha_{w}$. These two hyperparameters may have a great impact on the effectiveness of this paper. The authors should present a hyperparameter study to investigate the impact of these hyperparameters.

Thank you for your important comment regarding the hyperparameters. We plan to conduct additional experiments to thoroughly investigate the effects of $\alpha_{x}$ and $\alpha_{w}$.

W4. Insufficient ablation study. This paper presents the ablation study of the input optimization step. The authors should also conduct an ablation study on the parameter optimization step. Also, it may be better to investigate the effect of the pseudo-merged model (i.e., perform the two-step optimization only on the fine-tuned model).

Regarding your concern about ablation studies, we believe our current experimental design is appropriate for the following reasons:

For the parameter optimization step, since the model parameters are not updated, an ablation study on harmlessness is unnecessary.

As for the input optimization step, we implement early stopping before the inputs become effective to minimize the risk of overclaiming due to the transferability of adversarial examples. Therefore, an ablation study for this step is also not required.

Regarding the effectiveness of the pseudo-merged model, similar evaluation can be achieved by setting the hyperparameter $\alpha$ to small values. In our experiments, we did not observe effectiveness under these conditions.

W5. The robustness of the fingerprint is not guaranteed. Although MergePrint is robust against model merge and the authors claim that fine-tuning is out of the scope, it does not mean that fine-tuning is not important in the real-world scenario. I highly recommend the authors conduct a study of the robustness of MergePrint against a wide range of attacks, such as fine-tuning, pruning, and distillation. If MergePrint can not resist these attacks, it should be noted as a limitation of this paper.

We fully recognize the importance of various attack methods, including fine-tuning, in real-world scenarios. While our study initially focused on model merging as it was identified as a key limitation in previous work, we acknowledge the need for a more comprehensive evaluation.

W6. Insufficient analysis of efficiency. The authors should report the time or the time complexity of MergePrint to help the readers better understand its efficiency.

MERGEPRINT takes only a few minutes to run. Neither of the two optimizations in MERGEPRINT requires many steps. Therefore, they are completed in a very short time. We will include the detailed times in the camera ready.

W7. Typos and grammatical mistakes. There are some typos and grammatical mistakes in this paper (e.g., lines 223-224). It may be better for the authors to proofread the paper and correct potential mistakes.

Thank you for pointing out the typographical and grammatical errors. We will carefully proofread the entire paper, including lines 223-224, and correct all textual errors.

W1. The related works in Section 1.1 are not sufficiently discussed. For example, the authors only talk about prior works on black-box model fingerprinting in Section 1.1. There are also a lot of works that embed fingerprints in the model weights (i.e., white-box setting). Furthermore, the problem of model ownership proof against model merging is more similar to model watermarking/fingerprinting in the federated learning setting (which has model aggregation that is similar to model merging). The authors should discuss the similarities and differences between the prior works in the FL setting and the one in this paper.

Thank you for your feedback on related works. We have expanded our related works section to include more LLM ownership verification, including the white box approach. We have also added discussions in the federated learning (FL) setting and clarified the similarities and differences with the model merging setting. A key difference we highlight between the FL and Model Merging frameworks is as follows: In federated learning, since the learning process itself is distributed, the primary goal is to protect the model parameters generated during the clients' learning processes from misappropriation. In contrast, our research aims to enable ownership claims when trained models are subsequently used in model fusion scenarios.

W2. The evaluation seems to be incomprehensive. For example, Section 5.2 mentions that the fingerprint y='transformers' in the model. It's not clear whether the performance of MergePrint is impacted by y.

In our experiments, we found that using less common strings for y results in higher initial loss values. This suggests that embedding uncommon fingerprint strings may have a greater impact on model performance. However, we did not observe significant variations in the robustness of the fingerprint itself based on the choice of the string.

Also, the optimized fingerprint input x is not given.

We provided the optimized fingerprint input x in Figure 4.

W1. Confidentiality Concerns: The paper acknowledges that highly memorized fingerprints with extremely low loss may still be vulnerable to adversarial attacks, such as membership inference. This is a significant limitation, as it undermines the security of the fingerprinting method.

MERGEPRINT employs input-output pairs with an extremely high degree of freedom, making it very difficult for attackers to estimate potential fingerprint candidates. Since membership inference attacks require knowledge of possible input-output pairs, we believe such attacks are highly challenging to execute against our system.

W2. Lack of Formal Validation: The process of verifying ownership claims through fingerprinting lacks formal validation. The authors do not utilize formal methods or cryptographic techniques, which could strengthen the credibility of the ownership claims.

Q3. Formal Methods: Is it feasible to integrate formal methods or cryptographic techniques into the fingerprinting process to provide stronger guarantees of ownership and security?

While our current approach does not incorporate formal verification methods, we emphasize that our work represents the first attempt to develop fingerprinting techniques specifically tailored for model merging scenarios, marking a significant contribution to the field. In our current framework, we consider that ownership claims can be reasonably established when fingerprints are detected with statistically significant frequency. While we agree that incorporating more rigorous formal validation would strengthen our method, we view this as an important direction for future work.

W3. Efficiency Trade-offs: While the paper claims that the fingerprinting procedure is efficient, the trade-off between efficiency and robustness is not thoroughly explored. For instance, the use of a low learning rate (1e-6) and the early stopping approach might lead to suboptimal results in some scenarios.

We would like to clarify that MERGEPRINT does not involve a trade-off between efficiency and robustness. Our choice of a relatively low learning rate (1e-6) is not driven by efficiency considerations. Rather, it reflects our technical assessment that conventional learning rates are unsuitable for training single input-output pairs in this specific context. Similarly, our implementation of early stopping is not motivated by efficiency concerns. This design choice aims to prevent fingerprint transfer to non-owner models by considering the transferability of adversarial examples. Therefore, we maintain that neither the low learning rate nor early stopping compromises robustness, and consequently, there is no trade-off with efficiency.

W4. Generalizability: The paper does not provide extensive evaluations across a diverse range of models and merging scenarios. The effectiveness of MERGEPRINT in more complex and varied environments remains uncertain.

Q1. Scalability: How well does MERGEPRINT scale to larger models and more complex merging scenarios? Are there any computational or resource limitations that need to be addressed?

While evaluating diverse scenarios is important, as we are the first to investigate fingerprinting methods for model merging, we prioritized establishing a clear problem setting and proposing the initial baseline method. More evaluation is definitely an important future direction.

W5. Ethical Considerations: The paper mentions the potential for malicious exploitation of the embedded secret information, but it does not delve deeply into the ethical implications and safeguards needed to prevent such misuse.

Q2. Adversarial Robustness: Can the method be extended to defend against more sophisticated adversarial attacks beyond membership inference? What additional measures can be taken to enhance the robustness of the fingerprints?

Q5. User Privacy: What are the potential privacy implications of embedding secret information into models, and how can user data be protected from potential leaks?

We believe that incorporating a trusted third party can enhance the protection of fingerprint input-output pairs and improve robustness against various adversarial attacks beyond membership inference attacks. For instance, we envision a system where a trusted third party manages fingerprint registration and verification using public-key cryptography. In this approach, model owners would encrypt their fingerprints using the third party's public key during registration, and ownership verification would be conducted by the third party using their private key for matching. This cryptographic framework would significantly strengthen fingerprint confidentiality and provide enhanced protection against various types of attacks.

W1. The method is overly simplistic, simulating resistance to model merging merely through weighted coefficient addition, lacking both innovation and theoretical proof of effectiveness.

Q1. Could you provide theoretical justification for using weighted coefficient addition to ensure fingerprint robustness in model merging?

We argue that the simplicity of our method is a strength rather than a limitation. We acknowledge that our method is simple. However, the simplicity of our approach makes the fingerprint implementation and understanding more accessible, thereby facilitating practical adoption by model owners. This characteristic is particularly significant in relation to (R5) Efficiency, which is one of our defined requirements for model fingerprinting. Furthermore, we would like to emphasize that this is the first study to propose effective fingerprinting against model merging. While we recognize the importance of theoretical analysis, we plan to address this as future work.

W2. The setting is limited, as the approach can only be applied to merging scenarios involving models derived from the same source. Additionally, the experiments are restricted to three merging techniques: Task-Arithmetic, TIES-merging, and DARE, limiting the generalizability of the results.

Q2. Have you considered testing MERGEPRINT in more complex or cross-origin model merging scenarios beyond Task-Arithmetic, TIES-merging, and DARE?

We believe our experimental setup adequately reflects standard model merging scenarios. Most model merging[1,2,3] occurs between models derived from the same base model, making our setting practical and common rather than limited.

The three merging techniques we evaluated - Task-Arithmetic, TIES-merging, and DARE - represent fundamental approaches in model merging. More advanced merging techniques typically preserve model characteristics better than these basic methods. Therefore, we expect our method's robustness to be even stronger against more sophisticated merging approaches. Consequently, we believe our current experimental setup sufficiently demonstrates the effectiveness of MergePrint.

W3. There are too few baseline methods used for comparison.

Q3. Are there plans to include more baseline methods for a comprehensive evaluation?

To the best of our knowledge, there have been no fingerprinting methods specifically designed for model merging scenarios. Furthermore, the study [4] demonstrates that existing watermarking techniques are vulnerable to model merging operations. However, we acknowledge your point about the limited number of baseline methods. To strengthen our comparative analysis, we plan to incorporate additional baseline methods which are designed for model ownership protection into our evaluation framework.

W4. The robustness experiments are relatively simple, embedding only one watermark in a single model during multi-model merging. It would be valuable to understand how the method performs with multiple models and multiple fingerprints.

Q4. How does MERGEPRINT perform with multiple fingerprints embedded in multiple models in multi-model merging scenarios?

We believe that there exists a trade-off between model performance and robustness in increasing the number of embedded fingerprints. While embedding multiple fingerprints would likely enhance robustness by increasing the probability that at least one fingerprint survives the merging process, it would also require more model update iterations, potentially leading to greater degradation in model performance. Our current experiments demonstrate that even a single fingerprint achieves substantial robustness. Given this strong performance and the potential trade-off with model quality, we initially focused on the single-fingerprint scenario.

[1] Xisen Jin, Xiang Ren, Daniel Preotiuc-Pietro, and Pengxiang Cheng. 2022. Dataless Knowledge Fusion by Merging Weights of Language Models. In International Conference on Learning Representations

[2] Enneng Yang, Li Shen, Zhenyi Wang, Guibing Guo, Xiaojun Chen, Xingwei Wang, and Dacheng Tao. 2024. Representation Surgery for Multi-Task Model Merging. arXiv preprint arXiv:2402.02705 (2024).

[3] Enneng Yang, Zhenyi Wang, Li Shen, Shiwei Liu, Guibing Guo, Xingwei Wang, and Dacheng Tao. 2023. AdaMerging: Adaptive Model Merging for Multi-Task Learning. arXiv preprint arXiv:2310.02575 (2023).

[4] Tianshuo Cong, Delong Ran, Zesen Liu, Xinlei He, Jinyuan Liu, Yichen Gong, Qi Li, Anyu Wang, and Xiaoyun Wang. Have you merged my model? on the robustness of large language model ip protection methods against model merging. arXiv preprint arXiv:2404.05188, 2024.