REEF: Representation Encoding Fingerprints for Large Language Models

Thank you for your great efforts in the review of this paper. We will try our best to answer all your questions. Please let us know if you still have further concerns, or if you are not satisfied with the current responses, so that we can further update the response ASAP.

---

Q1: "The security model and fingerprint verification setting are not clearly defined. The proposed method is only effective in a white-box scenario where the parameters of both the descendant models and the original model are publicly accessible. To avoid misunderstandings regarding potential applications in black-box scenarios, such as through API access, the paper should clarify the security model, including the verifier’s capabilities."

A1: Thank you for your valuable suggestions. We have followed your suggestions to clearly define the security model and fingerprint verification setting and revise the paper in Lines 089, 132-133, 185, and 535-536 of the updated version of manuscript.

• REEF performs LLM fingerprinting under the open-source LLMs' scenario, because REEF needs to use the feature representations from the inference process of LLMs. In this way, REEF is only effective in a white-box scenario (open-source LLMs) and cannot be applied to black-box scenarios, such as through API access.
• REEF is utilized to identify "whether the suspect model is a subsequent development of the victim model (e.g., Code-llama trained from Llama-2) or is developed from scratch (e.g., Mistral)" (Lines 30-32).

REEF verification details:

1. First, the process begins with extracting feature representations of the same samples (e.g., 200 samples from TruthfulQA as used in this paper) from model layers.
2. Then, the CKA method (Lines 184-194) is employed to calculate the similarity between the representation of the suspect model and that of the victim model.
3. Finally, if the CKA similarity exceeds a certain threshold (e.g., 0.8, as shown in the green region of Table 1), the suspect model is identified to be derived from the victim model; otherwise, it is not.

---

Q2: "The proposed fingerprint verification method is limited to direct descendant models of the original 'root' model and is not designed for verifying claims from these descendants against further generations. "

A2: Thank you. We acknowledge that REEF is designed to identify which victim model serves as the root origin of a suspect model and is not suitable for determining whether the suspect model is further developed from its descendant models. The latter one is also interesting and usually solved by watermark methods, which is beyond the scope of this paper. We look forward to exploring it in future research.

Q3: "This paper considers one single family of LLMs as a victim model. Generalization of results to other families of victim models would be interesting."

A3: Thank you for your insightful suggestions. We mainly conduct experiments on Llama, because it is one of the most popular LLMs with extensive subsequent developments. Nevertheless, we have followed your suggestions to conduct new experiments on two other families, where Qwen-2.5-7b and Mistral-7bareadditional victim models. Experimental results in the following table illustrate REEF's robust performance across various scenarios including fine-tuning, pruning, merging, and parameter perturbation on these distinct model families. This robustness across different families of LLMs highlights REEF's general effectiveness.

• Qwen family : Qwen-2.5-7b as the victim model.

• Mistral family : Mistral-7b as the victim model.

The above experiments and discussions are added in Appendix D.

---

Q4: "One of the observations of this paper is that 'CKA from a single layer is sufficient for fingerprint identification.' In order to relax the assumption of requiring access to intermediate representations of models for the proposed approach, how much does the detection performance degrade if we use only the last layer?"

A4: Thanks for your comments. We have followed your suggestions to report the CKA similarity between different layers of the victim model ( Llama-2-7b ) and its fine-tuned models ( Chinesellama-2-7b and Codellama-2-7b ), as well as unrelated models ( Mistral-7b and Qwen-1.5-7b ) in the following table. Although the CKA similarity at the last layer shows a decrease compared to mid-layers, the similarity between the victim model and its derived LLMs remains higher than with unrelated LLMs , indicating that REEF is still effective. However, we recommend using representations from intermediate layers for detection, as they provide superior discriminative power compared to the last layer.

Thank you for your great efforts in reviewing this paper and for your recognition of our work. We will try our best to answer all your questions. Please let us know if you still have further concerns, or if you are not satisfied with the current responses, so that we can further update the response ASAP.

---

Q1:"This paper creates that adversary by designing a customized loss function that maximizes the representational divergence between models. Is there any more effective way to create such an informed adversary? For example, designing a better loss function or performing other operations?"

A1: Thank you for your constructive comments. Beyond the customized loss function proposed in the original manuscript to evade detection by REEF (Lines 522-531 and 1241-1280 in the original manuscript), we have followed your suggestions to conduct new experiments to instantiate the informed adversary:

• We use the customized loss function (Lines 1257-1266 in the original manuscript) to fine-tune different numbers of layers of OPT-1.3B, including fine-tuning only the 12th layer (OPT-1.3B-FT-12th-Layer) and fine-tuning all layers (OPT-1.3B-FT-ALL-Layer) with the E2E NLG Challenge dataset. Then, we calculate their CKA similarity with OPT-1.3b, respectively. According to Figure 3 (Lines 216-232), the CKA similarity between the victim model and unrelated LLMs is usually lower than 0.5. In this way, the low CKA similarity demonstrates that the fine-tuned model has a large representational divergence with OPT-1.3B, thus bypassing the REEF detection. In the following table, OPT-1.3B-FT-12th-Layer fails to bypass the detection; while OPT-1.3B-FT-All-Layer achieves a low CKA similarity, but the high PPL shows that the fine-tuned model is unusable.

• We designed an alternative approach using Wasserstein loss to maximize the divergence between the logits of the original and fine-tuned models. This loss function replaced the original customized loss function, with all other settings unchanged (Lines 1257-1267 in the original manuscript ). When evaluated on the lambada_openai dataset, the perplexity of the fine-tuned model reached 2375135, rendering the fine-tuned model unusable.

$\mathcal{L} _ {\text{W}} = \max ( \mathbb{E} _ {x \sim \mathcal{D}} [W(\text{LG} _ {\text{ori}}(x), \text{LG} _ {\text{ft}}(x)) ])$

where$W(\cdot, \cdot)$ represents the Wasserstein distance between two distributions (e.g., logits of the original and fine-tuned models)

While our attempts to bypass REEF detection were unsuccessful, exploring additional methods to instantiate the informed adversary remains a promising direction for further validating and ensuring REEF's reliability.

The above experiments and discussions are added in Appendix E.

---

Q2: " Can the performance of REEF be improved if we select/generate samples in a specific way instead of random sample selection?"

A2: Thank you for your suggestions. The performance of REEF can be improved by selecting or generating samples in a specific way. As illustrated in Figure 5 (Lines 432-443), REEF shows varying CKA similarities across different datasets, including TruthfulQA, SST2, ConfAIde, PKUSafeRLHF, and ToxiGen. Specifically, "the gap in the similarity between derived LLMs and unrelated LLMs varies by dataset, e.g., the gap is approximately 0.8 on TruthfulQA and about 0.5 on ToxiGen" (Lines 506-508). Therefore, selecting samples in specific datasets (e.g., TruthfulQA ) can improve REEF's performance.

---

Thank you for your great efforts in the review of this paper. We will try our best to answer all your questions. Please let us know if you still have further concerns, or if you are not satisfied with the current responses, so that we can further update the response ASAP.

---

Q1: "The novelty is limited in replacing similarity measures of the prior work."

A1: Thank you. The contribution of this paper is far extended beyond merely replacing the similarity measures from prior work. This paper proposes a novel feature perspective of LLM fingerprints, which is simple and effective as appreciated by Reviewers 4mRo and i9nF.

Protecting LLMs' intellectual properties (IPs) are nontrivial and challenging . LLMs' IPs are very important for model owners and third parties, because the training costs of LLMs are extremely expensive. Watermarking techniques are classical methods for protecting IPs, but suffer from extra training costs, decreasing the model’s general capabilities, and being sensitive to subsequent fine-tuning and pruning operations.

REEF is a novel and new perspective on LLMs' representation-based fingerprints . Specifically, REEF utilizes intrinsic feature representations to protect LLMs' IPs and it is training-free, maintaining general capabilities, and robust to various subsequent developments. Therefore, REEF is a fundamentally new solution to LLMs' fingerprints.

---

Q2: "There is a lack of theoretical analysis of proposed methods."

A2: Thank you. This paper has already included theoretical analysis in Lines 213-242 and Lines 810-1058. Specifically, Theorem 1 (Lines 213-235) theoretically proves that CKA is invariant to column-wise permutations and scaling transformations. Detailed derivations are provided in Appendix A (Lines 810-1058), which support the robustness of REEF. Consequently, Reviewer 4mRo comments that this paper "has already considered all important studies in its theoretical and empirical analyses."

---

Q3: "I'm confused about the first heatmap of Figure 6. It shows that the two LLMs trained on different datasets will have a high CKA similarity, which will lead the REEF to classify them into the same model. This means all models using the same architecture but trained by different datasets will share the same fingerprint. It doesn't make sense. "

A3: Thank you for your constructive suggestions. We acknowledge that Figure 6 may lead to misunderstanding. We have followed your suggestions to clarify and revise Figure 6 in the updated version of manuscript.

Figure 6 (a) indicates that the layer-wise CKA similarity between Llama-2-7b itself is almost 1, i.e., an LLM trained on the same dataset.

In contrast, Figure 6 (b) indicates LLMs with the same architecture but trained on different datasets have low CKA feature similarity between each other. The four heatmaps are similar to the results of the victim model and unrelated LLMs in Figure 3 (Lines 216-232). Therefore, REEF can distinguish between models with the same architecture but different pre-training data.

We would like to thank the reviewer for all the valuable comments and questions. We are grateful for your engagement in the rebuttal process.

Please feel free to share any other insightful suggestions. We would like to improve the paper with any valuable comments.

Q2: "How does one measure the false positive rate in general? "

A2: Thank you for your constructive suggestions. We define victim model identification using REEF as a binary classification task, where the goal is to correctly identify whether the suspect model is derived from the victim model. We consider CKA similarity scores above 0.5 as indicating that the suspect model originates from the victim model (Lines 266-167, 324-327 in the updated version of manuscript). REEF can identify the victim models among the 30 suspect models in Table 1 (Lines 324-352).

Additionally, we conduct new experiments where Qwen-2.5-7b and Mistral-7barevictim models. Experimental results of 8 new suspect models in the following table illustrate REEF's robustness across various scenarios including fine-tuning, pruning, merging, and parameter perturbation on these distinct model families.

• Qwen-2.5-7b as the victim model.

• Mistral-7b as the victim model.

According to the victim model identification results of REEF among the 38 models mentioned, the following confusion matrix indicates that the false positive rate among the measured 38 models is 0.

---

Q3: "It would also be interesting to see what happens when a model is fine-tuned to minimize its REEF score with the model it is derived from."

A3: Thank you for your constructive suggestions. We have already considered the case that fine-tuing a model and minimizing REEF score (Lines 522-531 and 1241-1280 in the original manuscript). Appendix D indicates that such a fine-tuning strategy fails to evade the detection of REEF.

Beyond the customized loss function in the original paper, we design two advanced operations and conduct new experiments to evaluate the effectiveness of REEF.

• We use the customized loss function (Lines 1257-1266 in the original manuscript) to fine-tune different numbers of layers of OPT-1.3B, including fine-tuning only the 12th layer (OPT-1.3B-FT-12th-Layer) and fine-tuning all layers (OPT-1.3B-FT-ALL-Layer) with the E2E NLG Challenge dataset. Then, we calculate their CKA similarity with OPT-1.3b, respectively. According to Figure 3 (Lines 216-232), the CKA similarity between the victim model and unrelated LLMs is usually lower than 0.5. In this way, the low CKA similarity demonstrates that the fine-tuned model has a large representational divergence with OPT-1.3B, thus bypassing the REEF detection. In the following table, OPT-1.3B-FT-12th-Layer fails to bypass the detection; while OPT-1.3B-FT-All-Layer achieves a low CKA similarity, but the high PPL shows that the fine-tuned model is unusable.

• We designed an alternative approach using Wasserstein loss to maximize the divergence between the logits of the original and fine-tuned models. This loss function replaced the original customized loss function, with all other settings unchanged (Lines 1257-1267 in the original manuscript). When evaluated on the lambada_openai dataset, the perplexity of the fine-tuned model reached 2375135, rendering the fine-tuned model unusable.

$\mathcal{L} _ {\text{W}} = \max \left( \mathbb{E} _ {x \sim \mathcal{D}} \left[W(\text{LG} _ {\text{ori}}(x), \text{LG} _ {\text{ft}}(x)) \right]\right)$

where$W(\cdot, \cdot)$ represents the Wasserstein distance between two distributions (e.g., logits of the original and fine-tuned models)

While our attempts to bypass REEF detection were unsuccessful, exploring additional methods to instantiate the informed adversary remains a promising direction for further validating and ensuring REEF's reliability.

Thank you for your great efforts in reviewing this paper and for your recognition of our work. We will try our best to answer all your questions. Please let us know if you still have further concerns, or if you are not satisfied with the current responses, so that we can further update the response ASAP.

---

Q1: "How does REEF perform on models that were independently trained on the same (possibly publicly available) dataset? Is there a risk of false positives here?"

A1: Thank you for your insightful suggestions. We have followed your suggestions to conduct new experiments to examine the performance of REEF on models independently trained on the same dataset.

Due to the complexity and opacity of pre-training, it is almost impossible to reproduce an identical pre-training process (same data order, same hyperparameters). We are here to independently train a new model on the same dataset but under different data orders and hyperparameter settings (e.g., learning rate, batch size.).

Specifically, we pre-trained a 1.5B model ( 1.5-pints-sft ) on the Expository-Prose-V1 dataset, which is used by 1.5-pints-2k LLM [c1]. Thus, we have two models that are independently trained on the same dataset as victim models to explore the risk of false positives.

Then, we choose 1.5-pints-dpo as the suspect model, which is obtained by conducting further safety alignment on the 1.5-pints-sft model. We perform REEF on 1.5-pints-dpo with 1.5-pints-sft and 1.5-pints-2k to test whether REEF can accurately identify its source from models trained independently on the same dataset. The following table indicates that REEF can still correctly identify the victim models from models that are independently trained on the same dataset, without false positives.

Furthermore, the table below presents our evaluation results for independently pre-trained models (1.5-pints-sft and 1.5-pints-dpo) compared to the models provided in the paper (1.5-pints-2k) across several datasets, demonstrating the models' reliable general capabilities.

The above experiments and discussions are added in Appendix F.

[c1] Tan, Calvin, and Jerome Wang. 1.5-Pints Technical Report: Pretraining in Days, Not Months--Your Language Model Thrives on Quality Data. arXiv preprint arXiv:2408.03506 (2024).