Copyright-Protected Language Generation via Adaptive Model Fusion

We thank the reviewer for recognizing the relevance of the problem we tackle with CP-Fuse and appreciate their positive feedback on our additional analysis and appendices. In our general comments, we have addressed concerns regarding potential slowdown in decoding time.

CP-Fuse for Stronger Baselines, e.g., LLama 3

We replicated the code generation experiments from the main paper (originally conducted with the StarCoder model) using LLaMA 3 to assess CP-Fuse’s performance with a stronger baseline and a precise utility measure via the pass@1 score. Specifically, we fine-tuned two LLaMA 3 base models using LoRA on separate splits from the APPS dataset, training each for 5 epochs (as opposed to 50 epochs in the main paper). We then evaluated first-shot test passing rates on HumanEval, APPS, and MBPP, comparing CP-Fuse to a single LLaMA 3 model trained on the combined splits without CP-Fuse.

As in the main paper, CP-Fuse shows no utility drop compared to the single model.

Comparison of CP-Fuse with a Single Model

The results above, along with the following from the StarCoder (code generation) and LLaMA 2 (fluency evaluation on WritingPrompts), confirm that CP-Fuse maintains comparable utility to a model trained on the full dataset.

Recommended Strategy for Splitting Datasets and CP-Fuse on Multiple Tasks

Our recommended strategy is to duplicate datasets for tasks that are not copyright-sensitive and use them to train all models, while partitioning sensitive tasks so that sensitive content only appears in one model's training data. This ensures that each model can independently perform well on the tasks, so merging them with CP-Fuse does not result in the performance drop that the reviewer was concerned about.

Following this approach, we conducted additional experiments with LLaMA 3, fine-tuning two base models on the APPS dataset and then on disjoint splits of (1) MathAbstract, (2) WritingPrompts, and (3) Alpaca general knowledge [1]. In these tests, we observed no quality drop in pass@1 scores on HumanEval, APPS, and MBPP after fine-tuning the additional datasets. Importantly, CP-Fuse combining the two models achieves scores similar to those of the single models.

Questions

Is there an n-gram threshold? There is no specific n-gram threshold. If a sequence is highly probable under both models, CP-Fuse can reproduce it by assigning similar weights to each model's distribution during fusion. Conversely, if only one model has seen the sequence, the reproduced length depends on how "common" it appears under the second model, even if it wasn’t part of its training data. The evolution of these weighting parameters across example sequences is shown in Figure 7

Will CP-Fuse be less effective on RLHF? The interaction between memorization and RLHF remains underexplored. The only study we are aware of is [2], which examines this issue in code generation and concludes that RLHF significantly reduces the likelihood of memorizing data used for reward modeling and reinforcement learning compared to SFT. The authors of [2] further state, "Because of this low risk, it may be possible to leverage sensitive and/or proprietary data during reward modeling." Therefore, we expect copyright infringement to be less of a concern in this setup. However, CP-Fuse could still be applied, and we anticipate it would exhibit similar behavior as with SFT.

[1] Taori, R., Gulrajani, I., Zhang, T., Dubois, Y., Li, X., Guestrin, C., ... & Hashimoto, T. B. (2023). Stanford alpaca: an instruction-following llama model (2023). URL https://github. com/tatsu-lab/stanford_alpaca, 1(9)

[2] Pappu, A., Porter, B., Shumailov, I., & Hayes, J. (2024). Measuring memorization in RLHF for code completion. arXiv preprint arXiv:2406.11715.

We thank the reviewer for their positive comments on our experimental evaluation and the clarity of our presentation. In our general comments, we have addressed the issues regarding the separability assumption and computational complexity.

Potential Ethical and Dual-Use Concerns

Thank you for highlighting this important point. We acknowledge that real-world applications of CP-Fuse could face legal restrictions related to dataset and model usage. Copyright protection for LLMs is complex and lacks clear legislative consensus on what constitutes infringement. We agree on the importance of discussing these concerns and will add a paragraph in the updated draft to acknowledge them, while refraining from specific recommendations, as these are the responsibility of organizations' legal departments.

Questions

Adversarial Attacks: The reviewer makes a valid point. While the balancing property in CP-Fuse provides some intuitive protection, our method could still be susceptible to adversarially crafted prompts. We envision CP-Fuse being used primarily in controlled environments, such as API setups, where only black-box attacks are feasible. We attempted GCG-like attacks [1] in this setting, but they were too computationally demanding and did not yield successful results given our resources. We believe future work could explore stronger attacks.

Experimental Details: Thank you for highlighting this. We have reported our infrastructure details (NVIDIA A40 GPUs) and CP-Fuse runtimes in the General Comments. We will include these, along with additional details on fine-tuning and other experimental settings, in the updated draft.

Ethical Concerns with Datasets and Models: As noted above, we will address ethical considerations related to model and data use. Additionally, we clarify that all datasets and models used in our experiments are publicly available from Hugging Face and do not involve real-world copyright-protected material.

[1] Zou, A., Wang, Z., Carlini, N., Nasr, M., Kolter, J. Z., & Fredrikson, M. (2023). Universal and transferable adversarial attacks on aligned language models. arXiv preprint arXiv:2307.15043.

We thank the reviewer for recognizing the relevance and promise of our method and for their positive feedback on the clarity and quality of the manuscript. In our general comments, we have addressed concerns about potential inefficiencies of CP-Fuse.

Testing CP-Fuse on MMLU

Thank you for this suggestion. Initially, we did not conduct experiments on multi-class classification because copyright infringement in such a setting is less clearly defined. Instead, we focused on text and code generation. For completeness, we have now conducted a 5-shot MMLU evaluation using models fine-tuned on the MathAbstracts dataset, as described in the paper. The single models achieved a score of 44.7 (consistent with values reported in the literature [1]), while CP-Fuse combining the two models yielded a score of 44.9. These results indicate that CP-Fuse does not degrade utility in this classification setting.

CP-Fuse Under Attacks Involving Parameter Access

We acknowledge the reviewer's observation that CP-Fuse, as an inference-time strategy, relies on underlying models that could risk copyright infringement without protection. We envision CP-Fuse's primary application in API-like interactions or scenarios where users do not have access to model parameters. We will clarify this threat model in the updated draft. Additionally, as demonstrated in Section 4.3, CP-Fuse can be combined with other methods to guard against more powerful, white-box attacks.

Questions

Alternative Protection Strategies: We consider model fusion a promising approach to copyright protection and are unaware of alternative methods with similar properties to CP-Fuse (e.g., the balancing property) that operate with a single model. Our literature review primarily identified filtering strategies, which have significant limitations, as discussed in Section 4.2.

Why LCS Was Excluded from Analysis: If the reviewer refers to the longest contiguous subsequence between two sequences, this is what we denote as the exact matching (EM) metric (see Appendix D.5.1 for a description of all metrics). Could the reviewer confirm if this is the metric in question?

Relevance of Balancing Property: We approach copyright protection from a verbatim (and quasi-verbatim) reproduction perspective. In Section 3.3 and Appendix A.7, we detail how the balancing property, under our separability assumptions, helps prevent such infringement. Our experiments further validate its effectiveness.

Connection to MoE: There is indeed a connection between CP-Fuse and Mixture of Experts, particularly in how both dynamically select which model to "activate"—MoE based on the input prompt and CP-Fuse based on the history of the currently decoded sequence. However, MoE focuses on efficiency and model capacity, whereas CP-Fuse targets copyright protection.

[1] Touvron, H., Martin, L., Stone, K., Albert, P., Almahairi, A., Babaei, Y., ... & Scialom, T. (2023). Llama 2: Open foundation and fine-tuned chat models. arXiv preprint arXiv:2307.09288.

We thank the reviewer for acknowledging the novelty of our method and the thoroughness of our experimental evaluation. In our general comment, we have addressed concerns regarding the separability of the copyright assumption and computational complexity.

Effectiveness in Real-World Scenarios

We recognize that the effectiveness of CP-Fuse in real-world applications requires further exploration. Our experiments focus on verbatim (and quasi-verbatim) reproduction of protected material as a straightforward case of potential copyright infringement. However, copyright protection for LLMs currently lacks clear legislative definitions—ongoing lawsuits have yet to reach conclusions [1, 2]. Establishing concrete guidelines for real-world applications is beyond the scope of our work. If the reviewer has specific use cases, tasks, or datasets in mind, we welcome suggestions for additional experiments.

Questions

Impact of Separability Assumption: Addressed in the General Comments.

Scaling CP-Fuse to Larger or More Models: We have partially addressed this in the General Comments. While we currently lack resources to scale CP-Fuse to very large models (e.g., 70B parameters), efficient parallelization can mitigate inefficiencies. The main limitations are communication overhead between GPUs and solving the grid search, which remains extremely fast (~$10^{-4}$ seconds for large batch sizes). Adding more models is up to practitioners; two models already offer significant protection, and adding more may require extra hardware and increase communication overhead.

Scaling CP-Fuse to More Copyrighted Data: Our experiments already simulate an extreme case by treating all data as copyright-protected, requiring the model to avoid reproducing any training samples even after overfitting.

Generalization to Other Modalities: This is an exciting question! CP-Fuse can be adapted to other autoregressive generative models, such as those used in image generation. It extends to models that use decoding algorithms for selection from a discrete set (pixels, audio frames, etc.) without significant modifications. Our experiments demonstrate merits in text and code; we leave exploration in other modalities for future work.

[1] Grynbaum, M. M., & Mac, R. (2023). The Times sues OpenAI and Microsoft over AI use of copyrighted work. The New York Times, 27.

[2] Brittain, B. 2023. Pulitzer-winning authors join OpenAI, Microsoft copyright lawsuit. Reuters.

We have updated the draft with the following changes:

1. We added Section B in the Appendix, "Discussion on the Separability of Copyright Assumption" (previously "Limitations"), where we further discuss the assumption and include the points discussed in the reviews: experiments with partial overlap, ethical limitations, and recommended strategies for splitting datasets and tasks.

2. We added Section D.1, "Computational resources," with a discussion on the additional overhead due to the grid search and details on the infrastructure, fine-tuning, and decoding times.

3. In Section 4.4, we specified the threat model and the nature of the adversary one would expect in such a setup.

Please let us know if we have overlooked anything.