Double-I Watermark: Protecting Model Copyright for LLM Fine-tuning

TL;DR

This paper introduces 'Double-I watermark', a novel method for embedding verifiable watermarks into fine-tuned LLMs using backdoor data paradigms, enhancing model copyright protection during commercial fine-tuning.

Contribution

The paper proposes a new watermarking technique that embeds watermarks into LLMs during fine-tuning using instruction and input triggers, improving robustness and practicality.

Findings

Effective watermark embedding during fine-tuning.

High robustness and imperceptibility of watermarks.

Successful verification across various fine-tuning methods.

Abstract

To support various applications, a prevalent and efficient approach for business owners is leveraging their valuable datasets to fine-tune a pre-trained LLM through the API provided by LLM owners or cloud servers. However, this process carries a substantial risk of model misuse, potentially resulting in severe economic consequences for business owners. Thus, safeguarding the copyright of these customized models during LLM fine-tuning has become an urgent practical requirement, but there are limited existing solutions to provide such protection. To tackle this pressing issue, we propose a novel watermarking approach named ``Double-I watermark''. Specifically, based on the instruct-tuning data, two types of backdoor data paradigms are introduced with trigger in the instruction and the input, respectively. By leveraging LLM's learning capability to incorporate customized backdoor samples into the dataset, the proposed approach effectively injects specific watermarking information into the customized model during fine-tuning, which makes it easy to inject and verify watermarks in commercial scenarios. We evaluate the proposed "Double-I watermark" under various fine-tuning methods, demonstrating its harmlessness, robustness, uniqueness, imperceptibility, and validity through both quantitative and qualitative analyses.