FPEdit: Robust LLM Fingerprinting through Localized Parameter Editing
Shida Wang, Chaohu Liu, Yubo Wang, Linli Xu
TL;DR
FPEdit introduces a novel, resource-efficient method for embedding robust, natural language fingerprints into large language models through targeted weight modifications, ensuring model integrity and resistance to detection.
Contribution
The paper presents FPEdit, a new framework that uses knowledge editing to embed natural language fingerprints into LLMs with high robustness and minimal resource use, overcoming limitations of previous methods.
Findings
Achieves 95-100% fingerprint retention under various fine-tuning methods.
Maintains model performance on downstream tasks.
Embeds 10 fingerprint pairs into LLaMA2-7B in under 2 minutes with less than 30 GB GPU memory.
Abstract
Large language models represent significant investments in computation, data, and engineering expertise, making them extraordinarily valuable intellectual assets. Nevertheless, these AI assets remain vulnerable to unauthorized redistribution and commercial exploitation through fine-tuning or black-box deployment. Current fingerprinting approaches face a fundamental trade-off: intrinsic methods require full parameter access, while backdoor-based techniques employ statistically anomalous triggers easily detected and filtered by adversaries. To address these limitations, we introduce FPEdit, a novel framework that leverages knowledge editing to inject semantically coherent natural language fingerprints through sparse, targeted modifications to model weights. Our approach introduces Promote-Suppress Value Vector Optimization, which simultaneously enhances target token likelihood while…
Peer Reviews
Decision·ICLR 2026 Conference Withdrawn Submission
1. The method is well-motivated and designed carefully to satisfy the fingerprinting objectives. 2. The empirical results are very strong: 1. The inserted fingerprints are very robust: they persist after a broad selection of non-adversarial adaptation methods. 2. The inserted fingerprints incur almost no cost to the model utility, as shown in Tables 12-15 (Summary in Fig 3.) 3. The method is very computationally inexpensive and does not require full fine-tuning of the model. 4. I find
1. The proposed method does not consider the possibility of attacks that intentionally try to remove the fingerprint from the model. It is possible that the knowledge editing leaves a signature in the weights of the model that can be detected and reversed. Ideally, the paper should either consider this attack and justify why it is unlikely to succeed or explain why it is out of scope.
1. The paper uses natural looking fingeprints, which is more secure than other schemes. 2. The method is a straightforward application of knowledge editing to fingerprinting, making it easy for practitioners to adopt. 3. The persistence results of the fingerprints are good and appear to be well evaluated on a range of post-training methods. 4. I really appreciate the additional experiments in Appendix A.6, especially the false triggering analysis and the additional results on larger Qwen models
## Major 1. I believe that the core claimed novely of "promote-suppress value vector optimization" seems to be over-stated and not explained well. 1.1 Lines 293-306 or Table 1 do not motivate the need for this optimization in my opinion. I do not understand what is meant by "competing tokens" here. Is this based on the probabilities of the tokens under the fingerprinted model? If so the paper should explicitly show these probabilities. However, the proposed method applies suppression to *all*
1. I believe this paper addresses animportant issue of fingerprinting (which is definitely needed preserve the IP of models). 2. The paper assumes a realistic threat model, i.e., only black-box API access. 3. Employs natural language as fingerprints, which i believe makes the fingerprints more stealthy and practical. 4. Demonstrates very strong robustness performance with almost no utility drop.
While the paper shows very strong robustness performance, I have the following comments: 1. **Trusted Third Party Requirement**: - I believe FPEdit requires a trusted third party to store the fingerprints. Without this, anyone can find a set of questions and responses (since the responses used in the fingerprints are normal outputs, e.g., like ICLR for a conference) and claim ownership of the model and its fingerprint. The paper does not discuss this requirement or explicitly assume
- This paper introduces knowledge editing to embed fingerprints into LLM, which is novel. - The proposed methods are lightweight and robust against several downstream adaptations. - This paper is well organized.
- Vulnerability regarding the Context-free Key Vector Computation. The paper proposes a "Context-free Key Vector Computation" as a core part of its method, assuming triggers are processed in isolation. I suspect this is a brittle assumption that overlooks real-world deployment. In practice, models are almost always used with system prompts or preceding conversational context. This context-free design may lead to poor performance and low trigger success rates in realistic applications. It may be
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsAdversarial Robustness in Machine Learning · Scientific Computing and Data Management · Machine Learning in Materials Science