Defending Unauthorized Model Merging via Dual-Stage Weight Protection
Wei-Jia Chen, Min-Yen Tsai, Cheng-Yi Lee, Chia-Mu Yu

TL;DR
This paper introduces MergeGuard, a dual-stage weight protection framework that prevents unauthorized model merging by disrupting compatibility while preserving the original model's performance.
Contribution
The paper proposes a novel dual-stage method to protect models from unauthorized merging, combining gradient redistribution and structured perturbations.
Findings
Reduces merged model accuracy by up to 90%
Maintains less than 1.5% performance loss on the original model
Effective on both vision and language models
Abstract
The rapid proliferation of pretrained models and open repositories has made model merging a convenient yet risky practice, allowing free-riders to combine fine-tuned models into a new multi-capability model without authorization. Such unauthorized model merging not only violates intellectual property rights but also undermines model ownership and accountability. To address this issue, we present MergeGuard, a proactive dual-stage weight protection framework that disrupts merging compatibility while maintaining task fidelity. In the first stage, we redistribute task-relevant information across layers via L2-regularized optimization, ensuring that important gradients are evenly dispersed. In the second stage, we inject structured perturbations to misalign task subspaces, breaking curvature compatibility in the loss landscape. Together, these stages reshape the model's parameter geometry…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Advanced Neural Network Applications · Big Data and Digital Economy
