From Construction to Injection: Edit-Based Fingerprints for Large Language Models

Researchers propose a novel fingerprinting framework for large language models that combines Code-mixing Fingerprints (CF) and Multi-Candidate Editing (MCEdit) to protect against unauthorized redistribution and commercial misuse. The approach addresses key vulnerabilities in existing fingerprinting methods by balancing imperceptibility with robustness against defensive filtering and downstream model modifications.

This research addresses a critical security gap in LLM deployment: the inability to reliably verify ownership of models in black-box settings where operators actively defend against fingerprint detection. Traditional fingerprinting approaches face fundamental trade-offs—natural language triggers risk accidental activation while garbled fingerprints expose statistical patterns that become easy targets for filtering. The proposed solution leverages code-mixing, a linguistic phenomenon where speakers blend multiple languages, to create triggers that maintain high linguistic naturalness while remaining statistically complex enough to evade automated detection. Beyond construction challenges, the framework tackles injection durability through Multi-Candidate Editing, which embeds structurally redundant trigger-target pairs with sufficient margin separation to survive common model modifications like fine-tuning or pruning. This enables graceful performance degradation rather than complete fingerprint collapse. The research carries significant implications for the emerging LLM commercialization landscape, where model theft and unauthorized redistribution represent substantial financial risks. As foundation models become increasingly valuable assets, robust ownership verification mechanisms become essential infrastructure for developers and enterprises deploying proprietary systems. The work demonstrates that fingerprints can be embedded with negligible utility impact, addressing concerns that security measures degrade model performance. Moving forward, the effectiveness of these techniques will likely face adversarial pressure from bad actors developing counter-strategies, making this an ongoing arms race in model security. The framework's success depends on how well it generalizes across different model architectures and fine-tuning approaches in production environments.

• →Code-mixing fingerprints balance naturalness and imperceptibility by leveraging multilingual linguistic properties under complexity constraints.
• →Multi-Candidate Editing creates redundant, margin-separated mappings that survive model modifications while maintaining graceful degradation.
• →The framework achieves robust ownership verification with minimal impact on model utility and performance.
• →Black-box fingerprint detection remains vulnerable to defensive filtering, requiring sophisticated trigger design to overcome.
• →LLM ownership verification is becoming critical infrastructure as model theft and unauthorized redistribution increase in commercial deployment.