Blackbox Model Provenance via Palimpsestic Membership Inference (2510.19796v1)

Abstract: Suppose Alice trains an open-weight LLM and Bob uses a blackbox derivative of Alice's model to produce text. Can Alice prove that Bob is using her model, either by querying Bob's derivative model (query setting) or from the text alone (observational setting)? We formulate this question as an independence testing problem--in which the null hypothesis is that Bob's model or text is independent of Alice's randomized training run--and investigate it through the lens of palimpsestic memorization in LLMs: models are more likely to memorize data seen later in training, so we can test whether Bob is using Alice's model using test statistics that capture correlation between Bob's model or text and the ordering of training examples in Alice's training run. If Alice has randomly shuffled her training data, then any significant correlation amounts to exactly quantifiable statistical evidence against the null hypothesis, regardless of the composition of Alice's training data. In the query setting, we directly estimate (via prompting) the likelihood Bob's model gives to Alice's training examples and order; we correlate the likelihoods of over 40 fine-tunes of various Pythia and OLMo base models ranging from 1B to 12B parameters with the base model's training data order, achieving a p-value on the order of at most 1e-8 in all but six cases. In the observational setting, we try two approaches based on estimating 1) the likelihood of Bob's text overlapping with spans of Alice's training examples and 2) the likelihood of Bob's text with respect to different versions of Alice's model we obtain by repeating the last phase (e.g., 1%) of her training run on reshuffled data. The second approach can reliably distinguish Bob's text from as little as a few hundred tokens; the first does not involve any retraining but requires many more tokens (several hundred thousand) to achieve high power.

• The paper introduces a permutation-based statistical test that leverages training order randomness to detect palimpsestic memorization in language models.
• The methodology employs both query and observational strategies, revealing strong correlations in log-likelihoods and n-gram overlaps with p-values as low as 1×10⁻⁸.
• Empirical evaluations across models, from TinyStories to 12B-parameter systems, validate the framework's robustness and its provable control over false positives.

Blackbox Model Provenance via Palimpsestic Membership Inference

Problem Formulation and Motivation

The paper addresses the challenge of establishing the provenance of LLMs and their generated text in a blackbox setting, where only limited access to the model or its outputs is available. Specifically, it considers the scenario where Alice trains a LLM and Bob produces either a derivative model or text using Alice's model, possibly violating terms of service or intellectual property rights. The central question is whether Alice can statistically prove that Bob's artifact (model or text) is derived from her training run, either by querying Bob's model (query setting) or by analyzing Bob's text (observational setting).

The authors formalize this as an independence testing problem, leveraging the inherent randomness in LLM training—particularly the random shuffling of training data. The null hypothesis is that Bob's artifact is independent of Alice's training run. The key insight is that LLMs exhibit palimpsestic memorization: they tend to memorize data seen later in training more strongly, and this memorization is detectable via correlations between model behavior and the order of training examples.

Methodology

Statistical Testing Framework

The core methodology is based on permutation testing. Given Alice's transcript (ordered training data) and Bob's artifact, the authors define test statistics that measure the correlation between the artifact and the training order. Under the null hypothesis (independence), these statistics have a known distribution, enabling exact p-value computation and provable control over false positives.

Algorithmically, the framework involves:

• Subsampling the transcript for computational efficiency.
• Computing a test statistic $\phi(\alpha, \beta)$ for the actual transcript and artifact.
• Generating $m$ random permutations of the transcript order, recomputing $\phi$ for each, and ranking the observed statistic to obtain a p-value.

Query Setting

In the query setting, Alice can prompt Bob's model and obtain log-likelihoods for her training examples. The primary test statistic is the Spearman rank correlation between the log-likelihoods assigned by Bob's model and the training order. A significant positive correlation indicates that Bob's model memorizes later-seen examples, consistent with derivation from Alice's model.

To increase statistical power, the authors introduce a reference model $\mu_0$ (independent of Alice's transcript) and compute the correlation of the log-likelihood ratio $\log(\mu_\beta(x^i)/\mu_0(x^i))$ with training order. This controls for inherent variation in text predictability.

If only token predictions (not probabilities) are available, log-probabilities can be estimated via repeated sampling.

Observational Setting

In the observational setting, Alice only observes text generated by Bob's model. Two approaches are proposed:

1. Partitioning: Train n-gram models on contiguous partitions of Alice's ordered training data. For Bob's text, count n-gram overlaps with each partition and correlate these counts with partition order.
2. Shuffling: Retrain copies of Alice's model from an intermediate checkpoint on different random shuffles of a subset of the training data. Evaluate the likelihood of Bob's text under the original and retrained models; a higher likelihood under the original ordering is evidence of derivation.

Both approaches yield test statistics whose null distributions can be empirically estimated or approximated, allowing for p-value computation.

Empirical Evaluation

Query Setting Results

Extensive experiments are conducted on Pythia and OLMo model families (1B–12B parameters), as well as custom TinyStories models. The tests are applied to over 40 fine-tuned derivatives, including models subjected to supervised fine-tuning, preference optimization, and model souping.

• Strong numerical results: In all but six cases, p-values are at most $1 \times 10^{-8}$, indicating high statistical power.
• Robustness to continued pretraining: Significant correlations persist even after multiple epochs of training on reshuffled data, though the effect size diminishes.
• Model size dependence: Larger models exhibit stronger memorization effects and lower p-values.
• Reference model ablation: Using a reference model closely matched in architecture and training data yields the lowest p-values.

Figure 1: Log-likelihoods of pythia-6.9b-deduped show clear correlation with training order, while independently trained pythia-6.9b does not.

Figure 2: Evaluating a model on its own transcript demonstrates the effectiveness of the query-based test statistic.

Observational Setting Results

The observational tests are more challenging, requiring larger samples of Bob's text for high power.

• Partitioning approach: Several hundred thousand tokens are needed to achieve low p-values, limiting applicability to large-scale text analysis rather than short snippets.
• Shuffling approach: Retraining on as little as 2% of the pretraining data allows detection from a few hundred tokens of Bob's text. Finetuning the test models on Bob's text increases robustness to Bob's own finetuning, but requires more tokens.

Figure 3: Approximate p-values from applying obs to TinyStories models, varying the number of tokens in Bob's text and the amount of retraining/finetuning.

Figure 4: P-values for OLMo-7B are affected by the total number of tokens and the training step at which the sequence occurs.

Figure 5: Sampling from the start of a sequence yields smaller p-values across all sample sizes for OLMo-7B models.

Ablations and Scaling

• Sequence length and position: Sampling longer sequences and from the start of training examples increases test power.
• Model scale: Larger models and more retraining improve robustness to finetuning.
• Sampling temperature: Lower diversity in generated text (low temperature) reduces test effectiveness.

Figure 6: Query test statistic on pythia-6.9b-deduped across checkpoints shows persistent memorization effects.

Figure 7: P-values between order epoch and model epoch for 50k eval samples in TinyStories multi-epoch training.

Figure 8: Varying Bob's sampling temperature and number of total tokens affects p-value sensitivity.

Figure 9: Approximate p-values from obs on TinyStories models, varying retraining and finetuning.

Figure 10: Approximate p-values from obs on TinyStories models, varying Bob's sampling temperature.

Figure 11: Approximate p-values from obs on TinyStories models of different scales, showing improved detection with larger models.

Figure 12: Distribution of obs output under the null, demonstrating conservative p-value behavior.

Theoretical and Practical Implications

The proposed tests provide provable control over false positives via exact p-values, a property lacking in prior heuristic or fingerprinting-based approaches. The methodology is transparent (no private test sets or model modifications required) and noninvasive (no need to alter Alice's model or data).

Contradictory claim: The paper demonstrates that independently trained models on similar data can behave more similarly than actual derivative models, invalidating output-similarity-based heuristics.

From a practical standpoint, the query-based tests are feasible for model providers with API access, while the observational tests are more suitable for large-scale forensic analysis. The computational cost is dominated by the number of queries or retraining required, but subsampling and efficient permutation testing mitigate this.

Limitations and Future Directions

• Data disclosure: The tests require access to Alice's training data, which may be restricted due to copyright or competitive concerns.
• Token/sample complexity: Observational tests require large samples for high power; reducing this is an open problem.
• Compute cost: Retraining models for the shuffling approach is expensive, especially at scale.
• Privacy and copyright: The findings on palimpsestic memorization have implications for privacy leakage and copyright enforcement in LLMs.

Future work should focus on developing more lightweight observational tests, extending the methodology to other modalities, and exploring the privacy implications of order-sensitive memorization.

Conclusion

This paper introduces a rigorous statistical framework for blackbox model provenance via palimpsestic membership inference, leveraging the order-sensitive memorization properties of LLMs. The proposed tests achieve high power, transparency, and noninvasiveness, with strong empirical results across multiple model families and scales. The work advances the state of the art in model and text attribution, with significant implications for intellectual property enforcement, privacy, and the understanding of memorization dynamics in large-scale neural networks.