AttnDiff: Attention-based Differential Fingerprinting for Large Language Models

Dezhang Kong; Haobo Zhang; Junxian Li; Meng Han; Shangfeng Sheng; Zhenhua Xu

arxiv: 2604.05502 · v1 · submitted 2026-04-07 · 💻 cs.CR · cs.LG

AttnDiff: Attention-based Differential Fingerprinting for Large Language Models

Haobo Zhang , Zhenhua Xu , Junxian Li , Shangfeng Sheng , Dezhang Kong , Meng Han This is my paper

Pith reviewed 2026-05-10 19:28 UTC · model grok-4.3

classification 💻 cs.CR cs.LG

keywords LLM fingerprintingmodel provenanceattention patternsintellectual propertydifferential analysiswhite-box verificationsemantic conflictsmodel laundering

0 comments

The pith

Differential attention from conflicting prompts creates stable fingerprints that identify LLM derivatives despite fine-tuning, pruning, or merging.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

Protecting the origins of open-weight large language models requires a way to check whether a suspect model comes from a specific source even after common changes. The paper develops a white-box approach that uses pairs of minimally altered prompts to create semantic conflicts and records how the model's attention layers respond differently to each. These differential patterns are condensed into short spectral descriptions and compared across models with a kernel-based similarity measure. Results across multiple model families show that versions sharing the same base stay highly similar while unrelated families diverge sharply. This setup allows verification with as few as five to sixty probes drawn from different domains.

Core claim

AttnDiff extracts fingerprints from models via intrinsic information-routing behavior. It probes minimally edited prompt pairs that induce controlled semantic conflicts, captures differential attention patterns, summarizes them with compact spectral descriptors, and compares models using CKA. Across Llama-2/3 and Qwen2.5 (3B--14B) and additional open-source families, it yields high similarity for related derivatives while separating unrelated model families (e.g., >0.98 vs. <0.22 with M=60 probes). With 5--60 multi-domain probes, it supports practical provenance verification and accountability.

What carries the argument

Differential attention patterns from minimally edited prompt pairs that create semantic conflicts, condensed into spectral descriptors and measured by centered kernel alignment.

If this is right

Provenance checks become feasible with only 5 to 60 multi-domain probes.
Related model variants retain similarity above 0.98 while unrelated families fall below 0.22.
The method holds across Llama-2/3, Qwen2.5, and other open families ranging from 3B to 14B parameters.
Verification works after PPO/DPO fine-tuning, pruning/compression, and model merging.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

If attention patterns prove more stable than weights, model releases could include optional fingerprint metadata to simplify later audits.
The same probe construction might be adapted to detect whether a fine-tuned model still carries the original routing signature even when weights have changed substantially.
Repeated application across successive derivatives could trace long chains of model reuse without needing access to training data.
Developers might incorporate the probe set into release checklists so downstream users can confirm a model's claimed lineage.

Load-bearing premise

Differential attention patterns reflect an intrinsic model identity that remains stable through fine-tuning, pruning, compression, and merging.

What would settle it

A derivative model obtained by fine-tuning, pruning, or merging shows similarity below 0.5 to its claimed source, or an unrelated model family shows similarity above 0.5, under the same set of 60 probes.

Figures

Figures reproduced from arXiv: 2604.05502 by Dezhang Kong, Haobo Zhang, Junxian Li, Meng Han, Shangfeng Sheng, Zhenhua Xu.

**Figure 1.** Figure 1: ATTNDIFFpipeline. Left: construct M origin/corrupted prompt pairs (p, p˜) via a single-word pivot substitution. Right: extract causal attention maps over L layers and H heads, compute ∆A = A˜ − A, and summarize ∆A by SVD with TopK(σ) (largest K singular values). Concatenating over heads/layers and stacking over pairs yields the fingerprint matrix F. Parentheses denote dimensions (e.g., N, H, L, M). tensors… view at source ↗

**Figure 2.** Figure 2: Impact of sample size ( [PITH_FULL_IMAGE:figures/full_fig_p008_2.png] view at source ↗

**Figure 3.** Figure 3: Visualization of single-sample layer–head [PITH_FULL_IMAGE:figures/full_fig_p015_3.png] view at source ↗

**Figure 4.** Figure 4: Visualization of the 2D adaptive average pooling used to align origin/corrupted attention matrices to a [PITH_FULL_IMAGE:figures/full_fig_p018_4.png] view at source ↗

**Figure 5.** Figure 5: Layer-wise CKA similarity matrices for repre [PITH_FULL_IMAGE:figures/full_fig_p018_5.png] view at source ↗

**Figure 6.** Figure 6: Layer-wise similarity trends for representative related, pruned, and unrelated model pairs under our [PITH_FULL_IMAGE:figures/full_fig_p019_6.png] view at source ↗

**Figure 7.** Figure 7: ProFlingo workflow. A short trigger prefix is optimized to induce a target response; a suspect model is [PITH_FULL_IMAGE:figures/full_fig_p021_7.png] view at source ↗

**Figure 8.** Figure 8: Radar comparison of AttnDiff and baseline fingerprinting methods across deployment transformations. [PITH_FULL_IMAGE:figures/full_fig_p022_8.png] view at source ↗

**Figure 9.** Figure 9: Discovery stage: layer-wise column Gini coefficient (mean±SD) computed from the differential attention matrix ∆A under controlled semantic conflicts. We plot the metric against relative layer depth and show that Llama-2-7B derivatives follow highly similar trajectories while Qwen2.5-7B exhibits a consistently lower concentration regime [PITH_FULL_IMAGE:figures/full_fig_p024_9.png] view at source ↗

**Figure 10.** Figure 10: Discovery stage: visualization of key differential-attention structure metrics (mean over probe instances) for Qwen2.5-7B and Llama-2-7B derivatives. Llama-2-7B derivatives exhibit highly consistent metric profiles, while Qwen2.5-7B differs in multiple concentration-related dimensions. across probe instances. Validation (broader models): in fingerprint space, models from different sources occupy separat… view at source ↗

read the original abstract

Protecting the intellectual property of open-weight large language models (LLMs) requires verifying whether a suspect model is derived from a victim model despite common laundering operations such as fine-tuning (including PPO/DPO), pruning/compression, and model merging. We propose \textsc{AttnDiff}, a data-efficient white-box framework that extracts fingerprints from models via intrinsic information-routing behavior. \textsc{AttnDiff} probes minimally edited prompt pairs that induce controlled semantic conflicts, captures differential attention patterns, summarizes them with compact spectral descriptors, and compares models using CKA. Across Llama-2/3 and Qwen2.5 (3B--14B) and additional open-source families, it yields high similarity for related derivatives while separating unrelated model families (e.g., $>0.98$ vs.\ $<0.22$ with $M=60$ probes). With 5--60 multi-domain probes, it supports practical provenance verification and accountability.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Desk Editor's Note private letter to a colleague

AttnDiff gives a workable white-box fingerprint via differential attention but the laundering stability claim is the part that still needs tighter evidence.

read the letter

AttnDiff uses differential attention from minimally edited conflicting prompt pairs to fingerprint open-weight LLMs. The goal is provenance verification that survives fine-tuning, pruning, and merging. The specific pipeline—controlled prompt conflicts, attention difference capture, spectral descriptors, and CKA comparison—is not a routine extension of prior watermarking or output-based work. That combination is the actual novelty here. Experiments on Llama-2/3, Qwen2.5, and other families from 3B to 14B report strong separation: related derivatives stay above 0.98 similarity while unrelated families fall below 0.22, all with 5–60 multi-domain probes. The data efficiency and concrete numbers are the parts that work well. They show a practical path for accountability when models are redistributed in white-box settings. The main soft spot is the stability assumption. Attention routing often shifts under PPO/DPO, pruning, or merging, and if the spectral summaries move too much the high similarity scores would not hold for real derivatives. The abstract states the separation persists, but the laundering tests need explicit detail on how the operations were applied and what statistical checks confirm invariance. Without that, the central utility claim rests on an empirical premise that could fail outside the tested instances. This paper is for researchers and engineers working on model IP and provenance tools. Anyone already thinking about white-box signatures for open LLMs would find the method and numbers worth examining. It deserves peer review because the idea is grounded and the problem is timely; referees can tighten the robustness experiments and clarify the exact laundering protocols.

Referee Report

2 major / 2 minor

Summary. The manuscript proposes AttnDiff, a white-box framework for LLM provenance verification. It extracts fingerprints by probing models with minimally edited prompt pairs that induce controlled semantic conflicts, capturing differential attention patterns, summarizing them via compact spectral descriptors, and comparing models with CKA similarity. The authors claim that across Llama-2/3, Qwen2.5 (3B-14B) and other open-source families, the method yields high similarity (>0.98) for related derivatives while separating unrelated families (<0.22) with M=60 probes, and remains effective for practical verification even after laundering operations such as fine-tuning (PPO/DPO), pruning/compression, and model merging.

Significance. If the reported robustness to laundering holds, the work would be significant for intellectual property protection of open-weight LLMs by offering a data-efficient, intrinsic-behavior-based fingerprinting approach that addresses a practical need in model accountability. The empirical separation between related and unrelated models is a notable strength, and the focus on white-box attention patterns provides a fresh angle compared to output-only or weight-based methods.

major comments (2)

Abstract: the central claim of robustness under laundering operations (fine-tuning, pruning, merging) is load-bearing for the provenance-verification utility, yet the abstract provides no specifics on how these operations were implemented on the tested models or the exact number of derivative instances evaluated per operation; without this, it is impossible to determine whether the >0.98 similarity persists beyond the particular cases examined.
Abstract: the reported separation (>0.98 vs. <0.22 with M=60 probes) is presented without accompanying details on probe construction, statistical tests, variance across runs, or raw similarity matrices, which undermines assessment of whether the distinction is reliable or sensitive to unstated choices in prompt editing and spectral summarization.

minor comments (2)

The acronym CKA is used without expansion or reference on first appearance; a brief definition or citation would improve accessibility for readers outside the kernel-methods community.
Consider including a summary table of similarity scores across all model pairs and laundering scenarios to make the cross-family and cross-operation results easier to parse at a glance.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive feedback on our manuscript. We agree that the abstract would benefit from greater specificity regarding the laundering experiments and probe details to better support the central claims. We have revised the abstract accordingly while preserving its brevity. Below we respond point by point to the major comments.

read point-by-point responses

Referee: Abstract: the central claim of robustness under laundering operations (fine-tuning, pruning, merging) is load-bearing for the provenance-verification utility, yet the abstract provides no specifics on how these operations were implemented on the tested models or the exact number of derivative instances evaluated per operation; without this, it is impossible to determine whether the >0.98 similarity persists beyond the particular cases examined.

Authors: We agree that the abstract should reference the scope of the laundering evaluation to allow readers to assess the robustness claims. The full manuscript provides these details in the Experiments section, including the specific implementations (PPO/DPO fine-tuning on standard instruction datasets, magnitude-based pruning at multiple sparsity levels, and merging via established techniques such as linear interpolation) along with the number of derivative instances tested per operation and model family. We have revised the abstract to concisely note that robustness was evaluated across multiple derivative instances under each laundering operation. revision: yes
Referee: Abstract: the reported separation (>0.98 vs. <0.22 with M=60 probes) is presented without accompanying details on probe construction, statistical tests, variance across runs, or raw similarity matrices, which undermines assessment of whether the distinction is reliable or sensitive to unstated choices in prompt editing and spectral summarization.

Authors: We agree that the abstract would be strengthened by briefly indicating the methodological choices underlying the reported separation. Probe construction (minimally edited conflicting prompt pairs), spectral descriptor summarization, and CKA-based comparison are described in the Method section, with supporting analyses of variance across runs and similarity matrices provided in the supplementary material and experimental figures. We have updated the abstract to reference the use of M=60 multi-domain probes and the consistent separation observed across the evaluated model families. revision: yes

Circularity Check

0 steps flagged

No circularity: purely empirical measurement framework

full rationale

The paper presents AttnDiff as a data-efficient white-box method that probes models with minimally edited prompt pairs, extracts differential attention patterns, summarizes them via spectral descriptors, and compares via CKA similarity. No equations, derivations, or first-principles results are claimed that reduce outputs to inputs by construction. No self-citations are invoked as load-bearing for uniqueness theorems or ansatzes. The reported similarities (>0.98 for derivatives, <0.22 for unrelated families) are experimental observations across Llama-2/3, Qwen2.5, and other families under laundering operations, not statistical predictions forced by fitted parameters. The central premise is an empirical assumption about attention pattern stability, which is externally falsifiable and does not collapse into self-definition or renaming of known results.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

No mathematical derivations, free parameters, or new postulated entities are introduced; the work is an empirical measurement framework built on standard attention mechanisms and CKA similarity.

pith-pipeline@v0.9.0 · 5476 in / 1022 out tokens · 81190 ms · 2026-05-10T19:28:55.327705+00:00 · methodology

discussion (0)

Lean theorems connected to this paper

Citations machine-checked in the Pith Canon. Every link opens the source theorem in the public Lean library.

IndisputableMonolith/Cost/FunctionalEquation.lean washburn_uniqueness_aczel unclear

?

unclear
Relation between the paper passage and the cited Recognition theorem.

probes minimally edited prompt pairs that induce controlled semantic conflicts, captures differential attention patterns, summarizes them with compact spectral descriptors, and compares models using CKA
IndisputableMonolith/Foundation/RealityFromDistinction.lean reality_from_one_distinction unclear

?

unclear
Relation between the paper passage and the cited Recognition theorem.

retains high similarity for related derivatives across fine-tuning (including PPO/DPO), pruning/compression, and merging

What do these tags mean?

matches: The paper's claim is directly supported by a theorem in the formal canon.
supports: The theorem supports part of the paper's argument, but the paper may add assumptions or extra steps.
extends: The paper goes beyond the formal theorem; the theorem is a base layer rather than the whole result.
uses: The paper appears to rely on the theorem as machinery.
contradicts: The paper's claim conflicts with a theorem or certificate in the canon.
unclear: Pith found a possible connection, but the passage is too broad, indirect, or ambiguous to say the theorem truly supports the claim.

Reference graph

Works this paper leans on

2 extracted references · 2 canonical work pages

[1]

[CYS+24] Jiacheng Cai, Jiahao Yu, Yangguang Shao, Yuhang Wu, and Xinyu Xing

Robust and efficient watermarking of large lan- guage models using error correction codes.Proceed- ings on Privacy Enhancing Technologies (PoPETs). Jiacheng Cai, Jiahao Yu, Yangguang Shao, and Yuhang Wu. 2024. UTF: Undertrained Tokens as Finger- prints: A Novel Approach to LLM Identification. Preprint, arXiv:2410.12318. Wei-Lin Chiang, Zhuohan Li, Zi Lin,...

work page arXiv 2024
[2]

stress test

Us- ing ˆyi =W x ∗ i and residual ri = ˆyi − 20 Figure 7: ProFlingo workflow. A short trigger prefix is optimized to induce a target response; a suspect model is then evaluated by its target response rate (TRR) over the query set. yi, we compute the coefficient of determi- nation R2 i = 1− P j r2 i,jP j(yi,j −¯yi)2 , and report mean_R2 = 1 N P i R2 i as t...

work page 2022

[1] [1]

[CYS+24] Jiacheng Cai, Jiahao Yu, Yangguang Shao, Yuhang Wu, and Xinyu Xing

Robust and efficient watermarking of large lan- guage models using error correction codes.Proceed- ings on Privacy Enhancing Technologies (PoPETs). Jiacheng Cai, Jiahao Yu, Yangguang Shao, and Yuhang Wu. 2024. UTF: Undertrained Tokens as Finger- prints: A Novel Approach to LLM Identification. Preprint, arXiv:2410.12318. Wei-Lin Chiang, Zhuohan Li, Zi Lin,...

work page arXiv 2024

[2] [2]

stress test

Us- ing ˆyi =W x ∗ i and residual ri = ˆyi − 20 Figure 7: ProFlingo workflow. A short trigger prefix is optimized to induce a target response; a suspect model is then evaluated by its target response rate (TRR) over the query set. yi, we compute the coefficient of determi- nation R2 i = 1− P j r2 i,jP j(yi,j −¯yi)2 , and report mean_R2 = 1 N P i R2 i as t...

work page 2022