Existing invasive (backdoor) fingerprints suffer from high-perplexity triggers that are easily filtered, fixed response patterns exposed by heuristic detectors, and spurious activations on benign inputs. We introduce \textsc{ForgetMark}, a stealthy fingerprinting framework that encodes provenance via targeted unlearning. It builds a compact, human-readable key--value set with an assistant model and predictive-entropy ranking, then trains lightweight LoRA adapters to suppress the original values on their keys while preserving general capabilities. Ownership is verified under black/gray-box access by aggregating likelihood and semantic evidence into a fingerprint success rate. By relying on probabilistic forgetting traces rather than fixed trigger--response patterns, \textsc{ForgetMark} avoids high-perplexity triggers, reduces detectability, and lowers false triggers. Across diverse architectures and settings, it achieves 100\% ownership verification on fingerprinted models while maintaining standard performance, surpasses backdoor baselines in stealthiness and robustness to model merging, and remains effective under moderate incremental fine-tuning. Our code and data are available at \href{https://github.com/Xuzhenhua55/ForgetMark}{https://github.com/Xuzhenhua55/ForgetMark}.