DITTO: A Spoofing Attack Framework on Watermarked LLMs via Knowledge Distillation

• URL: http://arxiv.org/abs/2510.10987v2
• Date: Mon, 03 Nov 2025 02:23:39 GMT
• Title: DITTO: A Spoofing Attack Framework on Watermarked LLMs via Knowledge Distillation
• Authors: Hyeseon Ahn, Shinwoo Park, Suyeon Woo, Yo-Sub Han,
• Abstract summary: We introduce the threat of watermark spoofing, a sophisticated attack that allows a malicious model to generate text containing the authentic-looking watermark of a trusted, victim model.<n>By distilling knowledge from a watermarked teacher model, our framework allows an attacker to steal and replicate the watermarking signal of the victim model.<n>This work reveals a critical security gap in text authorship verification and calls for a paradigm shift towards technologies capable of distinguishing authentic watermarks from expertly imitated ones.
• Score: 7.366060554733598
• License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
• Abstract: The promise of LLM watermarking rests on a core assumption that a specific watermark proves authorship by a specific model. We demonstrate that this assumption is dangerously flawed. We introduce the threat of watermark spoofing, a sophisticated attack that allows a malicious model to generate text containing the authentic-looking watermark of a trusted, victim model. This enables the seamless misattribution of harmful content, such as disinformation, to reputable sources. The key to our attack is repurposing watermark radioactivity, the unintended inheritance of data patterns during fine-tuning, from a discoverable trait into an attack vector. By distilling knowledge from a watermarked teacher model, our framework allows an attacker to steal and replicate the watermarking signal of the victim model. This work reveals a critical security gap in text authorship verification and calls for a paradigm shift towards technologies capable of distinguishing authentic watermarks from expertly imitated ones. Our code is available at https://github.com/hsannn/ditto.git.

Related papers

• Mitigating Watermark Forgery in Generative Models via Randomized Key Selection [33.12939822735328]
  A core security threat are forgery attacks where adversaries insert the provider's watermark into content.<n>Existing defenses resist forgery by embedding many watermarks with multiple keys into the same content.<n>We propose a defense that is provably forgery-resistant emphindependent of the number of watermarked content collected by the attacker.
  arXiv  Detail & Related papers  (2025-07-10T15:52:32Z)
• SEAL: Semantic Aware Image Watermarking [26.606008778795193]
  We propose a novel watermarking method that embeds semantic information about the generated image directly into the watermark.<n>The key pattern can be inferred from the semantic embedding of the image using locality-sensitive hashing.<n>Our results suggest that content-aware watermarks can mitigate risks arising from image-generative models.
  arXiv  Detail & Related papers  (2025-03-15T15:29:05Z)
• Can LLM Watermarks Robustly Prevent Unauthorized Knowledge Distillation? [75.99961894619986]
  This paper investigates whether student models can acquire the capabilities of teacher models through knowledge distillation while avoiding watermark inheritance.<n>We propose two categories of watermark removal approaches: pre-distillation removal through untargeted and targeted training data paraphrasing (UP and TP), and post-distillation removal through inference-time watermark neutralization (WN)
  arXiv  Detail & Related papers  (2025-02-17T09:34:19Z)
• RoboSignature: Robust Signature and Watermarking on Network Attacks [0.5461938536945723]
  We present a novel adversarial fine-tuning attack that disrupts the model's ability to embed the intended watermark.<n>Our findings emphasize the importance of anticipating and defending against potential vulnerabilities in generative systems.
  arXiv  Detail & Related papers  (2024-12-22T04:36:27Z)
• Black-Box Forgery Attacks on Semantic Watermarks for Diffusion Models [16.57738116313139]
  We show that attackers can leverage unrelated models, even with different latent spaces and architectures, to perform powerful and realistic forgery attacks.<n>The first imprints a targeted watermark into real images by manipulating the latent representation of an arbitrary image in an unrelated LDM.<n>The second attack generates new images with the target watermark by inverting a watermarked image and re-generating it with an arbitrary prompt.
  arXiv  Detail & Related papers  (2024-12-04T12:57:17Z)
• On the Learnability of Watermarks for Language Models [80.97358663708592]
  We ask whether language models can directly learn to generate watermarked text. We propose watermark distillation, which trains a student model to behave like a teacher model. We find that models can learn to generate watermarked text with high detectability.
  arXiv  Detail & Related papers  (2023-12-07T17:41:44Z)
• Towards Robust Model Watermark via Reducing Parametric Vulnerability [57.66709830576457]
  backdoor-based ownership verification becomes popular recently, in which the model owner can watermark the model. We propose a mini-max formulation to find these watermark-removed models and recover their watermark behavior. Our method improves the robustness of the model watermarking against parametric changes and numerous watermark-removal attacks.
  arXiv  Detail & Related papers  (2023-09-09T12:46:08Z)
• Invisible Image Watermarks Are Provably Removable Using Generative AI [47.25747266531665]
  Invisible watermarks safeguard images' copyrights by embedding hidden messages only detectable by owners. We propose a family of regeneration attacks to remove these invisible watermarks. The proposed attack method first adds random noise to an image to destroy the watermark and then reconstructs the image.
  arXiv  Detail & Related papers  (2023-06-02T23:29:28Z)
• Certified Neural Network Watermarks with Randomized Smoothing [64.86178395240469]
  We propose a certifiable watermarking method for deep learning models. We show that our watermark is guaranteed to be unremovable unless the model parameters are changed by more than a certain l2 threshold. Our watermark is also empirically more robust compared to previous watermarking methods.
  arXiv  Detail & Related papers  (2022-07-16T16:06:59Z)
• Fine-tuning Is Not Enough: A Simple yet Effective Watermark Removal Attack for DNN Models [72.9364216776529]
  We propose a novel watermark removal attack from a different perspective. We design a simple yet powerful transformation algorithm by combining imperceptible pattern embedding and spatial-level transformations. Our attack can bypass state-of-the-art watermarking solutions with very high success rates.
  arXiv  Detail & Related papers  (2020-09-18T09:14:54Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.