CR | AI | Oct 13, 2025

DITTO: A Spoofing Attack Framework on Watermarked LLMs via Knowledge Distillation

arXiv:2510.10987v2 | 3 citations | h-index: 5 | Has Code
Originality: Highly original
AI Analysis

The work reveals a critical security gap in text authorship verification, one that threatens the integrity of watermarking systems used for content attribution.

The paper addresses a weakness in LLM watermarking by introducing a spoofing attack in which a malicious model generates text carrying the authentic-looking watermark of a trusted model, so that harmful content such as disinformation can be misattributed to that model. The authors demonstrate this by distilling knowledge from a watermarked teacher model to replicate its watermarking signal.

The promise of LLM watermarking rests on a core assumption that a specific watermark proves authorship by a specific model. We demonstrate that this assumption is dangerously flawed. We introduce the threat of watermark spoofing, a sophisticated attack that allows a malicious model to generate text containing the authentic-looking watermark of a trusted, victim model. This enables the seamless misattribution of harmful content, such as disinformation, to reputable sources. The key to our attack is repurposing watermark radioactivity, the unintended inheritance of data patterns during fine-tuning, from a discoverable trait into an attack vector. By distilling knowledge from a watermarked teacher model, our framework allows an attacker to steal and replicate the watermarking signal of the victim model. This work reveals a critical security gap in text authorship verification and calls for a paradigm shift towards technologies capable of distinguishing authentic watermarks from expertly imitated ones. Our code is available at https://github.com/hsannn/ditto.git.
