Protecting the Trace: A Principled Black-Box Approach Against Distillation Attacks
For developers of closed-source frontier models, this provides a principled and scalable solution to protect intellectual property and safety alignment against distillation attacks.
This work proposes TraceGuard, a black-box antidistillation method that poisons reasoning traces to prevent student models from learning from teacher models via distillation, while maintaining teacher performance. The method is grounded in a Stackelberg game formulation and achieves efficient protection without heavy fine-tuning or access to student model proxies.
Frontier models push the boundaries of what is learnable at extreme computational costs, yet distillation via sampling reasoning traces exposes closed-source frontier models to adversarial third parties who can bypass their guardrails and misappropriate their capabilities, raising safety, security, and intellectual privacy concerns. To address this, there is growing interest in building antidistillation methods, which aim to poison reasoning traces to hinder downstream student model learning while maintaining teacher performance. However, current techniques lack theoretical grounding, requiring either heavy fine-tuning or access to student model proxies for gradient based attacks, and often lead to a significant teacher performance degradation. In this work, we present a theoretical formulation of antidistillation as a Stackelberg game, grounding a problem that has so far largely been approached heuristically. Guided by the desired design properties our formulation reveals, we propose \texttt{TraceGuard}, an efficient, post-generation black-box method to poison sentences with high importance for teacher reasoning. Our work offers a scalable solution to share model insights safely, ensuring that the advancement of reasoning capabilities does not come at the cost of intellectual privacy or AI safety alignment.