Interaction-Layer Watermarks to Detect LLM Knowledge Distillation

A recent preprint on arXiv (2605.16462v1) introduces interaction-layer antidistillation watermarks aimed at identifying unauthorized knowledge distillation from LLM APIs in use. Current protective measures, like green-list watermarks and cryptographic techniques, are susceptible to paraphrasing attacks that eliminate signals while retaining knowledge. This new approach shifts the trace to the teacher's interaction patterns by employing a system prompt that sporadically elicits behavioral indicators—such as explicit follow-up inquiries, low-frequency variations, or declarative rephrasing. An oblivious distiller adopts these behaviors, allowing the defender to perform audits through black-box queries with a human-validated LLM serving as a judge. This method tackles the issue of the defender lacking control over the attacker's training process and next-token logits.