The Geometry of Model Theft: Distillation Forensics, Adversarial Erasure, and the Illusion of Spoofing
Description
Recent disclosures of industrial-scale knowledge distillation — including campaigns comprising millions of fraudulent API exchanges targeting frontier models [Anthropic, 2026] — have made post-hoc detection of model theft a critical security requirement. Building on a formally-verified framework of log-prob order-statistic geometry, we investigate the adversarial resilience of neural network identity across 72 experimental checkpoints. We establish a Two-Layer Identity Hypothesis: a model’s structural identity (weights-regime geometry) is empirically invariant to distillation (within acceptance threshold epsilon across all 18 protocols), while its functional identity (API-regime Poisson Point Process residuals) predictably transfers to the student, converging up to 52% toward the teacher’s template.
Stress-testing this forensic channel against a white-box adversary, we find that functional provenance is geometrically coupled to the knowledge transfer objective. Adversarial erasure gradients are consistently dominated by the distillation loss, achieving only a transient suppression that rebounds within one epoch. Passive fine-tuning on fresh data erases the trace more effectively than any adversarial method, but at a measurable cost to general capability — revealing a Pareto frontier with no favorable region for the adversary. This establishes API forensics as a time-sensitive detective control (“The Tripwire”) and weights-regime identity as the immutable anchor (“The Vault”).
Finally, we observe an apparent vulnerability: a cross-family adversarial spoofing attack achieves 69.4% convergence toward a decoy’s fingerprint, while same-family spoofing catastrophically fails. We resolve this paradox by mapping the PPP-residual vector space, revealing that models cluster by capability topology, not corporate lineage. Cross-family “spoofing” is a spatial illusion caused by a narrow 7.8 degree alignment between the decoy and the primary distillation trajectory (R2 = 0.995), whereas same-family decoys are anti-aligned. Across all adversarial interventions, the underlying Gumbel universality (delta_norm) remains invariant (CV = 1.9%).
We conclude that during active distillation, an adversary cannot simultaneously acquire a teacher’s capabilities and erase or redirect the forensic trace. In this setting, the geometry forbids it.
The Neural Network Identity Series — Mathematical foundations, empirical validation, and governance frameworks for verifying which model is running
Newest addition:
Technical Note: The Disappearing Window — AI Logprob Access Withdrawal and the Structural Verifiability of Frontier Model Contracts (DOI: 10.5281/zenodo.20362098)
-
Paper 1: The δ-Gene: Inference-Time Physical Unclonable Functions from Architecture-Invariant Output Geometry (DOI: 10.5281/zenodo.18704275)
-
Paper 2: Template-Based Endpoint Verification via Logprob Order-Statistic Geometry (DOI: 10.5281/zenodo.18776711)
-
Paper 3: The Geometry of Model Theft: Distillation Forensics, Adversarial Erasure, and the Illusion of Spoofing (DOI: 10.5281/zenodo.18818608)
-
Paper 4: Provenance Generalization and Verification Scaling for Neural Network Forensics (DOI: 10.5281/zenodo.18872071)
-
Paper 5: Beneath the Character: The Structural Identity of Neural Networks — Mathematical Evidence for a Non-Narrative Layer of AI Identity (DOI: 10.5281/zenodo.18907292)
- Paper 6: Which Model Is Running?: Structural Identity as a Prerequisite for Trustworthy Zero-Knowledge Machine Learning (DOI: 10.5281/zenodo.19008116)
-
Paper 7: The Deformation Laws of Neural Identity (DOI: 10.5281/zenodo.19055966)
- Paper 8: What Counts as Proof? — Admissible Evidence for Neural Network Identity Claims (DOI: 10.5281/zenodo.19058540)
-
Paper 9: Composable Model Identity — Formal Hardening of Structural Attestations in the Enterprise Identity Stack (DOI: 10.5281/zenodo.19099911)
- Paper 10:Where Identity Comes From: Path Sensitivity and Endpoint Underdetermination in Neural Network Training (DOI: 10.5281/zenodo.19118807)
-
Paper 11: Post-Hoc Disclosure Is Not Runtime Proof: Model Identity at Frontier Scale (DOI: 10.5281/zenodo.19216634)
- Paper 12: Family-Dependent Response to Reasoning Distillation Across Structural and Functional Identity Layers (DOI: 10.5281/zenodo.19298857)
- Paper 13: Safety-Alignment Removal as a Model-Identity Failure — Structural Evidence from Published Weight-Level Mutation Checkpoints (DOI: 10.5281/zenodo.19383019)
- Technical Note: Agent Identity Is Not Model Identity (DOI: 10.5281/zenodo.19240883)
- Technical Note: Gap Invariance: Why PPP Measurements Are Domain-Independent by Construction (DOI: 10.5281/zenodo.19275524)
- Technical Note: Measured Model Substitution Under Valid Agent Credentials (DOI: 10.5281/zenodo.19342848)
- Technical Note: Artifact Identity Is Not Runtime Identity — Trustfall Lite and the Boundary of File-Level Model Verification (DOI: 10.5281/zenodo.20019127)
- Formal Verification Stack for Neural Network Structural Identity (IT-PUF Coq Proofs) (DOI: 10.5281/zenodo.18930621)
Copyright (c) 2026 Anthony Ray Coslett / Fall Risk AI, LLC. All Rights Reserved.
Confidential and Proprietary.
Patent Pending (Applications 63/982,893, 63/990,487, 63/996,680, 64/003,244).
Files
geometry_of_model_theft.pdf
Files
(546.9 kB)
| Name | Size | Download all |
|---|---|---|
|
md5:0d44bfb54f6a03fbcf0544a654b8ffff
|
546.9 kB | Preview Download |
Additional details
Identifiers
Software
- Repository URL
- https://github.com/fallrisk-ai/trustfall-lite
- Development Status
- Active