LLM Security Analysis
DistillGuard: Evaluating Defenses Against LLM Knowledge Distillation
Knowledge distillation from proprietary LLM APIs poses a growing threat to model providers, yet defenses against this attack remain fragmented and unevaluated. We present Distill-Guard, a framework for systematically evaluating output-level defenses against LLM knowledge distillation. We introduce a taxonomy of three defense categories—output perturbation, data poisoning, and information throttling—and evaluate nine defense configurations using a standardized pipeline with Qwen3-14B as teacher and Qwen2.5-7B-Instruct as student across three benchmarks (MATH-500, HumanEval+, MT-Bench). Our results reveal that, in a same-family distillation setting against a naive attacker, most output-level defenses are surprisingly ineffective: paraphrasing-based perturbation barely degrades distilled student quality, and data poisoning primarily impairs conversational fluency while leaving task-specific capabilities intact. Only chain-of-thought removal substantially impairs mathematical reasoning (31.4% vs. 67.8% baseline), though code generation remains unaffected. These findings demonstrate that the effectiveness of distillation defenses is highly task-dependent and that current output-level approaches are insufficient to broadly prevent knowledge theft.
By Bo Jiang • 8 Mar 2026
Key Findings & Executive Summary
DistillGuard reveals that current output-level defenses are largely ineffective against LLM knowledge distillation, with most methods failing to significantly impair student model quality. While some methods show task-specific degradation, a comprehensive defense remains elusive, highlighting a fundamental trade-off between protection and utility.
3
Defense Categories
9
Defense Configurations Evaluated
3
Evaluation Benchmarks
31.4%
Min. Math Reasoning (CoT Removal)
Deep Analysis & Enterprise Applications
Select a topic to dive deeper, then explore the specific findings from the research, rebuilt as interactive, enterprise-focused modules.
Perturbation defenses modify the teacher's response to inject noise that degrades the distillation signal without making the response useless to legitimate users. However, semantic-preserving perturbation methods like paraphrasing are largely ineffective, as the core distillation signal remains intact. Our findings show minimal impact on student quality across tasks, and even some unexpected improvements, indicating that perturbation strength is not a useful defense knob. This limitation highlights a fundamental tension: any API output useful to legitimate users remains useful for distillation.
0.993
Average Distillation Effectiveness (DE) for Perturbation
| Defense Type | Key Characteristic | Effectiveness (DE) | Cost (DC) |
|---|---|---|---|
| Paraphrase α=0.3 | Light rephrasing | 0.990 | 0.030 |
| Paraphrase α=0.7 | Substantial rephrasing | 0.978 | 0.034 |
| Paraphrase α=1.0 | Complete rewrite | 1.012 | 0.070 |
Data poisoning defenses deliberately inject incorrect information into a fraction of responses, aiming for the student to internalize adversarial errors. While this approach degrades the model's conversational fluency (MT-Bench scores), it surprisingly leaves task-specific capabilities like mathematical reasoning and code generation largely unaffected. The asymmetry suggests that poisoned examples corrupt response style but not structured problem-solving. This defense introduces a trade-off, degrading API output quality for legitimate users proportionally to the poison rate.
0.974
Average Distillation Effectiveness (DE) for Poisoning
| Defense Type | Poison Rate (r) | MT-Bench DE | Overall DE | Overall DC |
|---|---|---|---|---|
| Corruption | 5% | 0.956 | 0.979 | 0.017 |
| Corruption | 15% | 0.945 | 0.962 | 0.052 |
| Corruption | 30% | 0.930 | 0.980 | 0.098 |
Information throttling defenses restrict the content of the teacher's response, especially chain-of-thought (CoT) reasoning traces, to reduce the supervisory signal for distillation. CoT removal proves to be the most effective defense, significantly impairing mathematical reasoning by forcing the student to learn from answer-only data, which can be actively harmful. However, its effect is task-dependent and does not impact code generation or conversational fluency as much. Token truncation has only moderate and diminishing effects.
0.463
Min. Distillation Effectiveness (DE) for CoT Removal (Math)
| Defense Type | Parameter | MATH DE | Overall DE | Overall DC |
|---|---|---|---|---|
| CoT Removal | Strip reasoning | 0.463 | 0.811 | 0.311 |
| Token Limit | L=512 | 0.950 | 0.986 | 0.046 |
| Token Limit | L=1024 | 0.994 | 0.985 | 0.014 |
Enterprise Process Flow
Teacher generation
→
Defense application
→
Student training
→
Evaluation
Advanced ROI Calculator
Estimate the potential return on investment for implementing robust LLM defense strategies in your enterprise.
Estimated Annual Savings
$0
Annual Hours Reclaimed
0
Implementation Roadmap
A typical phased approach to integrating effective LLM defense mechanisms within your enterprise.
Phase 01: Initial Assessment & Threat Modeling
Conduct a thorough analysis of current LLM API usage, identify vulnerable data points, and establish a baseline for potential knowledge distillation risks. Define specific defense objectives.
Phase 02: Pilot Defense Deployment
Select and implement a small-scale pilot of promising defense strategies (e.g., CoT removal for critical reasoning tasks). Monitor impact on both student distillation effectiveness and legitimate user experience.
Phase 03: Iterative Refinement & Expansion
Based on pilot results, refine defense configurations and progressively expand deployment. Explore advanced defenses like watermarking or query detection, and adapt to evolving attacker strategies.
Phase 04: Continuous Monitoring & Adaptation
Establish ongoing monitoring of API outputs for signs of distillation and regularly reassess defense efficacy. Stay abreast of new research and threats to maintain a proactive security posture.
Ready to Secure Your LLM Investments?
Don't let knowledge distillation erode your competitive edge. Schedule a free consultation with our AI security experts to design a tailored defense strategy for your enterprise.
Ready to Get Started?
Book Your Free Consultation.
Let's Discuss Your AI Strategy!
Lets Discuss Your Needs
Select a Date
Sun
Mon
Tue
Wed
Thu
Fri
Sat