Recently, Google officially disclosed that its flagship AI model Gemini has been the target of commercially driven, large-scale distillation attacks, in which attackers induce the chatbot to leak its internal mechanisms through repeated questioning. According to Google, the attackers systematically and repeatedly sent carefully crafted prompts to the model (more than 100,000 times in a single attack) in an attempt to reverse engineer Gemini's internal reasoning logic and decision-making mechanism, either to clone the model or to strengthen their own AI systems.

These attacks are primarily carried out by "commercially motivated actors"; Google judged that those behind them were mostly private AI companies or research institutions hoping to gain a competitive advantage. A company spokesperson said the attacks originated from multiple regions around the world, but did not disclose further details.

Reportedly, distillation (also known as knowledge distillation) was originally a model compression technique: it makes a model lighter by transferring the knowledge of a large "teacher model" into a small "student model".

In a distillation attack, the attacker collects the model's responses across different scenarios through systematic, structured mass querying, analyzes subtle differences in response content, latency, and confidence, and builds a map of Gemini's decision boundaries and reasoning paths. Finally, the collected response data is used to train the attacker's own "student model" to replicate Gemini's core capabilities.

Google said that such distillation attacks amount to intellectual property theft. Although major vendors have deployed mechanisms that can identify and block distillation attacks, mainstream large model services are open to everyone, so they remain inherently exposed to this kind of abuse.
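As an added illustration of the detection side mentioned above (example code written for this page, not code from Google or from the original report), the following Python heuristic flags API keys whose traffic shows the two signals the article attributes to the attack: high request volume and systematically templated prompts that vary only in a few values. The log line format, the key names, the sample lines and the thresholds are all constructed assumptions.

```python
"""Heuristic detection of distillation-style query patterns in API logs.
Flags keys whose request volume and prompt-template repetition both exceed
thresholds (the systematic, structured, high-volume signature described above)."""
import re
from collections import Counter, defaultdict

# Constructed sample log lines; hypothetical format: timestamp | api_key | prompt
SAMPLE_LOG = """\
2024-01-01T10:00:00 | key-A | Explain step by step why 17 is prime
2024-01-01T10:00:01 | key-A | Explain step by step why 18 is prime
2024-01-01T10:00:02 | key-A | Explain step by step why 19 is prime
2024-01-01T10:00:03 | key-A | Explain step by step why 20 is prime
2024-01-01T10:00:04 | key-A | Explain step by step why 21 is prime
2024-01-01T10:00:05 | key-B | Write a haiku about autumn
2024-01-01T10:00:06 | key-B | Summarise this email for me
2024-01-01T10:00:07 | key-B | What is the capital of Peru?
"""

def normalise(prompt):
    """Collapse numbers and quoted strings so templated prompts compare equal."""
    p = re.sub(r'"[^"]*"|\'[^\']*\'', '"<STR>"', prompt)
    p = re.sub(r"\d+", "<NUM>", p)
    return re.sub(r"\s+", " ", p).strip().lower()

def parse_log(text):
    """Group prompts by API key; malformed lines are skipped."""
    by_key = defaultdict(list)
    for line in text.splitlines():
        parts = [x.strip() for x in line.split("|", 2)]
        if len(parts) == 3:
            by_key[parts[1]].append(parts[2])
    return by_key

def flag_keys(by_key, min_queries=5, min_template_share=0.6):
    """Return {key: (query_count, share_of_most_common_template)} for keys
    that look like systematic extraction. Thresholds are assumptions; in
    production they would be tuned per tenant and per time window."""
    flagged = {}
    for key, prompts in by_key.items():
        if len(prompts) < min_queries:
            continue
        templates = Counter(normalise(p) for p in prompts)
        share = templates.most_common(1)[0][1] / len(prompts)
        if share >= min_template_share:
            flagged[key] = (len(prompts), round(share, 2))
    return flagged

if __name__ == "__main__":
    print(flag_keys(parse_log(SAMPLE_LOG)))  # {'key-A': (5, 1.0)}
```

Real deployments would combine this with per-key rate limits over sliding windows and with response-side signals, since a single template share over a tiny sample (as here) is only illustrative.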