Inferensys

Glossary

Collusion Attack

An attack where multiple malicious actors with differently watermarked copies of the same model compare their instances to isolate and remove the ownership identifiers.
ML engineer running AI model benchmarks, performance charts on multiple screens, late night home office setup.
ADVERSARIAL IP THEFT

What is a Collusion Attack?

A collusion attack is a coordinated adversarial strategy where multiple malicious actors compare their uniquely watermarked copies of the same model to statistically isolate, identify, and remove the embedded ownership identifiers.

A collusion attack is a specific threat to digital watermarking and model fingerprinting schemes where multiple licensees, each possessing a copy of the model with a distinct identifier, pool their instances. By comparing the differences in parameters or output behavior, attackers can average out the unique watermark signals, effectively isolating the common underlying model weights and stripping away the proof-of-ownership.

This attack exploits the linear separability of independent watermarks. Defenses against collusion require entangled watermarking techniques that bind the identifier to the model's intrinsic feature representations, making statistical averaging destructive to task performance. The robustness of a watermarking scheme is often measured by the number of colluders required to successfully execute a removal attack without degrading fidelity preservation.

THREAT ANALYSIS

Key Characteristics of a Collusion Attack

A collusion attack is a coordinated attempt by multiple adversaries to defeat model watermarking by comparing their individually watermarked copies to isolate and remove the ownership identifier.

01

Differential Analysis

Attackers compare differently watermarked copies of the same model to identify parameter discrepancies. By analyzing weight differences or behavioral divergences between instances, they isolate the watermark signal from the model's core functionality. This exploits the fact that each copy's watermark is unique while the underlying model is identical.

2+
Minimum Colluders Required
02

Watermark Signal Isolation

The core mechanism involves statistical averaging or voting across multiple watermarked instances. When colluders overlay their copies, common features (the model) reinforce while divergent features (the watermarks) cancel out. This produces a clean, watermark-free model through simple signal processing techniques.

03

Attack Prerequisites

Successful collusion requires specific conditions:

  • Multiple distinct copies: Each colluder must possess a differently watermarked version of the same base model
  • White-box access: Attackers typically need full access to model weights for comparison
  • Coordination channel: A secure communication method between colluders
  • Sufficient diversity: The more watermarked copies available, the more effective the averaging attack
04

Countermeasure: Entangled Watermarking

Entangled watermarking defends against collusion by embedding the watermark deep within the model's essential feature representations. Rather than adding a separable signal, the watermark becomes intertwined with the model's functional parameters. Any attempt to average away the watermark simultaneously degrades the model's core performance, making collusion self-defeating.

05

Countermeasure: Fingerprint Diversity

Deploying non-linear fingerprinting schemes where each copy's identifier is embedded using different architectural locations or trigger sets prevents simple averaging. When watermarks are embedded in heterogeneous ways across copies, colluders cannot easily align and cancel them through comparison. This forces attackers to solve a more complex signal separation problem.

06

Real-World Impact

Collusion attacks represent a critical threat to model DRM in commercial deployments. If successful, attackers can produce an untraceable, watermark-free model for redistribution. This undermines model leasing business models and complicates legal enforcement of IP rights. The attack's effectiveness scales with the number of colluding licensees, making it particularly dangerous for widely distributed models.

High
Risk Severity
Model Leasing
Primary Target
COLLUSION ATTACKS

Frequently Asked Questions

A collusion attack is a coordinated attempt by multiple adversaries to defeat model watermarking and fingerprinting schemes. By pooling their individually watermarked copies of the same model, attackers can statistically isolate and remove ownership identifiers. Below are the most common questions about how these attacks work and how to defend against them.

A collusion attack is a coordinated intellectual property theft technique where multiple malicious actors, each possessing a differently watermarked copy of the same machine learning model, compare their instances to isolate and remove the embedded ownership identifiers. By averaging the weights, computing the statistical differences, or identifying the unique perturbations in each copy, attackers can separate the watermark signal from the model's core functionality. This attack exploits the fact that each distributed copy contains a distinct identifier (such as a unique fingerprint or trigger set), while the underlying model parameters remain largely identical. The goal is to produce a clean, untraceable model that retains high performance on the original task but no longer contains any verifiable proof of ownership.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.