Defense against Unauthorized Distillation in Image Restoration via Feature Space Perturbation

TL;DR

Knowledge distillation attacks threaten intellectual property in image restoration by leaking a teacher's internal mappings. The authors propose Adaptive Singular Value Perturbation (ASVP), a runtime, feature-space defense that perturbs intermediate teacher features by amplifying the top-$k$ singular values with a factor $h$, while leaving the teacher's outputs intact. Across five restoration tasks, ASVP substantially degrades the student’s ability to learn (up to $4$ dB PSNR drop and large SSIM reductions) with minimal impact on the teacher, outperforming prior defenses. The approach is plug-and-play, requires no retraining, and scales to real-time inference, offering practical IP protection for open-source restoration models.

Abstract

Knowledge distillation (KD) attacks pose a significant threat to deep model intellectual property by enabling adversaries to train student networks using a teacher model's outputs. While recent defenses in image classification have successfully disrupted KD by perturbing output probabilities, extending these methods to image restoration is difficult. Unlike classification, restoration is a generative task with continuous, high-dimensional outputs that depend on spatial coherence and fine details. Minor perturbations are often insufficient, as students can still learn the underlying mapping.To address this, we propose Adaptive Singular Value Perturbation (ASVP), a runtime defense tailored for image restoration models. ASVP operates on internal feature maps of the teacher using singular value decomposition (SVD). It amplifies the topk singular values to inject structured, high-frequency perturbations, disrupting the alignment needed for distillation. This hinders student learning while preserving the teacher's output quality.We evaluate ASVP across five image restoration tasks: super-resolution, low-light enhancement, underwater enhancement, dehazing, and deraining. Experiments show ASVP reduces student PSNR by up to 4 dB and SSIM by 60-75%, with negligible impact on the teacher's performance. Compared to prior methods, ASVP offers a stronger and more consistent defense.Our approach provides a practical solution to protect open-source restoration models from unauthorized knowledge distillation.

Figures (9)

• Figure 1: Visual comparison under different $\beta$ values and corresponding SSIM scores for $T-\beta$ (teacher model) and $S-KD$ (distilled student model) on a low light enhancement task. This experiment explores the transfer of adversarial perturbation strategies from classification to restoration. As $\beta$ increases, the teacher's output degrades significantly due to amplified noise, whereas the student maintains relatively stable performance. This highlights the challenge of applying classification based defenses to generative tasks like image enhancement.
• Figure 2: Overview of the proposed framework. (a) Standard distillation where the student mimics intermediate features from the teacher. (b) ASVP perturbs features by amplifying the top-$k$ singular values with factor $h$ via SVD to block distillation.
• Figure 3: Visual results of super-resolution. Our method degrades student outputs while maintaining high fidelity reconstruction in the teacher.
• Figure 4: Low-light enhancement results. Our method suppresses student outputs while preserving teacher brightness and detail.
• Figure 5: Underwater enhancement results. Our method degrades student predictions while retaining clear, natural outputs in the teacher.