defense 2025

Dynamic Dual-level Defense Routing for Continual Adversarial Training

Wenxuan Wang , Chenglei Wang , Xuelin Qian

Northwestern Polytechnical University

0 citations · 44 references · arXiv
α

Published on arXiv

2509.21392

Input Manipulation Attack

OWASP ML Top 10 — ML01

Key Finding

DDeR achieves superior robust accuracy against all previously seen attacks across continual adversarial training stages on CIFAR-10 with ViT-B/16, overcoming catastrophic forgetting without storing historical training data.

DDeR (Dual-level Defense Routing)

Novel technique introduced

As adversarial attacks continue to evolve, defense models face the risk of recurrent vulnerabilities, underscoring the importance of continuous adversarial training (CAT). Existing CAT approaches typically balance decision boundaries by either data replay or optimization strategy to constrain shared model parameters. However, due to the diverse and aggressive nature of adversarial examples, these methods suffer from catastrophic forgetting of previous defense knowledge after continual learning. In this paper, we propose a novel framework, called Dual-level Defense Routing or DDeR, that can autonomously select appropriate routers to integrate specific defense experts, thereby adapting to evolving adversarial attacks. Concretely, the first-level defense routing comprises multiple defense experts and routers, with each router dynamically selecting and combining suitable experts to process attacked features. Routers are independently incremented as continuous adversarial training progresses, and their selections are guided by an Adversarial Sentinel Network (ASN) in the second-level defense routing. To compensate for the inability to test due to the independence of routers, we further present a Pseudo-task Substitution Training (PST) strategy, which leverages distributional discrepancy in data to facilitate inter-router communication without storing historical data. Extensive experiments demonstrate that DDeR achieves superior continuous defense performance and classification accuracy compared to existing methods.

Key Contributions

  • Dual-level Defense Routing (DDeR) framework using Mixture-of-Experts with dynamically grown routers to handle evolving adversarial attacks without catastrophic forgetting
  • Adversarial Sentinel Network (ASN) as a second-level router selector that assigns inputs to appropriate expert-routing configurations
  • Pseudo-task Substitution Training (PST) strategy enabling inter-router communication via distributional statistics without storing historical data, avoiding privacy concerns

🛡️ Threat Analysis

Input Manipulation Attack

Directly defends against adversarial input manipulation attacks (FGSM, Square Attack, BruSLeAttack) at inference time; the entire paper is a defense framework (DDeR) for continual adversarial training to maintain robustness as new adversarial attacks emerge.

Details

Domains
vision
Model Types
transformer
Threat Tags
inference_timedigitaluntargeted
Datasets
CIFAR-10
Applications
image classification
Read PDF arXiv DOI

Similar Papers

defense

Filtered-ViT: A Robust Defense Against Multiple Adversarial Patch Attacks

2025 0 cit.
Input Manipulation Attack
100%
defense

Adversarial robustness through Lipschitz-Guided Stochastic Depth in Neural Networks

2025 0 cit.
Input Manipulation Attack
91%
defense

SAFER: Sharpness Aware layer-selective Finetuning for Enhanced Robustness in vision transformers

2025 2 cit.
Input Manipulation Attack
91%
defense

Exposing and Defending the Achilles' Heel of Video Mixture-of-Experts

2026 1 cit.
Input Manipulation Attack
91%
defense

Calibrated Adversarial Sampling: Multi-Armed Bandit-Guided Generalization Against Unforeseen Attacks

2025 0 cit.
Input Manipulation Attack
83%
defense

Exact and Asymptotically Complete Robust Verifications of Neural Networks via Quantum Optimization

2026 0 cit.
Input Manipulation Attack
83%
defense

Unsupervised Robust Domain Adaptation: Paradigm, Theory and Algorithm

2025 0 cit.
Input Manipulation Attack
83%
defense

BiRQA: Bidirectional Robust Quality Assessment for Images

2026 0 cit.
Input Manipulation Attack
83%