defense 2025

A unified Bayesian framework for adversarial robustness

Pablo G. Arce 1,2, Roi Naveiro 3, David Ríos Insua 1

1 Spanish National Research Council

2 Universidad Autónoma de Madrid

3 CUNEF Universidad

0 citations · 25 references · arXiv
α

Published on arXiv

2510.09288

Input Manipulation Attack

OWASP ML Top 10 — ML01

Key Finding

The Bayesian framework recovers prior defenses as special cases and empirically demonstrates that explicitly modeling adversarial uncertainty improves robustness over deterministic defenses.

Bayesian Adversarial Robustness Framework

Novel technique introduced

The vulnerability of machine learning models to adversarial attacks remains a critical security challenge. Traditional defenses, such as adversarial training, typically robustify models by minimizing a worst-case loss. However, these deterministic approaches do not account for uncertainty in the adversary's attack. While stochastic defenses placing a probability distribution on the adversary exist, they often lack statistical rigor and fail to make explicit their underlying assumptions. To resolve these issues, we introduce a formal Bayesian framework that models adversarial uncertainty through a stochastic channel, articulating all probabilistic assumptions. This yields two robustification strategies: a proactive defense enacted during training, aligned with adversarial training, and a reactive defense enacted during operations, aligned with adversarial purification. Several previous defenses can be recovered as limiting cases of our model. We empirically validate our methodology, showcasing the benefits of explicitly modeling adversarial uncertainty.

Key Contributions

  • A statistically grounded Bayesian framework that models adversarial uncertainty via a stochastic channel, making all probabilistic assumptions explicit
  • Two derived defense strategies: a proactive defense (training-time, generalizing adversarial training) and a reactive defense (inference-time, generalizing adversarial purification)
  • Demonstration that prominent prior defenses (adversarial training, randomized smoothing, diffusion-based purification) are recoverable as limiting cases of the unified model

🛡️ Threat Analysis

Input Manipulation Attack

The paper directly targets adversarial evasion attacks (input manipulation at inference time) and proposes both a proactive defense (training-time, aligned with adversarial training) and a reactive defense (inference-time, aligned with adversarial purification) against them. The entire framework is built around defending against adversarial examples.

Details

Domains
vision
Model Types
cnntransformer
Threat Tags
training_timeinference_timewhite_boxdigital
Applications
image classification
Read PDF arXiv DOI

Similar Papers

defense

Explanation-Guided Adversarial Training for Robust and Interpretable Models

2026 0 cit.
Input Manipulation Attack
100%
defense

Erosion Attack for Adversarial Training to Enhance Semantic Segmentation Robustness

2026 0 cit.
Input Manipulation Attack
92%
defense

Expanding the Role of Diffusion Models for Robust Classifier Training

2026 0 cit.
Input Manipulation Attack
92%
defense

Robust Fine-Tuning from Non-Robust Pretrained Models: Mitigating Suboptimal Transfer With Adversarial Scheduling

2025 0 cit.
Input Manipulation Attack
92%
defense

Trans-defense: Transformer-based Denoiser for Adversarial Defense with Spatial-Frequency Domain Representation

2025 1 cit.
Input Manipulation Attack
92%
defense

Time-Efficient Evaluation and Enhancement of Adversarial Robustness in Deep Neural Networks

2025 0 cit.
Input Manipulation Attack
92%
defense

C-LEAD: Contrastive Learning for Enhanced Adversarial Defense

2025 1 cit.
Input Manipulation Attack
92%
defense

KoALA: KL-L0 Adversarial Detector via Label Agreement

2025 0 cit.
Input Manipulation Attack
92%