Zero-Sacrifice Persistent-Robustness Adversarial Defense for Pre-Trained Encoders
Zhuxin Lei, Ziyuan Yang, Yi Zhang

TL;DR
This paper introduces ZePAD, a novel defense method for pre-trained encoders that provides persistent robustness against adversarial examples across multiple tasks with only a single fine-tuning, without sacrificing benign performance.
Contribution
ZePAD is a dual-branch structure that enhances adversarial resistance and preserves benign performance, enabling a single fine-tuning to defend against diverse downstream adversarial attacks.
Findings
Achieves up to 29.20% improvement in benign performance.
Achieves up to 73.86% gain in adversarial robustness.
Effective across 11 SSL methods and 6 datasets.
Abstract
The widespread use of publicly available pre-trained encoders from self-supervised learning (SSL) has exposed a critical vulnerability: their susceptibility to downstream-agnostic adversarial examples (DAEs), which are crafted without knowledge of the downstream tasks but capable of misleading downstream models. While several defense methods have been explored recently, they rely primarily on task-specific adversarial fine-tuning, which inevitably limits generalizability, causes catastrophic forgetting, and deteriorates benign performance. Unlike previous works, we propose a more rigorous defense goal that requires only a single tuning for diverse downstream tasks to defend against DAEs and preserve benign performance. To achieve this defense goal, we introduce Zero-Sacrifice Persistent-Robustness Adversarial Defense (ZePAD), which is inspired by the inherent sensitivity of…
Peer Reviews
Decision: ICLR 2026 Poster

1. **Novelty and Conceptual Contribution:**
   - The paper introduces the idea of “zero-sacrifice lifelong adversarial defense”, reframing adversarial robustness as a feature combination problem rather than a tradeoff problem.
   - The dual-branch design (MPAE + BMP) and the federated confidence fusion mechanism are novel and well-motivated.
2. **Comprehensive Empirical Evaluation:**
   - Extensive experiments across multiple SSL encoders (e.g., SimCLR, BYOL, MoCo, DINO) and datasets (CIFAR10, ImageNet,

1. **Methodological Clarity and Rigor:**
   - While conceptually interesting, some mathematical formulations (e.g., hybrid loss and cosine distance adjustment) lack detailed derivations and theoretical justification.
   - The Robust Federal Decision Mechanism (RFDM) is empirically defined, but its weighting function (Eq. 8) seems heuristic and not theoretically grounded.
   - There is no formal analysis of why confidence alignment is a robust signal or how it generalizes across tasks.
2. **Evaluation Li

1. The paper proposes a zero-sacrifice, lifelong adversarial defense method that not only maintains but also improves benign performance, while enhancing adversarial robustness.
2. Extensive experimental results demonstrate the effectiveness of the proposed method.
3. The paper is easy to follow.

1. The paper claims to build on the inherent sensitivity of neural networks to data characteristics, yet this idea is only briefly mentioned in the introduction (L54–57) without deeper investigation. No experimental validation, theoretical analysis, or concrete insight is provided to support this claim, which substantially undermines the rationale and validity of the proposed method. A more thorough analysis through exploratory experiments or theoretical justification is necessary.
2. The first a

1. The paper introduces ZeLAD, the first lifelong adversarial defense for pre-trained encoders that achieves robustness across multiple downstream tasks with a single tuning. Unlike prior task-specific adversarial training methods, ZeLAD generalizes effectively across SSL models and datasets, marking a substantial conceptual advancement in adversarial robustness research.
2. A major strength is ZeLAD’s dual-branch architecture: the Multi-Pattern Adversarial Enhancement (MPAE) branch for robustne

1. Although the paper compares ZeLAD to several classic defenses (e.g., TRADES, MART, Gen-AF), it does not include enough comparisons with the most recent or SSL-specific adversarial defense methods (only Table 7). This omission makes it harder to gauge ZeLAD’s relative progress within the latest research landscape.
2. The proposed approach requires multiple encoders and dual-branch inference, which could increase computational and memory overhead compared to single-encoder defenses. The paper p
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Ethics and Social Impacts of AI · Explainable Artificial Intelligence (XAI)
