Defensive Distillation

What is Defensive Distillation?

Defensive distillation is a technique used in the field of machine learning, specifically in the context of deep learning, to protect neural networks from adversarial attacks. Adversarial attacks are malicious inputs designed to deceive machine learning models into making incorrect predictions or classifications. These attacks can be particularly problematic in security-sensitive applications, such as facial recognition systems, autonomous vehicles, and malware detection.

The concept of defensive distillation was introduced by Nicolas Papernot, Patrick McDaniel, Xi Wu, Somesh Jha, and Ananthram Swami in a paper titled "Distillation as a Defense to Adversarial Perturbations against Deep Neural Networks," published in 2016. The technique builds upon the idea of knowledge distillation, where a smaller "student" network is trained to replicate the behavior of a larger "teacher" network. The student network learns from the soft probabilities (confidence scores) of the teacher network's output, rather than the hard labels typically used in supervised learning.

How Defensive Distillation Works

Defensive distillation involves two main stages:

  1. Training the Teacher Network: The first step is to train a teacher neural network on the original dataset using standard training procedures. After training, the teacher network's class probabilities, which contain more information than the hard labels, are used as soft targets for the next step.
  2. Training the Student Network: A student network, which can have the same or a different architecture as the teacher network, is then trained using the soft targets obtained from the teacher network. The student network learns to generalize better by mimicking the teacher's output distribution, which includes the confidence levels for each class.

The key insight behind defensive distillation is that the additional knowledge contained in the soft probabilities helps the student network become more robust to adversarial examples. The soft probabilities capture the relationships between different classes, providing the student with more nuanced information about the decision boundaries.

Benefits of Defensive Distillation

Defensive distillation offers several advantages:

  • Improved Robustness: By training on soft targets, the student network learns a smoother and more generalizable function, which makes it harder for adversaries to find inputs that result in incorrect classifications.
  • Transfer of Knowledge: Distillation allows the transfer of knowledge from a complex model to a simpler one, which can be beneficial when deploying models to devices with limited computational resources.
  • Model Compression: The student network can be smaller and more efficient than the teacher network, enabling faster inference times without a significant loss in accuracy.

Limitations and Challenges

While defensive distillation can enhance the security of neural networks, it is not without limitations and challenges:

  • Not Foolproof: Defensive distillation is not a silver bullet. Adversaries can potentially adapt their attack strategies to overcome the defense, especially if they have knowledge of the distillation process.
  • Computational Overhead: The process of training two networks (teacher and student) requires additional computational resources and time compared to training a single network.
  • Hyperparameter Tuning:

    The effectiveness of distillation depends on careful tuning of hyperparameters, such as the temperature parameter that controls the smoothness of the soft probabilities.


Defensive distillation is a promising approach to enhancing the robustness of neural networks against adversarial attacks. By leveraging the knowledge contained in the soft probabilities of a teacher network, a student network can learn to be more resilient to malicious inputs. However, as with any defensive technique, it is important to recognize its limitations and continue to develop and combine it with other defense strategies to ensure the security of machine learning systems.

As the arms race between attackers and defenders in the machine learning domain continues, techniques like defensive distillation play a crucial role in safeguarding the integrity and reliability of AI applications across various industries.

Please sign up or login with your details

Forgot password? Click here to reset