Beyond Isolation: Effects of Defense Combinations on Evasion and Privacy Risks in Machine Learning

Published: 15 Mar 2026, Last Modified: 15 Mar 2026, 2026 Oral, License: CC BY 4.0
Keywords: Evasion Attacks, Privacy Attacks, Differential Privacy, Defense Interactions, Multi-Factor Security, Trusted AI
TL;DR: The paper analyzes joint defenses against evasion and privacy attacks, showing that their combination may cause synergy or degradation depending on the attack setting and chosen defense methods, requiring analysis rather than naïve stacking.
Abstract: Modern machine learning systems are increasingly required to withstand multiple threat vectors simultaneously, including evasion attacks and data privacy attacks. Yet most defenses are designed and evaluated in isolation, so their behavior under joint deployment remains poorly understood. In this work, we study how combining defenses changes both robustness and privacy: do defenses reinforce each other, or do they interfere and weaken the intended guarantees? We focus on representative evasion defenses implemented through post-batch training modifications (e.g., gradient regularization) and combine them with privacy-preserving training based on differential privacy. We evaluate four threat scenarios: no attacks, only evasion attacks, only privacy attacks, and simultaneous evasion and privacy attacks, using standard architectures and benchmark image classification setups. In addition to empirical results, we use analytic reasoning to interpret the observed interactions through the lens of optimization. Our results show that interactions are non-trivial. Some combinations yield complementary gains, improving overall security without disproportionate utility loss, while others introduce clear conflicts that reduce robustness or increase leakage. These findings indicate that multi-factor protection cannot be achieved by naïvely stacking defenses and motivate evaluation frameworks that explicitly account for defense interactions in adversarial and privacy-sensitive settings.
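As an added illustration of the kind of combination the abstract describes (this is not code from the paper), the following toy script couples an input-gradient regularizer, standing in for the post-batch evasion defense, with DP-SGD-style per-sample clipping and Gaussian noise, standing in for the differentially private training. The logistic-regression model, the closed-form regularizer, the synthetic batch, the numeric settings and all function names are assumptions chosen to make the optimization-level interaction visible. The point it demonstrates is that clipping is applied to the combined per-sample gradient, so the regularizer's contribution is capped by the same bound as the loss gradient, and the reported clipping fraction shows how adding one defense changes how often the other defense's bound is hit.

```python
"""Toy illustration (added example, not the paper's code): one training step
combining an input-gradient regularizer (evasion defense) with DP-SGD-style
per-sample clipping plus Gaussian noise (privacy defense) on logistic regression.
Model, regularizer form and all numbers are assumptions, not values from the paper."""
import numpy as np


def sigmoid(z):
    return 1.0 / (1.0 + np.exp(-z))


def per_sample_gradients(w, X, y, reg_strength):
    """Per-sample gradient w.r.t. w of: logistic loss + reg_strength * ||d loss / d x||^2.
    For the linear logit z = w.x the input gradient is (p - y) w, so the penalty is
    (p - y)^2 ||w||^2, which has a closed-form gradient in w (assumed regularizer form)."""
    p = sigmoid(X @ w)                       # predicted probabilities, shape (n,)
    r = p - y                                # residuals, shape (n,)
    loss_grad = r[:, None] * X               # cross-entropy gradient, shape (n, d)
    # d/dw of (p - y)^2 ||w||^2  =  2 r p(1-p) ||w||^2 x  +  2 r^2 w
    w_sq = float(w @ w)
    pen_grad = 2.0 * (r * p * (1.0 - p))[:, None] * w_sq * X + 2.0 * (r ** 2)[:, None] * w
    return loss_grad + reg_strength * pen_grad


def dp_sgd_aggregate(grads, clip_norm, noise_multiplier, rng):
    """DP-SGD aggregation: clip each per-sample gradient to clip_norm in L2, sum,
    add N(0, (noise_multiplier * clip_norm)^2) noise per coordinate, then average."""
    norms = np.linalg.norm(grads, axis=1)
    scale = np.minimum(1.0, clip_norm / np.maximum(norms, 1e-12))
    clipped = grads * scale[:, None]
    noise = rng.normal(0.0, noise_multiplier * clip_norm, size=grads.shape[1])
    return (clipped.sum(axis=0) + noise) / grads.shape[0], clipped


def clipping_fraction(grads, clip_norm):
    """Share of per-sample gradients whose norm exceeds the clipping bound."""
    return float(np.mean(np.linalg.norm(grads, axis=1) > clip_norm))


def make_batch(seed=0, n=64, d=5):
    """Constructed synthetic batch: Gaussian features, labels from a random linear rule."""
    rng = np.random.default_rng(seed)
    X = rng.normal(size=(n, d))
    w_true = rng.normal(size=d)
    y = (X @ w_true > 0).astype(float)
    return X, y


def interaction_report(reg_strength, clip_norm, noise_multiplier=1.0, seed=0):
    """Run one combined-defense step and report how the two defenses interact."""
    X, y = make_batch(seed)
    rng = np.random.default_rng(seed + 1)
    w = np.full(X.shape[1], 0.5)             # fixed starting point for comparability
    grads = per_sample_gradients(w, X, y, reg_strength)
    update, clipped = dp_sgd_aggregate(grads, clip_norm, noise_multiplier, rng)
    return {
        "clipped_fraction": clipping_fraction(grads, clip_norm),
        "max_clipped_norm": float(np.linalg.norm(clipped, axis=1).max()),
        "update_norm": float(np.linalg.norm(update)),
        "plain_update_norm": float(np.linalg.norm(grads.mean(axis=0))),
    }


if __name__ == "__main__":
    # Compare the privacy defense alone with the stacked evasion + privacy defenses.
    for reg in (0.0, 0.1):
        print(f"reg_strength={reg}:", interaction_report(reg, clip_norm=0.5))
```

With `noise_multiplier=0` and a very large `clip_norm` the aggregate reduces to the ordinary mean gradient, which is the sanity check a practitioner should run first; lowering `clip_norm` then shows that any extra gradient mass the regularizer adds is clipped away along with the loss gradient, which is one concrete route by which stacking the two defenses can weaken the evasion defense rather than reinforce it.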
Submission Number: 55