FERD: Fairness-Enhanced Data-Free Adversarial Robustness Distillation

Zhengxiao Li; Liming Lu; Xu Zheng; Si Yuan Liang; Taric Chen; Yongbin Zhou; Shuchao Pang

FERD: Fairness-Enhanced Data-Free Adversarial Robustness Distillation

Zhengxiao Li, Liming Lu, Xu Zheng, Si Yuan Liang, Taric Chen, Yongbin Zhou, Shuchao Pang

Published: 26 Jan 2026, Last Modified: 02 Mar 2026ICLR 2026 PosterEveryoneRevisionsBibTeXCC BY 4.0

Keywords: Data-Free Robustness Distillation; Robust Fairness

Abstract: Data-Free Robustness Distillation (DFRD) aims to transfer the robustness from the teacher to the student without accessing the training data. While existing methods focus on overall robustness, they overlook the robust fairness issues, leading to severe disparity of robustness across different categories. In this paper, we find two key problems: (1) student model distilled with equal class proportion data behaves significantly different across distinct categories; and (2) the robustness of student model is not stable across different attacks target. To bridge these gaps, we present the first Fairness Enhanced data-free Robustness Distillation (FERD) framework to adjust the proportion and distribution of adversarial examples. For the proportion, FERD adopts a robustness guided class reweighting strategy to synthesize more samples for the less robust categories, thereby improving robustness of them. For the distribution, FERD generates complementary data samples for advanced robustness distillation. It generates Fairness-Aware Examples (FAEs) by enforcing a uniformity constraint on feature-level predictions, which suppress the dominance of class-specific non-robust features, providing a more balanced representation across all categories. Then, FERD constructs Uniform-Target Adversarial Examples (UTAEs) from FAEs by applying a uniform target class constraint to avoid biased attack directions, which distribute the attack targets across all categories and prevents overfitting to specific vulnerable categories. Extensive experiments on three public datasets demonstrate that FERD achieves state-of-the-art worst-class robustness and NSD under all adversarial attacks. For instance, FERD improves worst-class robustness by up to 11.3% and reduces NSD by 0.077 compared to the optimal baseline on CIFAR-10 with MobileNet-V2. Our code is available at: [https://github.com/mayaobuduyao/FERD](https://github.com/mayaobuduyao/FERD).

Supplementary Material: zip

Primary Area: transfer learning, meta learning, and lifelong learning

Submission Number: 18832

Loading