Feature Squeezing is a defensive technique that detects adversarial examples by reducing the complexity of the input representation and comparing the model's prediction against the prediction on the original, unsqueezed input. By systematically eliminating extraneous or high-frequency features—such as reducing the color bit depth of an image from 8-bit to 4-bit or applying a median filter for spatial smoothing—the defense constricts the dimensional space an adversary can exploit to craft perturbations.
Glossary
Feature Squeezing

What is Feature Squeezing?
A lightweight detection defense that reduces the search space available to an adversary by squeezing out unnecessary input features, such as reducing color bit depth or applying spatial smoothing, and comparing model outputs.
If the model's output diverges significantly between the squeezed and original inputs, the sample is flagged as potentially adversarial. Unlike adversarial training, feature squeezing does not require retraining the target model, making it a computationally cheap, model-agnostic wrapper suitable for real-time detection in deployed autonomous agents. However, it is vulnerable to adaptive attacks where the adversary crafts perturbations that survive the specific squeezing pipeline.
Core Feature Squeezing Techniques
Feature squeezing reduces the degrees of freedom available to an adversary by coalescing input features, forcing the attacker to generate larger, more detectable perturbations to achieve misclassification.
Color Bit Depth Reduction
Reduces the bit depth of each color channel (e.g., from 8-bit to 4-bit) to collapse similar pixel values into a single value. This quantization eliminates the subtle, sub-pixel perturbations that adversarial attacks rely on.
- Mechanism: Maps 256 distinct values per channel to 16 or fewer bins.
- Effect: Forces the adversary to create perturbations large enough to cross quantization thresholds, making the attack visible or structurally detectable.
- Trade-off: Minimal impact on human perception for natural images, but can degrade fine-grained classification on low-contrast medical imagery.
Spatial Smoothing (Median Filtering)
Applies a median filter or Gaussian blur to the input, replacing each pixel with the median or weighted average of its local neighborhood. This destroys the high-frequency, structured noise that characterizes adversarial perturbations.
- Median Filter: Particularly effective against salt-and-pepper style adversarial noise and L0-bounded attacks.
- Gaussian Blur: Smooths gradient-based perturbations like those from Projected Gradient Descent (PGD).
- Kernel Size: A 2x2 or 3x3 kernel is standard; larger kernels risk destroying legitimate high-frequency features like text or fine edges.
Non-Local Means Denoising
A sophisticated squeezer that replaces each pixel with a weighted average of all pixels in the image, where weights are determined by the similarity of local patches. Unlike local smoothing, non-local means preserves fine structures and textures while removing adversarial noise.
- Advantage: Superior preservation of edges and repetitive patterns compared to Gaussian or median filters.
- Detection Logic: If the model's prediction on the denoised input diverges significantly from the original, the input is flagged as adversarial.
- Cost: Computationally more expensive than simple spatial filters, making it a candidate for selective application on suspicious inputs.
JPEG Compression Squeezing
Re-encodes the input image using a lossy JPEG compression codec to discard high-frequency components in the discrete cosine transform (DCT) domain. Adversarial perturbations, which often manifest as fragile high-frequency signals, are destroyed during the quantization of DCT coefficients.
- Quality Factor: A lower quality setting (e.g., 75-85) applies more aggressive squeezing.
- Limitation: Less effective against attacks that constrain perturbations to the low-frequency domain or those specifically designed to survive JPEG compression.
- Synergy: Often combined with other squeezers in an ensemble to cover different attack vectors.
Joint Detection via Prediction Divergence
The core detection mechanism: compare the model's output vector on the original input against its output on the squeezed input. A significant L1 distance between the two probability distributions indicates an adversarial example.
- Thresholding: A calibrated threshold on the L1 divergence score separates legitimate variations from adversarial manipulation.
- Ensemble Squeezing: Applying multiple squeezers (e.g., bit reduction + median filter) and aggregating divergence scores increases detection robustness against adaptive attacks.
- White-Box Resilience: Even if an attacker knows the squeezers are in place, they must generate perturbations large enough to survive all squeezers simultaneously, which often breaks the imperceptibility constraint.
Thermometer Encoding
A discretization technique that represents each pixel value as a binary vector where the k-th bit is 1 if the pixel value exceeds a threshold k. This unary encoding linearizes the input space and breaks the differentiable relationship between pixel intensity and model output.
- Mechanism: A pixel with value 0.7 becomes
[1,1,1,1,1,1,1,0,0,0]for 10 discretization levels. - Defense Property: Gradient-based attacks like PGD cannot compute meaningful gradients through the discretized representation.
- Cost: Expands input dimensionality by a factor equal to the number of discretization levels, increasing memory and compute requirements.
Frequently Asked Questions
Clear, technical answers to the most common questions about feature squeezing as a defense against adversarial examples in machine learning systems.
Feature squeezing is a lightweight adversarial example detection method that reduces the degrees of freedom available to an adversary by 'squeezing' unnecessary or redundant features from input samples before classification. The core mechanism works by applying one or more feature reduction transformations—such as reducing color bit depth from 8-bit to 4-bit per channel or applying a spatial smoothing filter like median blur—to both the original input and a suspect sample. The model then generates predictions for both the squeezed and unsqueezed versions. If the L1 distance between the two prediction vectors exceeds a calibrated threshold, the input is flagged as adversarial. This approach exploits a fundamental property of adversarial perturbations: they rely on the high-dimensional, fine-grained input space to encode their malicious signal. By coarsening that space, the perturbation is destroyed or significantly distorted, causing a measurable divergence in model output that is absent in clean, naturally robust samples.
Feature Squeezing vs. Other Adversarial Defenses
Comparing Feature Squeezing against Adversarial Training, Randomized Smoothing, and Gradient Masking across key operational and security dimensions for agentic systems.
| Feature | Feature Squeezing | Adversarial Training | Randomized Smoothing |
|---|---|---|---|
Primary Mechanism | Input preprocessing & discrepancy detection | Data augmentation with adversarial examples | Noise injection & majority voting |
Requires Model Retraining | |||
Computational Overhead at Inference | Low (bit depth reduction, median filtering) | None (standard forward pass) | High (multiple noisy forward passes) |
Provides Certified Guarantees | |||
Defeated by Adaptive Attacks | |||
Effective Against Zero-Day Attacks | Partial (detects anomalous inputs) | Low (fails on unseen attack types) | High (agnostic to attack type) |
Suitable for Real-Time Agentic Systems | |||
Vulnerable to Gradient Masking |
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Feature squeezing is part of a broader defensive toolkit. These related concepts cover the attack vectors it mitigates and complementary detection strategies.
Adversarial Example
An input to a machine learning model that has been intentionally perturbed in a way imperceptible to humans, causing the model to make an incorrect classification with high confidence. Feature squeezing aims to neutralize these perturbations by reducing the input's degrees of freedom.
- Target: Image classifiers, object detectors, speech-to-text
- Mechanism: Adds carefully calculated noise to exploit model blind spots
- Example: A panda photo with added noise classified as a gibbon at 99.3% confidence
Evasion Attack
A type of adversarial attack performed at inference time where the attacker modifies the input sample to cause misclassification without altering the underlying model. Feature squeezing is a direct countermeasure to evasion attacks.
- Attack surface: Deployed models exposed to user-provided inputs
- Key distinction: Does not require training data access, only query access
- Defense approach: Squeezing removes the perturbation space attackers rely on
Gradient Masking
A phenomenon where a defense gives a false sense of security by producing non-useful or zero gradients. While feature squeezing can cause gradient masking if implemented naively, proper evaluation with adaptive attacks reveals true robustness.
- Risk: Defenders believe their model is secure when it is not
- Detection: Test against black-box and transfer attacks, not just white-box
- Best practice: Always evaluate squeezed models against attacks that account for the squeezing pipeline
Adversarial Training
A defensive technique that augments the training dataset with adversarially perturbed examples labeled with the ground-truth class. Unlike feature squeezing—which is a detection method applied at inference—adversarial training builds robustness directly into the model's decision boundaries.
- Complementary use: Train robustly, then squeeze at runtime for defense-in-depth
- Cost: Increases training time by 3-10x depending on attack iterations
- Standard benchmark: PGD-based adversarial training on CIFAR-10 and ImageNet
Adaptive Attack
An attack methodology that assumes full knowledge of a defense mechanism and is specifically designed to circumvent it. For feature squeezing, an adaptive attacker would incorporate the squeezing operations into their optimization loop.
- Evaluation standard: The only valid way to measure true defense efficacy
- Example: Attacker uses differentiable approximations of bit-depth reduction
- Key insight: If a defense fails against an adaptive attack, it provides no real security
Certified Robustness
A formal, provable guarantee that a model's prediction will not change for any input perturbation within a specified Lp-norm bound. Unlike feature squeezing's empirical detection approach, certified robustness provides mathematical certainty.
- Techniques: Randomized smoothing, interval bound propagation
- Trade-off: Certified methods typically reduce clean accuracy more than empirical defenses
- Complementary role: Use certification for safety-critical components, squeezing for runtime monitoring

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us