Inferensys

Glossary

Feature Squeezing

A lightweight detection defense that reduces the search space available to an adversary by squeezing out unnecessary input features, such as reducing color bit depth or applying spatial smoothing, and comparing model outputs.
Developer reviewing semantic search engine results on laptop, relevance scores visible, technical search demo.
INPUT COMPLEXITY REDUCTION

What is Feature Squeezing?

A lightweight detection defense that reduces the search space available to an adversary by squeezing out unnecessary input features, such as reducing color bit depth or applying spatial smoothing, and comparing model outputs.

Feature Squeezing is a defensive technique that detects adversarial examples by reducing the complexity of the input representation and comparing the model's prediction against the prediction on the original, unsqueezed input. By systematically eliminating extraneous or high-frequency features—such as reducing the color bit depth of an image from 8-bit to 4-bit or applying a median filter for spatial smoothing—the defense constricts the dimensional space an adversary can exploit to craft perturbations.

If the model's output diverges significantly between the squeezed and original inputs, the sample is flagged as potentially adversarial. Unlike adversarial training, feature squeezing does not require retraining the target model, making it a computationally cheap, model-agnostic wrapper suitable for real-time detection in deployed autonomous agents. However, it is vulnerable to adaptive attacks where the adversary crafts perturbations that survive the specific squeezing pipeline.

INPUT DIMENSIONALITY REDUCTION

Core Feature Squeezing Techniques

Feature squeezing reduces the degrees of freedom available to an adversary by coalescing input features, forcing the attacker to generate larger, more detectable perturbations to achieve misclassification.

01

Color Bit Depth Reduction

Reduces the bit depth of each color channel (e.g., from 8-bit to 4-bit) to collapse similar pixel values into a single value. This quantization eliminates the subtle, sub-pixel perturbations that adversarial attacks rely on.

  • Mechanism: Maps 256 distinct values per channel to 16 or fewer bins.
  • Effect: Forces the adversary to create perturbations large enough to cross quantization thresholds, making the attack visible or structurally detectable.
  • Trade-off: Minimal impact on human perception for natural images, but can degrade fine-grained classification on low-contrast medical imagery.
8-bit → 4-bit
Typical Squeeze Range
02

Spatial Smoothing (Median Filtering)

Applies a median filter or Gaussian blur to the input, replacing each pixel with the median or weighted average of its local neighborhood. This destroys the high-frequency, structured noise that characterizes adversarial perturbations.

  • Median Filter: Particularly effective against salt-and-pepper style adversarial noise and L0-bounded attacks.
  • Gaussian Blur: Smooths gradient-based perturbations like those from Projected Gradient Descent (PGD).
  • Kernel Size: A 2x2 or 3x3 kernel is standard; larger kernels risk destroying legitimate high-frequency features like text or fine edges.
2x2–3x3
Standard Kernel Size
03

Non-Local Means Denoising

A sophisticated squeezer that replaces each pixel with a weighted average of all pixels in the image, where weights are determined by the similarity of local patches. Unlike local smoothing, non-local means preserves fine structures and textures while removing adversarial noise.

  • Advantage: Superior preservation of edges and repetitive patterns compared to Gaussian or median filters.
  • Detection Logic: If the model's prediction on the denoised input diverges significantly from the original, the input is flagged as adversarial.
  • Cost: Computationally more expensive than simple spatial filters, making it a candidate for selective application on suspicious inputs.
Patch-Based
Similarity Metric
04

JPEG Compression Squeezing

Re-encodes the input image using a lossy JPEG compression codec to discard high-frequency components in the discrete cosine transform (DCT) domain. Adversarial perturbations, which often manifest as fragile high-frequency signals, are destroyed during the quantization of DCT coefficients.

  • Quality Factor: A lower quality setting (e.g., 75-85) applies more aggressive squeezing.
  • Limitation: Less effective against attacks that constrain perturbations to the low-frequency domain or those specifically designed to survive JPEG compression.
  • Synergy: Often combined with other squeezers in an ensemble to cover different attack vectors.
75–85
Typical Quality Factor
05

Joint Detection via Prediction Divergence

The core detection mechanism: compare the model's output vector on the original input against its output on the squeezed input. A significant L1 distance between the two probability distributions indicates an adversarial example.

  • Thresholding: A calibrated threshold on the L1 divergence score separates legitimate variations from adversarial manipulation.
  • Ensemble Squeezing: Applying multiple squeezers (e.g., bit reduction + median filter) and aggregating divergence scores increases detection robustness against adaptive attacks.
  • White-Box Resilience: Even if an attacker knows the squeezers are in place, they must generate perturbations large enough to survive all squeezers simultaneously, which often breaks the imperceptibility constraint.
L1 Distance
Divergence Metric
06

Thermometer Encoding

A discretization technique that represents each pixel value as a binary vector where the k-th bit is 1 if the pixel value exceeds a threshold k. This unary encoding linearizes the input space and breaks the differentiable relationship between pixel intensity and model output.

  • Mechanism: A pixel with value 0.7 becomes [1,1,1,1,1,1,1,0,0,0] for 10 discretization levels.
  • Defense Property: Gradient-based attacks like PGD cannot compute meaningful gradients through the discretized representation.
  • Cost: Expands input dimensionality by a factor equal to the number of discretization levels, increasing memory and compute requirements.
10x–256x
Dimensionality Expansion
FEATURE SQUEEZING EXPLAINED

Frequently Asked Questions

Clear, technical answers to the most common questions about feature squeezing as a defense against adversarial examples in machine learning systems.

Feature squeezing is a lightweight adversarial example detection method that reduces the degrees of freedom available to an adversary by 'squeezing' unnecessary or redundant features from input samples before classification. The core mechanism works by applying one or more feature reduction transformations—such as reducing color bit depth from 8-bit to 4-bit per channel or applying a spatial smoothing filter like median blur—to both the original input and a suspect sample. The model then generates predictions for both the squeezed and unsqueezed versions. If the L1 distance between the two prediction vectors exceeds a calibrated threshold, the input is flagged as adversarial. This approach exploits a fundamental property of adversarial perturbations: they rely on the high-dimensional, fine-grained input space to encode their malicious signal. By coarsening that space, the perturbation is destroyed or significantly distorted, causing a measurable divergence in model output that is absent in clean, naturally robust samples.

DEFENSE COMPARISON

Feature Squeezing vs. Other Adversarial Defenses

Comparing Feature Squeezing against Adversarial Training, Randomized Smoothing, and Gradient Masking across key operational and security dimensions for agentic systems.

FeatureFeature SqueezingAdversarial TrainingRandomized Smoothing

Primary Mechanism

Input preprocessing & discrepancy detection

Data augmentation with adversarial examples

Noise injection & majority voting

Requires Model Retraining

Computational Overhead at Inference

Low (bit depth reduction, median filtering)

None (standard forward pass)

High (multiple noisy forward passes)

Provides Certified Guarantees

Defeated by Adaptive Attacks

Effective Against Zero-Day Attacks

Partial (detects anomalous inputs)

Low (fails on unseen attack types)

High (agnostic to attack type)

Suitable for Real-Time Agentic Systems

Vulnerable to Gradient Masking

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.