Defensive distillation is a model hardening technique where a second 'student' model is trained on the softmax probability vectors produced by a previously trained 'teacher' model, rather than on hard class labels. By using these soft labels—which contain class probability ratios at a higher distillation temperature—the student learns a smoother loss landscape. This process effectively reduces the amplitude of adversarial gradients, making it harder for an attacker to compute a perturbation direction using methods like the Fast Gradient Sign Method (FGSM).
Glossary
Defensive Distillation

What is Defensive Distillation?
Defensive distillation is a security mechanism that trains a second neural network using the soft probability outputs of a first model to smooth the decision surface and reduce sensitivity to adversarial perturbations.
The defense operates by extracting knowledge about relative class similarities from the teacher and encoding it into the student's weights, a process that masks the model's sensitivity to input variations. However, security researchers later demonstrated that defensive distillation is vulnerable to black-box transferability attacks and can be bypassed by more sophisticated iterative attacks like Projected Gradient Descent (PGD). It is now understood primarily as a form of gradient masking rather than true adversarial robustness, serving as a foundational case study in the arms race between attacks and defenses.
Key Characteristics of Defensive Distillation
Defensive distillation is a security technique that trains a second model using the soft probability outputs of a first model. This process smooths the loss surface and reduces the amplitude of adversarial gradients, making it harder for attackers to craft effective perturbations.
Knowledge Transfer via Soft Labels
The core mechanism involves training a student model on the class probability vectors produced by a teacher model, rather than on hard one-hot labels. These soft labels encode inter-class similarities, providing richer information about the decision boundary. The student learns to mimic the teacher's output distribution, effectively transferring knowledge about the relative confidence between classes.
Temperature Scaling in the Softmax
A critical hyperparameter T (temperature) is introduced into the softmax function: softmax(z/T). At training time, a high temperature (e.g., T=100) is used to soften the probability distribution, exposing the dark knowledge of the teacher. At inference time, the temperature is reset to T=1, restoring crisp probabilities. This scaling is what smooths the loss landscape.
Gradient Magnitude Reduction
The primary defensive effect is a dramatic reduction in the magnitude of the model's gradients with respect to the input. By training on soft targets, the student model's loss surface becomes smoother. This directly counters gradient-based attacks like FGSM and PGD, which rely on steep gradients to compute effective perturbations. The attacker finds a flattened, uninformative loss landscape.
Jacobian Regularization Effect
Training with soft labels implicitly performs Jacobian regularization. The student model is penalized for having large derivatives of its output with respect to its input. This forces the model to be less sensitive to small input variations, which is the exact vulnerability that adversarial examples exploit. The model learns a more stable and generalizable input-output mapping.
Vulnerability to Re-Adaptive Attacks
Defensive distillation is not a panacea. It is known to be vulnerable to white-box attacks that account for the distillation process. Attackers can craft perturbations using the distilled model's own gradients, or bypass the gradient masking by using transferability from a non-distilled surrogate model. The defense provides obscurity, not a provable robustness guarantee.
Architecture-Agnostic Application
The technique is independent of the underlying neural network architecture. It can be applied to feedforward networks, convolutional neural networks, and other differentiable classifiers. The only requirement is that the teacher and student models share the same output dimensionality. This makes it a flexible, drop-in defense strategy during the training pipeline.
Frequently Asked Questions
Clear, technical answers to the most common questions about defensive distillation, a neural network hardening technique that uses soft probability labels to smooth decision boundaries and resist adversarial manipulation.
Defensive distillation is a model hardening technique that trains a second neural network (the student) using the soft probability outputs of a first network (the teacher), rather than hard class labels. The teacher model is first trained normally on the original dataset. Its final softmax layer is modified with a temperature parameter T > 1, which softens the output probabilities, revealing class similarities. These soft labels—containing relative probabilities across all classes—are then used to train the student model with the same high temperature. At inference time, the temperature is reset to 1. This process smooths the model's loss surface, making it less sensitive to small input perturbations that adversarial attacks exploit. The technique was introduced by Papernot et al. in 2016 as a defense against evasion attacks like FGSM and JSMA.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Defensive Distillation does not exist in isolation. Understanding its relationship to attack vectors, alternative defenses, and failure modes is critical for security engineers hardening ML systems.
Adversarial Training
The primary alternative to distillation. Instead of smoothing the model with soft labels, this technique directly injects adversarial examples into the training set with correct labels.
- Mechanism: Solves a min-max optimization problem, training on worst-case perturbations.
- Distillation vs. Training: Distillation is a static post-processing step; adversarial training is an active data augmentation.
- Current Consensus: Adversarial training generally provides stronger empirical robustness than distillation alone.
Gradient Masking
The primary failure mode of Defensive Distillation. This occurs when a defense causes the model's gradients to become useless or misleading to an attacker.
- Obfuscated Gradients: Distillation can flatten the loss surface near training points, causing gradient-based attacks to fail numerically.
- False Security: The model appears robust against weak attacks but remains vulnerable to black-box attacks or attacks that circumvent the masked gradients.
- Detection: If a one-step attack (FGSM) fails but a multi-step attack (PGD) succeeds, gradient masking is likely present.
Projected Gradient Descent (PGD)
The standard benchmark attack used to evaluate defenses like distillation. PGD is an iterative, multi-step variant of the Fast Gradient Sign Method.
- How it works: Takes many small gradient steps, projecting the result back onto an epsilon-ball around the original input after each step.
- Why it matters: PGD reliably breaks gradient masking defenses. If a distilled model survives strong PGD, the robustness is likely genuine.
- Evaluation Standard: Any claim of adversarial robustness must report accuracy against PGD with a specified perturbation budget.
Carlini & Wagner Attack (C&W)
An optimization-based attack that directly minimizes the perturbation distance required to cause misclassification, rather than relying solely on gradient steps.
- Objective Function: Minimizes a loss that balances the Lp-norm distance from the original input and the misclassification confidence.
- Distillation Breaker: The original C&W paper demonstrated that Defensive Distillation provides zero robustness against this attack, exposing gradient masking.
- Key Insight: C&W uses the model's logits directly and optimizes with Adam, bypassing the flattened softmax surface that distillation relies on.
Adversarial Example Transferability
The property by which an adversarial example crafted to fool Model A also causes misclassification in independently trained Model B.
- Distillation's Role: The distilled student model has a different architecture and training trajectory than the teacher. Transferability between them is not guaranteed.
- Black-Box Threat: An attacker can train a surrogate model, craft white-box attacks against it, and transfer them to the distilled target model.
- Defense Implication: Distillation does not inherently prevent transfer attacks; robustness must be evaluated against transferred examples from diverse surrogate architectures.
Robustness Certificate
A formal, verifiable guarantee that a model's prediction will remain constant for any perturbation within a specified Lp-norm radius.
- Distillation's Limitation: Defensive Distillation provides no formal certificate. Its robustness is purely empirical and can be broken by stronger attacks.
- Certified Alternatives: Techniques like Randomized Smoothing provide provable guarantees by adding Gaussian noise and aggregating predictions.
- Practical Trade-off: Certified defenses typically have lower clean accuracy than distillation, creating a utility-robustness tension.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us