Defensive distillation is a training procedure that transfers knowledge from a complex teacher model to a simpler student model using soft labels—probability vectors over classes rather than hard one-hot labels. The student is trained on these softened outputs at a high temperature setting, which encodes information about class similarities and decision boundary geometry. This process smooths the model's loss surface, making it significantly harder for an attacker to find the precise input perturbations needed to force a misclassification.
Glossary
Defensive Distillation

What is Defensive Distillation?
Defensive distillation is a robustness technique that trains a model on the soft probability outputs of another model to smooth its decision surface and resist adversarial examples.
Originally proposed as a defense against evasion attacks, the technique works by reducing the amplitude of adversarial gradients. When an adversary attempts to craft a perturbed input, the flattened loss landscape provides minimal directional guidance, causing gradient-based attacks like the Fast Gradient Sign Method to fail. However, subsequent research demonstrated that defensive distillation alone is not a complete security solution, as it remains vulnerable to more sophisticated attacks such as the Carlini & Wagner attack, which can circumvent the gradient masking effect.
Key Characteristics of Defensive Distillation
Defensive distillation is a training-time countermeasure that smooths a model's decision surface by transferring knowledge from soft probability outputs, making it significantly harder for attackers to discover adversarial perturbations.
Knowledge Distillation Pipeline
The process involves a two-stage training paradigm. An initial teacher model is trained on hard labels with high temperature softmax to produce class probability vectors rich in inter-class similarity information. A second student model, architecturally identical, is then trained on these soft labels rather than ground-truth hard labels.
- Teacher Model: Trained with temperature T > 1 to soften probability distributions
- Student Model: Learns the full decision surface topology, not just decision boundaries
- Temperature Parameter: Controls the smoothness of the transferred knowledge
Gradient Masking Effect
Defensive distillation reduces the sensitivity of the model's loss surface in the vicinity of training points. The soft label training forces the student model to output probabilities that change extremely slowly when inputs are perturbed, effectively flattening the loss landscape.
- Adversarial gradient magnitudes become near-zero
- Attackers cannot reliably compute the direction of steepest ascent
- The Jacobian of the model becomes numerically unstable for gradient-based attacks
Temperature Scaling Mechanics
The distillation temperature T is the critical hyperparameter. During teacher training, the softmax function becomes softmax(z/T), where higher T values produce softer, more uniform probability distributions that encode relative class similarities.
- T=1: Standard softmax, minimal knowledge transfer
- T > 20: Near-uniform distribution, maximal smoothing
- At inference, the student uses T=1 for standard classification confidence
Attack Resistance Profile
Defensive distillation provides strong resistance against white-box gradient-based attacks like the Fast Gradient Sign Method (FGSM) and Jacobian-based Saliency Map Attack (JSMA). However, it is vulnerable to black-box transfer attacks and adaptive attacks that account for the distillation defense.
- FGSM Success Rate: Reduced from 90%+ to below 5% on MNIST
- C&W Attack: Carlini & Wagner demonstrated adaptive attacks can bypass distillation
- Defense-in-Depth: Should be combined with adversarial training for comprehensive robustness
Computational Overhead
The primary cost is training two identical models sequentially. The teacher and student share the same architecture, doubling the training time compared to standard training. However, inference cost is identical to the base model since only the student is deployed.
- Training Cost: 2x standard training time
- Inference Cost: No additional overhead
- Memory Footprint: No increase at deployment
Limitations and Adaptive Attacks
Defensive distillation is not a provable defense. Nicholas Carlini and David Wagner demonstrated that constructing a modified loss function that accounts for the temperature scaling can successfully generate adversarial examples against distilled models.
- Adaptive Attackers: Can reverse-engineer the distillation temperature
- Transfer Attacks: Adversarial examples crafted on an undefended surrogate model often transfer
- Certified Robustness: Distillation provides no formal mathematical guarantees
Defensive Distillation vs. Related Defenses
A technical comparison of defensive distillation against other primary defense mechanisms used to harden models against adversarial examples and gradient-based attacks.
| Feature | Defensive Distillation | Adversarial Training | Randomized Smoothing |
|---|---|---|---|
Defense Mechanism | Trains a second model on soft labels from a first model to smooth the decision surface | Augments training data with adversarial examples to improve boundary resilience | Adds random noise to inputs during inference and aggregates predictions for certified guarantees |
Primary Threat Mitigated | Gradient-based evasion attacks (FGSM, PGD) | Evasion attacks and distributional shift | Norm-bounded adversarial perturbations |
Certified Robustness | |||
Training Overhead | Moderate (two sequential training runs) | High (generating adversarial examples each epoch) | Low (no adversarial training required) |
Inference Overhead | Low (single forward pass) | Low (single forward pass) | High (multiple noisy forward passes) |
Gradient Masking Risk | |||
Typical Accuracy Trade-off | Minimal on clean data | 2-5% reduction on clean data | 3-8% reduction on clean data |
Attack Transferability Resistance | Moderate (smooths gradients but can be circumvented by adaptive attacks) | High (model learns robust features) | High (provable radius guarantee) |
Frequently Asked Questions
Clear, technically precise answers to the most common questions about defensive distillation, its mechanisms, and its role in securing machine learning models against adversarial threats.
Defensive distillation is a robustness technique that trains a second model (the student) on the soft probability outputs (soft labels) of a previously trained model (the teacher), rather than on hard ground-truth labels. The process works in two phases: first, a teacher model is trained conventionally on the original dataset at a high temperature setting T in the softmax layer, which produces a smoother probability distribution over classes. Second, a student model with identical architecture is trained using the teacher's softmax outputs as labels, also at temperature T. At inference time, the temperature is reset to T=1. This training process smooths the model's decision surface, making it significantly harder for an adversary to craft adversarial examples because the gradients of the loss function with respect to the input become less informative and more difficult to exploit.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Defensive distillation is one component of a broader security posture. These related concepts form the complete toolkit for hardening models against adversarial manipulation.
Adversarial Robustness
The quantified resilience of a model against intentionally crafted inputs designed to cause misclassification. Defensive distillation directly improves robustness by smoothing the model's decision surface, making it harder for attackers to find adversarial directions.
- Key metric: Robust accuracy under perturbation budget ε
- Relationship: Distillation is a robustness training technique
- Trade-off: Often reduces clean-data accuracy by 1-3%
Evasion Attack
An inference-time attack where an adversary modifies an input sample with imperceptible perturbations to force misclassification. Defensive distillation was specifically designed to counter evasion attacks by reducing the amplitude of adversarial gradients.
- FGSM: Fast Gradient Sign Method, a common evasion technique
- PGD: Projected Gradient Descent, a stronger iterative variant
- Defense mechanism: Distillation flattens loss landscape near training points
Gradient Masking
A phenomenon where a defense inadvertently hides gradient information rather than truly improving robustness. Early defensive distillation implementations were criticized for causing gradient masking, which gave a false sense of security against white-box attacks.
- Detection: Test with black-box transfer attacks
- Fix: Combine distillation with adversarial training
- Lesson: Obfuscated gradients ≠genuine robustness
Certified Robustness
A formal, mathematical guarantee that a model's prediction remains constant for any input perturbation within a defined Lp-norm bound. Unlike empirical defenses like distillation, certified methods provide provable guarantees.
- Randomized smoothing: A leading certification technique
- Comparison: Distillation offers empirical, not certified, defense
- Hybrid approach: Use distillation as a base, then apply smoothing
Model Extraction Attack
An attack where an adversary systematically queries a target model to reconstruct its functionality or steal learned parameters. The soft labels used in defensive distillation can inadvertently leak more information per query than hard labels.
- Risk: Softmax probabilities reveal decision boundary details
- Mitigation: Apply differential privacy to output probabilities
- Trade-off: Higher temperature distillation increases extraction vulnerability
Federated Adversarial Training
A decentralized training process that incorporates adversarial examples into local client training to improve global model robustness. When combined with defensive distillation across federated nodes, it creates a defense-in-depth architecture.
- Local step: Each client generates adversarial examples on-device
- Global benefit: Aggregated model inherits multi-source robustness
- Privacy: Adversarial samples never leave the local node

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us