Defensive distillation is a training procedure where a second neural network is trained on the softmax probability vectors of a first network, using a high-temperature setting to extract class probability knowledge. This process smooths the model's decision surface, reducing the amplitude of adversarial gradients and making it harder for attackers to craft perturbed inputs that force misclassification.
Glossary
Defensive Distillation

What is Defensive Distillation?
A training procedure where a second model is trained on the softmax probability vectors of a first model to reduce the amplitude of adversarial gradients.
The technique was introduced by Papernot et al. as a countermeasure to gradient-based attacks like FGSM and JSMA. By training the distilled model on probability vectors rather than hard labels, the network learns relative class similarities. However, it was later shown to be vulnerable to Carlini-Wagner attacks, as the defense primarily causes gradient masking rather than true robustness.
Key Characteristics of Defensive Distillation
Defensive distillation is a security technique that transfers knowledge from a complex 'teacher' model to a simpler 'student' model using soft probability labels, effectively smoothing the decision landscape and reducing adversarial vulnerability.
Soft Label Transfer
The core mechanism involves training a second model on the softmax output vectors (class probabilities) of an initial model, rather than hard ground-truth labels. By using a high temperature parameter (T) during softmax, the teacher model reveals subtle class similarities. This extra knowledge encodes the relative structure of the data, teaching the student model not just the correct answer, but also which classes are similar, resulting in a smoother decision surface.
Gradient Magnitude Reduction
The primary defensive effect is the reduction of adversarial gradient amplitudes. In a standard model, small input perturbations cause sharp changes in the loss gradient, which attackers exploit. Distillation smooths the model's sensitivity to input variations, making the loss landscape flatter around training points. This effectively neutralizes sensitivity-based attacks like Fast Gradient Sign Method (FGSM) and Jacobian-based Saliency Map Attacks (JSMA) by denying the attacker useful gradient information.
Training Procedure
The process follows a strict two-phase pipeline:
- Phase 1: Train an initial deep neural network (the teacher) on hard labels with a high softmax temperature (e.g., T=20).
- Phase 2: Use the teacher's soft predictions as labels to train a second model (the student) of identical architecture, also at high temperature.
- Inference: The student model is deployed with the temperature reset to T=1, restoring crisp probability outputs while retaining the learned robustness.
Limitations and Bypasses
Defensive distillation is not a universal shield. It is vulnerable to black-box attacks that do not rely on internal gradients, such as the Boundary Attack or transfer attacks from an independently trained surrogate model. Furthermore, Carlini-Wagner (C&W) attacks can bypass distillation by using an optimization-based objective function that is not impeded by gradient masking. It should be viewed as a component of a defense-in-depth strategy, not a standalone solution.
Relationship to Gradient Masking
Defensive distillation is often categorized as a form of gradient masking or obfuscation. While it successfully hides gradients from first-order attacks, it does not fundamentally increase the model's true robustness in the same way adversarial training does. Security researchers caution that relying solely on distillation can create a false sense of security, as the model remains brittle against attacks that circumvent the flattened gradient surface through randomization or hard-label decision boundaries.
Computational Overhead
The computational cost is concentrated entirely in the training phase, requiring two sequential training cycles. However, the deployed student model has zero inference-time overhead compared to a standard model of the same architecture. This makes it highly attractive for resource-constrained deployments where runtime defenses like input randomization would be too expensive. The student model is identical in size and speed to a non-distilled counterpart.
Frequently Asked Questions
Clear, technical answers to the most common questions about defensive distillation, its mechanisms, and its role in adversarial robustness.
Defensive distillation is a training procedure that transfers knowledge from a complex 'teacher' model to a simpler 'student' model using soft probability vectors instead of hard labels, specifically to reduce a network's sensitivity to adversarial perturbations. The process involves training an initial model at a high temperature setting to produce smooth class probability distributions, then using these softmax outputs—rather than the ground-truth one-hot labels—as the target for training a second model of identical architecture. This technique was introduced by Papernot et al. in 2016 as a defense against adversarial examples, primarily targeting the gradient masking effect that makes it harder for attackers to craft effective perturbations. The core insight is that the probability vectors encode relative class similarities, providing richer supervisory signals that smooth the model's decision landscape and reduce the amplitude of adversarial gradients.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Defensive Distillation vs. Other Adversarial Defenses
A comparative analysis of defensive distillation against other primary adversarial robustness techniques across key operational and security dimensions.
| Feature | Defensive Distillation | Adversarial Training | Randomized Smoothing |
|---|---|---|---|
Core Mechanism | Trains a second model on soft labels to smooth decision boundaries | Augments training data with adversarial examples | Adds Gaussian noise to inputs and returns majority prediction |
Gradient Masking Risk | |||
Certified Robustness | |||
Computational Overhead (Training) | 2x baseline (two training cycles) | 3-10x baseline (attack generation) | 1x baseline (standard training) |
Computational Overhead (Inference) | 1x baseline | 1x baseline | 100-1000x baseline (Monte Carlo sampling) |
Defense Against Black-Box Attacks | Moderate | High | High |
Defense Against White-Box Attacks | Low (broken by C&W) | High | Provable |
Impact on Clean Accuracy | Minimal (< 1% drop) | Moderate (2-5% drop) | Minimal to Moderate (1-3% drop) |
Related Terms
Defensive Distillation is a specific knowledge-transfer defense. Explore the broader landscape of adversarial robustness, related attack vectors it mitigates, and alternative hardening strategies.
Adversarial Training
The foundational brute-force defense that augments the training dataset with adversarial examples. Unlike Defensive Distillation, which smooths the model's output surface via temperature scaling, Adversarial Training directly injects perturbed inputs to force the decision boundary away from data points. It remains the empirical gold standard for robustness but incurs significant computational overhead.
Gradient Masking
A critical failure mode that Defensive Distillation must avoid. This occurs when a defense produces obfuscated or shattered gradients, preventing white-box attacks like FGSM from functioning but leaving the model vulnerable to black-box or transfer attacks. Early distillation implementations were criticized for merely masking gradients rather than providing true robustness.
Carlini-Wagner Attack (C&W)
An optimization-based attack specifically designed to break Defensive Distillation. By using a different loss function and directly optimizing for minimal perturbation, C&W circumvents the gradient masking effect that distillation relies on. It demonstrated that high-temperature softmax smoothing alone is insufficient against a determined, adaptive adversary.
TRADES
A robustness algorithm that explicitly optimizes a trade-off between natural accuracy and adversarial robustness. It decomposes prediction error into natural and boundary errors. This is a direct evolution beyond distillation, providing a tunable parameter to balance clean-data performance against worst-case perturbation resistance.
Randomized Smoothing
A probabilistic defense that provides certified robustness guarantees. By adding Gaussian noise to inputs and returning the majority vote, it creates a provably smooth classifier. Unlike Defensive Distillation, which offers no mathematical guarantees, Randomized Smoothing certifies that predictions will not change within a specific L2-radius.
Knowledge Distillation
The parent technique from which Defensive Distillation is derived. In standard Knowledge Distillation, a smaller student model is trained to match the softmax outputs of a larger teacher model to compress model size. Defensive Distillation repurposes this identical architecture-transfer logic but applies it to an identical architecture to improve generalization and smooth decision surfaces.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us