Inferensys

Glossary

Local Intrinsic Dimensionality (LID)

Local Intrinsic Dimensionality (LID) is a metric that characterizes the dimensional properties of a data subspace around a sample, used to detect adversarial examples that lie in anomalous manifold regions.
Data scientist building training data pipeline on laptop, data preprocessing visible, technical workspace.
ADVERSARIAL ROBUSTNESS METRIC

What is Local Intrinsic Dimensionality (LID)?

Local Intrinsic Dimensionality characterizes the dimensional properties of a data subspace around a reference sample, providing a metric to detect adversarial examples that lie in anomalous, high-dimensional manifold regions.

Local Intrinsic Dimensionality (LID) is a metric that quantifies the rate of growth in the number of data points encountered as the distance from a reference sample expands, effectively measuring the local dimensional structure of the data manifold. It leverages the statistical properties of nearest neighbor distances to estimate the intrinsic dimensionality of the subspace surrounding a specific input point.

In adversarial device spoofing detection, LID is used to identify evasion attacks by revealing that adversarial perturbations force input samples into higher-dimensional, off-manifold regions of the feature space. A significantly elevated LID score relative to legitimate training samples indicates that a signal is anomalous, enabling the classifier to reject sophisticated deepfake RF impersonations that would otherwise bypass the model.

DIMENSIONALITY METRICS

Key Characteristics of LID

Local Intrinsic Dimensionality (LID) provides a mathematically rigorous framework for characterizing the local manifold structure around a data point, enabling the detection of adversarial samples that reside in anomalously high-dimensional subspaces.

01

Definition and Core Mechanism

Local Intrinsic Dimensionality (LID) measures the rate of growth in the number of data points encountered as the distance from a reference sample expands. In adversarial detection, LID assesses the dimensional properties of the local subspace surrounding a feature vector. Legitimate samples tend to lie in low-dimensional, tightly clustered manifolds. Adversarial examples, generated by perturbation, are often pushed into higher-dimensional, off-manifold regions. The LID score quantifies this dimensional discrepancy, providing a powerful statistical test to discriminate between clean and spoofed inputs.

Off-Manifold
Adversarial Region
02

Mathematical Foundation

LID is formally defined using the theory of extreme value distributions. For a sample point, the distribution of distances to its nearest neighbors is modeled as a Generalized Pareto Distribution. The LID estimate is derived from the scaling exponent of this distribution. A high LID value indicates that the probability mass around the point is concentrated in many directions, characteristic of a high-dimensional subspace. The Maximum Likelihood Estimator (MLE) is the standard algorithm for computing LID, using only the distances to the k-nearest neighbors, making it computationally tractable for real-time detection pipelines.

MLE
Estimation Method
03

Adversarial Detection Application

In a spoofing detection system, LID acts as a post-hoc detector attached to a pre-trained classifier. The workflow is:

  • Extract feature vectors from the penultimate layer of the neural network.
  • Compute the LID score for each input's feature vector relative to a clean baseline set.
  • Flag inputs with anomalously high LID scores as potential adversarial spoofing attempts. This method is attack-agnostic, meaning it does not require prior knowledge of the specific algorithm used to generate the spoofed signal, making it effective against zero-day evasion attacks.
Attack-Agnostic
Detection Type
04

LID vs. Mahalanobis Distance

While both are used for out-of-distribution detection, they measure fundamentally different properties:

  • Mahalanobis Distance: Measures the distance from a class centroid, normalized by the covariance. It assumes a Gaussian distribution and detects samples far from the mean.
  • Local Intrinsic Dimensionality: Measures the local subspace expansion rate. It detects samples in anomalously high-dimensional regions, even if they are close to the centroid. LID is often more robust for detecting feature space poisoning and subtle perturbations that do not shift a sample far in Euclidean distance but push it off the data manifold.
Subspace vs. Distance
Core Distinction
05

Limitations and Operational Considerations

LID-based detectors face specific challenges in RF fingerprinting contexts:

  • Channel Variability: Multipath and fading can artificially inflate the local dimensionality of a legitimate signal, causing false positives. Domain adversarial training is required to learn channel-invariant features before LID computation.
  • Curse of Dimensionality: In very high-dimensional feature spaces, the MLE estimator can become unstable. Dimensionality reduction via t-SNE or UMAP is often applied as a preprocessing step.
  • Computational Overhead: Nearest-neighbor searches must be optimized using approximate nearest neighbor (ANN) libraries like FAISS for real-time, low-latency authentication.
FAISS
Optimization Tool
06

Integration with Open Set Recognition

LID is a foundational component of modern open set recognition systems for emitter identification. In a closed-set classifier, any input is forced into a known class. By adding a LID-based rejection layer, the system can:

  • Classify known emitters with high confidence.
  • Reject unknown or spoofed devices whose feature vectors exhibit high LID scores. This creates a robust open-world authentication framework that simultaneously handles known device identification and unknown threat detection, aligning with zero-trust security architectures.
Open-World
Operational Paradigm
LOCAL INTRINSIC DIMENSIONALITY

Frequently Asked Questions

Explore the core concepts behind Local Intrinsic Dimensionality (LID) and its critical role in detecting adversarial device spoofing attempts against radio frequency fingerprinting systems.

Local Intrinsic Dimensionality (LID) is a metric that characterizes the dimensional properties of the data subspace immediately surrounding a specific sample point. It works by analyzing the statistical distribution of distances between a reference sample and its nearest neighbors in a high-dimensional feature space. In the context of adversarial device spoofing detection, LID measures how many latent dimensions are required to effectively represent the local manifold of a legitimate RF fingerprint. Adversarial examples, crafted to fool a classifier, typically lie in anomalous, low-probability regions of this manifold. Consequently, they exhibit a higher LID score than normal, in-distribution samples because the adversarial perturbation pushes them into a region where the data distribution is less concentrated and more 'spread out' dimensionally. This makes LID a powerful, model-agnostic statistic for out-of-distribution detection.

DETECTION METHOD COMPARISON

LID vs. Other Adversarial Detection Methods

Comparative analysis of Local Intrinsic Dimensionality against alternative techniques for identifying adversarial device spoofing samples in RF fingerprinting systems.

FeatureLocal Intrinsic Dimensionality (LID)Feature SqueezingDefensive Distillation

Core Mechanism

Characterizes dimensional properties of data subspaces around a sample to detect anomalous manifold regions

Reduces input feature space complexity to limit adversary's degrees of freedom for constructing evasion attacks

Trains a second model on softened probability outputs of the first to smooth decision boundaries against perturbations

Requires Model Retraining

Operates at Inference Time

Adversary Knowledge Assumption

Black-box and white-box effective; does not rely on knowing attack method

Gray-box; assumes attacker exploits high-dimensional feature space

White-box; assumes attacker has full knowledge of model architecture and training procedure

Computational Overhead

Moderate; requires nearest neighbor computation per sample

Low; applies simple input transformations like bit-depth reduction or spatial smoothing

High; requires full retraining of a second model with temperature-scaled soft labels

Detection Granularity

Per-sample dimensional anomaly scoring with tunable threshold

Binary pass/fail based on prediction consistency between squeezed and unsqueezed inputs

Implicit; relies on smoothed decision surface to naturally reject small perturbations

Vulnerability to Adaptive Attacks

Resistant; attacker must craft samples matching local dimensional properties of authentic manifold

Moderately vulnerable; attacker can incorporate squeezing operations into loss function during attack generation

Vulnerable; demonstrated susceptibility to transferability attacks and re-optimized adversarial examples

Suitability for RF Fingerprinting

High; effectively detects synthetic deepfake RF signatures that lie off the authentic transmitter manifold

Moderate; squeezing operations may distort subtle hardware impairment features critical for emitter identification

Low; distillation smooths fine-grained impairment distinctions, potentially reducing legitimate classification accuracy

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.