CABDR: Confidence-Adaptive Bit-Depth Reduction

Updated 23 November 2025
  • CABDR is a dynamic quantization mechanism that adjusts bit-depth based on per-sample prediction uncertainty, mitigating adversarial gradient alignment.
  • It uses Monte Carlo dropout to estimate uncertainty and applies confidence thresholds to switch between 8, 6, and 4 bit precisions, preserving clean accuracy.
  • The technique enhances malware detection by significantly reducing attack success rates while maintaining high throughput and low latency in production.

Confidence-Adaptive Bit-Depth Reduction (CABDR) is a defense mechanism designed to optimize the trade-off between adversarial robustness and computational efficiency in supervised machine learning, with primary application to large-scale malware detection. CABDR introduces a dynamic, per-sample feature quantization scheme conditioned on the model's predictive uncertainty, efficiently disrupting adversarial gradients while minimizing overhead and preserving clean accuracy (Chaudhary et al., 16 Nov 2025).

1. Mathematical Framework

CABDR operates on a real-valued, engineered feature vector $x \in \mathbb{R}^d$ for each input. The classifier $f_\theta$ predicts class probabilities, and its per-sample predictive uncertainty $U(x)$ is estimated via Monte-Carlo (MC) dropout:

$$U(x) = \frac{1}{T} \sum_{t=1}^T \operatorname{Var}\left[ f_\theta^{(t)}(x) \right]$$

where $f_\theta^{(t)}$ denotes the $t$-th MC dropout sample over $T$ runs ($T=10$ in reported experiments).

CABDR applies a bit-depth $b$ to each sample based on two confidence thresholds, $\tau_{\text{low}}$ and $\tau_{\text{high}}$ (set to 0.1 and 0.3, respectively):

$$b(U) = \begin{cases} 8 & \text{if } U < \tau_{\text{low}} \\ 6 & \text{if } \tau_{\text{low}} \leq U < \tau_{\text{high}} \\ 4 & \text{if } U \geq \tau_{\text{high}} \end{cases}$$

Each feature $x_i$ is quantized via:

$$Q_b(x_i) = \operatorname{round}\left( \frac{x_i}{2^{8-b}} \right) \cdot 2^{8-b}$$

This confidence-adaptive quantization ensures reduced bit precision for “uncertain” samples, impeding precise adversarial gradient construction.

2. Algorithmic Procedure

CABDR is executed per batch $X \in \mathbb{R}^{n \times d}$ as follows:

  1. For each $x \in X$, compute uncertainty:

     $$U(x) \leftarrow \frac{1}{T}\sum_{t=1}^T \operatorname{Var}[f_\theta^{(t)}(x)]$$

  2. Choose bit-depth $b$ based on $U(x)$:
    • $b \leftarrow 8$ if $U(x) < \tau_{\text{low}}$
    • $b \leftarrow 6$ if $U(x) < \tau_{\text{high}}$
    • $b \leftarrow 4$ otherwise
  3. Quantize each feature:

     $$\hat{x}_i \leftarrow Q_b(x_i)$$

  4. Compute final prediction:

     $$P(x) \leftarrow f_\theta(\hat{x})$$

Batch processing can be vectorized, and a straight-through estimator is used to propagate gradients through $Q_b$ during adaptive attack evaluation (Chaudhary et al., 16 Nov 2025).
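The following Python example is added here for illustration and is not code from the paper or from the original page. It implements steps 2 and 3 of the procedure (threshold-based bit-depth selection and the quantizer $Q_b$) and measures how much of a small input change survives quantization at each bit-depth. It takes $U(x)$ as a precomputed input rather than running MC dropout; the function names, the feature values, the perturbation and the 0–255 feature scale are constructed assumptions.

```python
# Added example: CABDR steps 2-3 (bit-depth selection and quantization).
TAU_LOW, TAU_HIGH = 0.1, 0.3          # thresholds quoted on the page

def select_bit_depth(u, tau_low=TAU_LOW, tau_high=TAU_HIGH):
    """Map uncertainty U(x) to b: 8 (confident), 6, or 4 (uncertain)."""
    if u < tau_low:
        return 8
    if u < tau_high:
        return 6
    return 4

def quantize(x, b):
    """Q_b(x_i) = round(x_i / 2^(8-b)) * 2^(8-b), applied per feature."""
    step = 2 ** (8 - b)               # grid spacing: 1, 4 or 16
    return [round(xi / step) * step for xi in x]

def cabdr_quantize(x, u):
    """Return (b, x_hat) for one sample given its precomputed U(x)."""
    b = select_bit_depth(u)
    return b, quantize(x, b)

def surviving_perturbation(x, delta, u):
    """Per-feature change in the quantized input caused by adding delta."""
    _, clean = cabdr_quantize(x, u)
    _, moved = cabdr_quantize([xi + di for xi, di in zip(x, delta)], u)
    return [m - c for m, c in zip(moved, clean)]

# Constructed sample: four features on an assumed 0-255 scale.
X = [32.0, 96.0, 208.0, 23.0]
DELTA = [3.0, -3.0, 3.0, 2.0]         # constructed small perturbation

if __name__ == "__main__":
    for u in (0.05, 0.20, 0.35):      # constructed uncertainty values
        b, x_hat = cabdr_quantize(X, u)
        print(u, b, x_hat, surviving_perturbation(X, DELTA, u))
```

At 4 bits the change vanishes for the three features that sit on the grid, while the feature close to a bin boundary moves by a full step of 16; at 6 bits a change larger than half a step is snapped to the next grid point.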

3. Computational Complexity and Overhead

The computational cost per batch (size $n$) is:

  • MC Dropout Uncertainty: $\mathcal{O}(nT)$
  • Quantization: $\mathcal{O}(nd)$ (arithmetic + rounding)
  • Classification: $\mathcal{O}(n)$ (assuming single forward pass per example)

Measured inference time overheads (relative to a vanilla classifier):

| Method | Overhead |
|---|---|
| Fixed 8-bit (“squeezing”) | 1.3× |
| CABDR-only | 1.3× |
| TRO + CABDR | 1.76× |
| Chunk Smoothing (SOTA prior) | ≈4.0× |

Corresponding throughput values:

| Pipeline | Throughput (samples/sec) |
|---|---|
| Baseline | 20,475 |
| TRO + CABDR | 11,638 |
| Chunk Smoothing | 5,120 |

CABDR-infused models (when used for inference only) scale to a peak throughput of $1.26 \times 10^6$ samples/sec (batch size 256). P99 latency under 100 ms (76 ms) addresses interactive production requirements.

4. Evaluation Protocol and Experimental Setup

CABDR was evaluated under a white-box threat model using the EMBER v2 dataset, which consists of 800,000 pre-extracted static PE features (2,381 real-valued dimensions per sample), temporally split (600K train, 200K test). The following attacks were used:

  • FGSM ($\epsilon \in \{0.1, 0.3, 0.5\}$)
  • PGD-20 ($\epsilon=0.1$)
  • C&W ($\kappa=0$)
  • AutoPGD (adaptive step)
  • EMBER-PGD (format-constrained)

Performance was assessed using clean accuracy, attack success rate (ASR), AUC, malware true positive rate (TPR), throughput, and latency percentiles (P50/P95/P99). Experiments were implemented in PyTorch 2.0.1, leveraging mixed-precision FP16/FP32 on NVIDIA H100, with batch sizes 64–256. Each configuration was evaluated with 5 independent seeds (42, 123, 456, 789, 1024), reporting 95% confidence intervals and paired $t$-tests with Bonferroni correction.

5. Quantitative Outcomes

CABDR, when composed with Trust-Based Raw Override (TRO), provides a robust accuracy-efficiency profile:

| Method | Clean Acc (%) | Avg ASR (%) | Throughput | Overhead | $p$-value |
|---|---|---|---|---|---|
| Baseline | 91.4 ± 0.2 | 72.3 ± 2.4 | 20,475 | 1.0× | |
| TRO + CABDR | 91.0 ± 0.3 | 34.4 ± 1.6 | 11,638 | 1.76× | <0.001 |

Attack-wise ASR reductions (CABDR-only or full system):

| Attack | Baseline ASR (%) [CI] | CABDR ASR (%) [CI] | Reduction |
|---|---|---|---|
| FGSM ($\epsilon=0.3$) | 68.4 [66.2, 70.6] | 31.2 [29.4, 33.0] | 54.4% |
| PGD-20 ($\epsilon=0.1$) | 71.6 [69.3, 73.9] | 35.2 [33.2, 37.2] | 50.8% |
| C&W ($\kappa=0$) | 72.6 [70.1, 75.1] | 37.2 [35.1, 39.3] | 48.8% |
| AutoPGD | 69.3 [67.0, 71.6] | 31.2 [29.3, 33.1] | 55.0% |
| EMBER-PGD | 74.8 [72.4, 77.2] | 35.0 [33.0, 37.0] | 53.2% |

CABDR maintains 91% clean accuracy and consistently reduces ASR to the 31–37% range, with statistical significance ($p < 0.001$, 95% CIs) (Chaudhary et al., 16 Nov 2025).

6. Balancing Robustness and Efficiency in Production

CABDR’s core contribution is dynamic, uncertainty-driven quantization: “easy” (high-confidence) samples are minimally quantized (8 bits), while “hard” (low-confidence) samples are more aggressively quantized (4–6 bits). This mechanism preserves baseline accuracy for benign samples while imposing quantization barriers that degrade adversarial gradient alignment, effecting a substantial ASR drop (from ~72% to 31–37%).

CABDR introduces only $\mathcal{O}(d)$ arithmetic overhead per sample, resulting in a 1.3× (quantization-only) or 1.76× (full pipeline with TRO) increase over baseline inference time, compared to 4–22× in prior smoothing approaches. Throughput exceeds 1 million samples/sec for inference-only, and 11,638 samples/sec for the full pipeline; P99 latencies remain within the low tens of milliseconds, precluding interactive bottlenecks.

Statistical testing (95% confidence intervals, $p < 0.01$ with Bonferroni correction) affirms that improvements in robustness are not attributable to gradient masking. Evaluations with adaptive BPDA+EOT and black-box attack variants corroborate this finding.

CABDR's efficacy suggests that practical, production-grade adversarial robustness for malware detection—and potentially other domains—requires adaptive, confidence-based defense that judiciously allocates computation to maximize security per unit cost, without unsustainable infrastructure commitments (Chaudhary et al., 16 Nov 2025).
