Currying ALU for Modular Adversarial Robustness

• Currying ALU is a method that applies the adversarial logit update principle in a curried, modular fashion to decompose deep neural network classification pipelines.
• It enables independent evaluation of model architectures, purification modules, and decision rules, streamlining experimentation in adversarial defenses.
• The approach retains robust performance under adversarial attacks, offering adaptable, plug-and-play solutions as demonstrated in recent empirical studies.

Currying ALU, in the context of adversarial robustness in deep neural networks, refers to the application of the Adversarial Logit Update (ALU) principle using a curried, higher-order functional-programming style. This approach decomposes the ALU-based classification pipeline into modular, composable units—allowing independent variation of model, purifier, and decision logic. The ALU principle itself provides a decision rule for inferring class labels of adversarial or purified samples, operating on the difference between logits before and after purification. Currying this principle yields increased modularity, facilitating rapid experimentation with different purification and classification strategies while retaining adversarial robustness guarantees (Xuan et al., 2023).

1. Theoretical Basis of Adversarial Logit Update

ALU targets adversarial robustness by observing that, when a clean sample $x$ is perturbed into an adversarial instance $x_\text{adv}=x+\delta$ and subsequently passed through a purification module $P$, the resulting logit vectors (pre- and post-purification) encode crucial information for label recovery.

Let $C(x)=\text{Softmax}(W^\top f_0(x))$ be a pre-trained classifier where $f_0(x)\in\mathbb{R}^d$ denotes penultimate-layer features and $W\in\mathbb{R}^{d\times M}$ the final layer weights. For $x_\text{adv}$ and $x_\text{pur}=P(x_\text{adv})$, define:

• Pre-purification logits $\Pi' = W^\top f_0(x_\text{adv})$
• Post-purification logits $\Pi = W^\top f_0(x_\text{pur})$
• Logit difference $x_\text{adv}=x+\delta$0, componentwise $x_\text{adv}=x+\delta$1

The ALU rule states that the index of the maximal $x_\text{adv}=x+\delta$2 often recovers the true class. Analytical support arises from decomposing $x_\text{adv}=x+\delta$3 into robust, non-robust, and irrelevant feature subspaces, with successful attacks causing large, positive $x_\text{adv}=x+\delta$4 for the target class after purification, typically exceeding $x_\text{adv}=x+\delta$5 for $x_\text{adv}=x+\delta$6 (Xuan et al., 2023).

2. Algorithmic Implementation and Classification Pseudocode

ALU-based sample classification proceeds as follows:

1. Input sample $x_\text{adv}=x+\delta$7
2. Compute purified surrogate $x_\text{adv}=x+\delta$8
3. Compute pre- and post-purification logits: $x_\text{adv}=x+\delta$9, $P$0
4. If adversarial detection module $P$1 indicates $P$2 is adversarial, apply ALU: $P$3.
5. Otherwise, employ standard classification: $P$4
6. Output predicted label $P$5

This workflow enables ALU to serve as either a primary classification mechanism for suspected adversarial samples or as a complement to standard argmax/softmax-based approaches.

3. Functional-Programming Formulation and Currying Principle

The ALU process can be encoded as a higher-order function that takes a model and a purifier as arguments, returning a classifier:

• Uncurried form:

$P$6

$P$7

• Curried form:

$P$8

Each $P$9 binds one argument, permitting partial application. Fixing the model yields a function from purifiers to classifiers. Subsequently fixing a purifier produces a classifier function $C(x)=\text{Softmax}(W^\top f_0(x))$0. This function can be further modularized to operate directly on logits rather than samples if desired (Xuan et al., 2023).

4. Modularity via Currying: Illustrative Examples

Currying the ALU classification process results in pronounced modularity:

• Swapping Purifiers: Let $C(x)=\text{Softmax}(W^\top f_0(x))$1, $C(x)=\text{Softmax}(W^\top f_0(x))$2 be purifiers,

$C(x)=\text{Softmax}(W^\top f_0(x))$3

The code for $C(x)=\text{Softmax}(W^\top f_0(x))$4, $C(x)=\text{Softmax}(W^\top f_0(x))$5 differs only in their choice of purifier; all other logic remains shared.

• Plug-and-play Decision Rules: Introducing a softmax-based decision rule,

$C(x)=\text{Softmax}(W^\top f_0(x))$6

The modular structure enables partial application of model, purifier, or decision logic, with alterations requiring changes only to the relevant $C(x)=\text{Softmax}(W^\top f_0(x))$7.

5. Practical Impact and Modularity Gains

Currying the ALU classifier decomposes the monolithic adversarial defense pipeline into three mutually independent axes: model architecture, purification mechanism, and decision rule. Consequently, any of these elements can be exchanged independently via partial function application, expediting configurability and experimentation. For instance, one may fix a classifier while systematically evaluating multiple purification approaches, or substitute alternative decision metrics such as thresholded or softmax rules for $C(x)=\text{Softmax}(W^\top f_0(x))$8, without recoding the rest of the system.

This modularity significantly accelerates adversarial robustness research and deployment. In particular, it enables easy adaptation of ALU-based defense strategies to varying architectural, purification, and detection frameworks. A plausible implication is that such functional decomposition may serve as a template for constructing similarly modular defense systems beyond the logit-based paradigm (Xuan et al., 2023).

6. Summary and Research Context

Currying ALU provides an elegant methodology for modularizing adversarial logit update classification, yielding clear separation of classifier, purification, and decision logic. This strongly supports systematic investigation of purification strategies and classifier architectures in adversarial defense. Currying the ALU function leads to improved software reusability and facilitates robust performance across different attack scenarios, as substantiated in the empirical findings on CIFAR-10, CIFAR-100, and tiny-ImageNet datasets (Xuan et al., 2023). The curricular, functional formulation and its modular ramifications represent a distinctive contribution to the adversarial robustness literature.