Papers
Topics
Authors
Recent
Search
2000 character limit reached

Defense2Attack: Adaptive Defense & Attack Modeling

Updated 12 July 2026
  • Defense2Attack is a framework where defensive strategies are explicitly conditioned on attacker behavior to enable dynamic adaptation.
  • It integrates methodologies like collision-aware assignment, adaptive machine-learning signal weighting, and ATT&CK-based resource allocation.
  • The approach highlights trade-offs between safety and performance, even leveraging defensive patterns to enhance adversarial attacks in some contexts.

Defense2Attack is a cross-domain research motif in which defensive structure is modeled explicitly with respect to attacker behavior, used to adapt defensive action to attack characteristics, or, in one adversarial reinterpretation, repurposed to strengthen attacks by exploiting defensive patterns. The term does not denote a single canonical algorithm. Instead, it spans multi-agent target defense, network intrusion detection, ATT&CK-grounded cyber policy evaluation, physical-layer wireless security, and multimodal model jailbreaking, with each literature instantiating the defense–attack coupling differently (Chipade et al., 2021, Olukola et al., 1 Mar 2026, Chen et al., 17 Apr 2025, Outkin et al., 2021, Chen-Hu et al., 2024, Zhao et al., 16 Sep 2025).

1. Defense2Attack as a cross-domain design pattern

Across the cited works, Defense2Attack consistently centers the attack model inside the defense logic rather than treating defense as attack-agnostic. In the multi-agent interception setting, IDCAIS is explicitly described as a Defense2Attack framework that couples time-optimal interception with collision-aware assignment and real-time safety augmentation against multiple attackers (Chipade et al., 2021). In machine-learning intrusion detection, AMDS defines Defense2Attack as defense explicitly conditioned on attack characteristics, learning how different attacks manifest across disagreement, uncertainty, and anomaly signals before adapting detection and classification decisions at inference time (Olukola et al., 1 Mar 2026). Dynamite operationalizes the same general principle as dynamic defense selection, learning a mapping from perturbed feature vectors to the defense that maximizes IDS performance (Chen et al., 17 Apr 2025).

In cyber campaign analysis, the ATT&CK-based Markov methodology uses defender resource allocation to quantify changes in an adversary’s multi-step progress, success probabilities, and timing, thereby turning defensive policy into an explicit model of attack progression (Outkin et al., 2021). In wireless communications, D-RIS constructs a non-reciprocal channel whose downlink and uplink CSIs act as pairwise secrets, so precoding and combining embed defensive structure directly into the adversary-facing channel (Chen-Hu et al., 2024). Differential-game formulations in conical environments and turret–defender target defense similarly encode attacker sensing, geometry, and equilibrium response into defender strategy computation (Pourghorban et al., 16 Sep 2025, Moll et al., 11 Sep 2025).

A notable exception is the vision-language jailbreaking paper titled “Defense-to-Attack,” where weak defense-styled cues are deliberately co-opted to increase attack effectiveness and efficiency. That paper reverses the usual meaning: defense patterns become steering signals for a jailbreak pipeline rather than safeguards against one (Zhao et al., 16 Sep 2025). This suggests that the phrase has both protective and adversarial uses in current literature.

Domain Defense2Attack instantiation Representative work
Multi-agent interception Collision-aware assignment plus ECBF safety IDCAIS (Chipade et al., 2021)
Network intrusion detection Attack-conditioned signal weighting AMDS (Olukola et al., 1 Mar 2026)
ML-IDS defense orchestration Per-sample defense selection DYNAMITE (Chen et al., 17 Apr 2025)
ATT&CK-based cyber operations Resource allocation mapped to attack progression (Outkin et al., 2021)
Physical-layer wireless security Non-reciprocal RIS link as secret defensive channel D-RIS (Chen-Hu et al., 2024)
Vision-LLM security Defense-styled cues used to strengthen jailbreaks (Zhao et al., 16 Sep 2025)

2. Multi-agent target defense and interception games

In IDCAIS, the environment is a 2D workspace WW containing a circular protected area PP with center rpr_p and radius ρp\rho_p, where

P={rR2rrpρp}.P = \{ r \in \mathbb{R}^2 \mid \|r - r_p\| \le \rho_p \}.

There are NaN_a attackers and NdN_d defenders with NdNaN_d \ge N_a, each modeled as discs, and each agent evolves under damped double-integrator dynamics with bounded acceleration and linear drag CD>0C_D>0. Defenders are assumed at least as fast as attackers, capture occurs when rdj(t)rai(t)ρdint\|r_{dj}(t)-r_{ai}(t)\| \le \rho_d^{int}, and inter-defender collision occurs if PP0 (Chipade et al., 2021).

The framework combines three layers: one-vs-one time-optimal guidance, a mixed-integer quadratic program for collision-aware defender-to-attacker assignment, and ECBF-based quadratic programs that minimally perturb time-optimal controls to guarantee online defender safety. The time-optimal control under damped double-integrator dynamics is constant in direction, with

PP1

and the associated trajectory coefficients

PP2

The attacker’s worst-for-defender strategy is minimum-time motion to the protected area, while the defender solves a minimum-time interception problem in relative coordinates. The resulting interception time PP3 is treated as a robust metric because if the attacker starts in the defender’s winning region PP4, then time-optimal play leads to interception before reaching PP5, and time-sub-optimal attacker behavior does not help because PP6 is forward invariant (Chipade et al., 2021).

Assignment is then solved via the collision-aware defender-to-attacker assignment MIQP. Binary variables PP7 encode matching, the interception cost uses a winning-region filter with a large penalty PP8 for non-interceptable pairings, and predicted inter-defender collision risk is penalized by

PP9

The weight rpr_p0 trades interception time against collision risk, and the MIQP is solved using Gurobi. Since the problem is NP-hard in the number of binary variables rpr_p1, the paper introduces a trajectory-bounding heuristic using rpr_p2 and rpr_p3, reporting about rpr_p4 average speed-up, for example rpr_p5 vs rpr_p6 s for rpr_p7 and rpr_p8 vs rpr_p9 s for ρp\rho_p0 (Chipade et al., 2021).

Safety is enforced through Exponential Control Barrier Functions. For each defender pair, the safety function is

ρp\rho_p1

and forward invariance of the safe set is imposed by

ρp\rho_p2

At each time step, the control correction ρp\rho_p3 minimizes ρp\rho_p4 subject to ECBF constraints and input bounds, yielding a minimal safety augmentation of the time-optimal controls. The guarantees require ρp\rho_p5, ρp\rho_p6, and suitable ρp\rho_p7; a rare measure-zero set ρp\rho_p8 is identified as a “deadlock” boundary case (Chipade et al., 2021).

The simulation study illustrates both the strengths and limits of this formulation. MATLAB experiments use ρp\rho_p9, P={rR2rrpρp}.P = \{ r \in \mathbb{R}^2 \mid \|r - r_p\| \le \rho_p \}.0 m/s, P={rR2rrpρp}.P = \{ r \in \mathbb{R}^2 \mid \|r - r_p\| \le \rho_p \}.1 m/s, P={rR2rrpρp}.P = \{ r \in \mathbb{R}^2 \mid \|r - r_p\| \le \rho_p \}.2 m, P={rR2rrpρp}.P = \{ r \in \mathbb{R}^2 \mid \|r - r_p\| \le \rho_p \}.3 m, P={rR2rrpρp}.P = \{ r \in \mathbb{R}^2 \mid \|r - r_p\| \le \rho_p \}.4 m, P={rR2rrpρp}.P = \{ r \in \mathbb{R}^2 \mid \|r - r_p\| \le \rho_p \}.5, P={rR2rrpρp}.P = \{ r \in \mathbb{R}^2 \mid \|r - r_p\| \le \rho_p \}.6 m, and P={rR2rrpρp}.P = \{ r \in \mathbb{R}^2 \mid \|r - r_p\| \le \rho_p \}.7. CADAA avoids predicted collision under collision-unaware assignment in some 2D-vs-2A scenarios, delays inevitable collision in others, and, when paired with ECBF-QCQP, can preserve inter-defender safety while still capturing attackers. It can also sacrifice capture to maintain safety, as shown in scenarios where one attacker reaches P={rR2rrpρp}.P = \{ r \in \mathbb{R}^2 \mid \|r - r_p\| \le \rho_p \}.8 after ECBF-induced delay. Across 20 randomized 2D-vs-2A scenarios, the CADAA success rate P={rR2rrpρp}.P = \{ r \in \mathbb{R}^2 \mid \|r - r_p\| \le \rho_p \}.9 averages NaN_a0 (Chipade et al., 2021).

The sequential target-defense differential games extend the same defense–attack coupling into geometric environments. In the conical single-defender problem, attackers appear one at a time at the boundary of a target sensing region, move radially until they sense the defender, and then choose among breach, evasion, or a capture point that minimizes future defender effectiveness. The defender maximizes the expected capture fraction

NaN_a1

using an engagement policy constrained by guard and no-escape inequalities, Apollonius-circle geometry, and a Stackelberg max-min problem over feasible engagement configurations and capture points (Pourghorban et al., 16 Sep 2025). In the turret–mobile-defender game, the protected target is a unit disk centered at a stationary turn-constrained turret, the objective is the terminal safety margin NaN_a2, and the solution partitions team-winning play into solo capture by the defender, solo capture by the turret, and simultaneous capture at the intersection of the defender’s Apollonius circle and the turret’s alignment-time boundary (Moll et al., 11 Sep 2025).

3. Attack-conditioned machine-learning intrusion defense

AMDS defines Defense2Attack as a defense explicitly conditioned on attack characteristics. The system first profiles attack signatures across multiple detection signals and then adapts its detection and classification at inference time based on an inferred attack family. It considers two threat-model families relevant to network intrusion detection: gradient-based evasion and distribution-shift manipulations. The seven evaluated attacks are FGSM, PGD-NaN_a3, PGD-NaN_a4, CW-NaN_a5, SPSA, Injection, and Morphing (Olukola et al., 1 Mar 2026).

The three integrated signals are ensemble disagreement, predictive uncertainty, and distributional anomaly. With NaN_a6 ensemble members and NaN_a7 classes, disagreement is

NaN_a8

predictive uncertainty is the Shannon entropy of the ensemble average

NaN_a9

and anomaly is the Mahalanobis distance

NdN_d0

computed in the standardized feature space. The normalized signals are combined by an attack-conditioned weighted sum

NdN_d1

with NdN_d2 and NdN_d3 (Olukola et al., 1 Mar 2026).

The weight-learning mechanism is a constrained black-box optimization over the simplex maximizing ROC-AUC,

NdN_d4

implemented with SciPy SLSQP on validation splits. Stage 1 learns generic, attack-specific, and category-level weights. Stage 2 performs runtime adaptation: the system computes the three signals, evaluates a generic detector, infers the category by the fixed anomaly threshold NdN_d5, refines the detector with the category-level weights, and declares an attack if the refined score exceeds NdN_d6, tuned to NdN_d7 false positive rate on validation (Olukola et al., 1 Mar 2026).

AMDS also includes attack-adaptive ensemble weighting after detection. For category NdN_d8, member NdN_d9 receives weight

NdNaN_d \ge N_a0

and the final class prediction is

NdNaN_d \ge N_a1

The classifier pool is deliberately diverse: Decision Tree, Random Forest, XGBoost, LightGBM, Logistic Regression, and an MLP. Features are NdNaN_d \ge N_a2 standardized flow-level attributes from CSE-CIC-IDS2018, and a cascade router avoids computing Mahalanobis for most benign samples by gating on confidence and disagreement (Olukola et al., 1 Mar 2026).

Empirically, attack signatures are heterogeneous. Gradient attacks are disagreement-dominant, with average NdNaN_d \ge N_a3 across FGSM, PGD-NdNaN_d \ge N_a4, CW-NdNaN_d \ge N_a5, and SPSA, and AUCs NdNaN_d \ge N_a6–NdNaN_d \ge N_a7 for attack-specific detectors. Morphing is anomaly-dominant with NdNaN_d \ge N_a8 and AUC NdNaN_d \ge N_a9, while Injection is entropy-dominant with CD>0C_D>00 and AUC CD>0C_D>01 (Olukola et al., 1 Mar 2026). On CSE-CIC-IDS2018, two-stage detection achieves CD>0C_D>02 average ROC-AUC across the seven attacks, improving CD>0C_D>03 AUC points over generic-only and CD>0C_D>04 points over attack-specific-only. End-to-end, the method reports overall accuracy CD>0C_D>05 versus CD>0C_D>06 for adversarially trained ensembles, and F1 CD>0C_D>07 versus CD>0C_D>08. Under the evaluated adaptive white-box attacks, it appears to maintain CD>0C_D>09 accuracy with a rdj(t)rai(t)ρdint\|r_{dj}(t)-r_{ai}(t)\| \le \rho_d^{int}0 attack success rate, but the paper explicitly notes that this evaluation is limited to two adaptive variants and does not constitute a formal robustness guarantee (Olukola et al., 1 Mar 2026).

Dynamite addresses a related problem from a different angle: rather than learning weights over detection signals, it learns a selector over a defense pool. The setting is ML-based IDS for IoT and Industrial IoT networks, with six evasion attacks—FGSM, BIM, PGD, DeepFool, AutoPGD, and ZOO—at rdj(t)rai(t)ρdint\|r_{dj}(t)-r_{ai}(t)\| \le \rho_d^{int}1 (Chen et al., 17 Apr 2025). Nine defenses are instantiated as models or preprocessing pipelines: PGD Adversarial Training, Interpolated Adversarial Training, TRADES, Free Adversarial Training, Gaussian Augmenter, Defensive Distillation, RSLAD, Feature Squeezing, and Gaussian Noise (Chen et al., 17 Apr 2025).

Selector training uses adversarial datasets at rdj(t)rai(t)ρdint\|r_{dj}(t)-r_{ai}(t)\| \le \rho_d^{int}2 to build oracle labels from Macro F1. The defense objective is formalized as

rdj(t)rai(t)ρdint\|r_{dj}(t)-r_{ai}(t)\| \le \rho_d^{int}3

and the selector policy rdj(t)rai(t)ρdint\|r_{dj}(t)-r_{ai}(t)\| \le \rho_d^{int}4 is trained by supervised classification,

rdj(t)rai(t)ρdint\|r_{dj}(t)-r_{ai}(t)\| \le \rho_d^{int}5

At inference time, XGBoost predicts a defense ID rdj(t)rai(t)ρdint\|r_{dj}(t)-r_{ai}(t)\| \le \rho_d^{int}6, and the corresponding defended model rdj(t)rai(t)ρdint\|r_{dj}(t)-r_{ai}(t)\| \le \rho_d^{int}7 produces the IDS decision (Chen et al., 17 Apr 2025).

The principal empirical claim is that no single static defense dominates across attacks and intensities. On UNSW-NB15, averaged Macro F1 values are rdj(t)rai(t)ρdint\|r_{dj}(t)-r_{ai}(t)\| \le \rho_d^{int}8 for No Defense, rdj(t)rai(t)ρdint\|r_{dj}(t)-r_{ai}(t)\| \le \rho_d^{int}9 for Random, PP00 for Best-Static, PP01 for Dynamite, and PP02 for Oracle. On WUSTL-IIoT they are PP03, PP04, PP05, PP06, and PP07, respectively. Processing time per sample is PP08 ms for Oracle and PP09 ms for Dynamite on UNSW-NB15, and PP10 ms versus PP11 ms on WUSTL-IIoT, corresponding to computational reductions of PP12 and PP13 (Chen et al., 17 Apr 2025). This suggests a second major Defense2Attack pattern in ML security: attack adaptation can occur either at the signal level, as in AMDS, or at the defense-portfolio level, as in Dynamite.

4. ATT&CK-grounded defender policy evaluation and resource allocation

In the ATT&CK-based defender-policy framework, Defense2Attack means quantifying how defender resource allocation and policies translate into changes in an adversary’s multi-step attack progress, success probabilities, and timing using empirical parameters derived from MITRE ATT&CK Evaluations data (Outkin et al., 2021). The modeled attack is an indefinite stream of campaigns, each comprising multiple attack steps with uncertain durations. Defender resources are continuously allocated to sensing, detection, assessment, and “take moves,” and these allocations affect step-specific detection probabilities PP14 and, in the general case, time-to-success distributions PP15 (Outkin et al., 2021).

The paper maps a simplified APT3 campaign into GPLADD success conditions PP16, from Start to Ready, where Ready denotes at least one RTU found. Detection capabilities are derived from ATT&CK Evaluations categories Blue 0, Blue 1, and Blue 2, corresponding to IOC detections only, IOC plus Specific Alert, and IOC plus Specific plus General Alert. Step detection probabilities are computed from vendor fractions in the Evaluations, taking ceilings across sub-steps and applicable categories (Outkin et al., 2021).

The attacker–defender interaction is approximated as a discrete-time Markov chain. In Method 1, with time step PP17,

PP18

PP19

In the Evaluations-consistent Method 2, there is no “stay” probability: PP20 At Ready,

PP21

The stationary distribution PP22 satisfies PP23, and the key long-run metric is the Ready residence time PP24, interpreted as the fraction of time the attacker spends in Ready over an indefinite horizon (Outkin et al., 2021).

The same Markov representation supports first-passage analysis. By making PP25 absorbing, the paper uses the standard absorbing-chain matrix

PP26

with absorption probabilities PP27 and expected time to absorption PP28. For a linear chain without “stay,” the probability of undetected success in exactly nine steps is

PP29

reported as “small (PP30)” in the literature/SME-parameterized example (Outkin et al., 2021).

Defender optimization is formulated over allocations PP31 subject to a budget, with example monotone-concave detection model

PP32

Two natural objectives are minimizing Ready residence time PP33 and maximizing expected time to Ready or minimizing success probability over a horizon. The paper emphasizes policy evaluation and sensitivity-guided improvement rather than a fully developed MDP solution, but it explicitly notes that PP34 and PP35 are differentiable with respect to PP36 under standard regularity (Outkin et al., 2021).

The case study shows that distributed investment across the chain is superior to concentrating only on the final step. For B0 (Evaluation B20), PP37; for B1 (B21), PP38; for B2 (B22), PP39. First-passage distributions show approximately PP40 rapid success in B20, reduced to approximately PP41 in B21 and approximately PP42 in B22. A cross-scenario comparison between B12 and B22 further shows that stronger detection at Ready alone is not sufficient: despite PP43 in B12 versus PP44 in B22, rapid success remains approximately PP45 in B12 and approximately PP46 in B22 because B22 allocates disruption more effectively across earlier steps (Outkin et al., 2021).

This work clarifies an important misconception. Defense2Attack in this setting is not attack generation or attack-specific model selection; it is the quantitative propagation of defensive choices through a stochastic attack graph. A plausible implication is that the term can denote a policy-analysis methodology as much as an operational controller.

5. Physical-layer and embodied security formulations

The D-RIS work studies a RIS-In-The-Middle attack, where an adversary uses a reconfigurable intelligent surface to create a higher-quality alternative path between a legitimate BS and UE, enabling both eavesdropping and false data injection (Chen-Hu et al., 2024). The defensive response is a passive UPA controlled by the BS that creates a non-reciprocal cascaded channel through a common dynamic phase applied to all RIS elements. The D-RIS channel is

PP47

with phase scheduling

PP48

so that

PP49

This non-reciprocity makes the DL and UL CSIs secret, pairwise keys that are embedded by precoding and verified by receive combining (Chen-Hu et al., 2024).

In the interference-free case, the MRT-variant precoders are

PP50

and the receivers apply phase-only combining,

PP51

An adversary observing only a reciprocal path cannot match both forward and backward keys, so it cannot reliably decode or inject valid symbols (Chen-Hu et al., 2024).

The channel-estimation procedure uses phase flipping at the D-RIS and three pilot stages PP52, PP53, and PP54, allowing both BS and UE to estimate the DL and UL CSIs without CSI feedback. The work then evaluates secrecy via achievable rates

PP55

and defines reciprocal and non-reciprocal secrecy rates

PP56

with PP57. False-data detectability is analyzed through

PP58

and

PP59

The evaluation uses 3GPP TR 38.901 factory NLOS channels, PP60 OFDM symbols, PP61 subcarriers, PP62, PP63, and transmit power PP64 dBm. The paper reports that the non-reciprocal design yields higher secrecy than reciprocal baselines and can reduce false-data detection probability by up to an order of magnitude, especially when PP65 is large (Chen-Hu et al., 2024).

The conical and turret-based target-defense papers belong to the same broader category of embodied Defense2Attack formulations, though they operate in pursuit–evasion geometry rather than wireless channels. In the conical environment, the defender faces a sequence of attackers with limited-range sensing radius PP66, and the core construct is the Apollonius circle at first mutual detection,

PP67

with

PP68

Breaches, evasions, and captures are classified by the intersection of this circle with the target region or the target sensing region. Monte Carlo experiments with PP69, PP70, PP71, PP72, and PP73 show empirical capture percentage converging near PP74 at PP75, bracketed by a lower bound PP76 and upper bound PP77 (Pourghorban et al., 16 Sep 2025).

In the turret–defender problem, the target is a unit disk centered at a stationary turn-constrained turret, the defender has speed PP78, the attacker has speed PP79, and PP80 and PP81, where PP82 is the turret’s maximum turn rate. The attacker–defender dominance region is an Apollonius circle with

PP83

while the attacker–turret dominance region is

PP84

The terminal outcome is determined by whether the closest defender capture point PP85 lies in PP86, whether the turret capture point PP87 lies in PP88, or whether simultaneous capture occurs at the closest point of PP89. The game value is the maximin safety margin PP90 (Moll et al., 11 Sep 2025).

6. Defense patterns repurposed as attack mechanisms

The vision-LLM jailbreak paper introduces the most literal use of “Defense-to-Attack”: bypassing weak defenses enables stronger jailbreaks in VLMs (Zhao et al., 16 Sep 2025). Its central observation is that incorporating weak defense into the attack pipeline can significantly enhance both effectiveness and efficiency. The method constructs a bimodal single-shot jailbreak from three components: a visual optimizer that embeds universal adversarial perturbations with affirmative and encouraging semantics, a textual optimizer that rewrites prompts in a defense-styled form, and a red-team suffix generator trained by reinforcement fine-tuning (Zhao et al., 16 Sep 2025).

The overall white-box objective is

PP91

The visual optimization maximizes the likelihood of a corpus PP92 of positive and encouraging sentences under an PP93 constraint,

PP94

and is solved with PGD for PP95 steps using PP96. The textual optimizer uses GPT-4o and a defense-styled template containing phrases such as “help models more effectively identify and reject inputs that contain hidden harmful, unethical, or security-sensitive intentions,” thereby creating what the paper describes as a deceptive safety context (Zhao et al., 16 Sep 2025).

The suffix generator is a GPT-2 policy trained by PPO with a fixed suffix length of PP97 tokens. With binary reward PP98 from a GPT-4o judge, the objective is

PP99

Training uses batch size rpr_p00 and typically continues for approximately rpr_p01 epochs until expected score exceeds rpr_p02 (Zhao et al., 16 Sep 2025).

Evaluation covers LLaVA-v1.5-7B, MiniGPT-4, InstructionBLIP, and transfer to Gemini-1.5-flash, on AdvBench, MM-SafetyBench, RedTeam-2K, and Harmful-Instructions. On MM-SafetyBench, single-shot attack success rates are rpr_p03, rpr_p04, and rpr_p05 on LLaVA, MiniGPT-4, and InstructionBLIP, compared with BAP values rpr_p06, rpr_p07, and rpr_p08. On AdvBench the corresponding results are rpr_p09, rpr_p10, and rpr_p11, and on Harmful-Instructions rpr_p12, rpr_p13, and rpr_p14. Transfer to Gemini reaches rpr_p15–rpr_p16 on MM-SafetyBench, rpr_p17–rpr_p18 on Harmful-Instructions, and rpr_p19–rpr_p20 on AdvBench, while Vanilla is reported near rpr_p21–rpr_p22 depending on the benchmark (Zhao et al., 16 Sep 2025).

This usage creates an important controversy in the semantics of Defense2Attack. In the cyber defense, control, and wireless papers, the phrase denotes defenses that adapt to or model attacks. In the VLM paper, it denotes attack construction from defense cues. The distinction is substantive rather than terminological. The paper’s own limitations underscore this: UAP generation requires white-box access to open-source VLM weights, binary reward depends on a GPT-4o judge, and the optimization cost of rpr_p23-step PGD plus approximately rpr_p24 PPO epochs is nontrivial (Zhao et al., 16 Sep 2025).

7. Common principles, limitations, and interpretive cautions

Despite domain heterogeneity, several common principles recur. First, attack structure is made explicit. IDCAIS predicts attacker time-optimal motion and collision risk before assignment (Chipade et al., 2021). AMDS profiles attack families in terms of disagreement, entropy, and anomaly (Olukola et al., 1 Mar 2026). Dynamite learns from empirical performance matrices over attacks and rpr_p25-levels (Chen et al., 17 Apr 2025). The ATT&CK framework decomposes campaigns into mapped steps with empirical detection probabilities (Outkin et al., 2021). D-RIS models the adversary as a reciprocal-channel estimator and false-data injector (Chen-Hu et al., 2024). The conical and turret games encode attacker sensing, speed ratio, and geometric reachability directly in equilibrium construction (Pourghorban et al., 16 Sep 2025, Moll et al., 11 Sep 2025).

Second, most formulations involve explicit trade-offs rather than unconditional guarantees. In IDCAIS, ECBF safety can delay capture enough for an attacker to reach the protected area (Chipade et al., 2021). In AMDS, adaptive white-box evaluation is limited to two variants and does not provide formal robustness guarantees, while cross-dataset results on UNSW-NB15 show that high dimensionality and weak base competence can collapse margins (Olukola et al., 1 Mar 2026). In Dynamite, selector errors create a measurable gap to Oracle, reported as rpr_p26 on UNSW and rpr_p27 on WUSTL (Chen et al., 17 Apr 2025). In the ATT&CK Markov model, independence assumptions, stationarity, and Markov approximation may fail in nonstationary campaigns (Outkin et al., 2021). In D-RIS, long coherence time, fixed positions, protected control signaling, and adequate phase resolution are critical assumptions (Chen-Hu et al., 2024). The VLM jailbreak paper explicitly frames its adaptive success as empirical rather than universal and notes the absence of a public code repository link (Zhao et al., 16 Sep 2025).

Third, several works distinguish between generic defense and attack-conditioned defense. AMDS reports that two-stage adaptive detection at rpr_p28 average ROC-AUC outperforms both generic-only and attack-specific-only detectors (Olukola et al., 1 Mar 2026). Dynamite shows that per-sample defense routing can approach Oracle performance while remaining far cheaper computationally (Chen et al., 17 Apr 2025). The ATT&CK framework shows that focusing only on Ready detection can be dominated by distributed resource allocation across earlier attack steps (Outkin et al., 2021). This suggests that one of the central research meanings of Defense2Attack is not merely “defend against attacks,” but “structure the defense using explicit attack heterogeneity.”

A final caution concerns terminology. The collected literature does not support a single universal definition of Defense2Attack. In some papers it is a framework name or descriptive label for attack-aware defense, in others a methodological viewpoint, and in one case an attack strategy that leverages defensive patterns. The most stable interpretation is therefore a family resemblance: defense and attack are modeled jointly, and the defense logic is driven by attack structure, whether for protection, evaluation, or, in the jailbreaking setting, exploitation (Chipade et al., 2021, Olukola et al., 1 Mar 2026, Zhao et al., 16 Sep 2025).

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Defense2Attack.