Defense2Attack: Adaptive Defense & Attack Modeling
- Defense2Attack is a framework where defensive strategies are explicitly conditioned on attacker behavior to enable dynamic adaptation.
- It integrates methodologies like collision-aware assignment, adaptive machine-learning signal weighting, and ATT&CK-based resource allocation.
- The approach highlights trade-offs between safety and performance, even leveraging defensive patterns to enhance adversarial attacks in some contexts.
Defense2Attack is a cross-domain research motif in which defensive structure is modeled explicitly with respect to attacker behavior, used to adapt defensive action to attack characteristics, or, in one adversarial reinterpretation, repurposed to strengthen attacks by exploiting defensive patterns. The term does not denote a single canonical algorithm. Instead, it spans multi-agent target defense, network intrusion detection, ATT&CK-grounded cyber policy evaluation, physical-layer wireless security, and multimodal model jailbreaking, with each literature instantiating the defense–attack coupling differently (Chipade et al., 2021, Olukola et al., 1 Mar 2026, Chen et al., 17 Apr 2025, Outkin et al., 2021, Chen-Hu et al., 2024, Zhao et al., 16 Sep 2025).
1. Defense2Attack as a cross-domain design pattern
Across the cited works, Defense2Attack consistently centers the attack model inside the defense logic rather than treating defense as attack-agnostic. In the multi-agent interception setting, IDCAIS is explicitly described as a Defense2Attack framework that couples time-optimal interception with collision-aware assignment and real-time safety augmentation against multiple attackers (Chipade et al., 2021). In machine-learning intrusion detection, AMDS defines Defense2Attack as defense explicitly conditioned on attack characteristics, learning how different attacks manifest across disagreement, uncertainty, and anomaly signals before adapting detection and classification decisions at inference time (Olukola et al., 1 Mar 2026). Dynamite operationalizes the same general principle as dynamic defense selection, learning a mapping from perturbed feature vectors to the defense that maximizes IDS performance (Chen et al., 17 Apr 2025).
In cyber campaign analysis, the ATT&CK-based Markov methodology uses defender resource allocation to quantify changes in an adversary’s multi-step progress, success probabilities, and timing, thereby turning defensive policy into an explicit model of attack progression (Outkin et al., 2021). In wireless communications, D-RIS constructs a non-reciprocal channel whose downlink and uplink CSIs act as pairwise secrets, so precoding and combining embed defensive structure directly into the adversary-facing channel (Chen-Hu et al., 2024). Differential-game formulations in conical environments and turret–defender target defense similarly encode attacker sensing, geometry, and equilibrium response into defender strategy computation (Pourghorban et al., 16 Sep 2025, Moll et al., 11 Sep 2025).
A notable exception is the vision-language jailbreaking paper titled “Defense-to-Attack,” where weak defense-styled cues are deliberately co-opted to increase attack effectiveness and efficiency. That paper reverses the usual meaning: defense patterns become steering signals for a jailbreak pipeline rather than safeguards against one (Zhao et al., 16 Sep 2025). This suggests that the phrase has both protective and adversarial uses in current literature.
| Domain | Defense2Attack instantiation | Representative work |
|---|---|---|
| Multi-agent interception | Collision-aware assignment plus ECBF safety | IDCAIS (Chipade et al., 2021) |
| Network intrusion detection | Attack-conditioned signal weighting | AMDS (Olukola et al., 1 Mar 2026) |
| ML-IDS defense orchestration | Per-sample defense selection | DYNAMITE (Chen et al., 17 Apr 2025) |
| ATT&CK-based cyber operations | Resource allocation mapped to attack progression | (Outkin et al., 2021) |
| Physical-layer wireless security | Non-reciprocal RIS link as secret defensive channel | D-RIS (Chen-Hu et al., 2024) |
| Vision-LLM security | Defense-styled cues used to strengthen jailbreaks | (Zhao et al., 16 Sep 2025) |
2. Multi-agent target defense and interception games
In IDCAIS, the environment is a 2D workspace containing a circular protected area with center and radius , where
There are attackers and defenders with , each modeled as discs, and each agent evolves under damped double-integrator dynamics with bounded acceleration and linear drag . Defenders are assumed at least as fast as attackers, capture occurs when , and inter-defender collision occurs if 0 (Chipade et al., 2021).
The framework combines three layers: one-vs-one time-optimal guidance, a mixed-integer quadratic program for collision-aware defender-to-attacker assignment, and ECBF-based quadratic programs that minimally perturb time-optimal controls to guarantee online defender safety. The time-optimal control under damped double-integrator dynamics is constant in direction, with
1
and the associated trajectory coefficients
2
The attacker’s worst-for-defender strategy is minimum-time motion to the protected area, while the defender solves a minimum-time interception problem in relative coordinates. The resulting interception time 3 is treated as a robust metric because if the attacker starts in the defender’s winning region 4, then time-optimal play leads to interception before reaching 5, and time-sub-optimal attacker behavior does not help because 6 is forward invariant (Chipade et al., 2021).
Assignment is then solved via the collision-aware defender-to-attacker assignment MIQP. Binary variables 7 encode matching, the interception cost uses a winning-region filter with a large penalty 8 for non-interceptable pairings, and predicted inter-defender collision risk is penalized by
9
The weight 0 trades interception time against collision risk, and the MIQP is solved using Gurobi. Since the problem is NP-hard in the number of binary variables 1, the paper introduces a trajectory-bounding heuristic using 2 and 3, reporting about 4 average speed-up, for example 5 vs 6 s for 7 and 8 vs 9 s for 0 (Chipade et al., 2021).
Safety is enforced through Exponential Control Barrier Functions. For each defender pair, the safety function is
1
and forward invariance of the safe set is imposed by
2
At each time step, the control correction 3 minimizes 4 subject to ECBF constraints and input bounds, yielding a minimal safety augmentation of the time-optimal controls. The guarantees require 5, 6, and suitable 7; a rare measure-zero set 8 is identified as a “deadlock” boundary case (Chipade et al., 2021).
The simulation study illustrates both the strengths and limits of this formulation. MATLAB experiments use 9, 0 m/s, 1 m/s, 2 m, 3 m, 4 m, 5, 6 m, and 7. CADAA avoids predicted collision under collision-unaware assignment in some 2D-vs-2A scenarios, delays inevitable collision in others, and, when paired with ECBF-QCQP, can preserve inter-defender safety while still capturing attackers. It can also sacrifice capture to maintain safety, as shown in scenarios where one attacker reaches 8 after ECBF-induced delay. Across 20 randomized 2D-vs-2A scenarios, the CADAA success rate 9 averages 0 (Chipade et al., 2021).
The sequential target-defense differential games extend the same defense–attack coupling into geometric environments. In the conical single-defender problem, attackers appear one at a time at the boundary of a target sensing region, move radially until they sense the defender, and then choose among breach, evasion, or a capture point that minimizes future defender effectiveness. The defender maximizes the expected capture fraction
1
using an engagement policy constrained by guard and no-escape inequalities, Apollonius-circle geometry, and a Stackelberg max-min problem over feasible engagement configurations and capture points (Pourghorban et al., 16 Sep 2025). In the turret–mobile-defender game, the protected target is a unit disk centered at a stationary turn-constrained turret, the objective is the terminal safety margin 2, and the solution partitions team-winning play into solo capture by the defender, solo capture by the turret, and simultaneous capture at the intersection of the defender’s Apollonius circle and the turret’s alignment-time boundary (Moll et al., 11 Sep 2025).
3. Attack-conditioned machine-learning intrusion defense
AMDS defines Defense2Attack as a defense explicitly conditioned on attack characteristics. The system first profiles attack signatures across multiple detection signals and then adapts its detection and classification at inference time based on an inferred attack family. It considers two threat-model families relevant to network intrusion detection: gradient-based evasion and distribution-shift manipulations. The seven evaluated attacks are FGSM, PGD-3, PGD-4, CW-5, SPSA, Injection, and Morphing (Olukola et al., 1 Mar 2026).
The three integrated signals are ensemble disagreement, predictive uncertainty, and distributional anomaly. With 6 ensemble members and 7 classes, disagreement is
8
predictive uncertainty is the Shannon entropy of the ensemble average
9
and anomaly is the Mahalanobis distance
0
computed in the standardized feature space. The normalized signals are combined by an attack-conditioned weighted sum
1
with 2 and 3 (Olukola et al., 1 Mar 2026).
The weight-learning mechanism is a constrained black-box optimization over the simplex maximizing ROC-AUC,
4
implemented with SciPy SLSQP on validation splits. Stage 1 learns generic, attack-specific, and category-level weights. Stage 2 performs runtime adaptation: the system computes the three signals, evaluates a generic detector, infers the category by the fixed anomaly threshold 5, refines the detector with the category-level weights, and declares an attack if the refined score exceeds 6, tuned to 7 false positive rate on validation (Olukola et al., 1 Mar 2026).
AMDS also includes attack-adaptive ensemble weighting after detection. For category 8, member 9 receives weight
0
and the final class prediction is
1
The classifier pool is deliberately diverse: Decision Tree, Random Forest, XGBoost, LightGBM, Logistic Regression, and an MLP. Features are 2 standardized flow-level attributes from CSE-CIC-IDS2018, and a cascade router avoids computing Mahalanobis for most benign samples by gating on confidence and disagreement (Olukola et al., 1 Mar 2026).
Empirically, attack signatures are heterogeneous. Gradient attacks are disagreement-dominant, with average 3 across FGSM, PGD-4, CW-5, and SPSA, and AUCs 6–7 for attack-specific detectors. Morphing is anomaly-dominant with 8 and AUC 9, while Injection is entropy-dominant with 0 and AUC 1 (Olukola et al., 1 Mar 2026). On CSE-CIC-IDS2018, two-stage detection achieves 2 average ROC-AUC across the seven attacks, improving 3 AUC points over generic-only and 4 points over attack-specific-only. End-to-end, the method reports overall accuracy 5 versus 6 for adversarially trained ensembles, and F1 7 versus 8. Under the evaluated adaptive white-box attacks, it appears to maintain 9 accuracy with a 0 attack success rate, but the paper explicitly notes that this evaluation is limited to two adaptive variants and does not constitute a formal robustness guarantee (Olukola et al., 1 Mar 2026).
Dynamite addresses a related problem from a different angle: rather than learning weights over detection signals, it learns a selector over a defense pool. The setting is ML-based IDS for IoT and Industrial IoT networks, with six evasion attacks—FGSM, BIM, PGD, DeepFool, AutoPGD, and ZOO—at 1 (Chen et al., 17 Apr 2025). Nine defenses are instantiated as models or preprocessing pipelines: PGD Adversarial Training, Interpolated Adversarial Training, TRADES, Free Adversarial Training, Gaussian Augmenter, Defensive Distillation, RSLAD, Feature Squeezing, and Gaussian Noise (Chen et al., 17 Apr 2025).
Selector training uses adversarial datasets at 2 to build oracle labels from Macro F1. The defense objective is formalized as
3
and the selector policy 4 is trained by supervised classification,
5
At inference time, XGBoost predicts a defense ID 6, and the corresponding defended model 7 produces the IDS decision (Chen et al., 17 Apr 2025).
The principal empirical claim is that no single static defense dominates across attacks and intensities. On UNSW-NB15, averaged Macro F1 values are 8 for No Defense, 9 for Random, 00 for Best-Static, 01 for Dynamite, and 02 for Oracle. On WUSTL-IIoT they are 03, 04, 05, 06, and 07, respectively. Processing time per sample is 08 ms for Oracle and 09 ms for Dynamite on UNSW-NB15, and 10 ms versus 11 ms on WUSTL-IIoT, corresponding to computational reductions of 12 and 13 (Chen et al., 17 Apr 2025). This suggests a second major Defense2Attack pattern in ML security: attack adaptation can occur either at the signal level, as in AMDS, or at the defense-portfolio level, as in Dynamite.
4. ATT&CK-grounded defender policy evaluation and resource allocation
In the ATT&CK-based defender-policy framework, Defense2Attack means quantifying how defender resource allocation and policies translate into changes in an adversary’s multi-step attack progress, success probabilities, and timing using empirical parameters derived from MITRE ATT&CK Evaluations data (Outkin et al., 2021). The modeled attack is an indefinite stream of campaigns, each comprising multiple attack steps with uncertain durations. Defender resources are continuously allocated to sensing, detection, assessment, and “take moves,” and these allocations affect step-specific detection probabilities 14 and, in the general case, time-to-success distributions 15 (Outkin et al., 2021).
The paper maps a simplified APT3 campaign into GPLADD success conditions 16, from Start to Ready, where Ready denotes at least one RTU found. Detection capabilities are derived from ATT&CK Evaluations categories Blue 0, Blue 1, and Blue 2, corresponding to IOC detections only, IOC plus Specific Alert, and IOC plus Specific plus General Alert. Step detection probabilities are computed from vendor fractions in the Evaluations, taking ceilings across sub-steps and applicable categories (Outkin et al., 2021).
The attacker–defender interaction is approximated as a discrete-time Markov chain. In Method 1, with time step 17,
18
19
In the Evaluations-consistent Method 2, there is no “stay” probability: 20 At Ready,
21
The stationary distribution 22 satisfies 23, and the key long-run metric is the Ready residence time 24, interpreted as the fraction of time the attacker spends in Ready over an indefinite horizon (Outkin et al., 2021).
The same Markov representation supports first-passage analysis. By making 25 absorbing, the paper uses the standard absorbing-chain matrix
26
with absorption probabilities 27 and expected time to absorption 28. For a linear chain without “stay,” the probability of undetected success in exactly nine steps is
29
reported as “small (30)” in the literature/SME-parameterized example (Outkin et al., 2021).
Defender optimization is formulated over allocations 31 subject to a budget, with example monotone-concave detection model
32
Two natural objectives are minimizing Ready residence time 33 and maximizing expected time to Ready or minimizing success probability over a horizon. The paper emphasizes policy evaluation and sensitivity-guided improvement rather than a fully developed MDP solution, but it explicitly notes that 34 and 35 are differentiable with respect to 36 under standard regularity (Outkin et al., 2021).
The case study shows that distributed investment across the chain is superior to concentrating only on the final step. For B0 (Evaluation B20), 37; for B1 (B21), 38; for B2 (B22), 39. First-passage distributions show approximately 40 rapid success in B20, reduced to approximately 41 in B21 and approximately 42 in B22. A cross-scenario comparison between B12 and B22 further shows that stronger detection at Ready alone is not sufficient: despite 43 in B12 versus 44 in B22, rapid success remains approximately 45 in B12 and approximately 46 in B22 because B22 allocates disruption more effectively across earlier steps (Outkin et al., 2021).
This work clarifies an important misconception. Defense2Attack in this setting is not attack generation or attack-specific model selection; it is the quantitative propagation of defensive choices through a stochastic attack graph. A plausible implication is that the term can denote a policy-analysis methodology as much as an operational controller.
5. Physical-layer and embodied security formulations
The D-RIS work studies a RIS-In-The-Middle attack, where an adversary uses a reconfigurable intelligent surface to create a higher-quality alternative path between a legitimate BS and UE, enabling both eavesdropping and false data injection (Chen-Hu et al., 2024). The defensive response is a passive UPA controlled by the BS that creates a non-reciprocal cascaded channel through a common dynamic phase applied to all RIS elements. The D-RIS channel is
47
with phase scheduling
48
so that
49
This non-reciprocity makes the DL and UL CSIs secret, pairwise keys that are embedded by precoding and verified by receive combining (Chen-Hu et al., 2024).
In the interference-free case, the MRT-variant precoders are
50
and the receivers apply phase-only combining,
51
An adversary observing only a reciprocal path cannot match both forward and backward keys, so it cannot reliably decode or inject valid symbols (Chen-Hu et al., 2024).
The channel-estimation procedure uses phase flipping at the D-RIS and three pilot stages 52, 53, and 54, allowing both BS and UE to estimate the DL and UL CSIs without CSI feedback. The work then evaluates secrecy via achievable rates
55
and defines reciprocal and non-reciprocal secrecy rates
56
with 57. False-data detectability is analyzed through
58
and
59
The evaluation uses 3GPP TR 38.901 factory NLOS channels, 60 OFDM symbols, 61 subcarriers, 62, 63, and transmit power 64 dBm. The paper reports that the non-reciprocal design yields higher secrecy than reciprocal baselines and can reduce false-data detection probability by up to an order of magnitude, especially when 65 is large (Chen-Hu et al., 2024).
The conical and turret-based target-defense papers belong to the same broader category of embodied Defense2Attack formulations, though they operate in pursuit–evasion geometry rather than wireless channels. In the conical environment, the defender faces a sequence of attackers with limited-range sensing radius 66, and the core construct is the Apollonius circle at first mutual detection,
67
with
68
Breaches, evasions, and captures are classified by the intersection of this circle with the target region or the target sensing region. Monte Carlo experiments with 69, 70, 71, 72, and 73 show empirical capture percentage converging near 74 at 75, bracketed by a lower bound 76 and upper bound 77 (Pourghorban et al., 16 Sep 2025).
In the turret–defender problem, the target is a unit disk centered at a stationary turn-constrained turret, the defender has speed 78, the attacker has speed 79, and 80 and 81, where 82 is the turret’s maximum turn rate. The attacker–defender dominance region is an Apollonius circle with
83
while the attacker–turret dominance region is
84
The terminal outcome is determined by whether the closest defender capture point 85 lies in 86, whether the turret capture point 87 lies in 88, or whether simultaneous capture occurs at the closest point of 89. The game value is the maximin safety margin 90 (Moll et al., 11 Sep 2025).
6. Defense patterns repurposed as attack mechanisms
The vision-LLM jailbreak paper introduces the most literal use of “Defense-to-Attack”: bypassing weak defenses enables stronger jailbreaks in VLMs (Zhao et al., 16 Sep 2025). Its central observation is that incorporating weak defense into the attack pipeline can significantly enhance both effectiveness and efficiency. The method constructs a bimodal single-shot jailbreak from three components: a visual optimizer that embeds universal adversarial perturbations with affirmative and encouraging semantics, a textual optimizer that rewrites prompts in a defense-styled form, and a red-team suffix generator trained by reinforcement fine-tuning (Zhao et al., 16 Sep 2025).
The overall white-box objective is
91
The visual optimization maximizes the likelihood of a corpus 92 of positive and encouraging sentences under an 93 constraint,
94
and is solved with PGD for 95 steps using 96. The textual optimizer uses GPT-4o and a defense-styled template containing phrases such as “help models more effectively identify and reject inputs that contain hidden harmful, unethical, or security-sensitive intentions,” thereby creating what the paper describes as a deceptive safety context (Zhao et al., 16 Sep 2025).
The suffix generator is a GPT-2 policy trained by PPO with a fixed suffix length of 97 tokens. With binary reward 98 from a GPT-4o judge, the objective is
99
Training uses batch size 00 and typically continues for approximately 01 epochs until expected score exceeds 02 (Zhao et al., 16 Sep 2025).
Evaluation covers LLaVA-v1.5-7B, MiniGPT-4, InstructionBLIP, and transfer to Gemini-1.5-flash, on AdvBench, MM-SafetyBench, RedTeam-2K, and Harmful-Instructions. On MM-SafetyBench, single-shot attack success rates are 03, 04, and 05 on LLaVA, MiniGPT-4, and InstructionBLIP, compared with BAP values 06, 07, and 08. On AdvBench the corresponding results are 09, 10, and 11, and on Harmful-Instructions 12, 13, and 14. Transfer to Gemini reaches 15–16 on MM-SafetyBench, 17–18 on Harmful-Instructions, and 19–20 on AdvBench, while Vanilla is reported near 21–22 depending on the benchmark (Zhao et al., 16 Sep 2025).
This usage creates an important controversy in the semantics of Defense2Attack. In the cyber defense, control, and wireless papers, the phrase denotes defenses that adapt to or model attacks. In the VLM paper, it denotes attack construction from defense cues. The distinction is substantive rather than terminological. The paper’s own limitations underscore this: UAP generation requires white-box access to open-source VLM weights, binary reward depends on a GPT-4o judge, and the optimization cost of 23-step PGD plus approximately 24 PPO epochs is nontrivial (Zhao et al., 16 Sep 2025).
7. Common principles, limitations, and interpretive cautions
Despite domain heterogeneity, several common principles recur. First, attack structure is made explicit. IDCAIS predicts attacker time-optimal motion and collision risk before assignment (Chipade et al., 2021). AMDS profiles attack families in terms of disagreement, entropy, and anomaly (Olukola et al., 1 Mar 2026). Dynamite learns from empirical performance matrices over attacks and 25-levels (Chen et al., 17 Apr 2025). The ATT&CK framework decomposes campaigns into mapped steps with empirical detection probabilities (Outkin et al., 2021). D-RIS models the adversary as a reciprocal-channel estimator and false-data injector (Chen-Hu et al., 2024). The conical and turret games encode attacker sensing, speed ratio, and geometric reachability directly in equilibrium construction (Pourghorban et al., 16 Sep 2025, Moll et al., 11 Sep 2025).
Second, most formulations involve explicit trade-offs rather than unconditional guarantees. In IDCAIS, ECBF safety can delay capture enough for an attacker to reach the protected area (Chipade et al., 2021). In AMDS, adaptive white-box evaluation is limited to two variants and does not provide formal robustness guarantees, while cross-dataset results on UNSW-NB15 show that high dimensionality and weak base competence can collapse margins (Olukola et al., 1 Mar 2026). In Dynamite, selector errors create a measurable gap to Oracle, reported as 26 on UNSW and 27 on WUSTL (Chen et al., 17 Apr 2025). In the ATT&CK Markov model, independence assumptions, stationarity, and Markov approximation may fail in nonstationary campaigns (Outkin et al., 2021). In D-RIS, long coherence time, fixed positions, protected control signaling, and adequate phase resolution are critical assumptions (Chen-Hu et al., 2024). The VLM jailbreak paper explicitly frames its adaptive success as empirical rather than universal and notes the absence of a public code repository link (Zhao et al., 16 Sep 2025).
Third, several works distinguish between generic defense and attack-conditioned defense. AMDS reports that two-stage adaptive detection at 28 average ROC-AUC outperforms both generic-only and attack-specific-only detectors (Olukola et al., 1 Mar 2026). Dynamite shows that per-sample defense routing can approach Oracle performance while remaining far cheaper computationally (Chen et al., 17 Apr 2025). The ATT&CK framework shows that focusing only on Ready detection can be dominated by distributed resource allocation across earlier attack steps (Outkin et al., 2021). This suggests that one of the central research meanings of Defense2Attack is not merely “defend against attacks,” but “structure the defense using explicit attack heterogeneity.”
A final caution concerns terminology. The collected literature does not support a single universal definition of Defense2Attack. In some papers it is a framework name or descriptive label for attack-aware defense, in others a methodological viewpoint, and in one case an attack strategy that leverages defensive patterns. The most stable interpretation is therefore a family resemblance: defense and attack are modeled jointly, and the defense logic is driven by attack structure, whether for protection, evaluation, or, in the jailbreaking setting, exploitation (Chipade et al., 2021, Olukola et al., 1 Mar 2026, Zhao et al., 16 Sep 2025).