DIBA: Divergence-in-Behavior Attack

Updated 25 November 2025

DIBA is a family of adversarial attacks that creates minimal input perturbations to induce significant behavioral divergence between paired neural networks.
It employs both whitebox gradient-based methods like PGD and blackbox differential-search techniques to optimize output discrepancies under strict perturbation limits.
Experimental results demonstrate that DIBA outperforms traditional attacks in evading edge models and enabling high-precision membership inference in RLVR-tuned LLMs.

Divergence-in-Behavior Attack (DIBA) denotes a family of adversarial approaches that target discrepancies in model outputs between two neural networks, rather than a single model. The general strategy is to construct inputs where two models—typically a full-precision reference and its deployed, adapted counterpart—exhibit maximally divergent behavior within a small perturbation budget. This paradigm directly exploits non-robust alignment between model pairs, undermining security assumptions in deployment settings ranging from edge-adapted classification to privacy analytics in RLVR-tuned LLMs (Hao et al., 2022, Juúnior et al., 2020, Liu et al., 18 Nov 2025).

1. Formal Definitions of Divergence-in-Behavior Attacks

DIBA is defined in multi-model settings, where an adversarial input is synthesized to induce differing behavioral responses between two neural networks $f$ and $g$ , both mapping $\mathbb{R}^d \to [0,1]^k$ over the same label set:

Let $x \in \mathbb{R}^d$ be the clean input with ground truth $y$ .
A DIBA adversarial example $x' = x + \delta$ $x^{'} = x + δ$ satisfies:
1. $\lVert \delta \rVert_p \leq \epsilon$ (imperceptibility constraint)
2. Outputs $f(x')$ and $g(x')$ diverge by top-1 prediction or output probability.

In the most widely studied variant for edge models, the DIVA attack maximizes the loss

$L_{\text{DIVA}}(x+\delta; \theta_{\text{orig}}, \theta_{\rm edge}, y ) = f(x+\delta)_y - c \cdot g(x+\delta)_y,$

where $c$ is a loss trade-off parameter, $f$ is the original model, and $g$ is the edge-adapted model (Hao et al., 2022). DIBA has also been generalized to black-box settings by explicitly optimizing for $L_1$ divergence over softmax outputs (Juúnior et al., 2020), and for membership inference in reinforcement learning via behavioral and logit-space axes (Liu et al., 18 Nov 2025).

2. Algorithmic Approaches and Optimization

Two principal DIBA instantiations exist: whitebox/joint-gradient and blackbox/differential-search.

Gradient-based DIVA (Whitebox): Implements Projected Gradient Descent (PGD) on $L_{\text{DIVA}}$ with sign-step updates and clip projection:

$\delta^{(t+1)} = \operatorname{Proj}_{\lVert \cdot \rVert_\infty \leq \epsilon}\left( \delta^{(t)} + \alpha\,\mathrm{sign}(\nabla_\delta L_{\text{DIVA}}(x+\delta^{(t)})) \right).$

Standard parameters are $\epsilon=8/255$ , $\alpha=1/255$ , $T=20$ steps (Hao et al., 2022).

DAEGEN (Blackbox, Hill-Climbing): Iteratively perturbs an input $x$ using random-pixel mutations, scoring candidates by

$\Omega(x, z) = \Vert f_1(z) - f_2(z) \Vert_1 - c\Vert z - x \Vert_2,$

and accepts improvements until a DIAE (difference-inducing adversarial example) is found: $\arg\max_t f_1(z)_t \neq \arg\max_t f_2(z)_t$ (Juúnior et al., 2020).

Behavioral DIBA for Membership Inference: Scores prompts by behavioral shifts—reward improvement (advantage) and per-token KL divergence—between a pre-fine-tuned base policy $\pi_{\rm ref}$ and a post-fine-tuned RLVR policy $\pi_\theta$ , detecting training set membership via a learned classifier over feature vectors (Liu et al., 18 Nov 2025).

The table summarizes core technical settings:

Variant	Optimization	Model Access
DIVA (Edge Models)	Joint PGD, $L_{\rm DIVA}$	Whitebox
DAEGEN (Blackbox)	Local Search, $\Omega$	API/query
RLVR-DIBA (Membership)	Statistical drift features	Greybox/proxy

3. Experimental Methodology and Results

DIBA methods have demonstrated strong performance across several experimental regimes.

Edge-Model Evasion (Hao et al., 2022): On ImageNet, DIVA achieves 92–97% joint evasive attack success (misclassification by $g$ , correctness by $f$ ) compared to 30–51% for PGD (whitebox). In semi-blackbox settings, DIVA yields 71–97% (via surrogate-based attacks), and remains superior to PGD in all access scenarios. PubFig face recognition shows 98% success (DIVA) vs. 43% (PGD).
Blackbox Differential Attacks (Juúnior et al., 2020): DAEGEN attains nearly perfect Differential Success Rate ( $\text{DSR}\sim 1.0$ ) across MNIST, Driving, and ImageNet, with query budgets $<1000$ and average $L_2$ perturbations competitive with whitebox methods. It is both faster and more broadly effective compared to DeepXplore, DLFuzz, SimBA, and TREMBA.
Membership Inference in RLVR (Liu et al., 18 Nov 2025): On mathematical reasoning benchmarks (MATH), DIBA achieves area under ROC curve (AUC) $0.71$-$0.83$ and true positive rate at $0.1\%$ FPR of $0.07$-$0.15$, outperforming all entropy/loss/likelihood baselines by an order of magnitude in the low false-positive regime. The combined behavioral (advantage) and logit-KL axes are critical for high-precision detection.

4. Theoretical Underpinnings and Vulnerability Analysis

The critical insight underlying DIBA is that edge adaptation (quantization, pruning) or RLVR-style policy fine-tuning induces subtle, non-uniform shifts in model boundaries or output distributions. Standard attacks (e.g., vanilla PGD) push inputs across both models’ boundaries, often failing to find regions of maximal disagreement. DIBA exploits the structural misalignment:

In edge adaptation, the decision boundaries of $f$ and $g$ deviate following quantization or pruning. DIVA maximizes the output divergence where $f$ remains confident, but $g$ ’s classification is altered.
In policy fine-tuned LLMs, RLVR shifts token selection probabilities and increases expected correctness only on trained prompts. DIBA extracts these behavioral fingerprints even in the absence of memorization or ground-truth reference.

Differential testing and model-pair optimization focuses the adversarial search onto the intersection of disagreement regions, which is substantially sparser than the union of both models’ vulnerabilities.

5. Comparison to Other Attack Classes and Historical Context

Traditionally, adversarial attacks have targeted single-model robustness. DIBA generalizes this to model pairs, being directly inspired by real-world deployment practices: full-precision models for server-side validation and low-resource adaptations for edge inference. Notably:

DIBA is distinct from classical whitebox and blackbox adversarial attacks in both objective (inter-model divergence vs. single-model misclassification) and practical impact (evasion of server-side checks).
DAEGEN is the first blackbox method to formalize and systematize behavioral divergence for adversarial input generation (Juúnior et al., 2020).
In the RLVR context, DIBA is the first attack framework to exploit behavioral signals (advantage, KL drift) for membership inference rather than output memorization (Liu et al., 18 Nov 2025).

Early whitebox differential methods (DeepXplore, DLFuzz) were less efficient and had lower success on high-dimensional vision tasks. Blackbox approaches (SimBA, TREMBA) adapted to multi-model settings underperform both in rate and efficiency versus DIBA-derived algorithms.

6. Limitations, Defenses, and Future Directions

Despite high success, DIBA exposes several new challenges and defensive requirements:

Robust joint training: Simultaneous adversarial training of $f$ and $g$ shrinks—but does not eliminate—the divergence region exploitable by DIBA (Hao et al., 2022).
Differential-behavior detection: Flagging or rejecting inputs with large $|f(x)_y - g(x)_y|$ may be effective but is not standard practice.
Randomized smoothing and certification: Certifying maximal divergence over $\ell_\infty$ -balls remains markedly more difficult in the multi-model scenario.
DP-based and adversarial defenses: Membership signals persist even under moderate KL regularization, local differential privacy to feature vectors, and output paraphrasing (Liu et al., 18 Nov 2025). Only complete learning suppression (no train-test reward gap) blocks inference, destroying model utility.
Algorithmic bottlenecks: Blackbox DIBA is still susceptible to local maxima in the input space. Scalability to multi-model or targeted divergence, and extension to other norms or perceptual metrics, remain open research topics (Juúnior et al., 2020).

7. Applications and Broader Impact

DIBA poses concrete security and privacy risks:

Edge AI deployment: Allows adversaries to abuse edge-specific vulnerabilities, subverting server-side validation by presenting inputs that only the adapted model will misclassify.
Privacy attacks in RL-finetuned LLMs: Enables reliable membership inference even without output memorization, by measuring improvement and distributional drift on the training set.
Vision-language and domain adaptation: Demonstrates transferability to multi-modal tasks, with detectable divergence in both visual and language outputs (Liu et al., 18 Nov 2025).

A plausible implication is that secure and privacy-preserving deployment of adapted models will require novel, provable mechanisms specifically mitigating divergence-in-behavior attacks at the pairwise or distributional level, rather than classical per-model adversarial defenses.

References:

"A Tale of Two Models: Constructing Evasive Attacks on Edge Models" (Hao et al., 2022)
"Generating Adversarial Inputs Using A Black-box Differential Technique" (Juúnior et al., 2020)
"GRPO Privacy Is at Risk: A Membership Inference Attack Against Reinforcement Learning With Verifiable Rewards" (Liu et al., 18 Nov 2025)