Papers
Topics
Authors
Recent
Search
2000 character limit reached

Don't Fool Me Twice: Resilience & Adaptation

Updated 4 July 2026
  • Don't Fool Me Twice is a research objective focused on building systems that recognize and adapt to recurring deceptions across claim verification, robotics, and security protocols.
  • It employs diverse methodologies—from semantic ranking in fact-checking to event-driven continual learning in robotics—to ensure resilience against repeated adversarial inputs.
  • Evaluations report significant performance gains, such as improved MRR in misinformation detection and enhanced survival rates in embodied systems, demonstrating practical robustness.

“Don’t Fool Me Twice” names a recurring research objective: a system should not merely perform well once, but should also avoid being misled again by the same claim, explanation, perturbation, protocol failure, or environmental hazard. In contemporary work, the phrase appears explicitly in a continual-learning robotics framework that learns online from disturbances and attributes anomalous behaviours to causes through semantics (Ravie et al., 29 May 2026). Closely related work studies adversarially collected entailment data (Eisenschlos et al., 2021), retrieval of previously fact-checked claims (Shaar et al., 2020), over-reliance on persuasive explanations in clinical decision support (Kayser et al., 2024), and defenses against adversarial or out-of-distribution inputs (Hoang et al., 2023).

1. Problem formulations and recurring structure

A central formulation appears in claim verification. One task is defined as follows: given a check-worthy input claim and a set of verified claims, the goal is to rank the verified claims so that those that can help verify the input claim — or a sub-claim within it — are ranked above claims that are not helpful. The same work emphasizes that this is not duplicate detection, not paraphrase detection, not NLI/RTE, and not semantic textual similarity; the matching verified claim may be identical, a paraphrase, a normalized version of a claim, or a fact-check that covers a sub-claim embedded in a more complex input claim (Shaar et al., 2020).

A complementary formulation appears in robotics, where adversity is defined operationally rather than propositionally. The monitoring signal is

ν(t)={xobs(t)xref(t),(Trajectory Tracking Error) Tr(Σpose(t)),(State Estimation Uncertainty)\nu(t) = \begin{cases} \lVert \mathbf{x}_{\text{obs}(t)} - \mathbf{x}_{\text{ref}(t)} \rVert, & \text{(Trajectory Tracking Error)} \ \mathrm{Tr}\left(\mathbf{\Sigma}_{\text{pose}(t)}\right), & \text{(State Estimation Uncertainty)} \end{cases}

and the adverse-event flag is

a(t)=I(ν(t)>θ).a(t) = \mathbb{I}\left(\nu(t) > \theta\right).

Here the question is not whether two texts match, but whether a disturbance has caused measurable deviation from nominal behavior and whether the robot can later recognize and adapt to the same adversity mode (Ravie et al., 29 May 2026).

Taken together, these formulations suggest a shared structure. A first encounter produces evidence of failure or deception; a second encounter tests whether the system has acquired a representation that is semantically, operationally, or strategically rich enough to prevent repetition.

2. Shortcut-resistant benchmarks and evaluation integrity

In textual entailment, "Fool Me Twice: Entailment from Wikipedia Gamification" constructs the FoolMeTwice (FM2) dataset through a fun multi-player game. Players are first asked to write a plausible claim based on evidence from a Wikipedia page; another player then sees two plausible claims, one of which is false, and must identify it before the time runs out. Players “pay” to see clues retrieved from the evidence pool, and game-play between motivated players induces strategies such as temporal inference and diverting to unrelated evidence. The resulting dataset supports both entailment classification and evidence retrieval / selection, while reducing the number of examples that can be solved using “shortcuts” compared to other popular entailment datasets (Eisenschlos et al., 2021).

Evaluation itself can also be gamed. "Ten ways to fool the masses with machine learning" identifies recurrent failure modes in ML experimentation: use an uninformative or irrelevant accuracy metric, use an inappropriate model selection strategy, ignore that examples may not be independent, do not compare with a simple baseline classifier, compare against unoptimized or unfairly treated competitors, present the paper in a way that does not allow reproducibility, do not analyze sensitivity to data, hyperparameters, or randomness, use statistical tests even when assumptions are violated, do not analyze what the model is actually learning, and use buzzwords and pretty plots to whip readers into submission. The paper’s cross-validation example is especially pointed: initializing one model once and then training it across all folds can contaminate later test folds if the model retains state (Minhas et al., 2019).

A more direct attack on evaluation is the use of hypocritical examples: inputs that are originally misclassified yet perturbed to force correct predictions. The paper defines hypocritical risk as

Rhyp(fθ,D)=E(x,y)D[maxxxϵ1(fθ(x)=y)].\mathcal R_{\text{hyp}}(f_\theta,\mathcal D) = \mathbb E_{(x,y)\sim \mathcal D} \left[ \max_{\|x'-x\|\le \epsilon}\mathbf 1(f_\theta(x')= y) \right].

Its experiments show that many types of substandard models are vulnerable across multiple datasets; on CIFAR-10 with ResNet-18, Mislabeling, Poisoning, and Quality models can all be made to appear perfect on hypocritical examples, and even a randomly initialized MLP can achieve 99.56% accuracy on hypocritical examples while only getting 8.56% on clean data (Tao et al., 2020).

3. Previously fact-checked claims and repeated misinformation

The most literal operationalization of “don’t fool me twice” is the detection of whether a newly encountered claim has already been fact-checked. "That is a Known Lie: Detecting Previously Fact-Checked Claims" argues that viral claims often come back after a while in social media, and politicians like to repeat their favorite statements, true or false, over and over again. It introduces two datasets built from naturally occurring claims. The PolitiFact dataset uses claims from 2012–2019 political debates and speeches, with a verified claims pool of 16,636 claims and 768 annotated input–verified claim pairs, split into 614 for training and 154 for testing. The Snopes dataset contains 1,000 tweets, a verified claims pool of 10,396 claims, and a split of 800 for training and 200 for testing (Shaar et al., 2020).

The task is treated as ranking rather than binary classification, and the difficulty analysis is explicit. In a sample of 100 PolitiFact pairs, 48% were Type-2, meaning harder matches requiring semantic understanding. For PolitiFact, only 27% of pairs had TF-IDF cosine similarity above 0.25; for Snopes, 50% exceeded 0.25. The methods range from BM25 retrieval over Title, VerClaim, and Body fields, through sentence-BERT similarity, to a full-article neural matcher with architecture 20-relu-10-relu, and finally a pairwise RankSVM with an RBF kernel that combines BM25 scores, sentence-BERT similarity scores, and reciprocal ranks.

The strongest model is the reranker. On PolitiFact it reaches MRR = 0.608, improving over the best simple retrieval baseline; on Snopes it reaches MRR = 0.788. A practical implication is that repeated misinformation need not be re-verified from scratch if a ranking layer can surface a short list of likely prior fact-checks for rapid human review (Shaar et al., 2020).

4. Misleading explanations, adversarial perturbations, and authenticity cues

In clinical decision support, the risk is not only that an AI system may be wrong, but that an attached explanation may make the wrong advice look convincing. A large-scale user study with 85 clinical participants in human-AI collaborative chest X-ray analysis compared four interface conditions: no explanation, saliency map only, natural language explanation only, and combined saliency map + natural language explanation. Each participant went through 80 cases total, with 20 cases per condition, while the simulated AI operated at about 70% accuracy. The paper defines four explanation-quality regimes relative to AI correctness — Revealing, Confusing, Misleading, and Convincing — and finds that text-based explanations lead to significant over-reliance. Participants agreed with the AI 67.3% of the time when it was accompanied by an NLE, compared with 63.8% on average for the other explanation types. When explanation correctness aligns with AI correctness, the combined modality significantly outperforms no explanation by 6.3%, NLEs alone by 7.1%, and saliency maps alone by 4.5% (Kayser et al., 2024).

For NLP classifiers under query-based black-box attacks, "AdvFooler" adopts a different strategy: confuse the attacker rather than explicitly classify perturbed inputs. The defense randomizes latent representations at inference time,

z0=Emb(x),ϵN(0,νI),zi+1=hl(zi+ϵ),z_0 = Emb(x), \qquad \epsilon \sim \mathcal{N}(0,\nu I), \qquad z_{i+1} = h_l(z_i + \epsilon),

so that importance scores used by attacks such as TextBugger, TextFooler, and BERT-Attack become unstable. On AGNEWS and IMDB with BERT-base and RoBERTa-base, the method achieves strong robustness with small clean-accuracy loss and low inference overhead; on IMDB/BERT, runtime increases from 75 s to 77 s, i.e., +2.6% (Hoang et al., 2023).

Open-set perception poses a related problem: conventional segmentation networks often remain highly confident while wrong on unknown regions. "Fool Me Once: Robust Selective Segmentation via Out-of-Distribution Detection with Contrastive Learning" trains a shared encoder with a segmentation decoder and an OoD decoder, using ImageNet as an uncurated OoD source, a contrastive objective, and the DomainMix augmentation scheme. On the synthetic OoD detection task, OoDCon + DomainMix reaches 0.51 IoU, compared with 0.16 IoU for the baseline softmax uncertainty method. On WildDash, selective segmentation based on OoD prediction improves segmentation accuracy by about 0.2 IoU with respect to alternative techniques (Williams et al., 2021).

Audio deepfake detection adds an authenticity-detection variant of the same theme. MFAAN processes MFCC, LFCC, and Chroma-STFT in parallel CNN branches and fuses their outputs before a binary decision. On 'In-the-Wild' Audio Deepfake Data and The Fake-or-Real Dataset, the reported accuracies are 98.93% and 94.47% respectively, while the paper notes limitations including increased complexity, data dependence, and risk of overfitting (Krishnan et al., 2023).

5. Security protocols and strategic deception design

In authentication, the question becomes how to avoid being deceived by a component that is itself supposed to provide security. True2F is a backdoor-resistant authentication system that retains phishing resistance and isolation from compromised browsers while adding protection against token faults and backdoors. It introduces lightweight two-party protocols for generating cryptographic keys and ECDSA signatures, plus privacy defenses against cross-origin token-fingerprinting attacks. The design is backwards-compatible with today’s U2F-enabled web services and runs on commodity hardware tokens after a firmware modification. A True2F-protected authentication takes 57ms to complete on the token, compared with 23ms for unprotected U2F (Dauterman et al., 2018).

Strategic deception design appears in game-theoretic form in duplicity games. The framework formalizes deception mechanisms consisting of a generator, an incentive modulator, and a trust manipulator, referred to as the GMM mechanism. It proves a separation principle that decouples the design of the modulator from the GMM mechanism and an equivalence principle that turns the joint design of the generator and the manipulator into the single design of the manipulator. In a case study of dynamic honeypot configurations for insider threat mitigation, the numerical experiments show that the optimal GMM mechanism can elicit desirable actions from both selfish and adversarial insiders. The paper reports that the optimal generator alone increases defender payoff by 35.6% on average, and that the optimal generator plus fake honeypot percentage increases payoff by 59.3% on average; it also states that the defender always benefits from faking the percentage of honeypots when the optimal generator is presented (Huang et al., 2020).

A plausible implication is that “don’t fool me twice” is not only a matter of detection. In protocol design and cyber defense, it also requires auditing channels, constraining incentives, and shaping beliefs so that a one-time deception does not become a stable exploit.

6. Continual adaptation to adversity in embodied systems

The robotics framework explicitly titled "Don't Fool Me Twice" addresses unseen unstructured environments in which dangers and adversity modes are embodiment-specific and relative to each agent. Its pipeline is event-driven. A fast loop monitors disturbances online; once the operational signal crosses threshold, the system records the anomaly window and buffers multimodal evidence. A slow loop then constructs a textual disturbance description, augments it with visual context, queries a VLM for possible causes, grounds the returned description into a semantic embedding, localizes the cause in 3D using semantic voxel-centric modeling, and learns a spatial disturbance model from a few samples (Ravie et al., 29 May 2026).

The disturbance model is voxel-centric kernel regression,

f(x)=AjVexp ⁣(12Q(xcj))+b,f(x) = A \sum_{j \in \mathcal{V}} \exp\!\left(-\tfrac{1}{2} Q_\ell(x - c_j)\right) + b,

with

Q(xcj)=(xcj)x2+(xcj)y2xy2+(xcj)z2z2,Q_\ell(x - c_j) = \frac{(x - c_j)_x^2 + (x - c_j)_y^2}{\ell_{xy}^2} + \frac{(x - c_j)_z^2}{\ell_z^2},

fit by minimizing

minJ=minxy,z1Ni=1N(d(xi)f(xi))2.\min J = \min_{\ell_{xy}, \ell_z} \frac{1}{N} \sum_{i=1}^N \big(d(x_i) - f(x_i)\big)^2.

Epistemic uncertainty is then estimated through a Bayesian Linear Regression view of the disturbance field, so planning can be conservative near poorly observed hazards without becoming uniformly over-conservative.

The paper evaluates four hypotheses: that an experience-driven disturbance library captures edge-case disturbances that may otherwise be missed; that event-driven VLM querying mitigates over-conservativeness of preemptive libraries; that characterizing the disturbance’s spatial impact is better than treating semantics as binary obstacles; and that the framework generalizes across distinct failure modes and embodiments. In simulation on a quadrotor in NVIDIA Isaac Sim, DFM2 achieves Arrival Time 31.04±3.6831.04 \pm 3.68 s, Path Length 29.3±6.529.3 \pm 6.5 m, Survival Rate 81.8%, Cumulative Disturbance 2.9±4.82.9 \pm 4.8 m, and Normalized Cumulative Disturbance a(t)=I(ν(t)>θ).a(t) = \mathbb{I}\left(\nu(t) > \theta\right).0 cm on successful trials; the geometric baseline DROAN-GL reaches only 40.9% survival. On hardware with a wheeled robot, DFM2 improves Inlier ratio from a(t)=I(ν(t)>θ).a(t) = \mathbb{I}\left(\nu(t) > \theta\right).1 to a(t)=I(ν(t)>θ).a(t) = \mathbb{I}\left(\nu(t) > \theta\right).2, reduces Covariance trace from a(t)=I(ν(t)>θ).a(t) = \mathbb{I}\left(\nu(t) > \theta\right).3 to a(t)=I(ν(t)>θ).a(t) = \mathbb{I}\left(\nu(t) > \theta\right).4, and shortens Degradation time from a(t)=I(ν(t)>θ).a(t) = \mathbb{I}\left(\nu(t) > \theta\right).5 s to a(t)=I(ν(t)>θ).a(t) = \mathbb{I}\left(\nu(t) > \theta\right).6 s (Ravie et al., 29 May 2026).

7. Formal and epistemic limits

Some “don’t fool me twice” failures arise not from weak models but from weak semantic foundations. In logic, the liar paradox is presented as a genuine obstacle to any satisfactory theory of truth. The argument turns on self-reference, term substitution, and diagonalization: if two terms denote the same string, ordinary substitution principles allow paradoxical reconstruction even when one tries to dismiss the liar sentence as meaningless. The paper distinguishes local truth from global truth, argues that the T-scheme

a(t)=I(ν(t)>θ).a(t) = \mathbb{I}\left(\nu(t) > \theta\right).7

cannot serve as a foundation without presupposing a broader notion of truth, and proposes assertibility rather than classical truth as the global concept (Weaver, 2017).

An analogous issue appears in conditional probability. "Martin Gardner’s Mistake" argues that the Two-Children and Tuesday-Child problems are ambiguous unless the procedure by which the information is obtained is specified. For the Tuesday-child variant, the familiar

a(t)=I(ν(t)>θ).a(t) = \mathbb{I}\left(\nu(t) > \theta\right).8

answer is correct only under a boy-centered, Tuesday-centered selection rule. Under other explicit procedures the answer can be

a(t)=I(ν(t)>θ).a(t) = \mathbb{I}\left(\nu(t) > \theta\right).9

or

Rhyp(fθ,D)=E(x,y)D[maxxxϵ1(fθ(x)=y)].\mathcal R_{\text{hyp}}(f_\theta,\mathcal D) = \mathbb E_{(x,y)\sim \mathcal D} \left[ \max_{\|x'-x\|\le \epsilon}\mathbf 1(f_\theta(x')= y) \right].0

The general lesson is that conditioning on a sentence is not the same as conditioning on a well-defined random process (Khovanova, 2011).

These formal results place a limit on the broader program. A system cannot reliably avoid being fooled twice if truth predicates, conditioning events, or evidence-generation procedures are themselves underspecified. In that sense, the literature treats repeated deception not only as an engineering problem, but also as a problem of semantics, inference, and experimental design.

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Don't Fool Me Twice.