IndirectAD: Indirect Methods in Analysis

Updated 12 February 2026

IndirectAD is a diverse set of methodologies that employ indirect mechanisms to optimize data analysis, adversary detection, and model improvement across various domains.
It leverages innovations such as trigger-based data poisoning, adaptive instrument design for causal inference, and indirect gradient distillation to achieve significant efficiency gains.
The framework also extends to automated adjoint differentiation in engineering solvers, arbitrated treatment comparisons in clinical trials, and session-based Active Directory attack detection with marked performance improvements.

IndirectAD refers to a diverse set of technical methodologies across multiple research fields, each exploiting “indirect” principles for achieving data analysis, adversary detection, optimization, or model improvement. The umbrella term encompasses: (1) efficient adjoint differentiation for complex solvers, (2) poisoning attacks on recommenders using trigger-based indirect data associations, (3) adaptive experimental designs for indirect causal inference, (4) arbitrated indirect treatment comparisons in clinical trials, (5) indirect gradient distillation in adversarial training, and (6) stealthy detection of cross-host Active Directory attacks via session linking. Despite the heterogeneity, the defining feature is the use of indirect mechanisms—rather than direct interventions, manipulations, or measurements—to optimize, attack, defend, or infer within a statistical, adversarial, or algorithmic system.

1. IndirectAD in Data Poisoning of Recommender Systems

The term “IndirectAD” originally denotes a practical data poisoning attack on recommender systems for item promotion. The attack is distinct in leveraging a Trojan-inspired, trigger-based strategy that relies on co-occurrence of a target and an easy-to-promote “trigger” item within injected fake user profiles. Rather than attempting to push a target item $I_t$ (which does not match users’ historical interest) directly into prominent recommendation slots, the attacker selects a trigger item $I_{\text{trig}}$ with natural appeal to the target user set $U_t$ , first promotes $I_{\text{trig}}$ , and then forges co-occurrence data to indirectly uplift $I_t$ ’s embedding via collaborative filtering. This mechanism reduces attack budget requirements to as low as $0.05\%$ user base control for measurable promotion, a reduction by orders of magnitude compared with traditional direct poisoning (Wang et al., 8 Nov 2025). The attacker's pipeline involves (a) training a substitute model, (b) selecting the trigger item by maximum instant loss drop, (c) constructing poisoned profiles with enforced $I_t$ / $I_{\text{trig}}$ co-occurrence, and (d) iterative optimization of profile interactions to maximize composite adversarial loss. Results on Amazon, Steam, and MovieLens benchmarks show reliable, transferable HR@20 improvement across WRMF, ItemAE, and Mult-VAE models at minimal injection rates.

Method	Attack Mechanism	Required User Budget	Observed HR@20 Gain (Books, WRMF)
Direct Poison	Direct target promotion	$>1\%$	0.0000
IndirectAD	Trigger+Co-occurrence	$0.05\%$	0.3810

IndirectAD thus reveals a new and more subtle threat vector for large-scale recommender platforms, with ramifications for both defense and auditability.

2. IndirectAD in Adaptive Instrument Design for Causal Inference

In experimental design literature, “IndirectAD” refers to adaptive instrument design for indirect experiments, specifically where treatment assignment is infeasible and instrumental variables are used for identification (Chandak et al., 2023). In this setting, indirect experiments randomize over encouragements or recommendations (instruments $Z_i$ ), producing variable compliance and estimator efficiency. IndirectAD introduces an influence-function–based policy optimization method over the space of instrument assignment policies $\pi(X)$ , seeking to minimize the mean-squared error of nonlinear IV estimators. The key technical innovation is a practically unbiased, constant-variance gradient estimator for the expected estimator loss $\mathcal{L}(\pi)$ , constructed via first-order influence functions and stabilized through leave-one-out control variates and multi-rejection subsampling for off-policy evaluation. The resulting batched algorithm adaptively concentrates experimentation on high-compliance, high-information instruments, yielding up to $5\times$ – $10\times$ variance reduction or sample savings compared to uniform randomization in both synthetic and real-data simulations. The methodology is general across 2SLS, DeepIV, and GMM-based methods.

3. IndirectAD for Robustness and Model Compression in Adversarial Distillation

In adversarial machine learning, “IndirectAD” denotes the “Indirect Gradient Distillation Module” (IGDM), which is an auxiliary loss for transferring input gradient knowledge from a large, robust teacher to a smaller student network during adversarial distillation (Lee et al., 2023). Instead of incurring prohibitive cost by matching student and teacher input Jacobians directly, IGDM exploits the local linearity of adversarially trained models. It matches finite-difference output differences $f(x+\beta\delta) - f(x-\gamma\delta)$ on perturbed inputs, where $\delta$ is the adversarial perturbation, thus indirectly aligning input gradients. When incorporated as a loss term alongside standard adversarial distillation objectives, IGDM yields systematic gains of $2$–$4$ percentage points in AutoAttack accuracy on CIFAR-100 for ResNet-18 and MobileNetV2, without requiring extra input augmentations or backward passes for full Jacobian computation. Ablation reveals substantial improvement even when teacher guidance is omitted from the inner maximization. IGDM is plug-and-play, compatible with TRADES, ARD, and RSLAD frameworks, and substantially narrows the teacher–student robustness gap.

4. IndirectAD in Causal Meta-Analysis: Arbitrated Indirect Treatment Comparisons

In health technology assessment, “IndirectAD” encompasses arbitrated indirect treatment comparison (Arb-MAIC), which addresses inconsistencies (“MAIC paradox”) in indirect comparison of clinical trial results via matching-adjusted indirect comparison (MAIC) (Fang et al., 20 Oct 2025). Standard MAIC weights participants in one trial to match aggregate covariate statistics of another, enabling indirect A vs. B treatment effect estimation; however, results depend on the reference population and may yield contradictory sponsor claims. Arb-MAIC remedies this by weighting both trials to a common target population—the overlap (ATO) population—using fitted propensity scores $\varepsilon(x) = P(\text{Trial} = 1 \mid X = x)$ and computing overlap weights $\omega_1(x) = 1-\varepsilon(x)$ and $\omega_0(x) = \varepsilon(x)$ for the AC and BC trials, respectively. Weighted outcome analyses are then reconciled to yield a unique, arbitrated indirect effect estimate. This prevents divergent conclusions and reduces variance and weight instability by design.

5. IndirectAD in Automated Adjoint Differentiation for Engineering Solvers

In computational science and engineering, “IndirectAD” is a unifying framework that automates adjoint computations by combining algorithmic differentiation (AD) with implicit differentiation techniques (Ning et al., 2023). When solvers are defined by nonlinear implicit equations $F(x, u(x)) = 0$ , direct AD is computationally impractical due to long solver trajectories and memory costs. IndirectAD applies the chain rule via the implicit function theorem, requiring only the solver’s final Jacobians $\partial F/\partial x$ and $\partial F/\partial u$ to yield adjoint sensitivities. For both steady-state and time-dependent problems (including block ODE systems), this allows for adjoint computation with only a small number of additional linear solves and Jacobian-vector products, bypassing the need to differentiate through the solver iterations. Explicit time-stepping methods are accelerated by recasting as local-residuals, with per-step VJP evaluation rather than taping the entire trajectory. Empirical benchmarks show speedups of $30$x–$1000$x over direct/reverse AD or finite-differencing, even for large-scale stiff problems.

6. IndirectAD in Active Directory Attack Detection

HADES introduces the concept of indirect Active Directory (AD) attack detection by leveraging whole-network provenance analytics rooted in logon session–based execution partitioning (Liu et al., 2024). Traditional provenance-based intrusion detection systems are limited to intra-host analyses, failing to capture stealthy, multi-host lateral movements typical of advanced persistent threats. IndirectAD here refers to algorithms that, on detection of authentication sequence anomalies (e.g., AS-REP Roasting, Golden Ticket), trace cross-host session transfer chains and reconstruct the minimal causal attack provenance. By partitioning system logs by logon session IDs and linking only provably causally related sessions (e.g., via Kerberos/NTLM authentication edges), HADES constructs precise cross-host provenance graphs. Each attack path is scored using domain-specific heuristics based on observed credential access and lateral movement TTP variety. The method achieves $0$ false negatives and up to $99\%$ reduction in false positives over standard SIEM rule-sets in MITRE ATT&CK–based evaluations.

System	Multi-Host Tracing	FPs (post triage)	Missed APT29 Attacks
HADES	Yes	0–2	0
Elastic/Sigma	No	$\sim$ 100–800	Up to 100%
Leading CAD	Limited	0	2

This session-based indirect strategy reveals indirect attacks impervious to single-host and signature-based detection.

7. Limitations and Cross-Field Implications

Across contexts, IndirectAD methods share limitations:

In recommender attacks, success depends on partial data access and target system architecture (Wang et al., 8 Nov 2025).
Adaptive design for indirect experiments assumes instrument relevance and stable compliance, and relies on sufficient batch size for policy updates (Chandak et al., 2023).
Arb-MAIC for clinical trials requires rich covariate data, honest sponsor cooperation, and overlap positivity (Fang et al., 20 Oct 2025).
IGDM’s effectiveness can be limited by model capacity and hyperparameter schedule tuning (Lee et al., 2023).
Provenance-based detection is contingent on homogeneous OS environments and may require integration with fine-grained data-flow tracking in more complex threat models (Liu et al., 2024).

A plausible implication is that cross-pollination of indirect strategies (e.g., session-based partitioning in system security applied to federated experimental design) may yield future methodological advances. The indirect paradigm enables both subtle attacks and robust defenses by exploiting the structure of interactions, dependencies, and design policies rather than direct manipulation or brute-force intervention.