Structural Responsiveness Score (SRS)
- Structural Responsiveness Score (SRS) is a quantitative measure that defines how a model’s layered architecture amplifies or attenuates input perturbations.
- It is computed by aggregating weighted per-layer Jacobian norms and approximated via gradient norm differences on probe sets in federated settings.
- SRS informs structural client evaluation and attack tuning in frameworks like TFI, with strong correlations observed between SRS-derived metrics and backdoor success rates.
Structural Responsiveness Score (SRS) denotes, in the federated-learning literature, a quantitative measure of how strongly a given model architecture responds to a specific input perturbation as that perturbation propagates through the network (Jian et al., 4 Mar 2026). It was introduced to make backdoor analysis “structure-aware,” replacing the assumption that identical perturbations behave similarly across architectures. In this formulation, SRS captures whether an architecture tends to amplify or suppress a trigger, how readily perturbation-induced signals are encoded into gradients and parameters, and how likely those signals are to survive federated aggregation. The metric is central to the structure-aware fractal perturbation injection framework (TFI), where it is paired with the Structural Compatibility Coefficient (SCC) to model client selection, perturbation scaling, and perturbation survivability (Jian et al., 4 Mar 2026).
1. Definition and mathematical form
The formal definition begins with a per-layer perturbation response,
where is a clean input sample, is an input perturbation, denotes the output of the -th layer of the model , and the Jacobian is evaluated at . This quantity is a gradient-based sensitivity measure: it expresses how much the -th layer’s representation changes when the perturbation is infinitesimally varied.
The Structural Responsiveness Score of the whole model is then defined as
where is the number of hierarchical modules or layers, 0 is a layer-wise weight coefficient, and 1 is the per-layer perturbation response. The weighting encodes architectural importance: deeper layers, or layers with residual or dense connections, are assigned higher weights because they exert greater influence on the final prediction.
In interpretive terms, a large SRS indicates that perturbations are strongly “felt” and propagated through the network, whereas a small SRS indicates that perturbations are attenuated or filtered out. The paper characterizes SRS as a measure of the model’s global structural sensitivity to an input perturbation: it quantifies how readily the architecture converts a small perturbation at the input into significant internal changes that can be encoded in gradients and parameters.
The derivation is conceptual rather than theorem-driven. It rests on three assumptions. First, perturbation propagation is locally linearized through a first-order Taylor approximation,
2
Second, layer importance can be represented by fixed coefficients 3. Third, the global structural response can be aggregated additively across layers. No explicit closed-form bound for SRS is given, but the metric is later inserted into formulas that abstract the impact of malicious updates in federated aggregation (Jian et al., 4 Mar 2026).
2. Practical estimation in TFI
The paper distinguishes between the conceptual SRS defined through per-layer Jacobians and a practical estimator used in experiments. Literal computation of the definition would require, for each layer, computing the Jacobian of 4 with respect to 5, taking its 6 norm, weighting by 7, and summing across layers. The paper does not report full Jacobian computations in experiments, noting instead an efficient gradient-based approximation suitable for federated settings.
In the client-evaluation stage of TFI, the server sends a small probe set 8 to each client and asks the client to compute gradient norms under clean and perturbed inputs. The estimated score for client 9 is
0
where 1 is the local model, 2 its parameters, 3 the training loss, 4 the probe set, and 5 the fractal perturbation used in TFI.
This estimator replaces explicit per-layer Jacobians with the change in parameter-gradient norm induced by adding the perturbation. If the fractal perturbation substantially increases the magnitude of parameter gradients on the probe set, the model is treated as structurally responsive; if the change is small, the model is treated as structurally insensitive. No explicit per-layer weighting appears in this estimator; instead, the norm over all parameters functions as a global sensitivity proxy. The paper presents this as computationally cheap and well aligned with federated learning, since clients already compute gradients during training (Jian et al., 4 Mar 2026).
3. Architectural dependence and relation to SCC
A central claim of the structure-aware formulation is that SRS is architecture-dependent. The paper repeatedly associates high structural responsiveness with architectures that exhibit multi-path feature fusion. Residual networks such as ResNet-18 and ResNet-50 are described as providing low-attenuation paths from early layers to deep layers through skip connections, allowing small perturbations to propagate and accumulate. DenseNet-121 is described as enhancing feature reuse and multi-scale propagation through dense connectivity, which magnifies the multi-scale nature of fractal perturbations. By contrast, VGG-16 is described as a strictly sequential convolutional stack that tends to dampen structured perturbations with depth, and ViT-Base is described as exhibiting notably lower backdoor attack success under TFI at the same poisoning ratio, consistent with lower effective SRS and/or SCC.
SRS is paired with the Structural Compatibility Coefficient, defined as
6
SCC therefore measures a model’s relative structural preference for fractal perturbations over a conventional static trigger. If 7, the model responds more strongly to fractal perturbations than to static triggers; if 8, fractal perturbations are less effective than the static baseline in that architecture.
The roles of the two quantities are distinct. SRS is an absolute sensitivity measure for a specified perturbation. SCC is a relative compatibility measure comparing two perturbation families within the same model structure. Because SCC is the ratio of two SRS values, the two metrics are tightly coupled. This suggests that SRS diagnoses whether an architecture is perturbation-sensitive at all, whereas SCC diagnoses whether a particular perturbation family is structurally favored by that architecture (Jian et al., 4 Mar 2026).
4. Function within TFI and federated aggregation
Within TFI, SRS is used operationally rather than merely descriptively. The first use is client structural evaluation: the attacker estimates 9 for each client. The second is client selection: the attacker computes an estimated compatibility coefficient and then defines a client value
0
selecting, under a budget 1, the subset of clients with the highest 2. Because 3 depends on 4, this favors clients whose architectures are structurally advantageous for fractal perturbations.
The third use is perturbation-strength control. TFI adjusts a baseline perturbation strength according to
5
where 6 is a reference sensitivity. Highly sensitive clients are therefore prevented from receiving excessively strong perturbations, while less sensitive clients may receive stronger perturbations to compensate. The fourth use is frequency-domain embedding. For
7
the embedding weight is
8
so SCC modulates the perturbation intensity placed into the poisoned input.
The paper also inserts SRS into an abstract model of federated aggregation. At round 9, the FedAvg update is written as
0
The effective impact of a perturbation from client 1 is abstracted as
2
and the adversarial contribution over 3 rounds is written as
4
The condition for attack success is abstracted by
5
where 6 models noise, robust aggregation, or differential privacy effects. In this abstraction, higher SRS and SCC make it easier for the adversarial signal to dominate benign updates and noise, thereby enabling persistent backdoor accumulation (Jian et al., 4 Mar 2026).
5. Empirical behavior and attack outcomes
The empirical results are reported mainly through architectural comparisons and through the behavior of SCC, which is defined directly from SRS. The paper states that model architecture significantly influences the propagation and aggregation of perturbations. Networks with multi-path feature fusion can amplify and retain fractal perturbations even under low poisoning ratios, whereas models with low structural compatibility constrain their effectiveness.
The strongest reported quantitative relationship is between SCC and attack success rate (ASR). On CIFAR-10, across architectures, the Pearson correlation coefficient between SCC and ASR is reported as 7, which the paper describes as a strong positive correlation. This is presented as evidence that SCC can predict perturbation survivability and, indirectly, that the underlying SRS values are capturing a relevant architectural property.
A second set of results concerns poisoning efficiency under a fixed target ASR of 8. On CIFAR-10, ResNet-18 and DenseNet-121 require only about 9 poisoning to reach the target, while ViT-Base requires around 0. The paper reports a similar pattern on ImageNet-100: residual and dense models require significantly lower poisoning ratios than sequential convolutional or vision transformer models. This suggests that higher structural responsiveness makes a perturbation more efficient, thereby lowering the poisoning budget needed for a successful backdoor.
A third result comes from an ablation on CIFAR-10 with ResNet-18 at 1 poisoning. Full TFI achieves ASR 2, update similarity 3, and detection rate 4. Removing SCC-aware client selection reduces ASR to 5, reduces update similarity to 6, and increases detection rate to 7. The ablation is framed in terms of SCC-aware selection, but because SCC is built from SRS, a plausible implication is that exploiting structural responsiveness is particularly important under low poisoning budgets (Jian et al., 4 Mar 2026).
6. Uses, limitations, and terminological ambiguity
The paper presents SRS as useful for both offensive and defensive analysis. For attack design, it allows pre-screening of clients or architectures to identify those whose models are structurally responsive to a chosen trigger. For vulnerability analysis, it allows system designers to examine how sensitive candidate architectures are to structured perturbations such as fractal or spectral patterns. For defense design, it suggests model-level strategies that reduce perturbation-friendly connectivity, and system-level strategies that use SRS or its gradient-based proxies to scrutinize updates that respond disproportionately to structured perturbations. It also supports trigger-model matching: defenders can test perturbation families and measure SRS or SCC to determine which trigger forms are naturally amplified by a deployed model.
The paper also states several limitations. SRS depends on local linearization and therefore reflects local sensitivity around particular inputs rather than full nonlinear training dynamics. The experimental estimator is not the formal per-layer Jacobian-based definition, but a practical surrogate based on parameter-gradient norms; its fidelity may therefore depend on the loss, the representativeness of the probe set, and the training state. The strongest empirical results are specific to fractal perturbations relative to a static baseline. Architectural effects are conditional rather than universal: ViT-Base is given as a case where TFI performs substantially worse. Finally, the paper provides no closed-form robustness guarantee or explicit threshold of the form “if SRS is below a given value, then a backdoor cannot succeed.”
A recurrent source of confusion is the acronym itself. In shock testing, SRS ordinarily denotes Shock Response Spectrum, a supremum-based characterization of the response of a family of linear SDOF oscillators to a shock input; that literature treats SRS as a conventional severity metric and contrasts it with constructs such as the Shock Severity Infimum and dual spectra (Yan et al., 2020). In a distinct line of work on recourse, “responsiveness scores” quantify the probability that changing a feature within a structurally constrained action set will flip a model prediction to a desirable outcome, and that formulation is explicitly model-agnostic and individual-specific (Cheon et al., 2024). These usages are conceptually separate. In the federated-learning setting, Structural Responsiveness Score refers specifically to architecture-dependent perturbation sensitivity and its role in backdoor propagation, retention, and survivability under aggregation (Jian et al., 4 Mar 2026).