Two-Stage Defense Framework (TSDF)
- TSDF is a defense framework that decomposes protection into two sequential stages to expose and then mitigate adversarial structures.
- The first stage uses techniques like symbolic quantization, spectral clustering, and saliency mapping to identify and disrupt malicious inputs.
- The second stage applies robust recovery methods such as FFT aggregation, GAN-based reconstruction, or frequency filtering to neutralize residual threats.
Searching arXiv for papers on two-stage defense frameworks and related uses of the acronym TSDF. Two-Stage Defense Framework (TSDF) denotes a staged defensive design in which protection is decomposed into two sequential operations rather than handled by a single mechanism. In the security-oriented literature, the first stage typically performs separation, screening, or disruption, and the second stage performs mitigation, aggregation, reconstruction, or refinement on whatever remains after the initial filter. An explicit use of the name appears in a deepfake-defense method that combines interruption and poisoning to preserve defense effectiveness under attacker retraining (Zheng et al., 11 Aug 2025). Closely related two-stage constructions recur in federated learning, adversarial patch defense, backdoor purification, jailbreak defense, graph membership inference, and efficient LVLM defense, where the shared premise is that one stage alone is insufficient under strong or adaptive adversaries (Campos et al., 26 Aug 2025, Chen et al., 2021, Miah et al., 6 Feb 2026, Lin et al., 11 May 2026, Niu et al., 2024, Kadvil et al., 23 Feb 2026).
1. Terminology and scope
The acronym TSDF is overloaded across arXiv literature. In several robotics and scene-representation papers it denotes the Truncated Signed Distance Function, a geometric representation used for mapping and planning rather than a defense framework (Schieber et al., 29 May 2026, Ding et al., 2024, Grinvald et al., 2021). In security and robustness papers, however, the same acronym or an equivalent description is used for a two-stage defense framework: a pipeline in which an upstream stage reduces attack salience or isolates suspicious inputs, and a downstream stage limits the effect of residual failures.
This dual usage is a frequent source of confusion. In the deepfake paper that explicitly names its method TSDF, the term refers to a persistent active defense with two roles—interruption and poisoning—and not to signed-distance geometry (Zheng et al., 11 Aug 2025). In neighboring work, the same structural idea appears under other names: FLAegis in federated learning, Jujutsu for adversarial patches, Lite-BD for black-box backdoor defense, DR-Smoothing for jailbreak defense, GTD for graph membership inference, and VALD for LVLM defense (Campos et al., 26 Aug 2025, Chen et al., 2021, Miah et al., 6 Feb 2026, Lin et al., 11 May 2026, Niu et al., 2024, Kadvil et al., 23 Feb 2026).
A plausible implication is that “TSDF” is best treated as a family resemblance term rather than a single fixed algorithm. What remains stable across the cited works is not one universal objective function, but the staged decomposition of defense.
2. Architectural pattern
Across these papers, the recurring architectural rationale is that a single defense mechanism usually fails in one of two ways: it is too weak against sophisticated attacks, or it preserves robustness only by imposing excessive utility loss. The two-stage design addresses this by assigning different responsibilities to each stage. FLAegis states this logic explicitly: clustering-based detection alone is not perfect, while robust aggregation alone becomes much weaker when the fraction of Byzantine clients is large (Campos et al., 26 Aug 2025). Lite-BD makes a parallel claim for backdoor purification: down-upscaling is the most effective single transformation in its preliminary study, but some triggers remain effective after spatial purification, especially those with frequency-oriented or globally distributed signatures (Miah et al., 6 Feb 2026). DR-Smoothing adopts the same structure for jailbreak defense, arguing that disruption-only smoothing can push prompts out of distribution, while a rectification stage can restore more natural text before aggregation (Lin et al., 11 May 2026).
A concise way to view the pattern is as a division of labor.
| Framework | First stage | Second stage |
|---|---|---|
| FLAegis | SAX + cosine similarity + spectral clustering | FFT-based robust aggregation |
| Jujutsu | Saliency-based localization and transplantation-based detection | GAN-based localized recovery |
| Lite-BD | Stochastic downscaling + neural super-resolution | Band-by-band frequency filtering |
| GTD | Train-node optimization with flattening | Pseudolabeled test-node training |
| DR-Smoothing | Disruption | Rectification with majority-vote smoothing |
| TSDF (deepfake) | Interruption perturbation generation | Poisoning perturbation generation and fusion |
This suggests that two-stage frameworks are not defined by any particular domain, but by a sequential defense logic: first reduce or expose adversarial structure, then neutralize the residual pathway through a different mechanism.
3. Stage-one functions: separation, screening, and disruption
In many TSDF-like systems, the first stage is an identification or disruption module designed to create separability that is absent in raw inputs. FLAegis exemplifies this in federated learning by treating each client’s flattened weight tensor as a time series, transforming it with Symbolic Aggregate approXimation (SAX), computing pairwise cosine similarity, and applying spectral clustering to the resulting similarity matrix (Campos et al., 26 Aug 2025). The implementation discretizes values into 45 equidistant bands, and when more than one cluster is found, the smaller cluster is labeled Byzantine under the assumption . The paper’s claim is that symbolic quantization amplifies structural differences between benign and malicious updates that cosine similarity alone may fail to expose.
Jujutsu uses a different stage-one logic centered on localization and verification. It computes a SmoothGrad saliency map,
then average-filters the map, extracts a suspicious fixed-size box around the maximum, and transplants that region into the least-salient region of a hold-out image (Chen et al., 2021). If the transplanted region induces the same predicted label as the original attacked input, the region is treated as adversarial. This stage is therefore not only a detector but a test of input-agnostic dominance, which the paper identifies as characteristic of universal adversarial patches.
In Lite-BD, stage one is a black-box purification step based on stochastic downscaling + neural super-resolution. The resized image is restored by a pretrained super-resolution model, and the defended model is queried immediately afterward; if the prediction changes relative to the original poisoned prediction, the defense returns the purified image without invoking stage two (Miah et al., 6 Feb 2026). The method interprets down-upscaling as a way to disrupt the precise pixel placement and local spatial structure on which many backdoor triggers depend.
VALD shows a more elaborate but still recognizably staged screening cascade. Its early detector compares image embeddings of the original image and transformed variants under large crops and random pixel masking: with in the main experiments and calibrated so that 95% of clean images pass as clean (Kadvil et al., 23 Feb 2026). Although VALD ultimately has a resolver stage beyond the initial detector, its defense logic is still organized around staged triage.
4. Stage-two functions: mitigation, aggregation, and reconstruction
If stage one is the exposure mechanism, stage two is usually the robustness backstop. In FLAegis, suspected attackers are filtered out first, after which the server applies an FFT-based robust aggregation over the remaining clients’ updates: The paper describes this as a coordinate-wise aggregation rule in the frequency domain that preserves common benign structure and suppresses anomalous contributions without normalization-based rescaling (Campos et al., 26 Aug 2025). The conceptual point is explicit: residual malicious updates may evade clustering, so aggregation must still be robust.
Jujutsu’s second stage is GAN-based localized reconstruction. After an adversarial region is identified, the defense masks part or all of that region and uses PICNet to synthesize the missing semantic content, modeling for the corrupted area conditioned on the masked image (Chen et al., 2021). This stage exists because masking alone can remove both the patch and crucial object content; reconstruction is intended to recover the semantics necessary for correct classification. The paper further uses prediction consistency between the original and recovered image to reduce false positives.
Lite-BD’s second stage is not reconstruction but query-based band-by-band frequency filtering. If spatial purification fails, the method computes a 2D DFT, partitions the normalized spectrum into concentric bands, removes each band with a band-stop mask, and queries the model on each candidate (Miah et al., 6 Feb 2026). If multiple bands alter the prediction away from the malicious target, the framework prefers the higher-frequency candidate and then applies edge enhancement. This stage is explicitly presented as a fallback for attacks with frequency-domain or globally distributed signatures.
DR-Smoothing similarly uses stage two to compensate for the liabilities of stage one. After randomly disrupting a prompt times with perturbation percentage , it applies a rectification module to each disrupted prompt, producing , queries the LLM, and decides via majority vote: 0 The paper’s claim is that rectification restores more in-distribution text and thereby improves the harmlessness/helpfulness balance relative to disrupt-only approaches such as SmoothLLM (Lin et al., 11 May 2026).
5. TSDF as a named framework in deepfake defense
The most direct instantiation of the term Two-Stage Defense Framework (TSDF) appears in the deepfake paper “Boosting Active Defense Persistence: A Two-Stage Defense Framework Combining Interruption and Poisoning Against Deepfake” (Zheng et al., 11 Aug 2025). Its motivation is not merely immediate disruption of forged outputs, but persistence under attacker retraining. The paper argues that static interruption methods can be bypassed if attackers collect protected samples and retrain on them, turning the perturbation into part of the training distribution. TSDF therefore combines interruption and poisoning within one perturbation.
In Stage 1, an interruption perturbation 1 is optimized against multiple deepfake feature extractors: 2 The paper supplements this with a feature enhancement loss and updates 3 by PGD-style gradient ascent: 4
In Stage 2, the framework attacks the attacker’s retraining pipeline by poisoning face detectors used for face detection, localization, cropping, and alignment. The key technical device is the intensity separation mechanism, which reserves low-intensity regions of the interruption perturbation for poisoning. The poisoning mask is defined as
5
so poisoning is concentrated where the interruption perturbation is weak. The final perturbation is then fused as
6
The paper presents this design as a way to avoid objective conflict: interruption is preserved in high-intensity regions, while poisoning occupies low-intensity regions. In the threshold study, 7 is reported as the best compromise between interruption and poisoning (Zheng et al., 11 Aug 2025).
The central empirical claim concerns retraining persistence. Traditional interruption baselines degrade sharply after adversarial retraining: for CMUA, average SSIM changes from 0.64 to 0.79 and FID from 209.46 to 127.42; for FOUND, average SSIM changes from 0.60 to 0.74 and FID from 250.84 to 230.50 (Zheng et al., 11 Aug 2025). By contrast, TSDF becomes more disruptive after retraining, with SSIM changing from 0.46 to 0.31 and FID from 283.01 to 348.65. The paper interprets this as evidence that poisoning prevents the attacker from adapting successfully to the defense.
6. Assumptions, limitations, and recurring misconceptions
A common misconception is that a two-stage defense automatically dominates a single-stage defense. The cited papers do not support such a blanket conclusion. Rather, they repeatedly tie performance to explicit assumptions and failure modes. FLAegis assumes fewer than half the clients are malicious and a trusted, uncompromised server; the paper also notes a weakness against the mimic attack, where malicious updates copied from a high-variance benign client can slip past clustering (Campos et al., 26 Aug 2025). Jujutsu assumes a single localized patch in the main threat model, and its performance depends on the quality of the inpainting model (Chen et al., 2021). Lite-BD requires black-box query access, careful selection of the Stage-1 scale, and acknowledges possible image degradation from frequency filtering (Miah et al., 6 Feb 2026).
The same caution applies to more recent staged defenses. DR-Smoothing requires 8 times more queries than an undefended model and evaluates only black-box adaptive attacks because the defense is not differentiable (Lin et al., 11 May 2026). VALD notes a failure case in which the same hallucination appears consistently across transformed views, causing consolidation to reinforce the wrong answer (Kadvil et al., 23 Feb 2026). GTD relies on pseudolabels for test nodes in its second stage and uses a fixed flattening parameter 9, both of which are stated limitations (Niu et al., 2024). AMDS reports strong empirical results, including 94.2% AUC for two-stage detection, but explicitly states that its adaptive white-box evaluation “does not constitute a formal robustness guarantee” and that its learned weights depend on attack examples seen during training (Olukola et al., 1 Mar 2026).
This suggests that the main value of a TSDF is not universality but complementarity. The first stage narrows the adversarial channel; the second stage handles whatever the first stage leaves unresolved. Where the stages are well matched, the defense can improve robustness without relying on a single brittle mechanism. Where the assumptions fail, the staged structure remains vulnerable, even if the implementation is sophisticated.