
arXiv: 2605.15249 · v1 · pith:G5J4KVHS · submitted 2026-05-14 · cs.CR · cs.LG

Enabling Adversarial Robustness in AI Models through Kubeflow MLOps

Pith reviewed 2026-05-19 16:25 UTC · model grok-4.3

classification: cs.CR, cs.LG
keywords: adversarial robustness, Kubeflow, MLOps, Kubernetes, adversarial attacks, PGD defense, FGSM attack

The pith

Integrating Kubeflow MLOps into a Kubernetes deployment lets the platform detect adversarial attacks on served AI models and automatically deploy a defense that recovers their accuracy.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper describes a system that uses Kubeflow to monitor AI models running in Kubernetes for signs of adversarial attacks. When accuracy drops during inference, it triggers PGD-based adversarial training to harden the model. The aim is to make deployed AI services more reliable without manual intervention. A sympathetic reader would care because AI models in production face growing threats from inputs crafted to make them produce wrong outputs. The experiments show that, after an FGSM attack is applied, the automatically deployed defense brings accuracy back up.

Core claim

The proposed architecture integrates Kubeflow-based MLOps to automatically detect adversarial attacks during the inference phase and trigger defense mechanisms. Specifically, a Fast Gradient Sign Method (FGSM) attack is applied at inference time, and a Projected Gradient Descent (PGD)-based adversarial training defense is automatically deployed when a degradation in accuracy is detected. The experimental results indicate that the deployed defense robustifies the model, significantly recovering accuracy relative to the degradation caused by the attack.

What carries the argument

The Kubeflow-based MLOps pipeline that monitors model accuracy during inference and deploys PGD adversarial training when degradation is detected.

If this is right

  • The model maintains higher accuracy under adversarial conditions after defense deployment.
  • AI services in cloud environments can respond automatically to attacks without human oversight.
  • Security for deployed models becomes part of the standard MLOps workflow.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Similar setups could extend to other attack types beyond FGSM.
  • This approach might reduce the need for constant manual security monitoring in AI deployments.

Load-bearing premise

That a drop in model accuracy during operation means an adversarial attack is under way, and that the PGD defense can be applied automatically and effectively to the running system.

What would settle it

An observation where model accuracy degrades due to normal data changes or other non-attack reasons, yet the system deploys the defense unnecessarily, or where the defense fails to recover accuracy after a confirmed attack.
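The loop in the core claim and the premise above, run end to end, as an added example. This is not the paper's code, and the paper does not report its model, dataset, epsilon or trigger threshold (see the referee report below), so everything here is constructed or assumed: the model is a logistic regression rather than whatever network the authors used, the data is synthetic with one robust feature and twenty weakly informative ones, the L-inf budget is 0.5, the trigger is a 15-point accuracy drop on a labelled hold-out set, and Kubeflow itself is not simulated, only the measure, trigger, retrain, re-measure logic. The block reproduces the accuracy curve that Figures 4 and 5 describe (clean, under FGSM, after PGD adversarial training) and, for the "what would settle it" point, shows that a label-independent feature offset with no attacker trips the same trigger.

```python
# Added example (not the paper's code): a pure-Python miniature of the loop the paper
# describes: serve a model, measure accuracy, detect a drop, retrain with PGD, re-measure.
# Data, model, epsilon, threshold and drift below are all constructed or assumed.
import math
import random

D_WEAK, ETA, P_ROBUST = 20, 0.25, 0.9   # constructed feature distribution
EPS, ALPHA, PGD_STEPS = 0.5, 0.25, 4    # assumed L-inf budget and PGD schedule
DROP_THRESHOLD = 0.15                   # assumed accuracy-drop trigger

def make_data(n, rng):
    """Constructed data: x[0] is a robust +/-1 feature that matches the label with
    probability P_ROBUST; x[1:] are weakly label-correlated Gaussians (mean ETA*sign,
    std 1). Jointly the weak features beat x[0] on clean data, but an L-inf budget
    of 2*ETA turns every one of them against the model."""
    xs, ys = [], []
    for _ in range(n):
        y = rng.randint(0, 1)
        s = 1 if y else -1
        robust = s if rng.random() < P_ROBUST else -s
        xs.append([float(robust)] + [rng.gauss(ETA * s, 1.0) for _ in range(D_WEAK)])
        ys.append(y)
    return xs, ys

def sigmoid(z):
    if z >= 0:
        return 1.0 / (1.0 + math.exp(-z))
    ez = math.exp(z)
    return ez / (1.0 + ez)

def logit(w, b, x):
    return b + sum(wi * xi for wi, xi in zip(w, x))

def sign(v):
    return (v > 0) - (v < 0)

def input_grad(w, b, x, y):
    """d(cross-entropy)/dx for logistic regression: (sigmoid(z) - y) * w, no autodiff."""
    r = sigmoid(logit(w, b, x)) - y
    return [r * wi for wi in w]

def fgsm(w, b, x, y):
    """FGSM (Goodfellow et al.): one signed-gradient step of size EPS."""
    return [xi + EPS * sign(gi) for xi, gi in zip(x, input_grad(w, b, x, y))]

def pgd(w, b, x, y, rng):
    """Inner maximisation (Madry et al.): random start in the L-inf ball, PGD_STEPS
    signed steps of ALPHA, each projected back onto the ball. Features are unbounded
    here, so there is no [0, 1] clip as there would be for pixels."""
    adv = [xi + rng.uniform(-EPS, EPS) for xi in x]
    for _ in range(PGD_STEPS):
        g = input_grad(w, b, adv, y)
        adv = [min(max(ai + ALPHA * sign(gi), xi - EPS), xi + EPS)
               for ai, gi, xi in zip(adv, g, x)]
    return adv

def train(xs, ys, epochs, lr=0.1, w=None, b=0.0, adversary=None, rng=None):
    """Full-batch gradient descent on cross-entropy. With adversary=pgd this is the
    outer minimisation of the saddle-point problem: each epoch the batch is replaced
    by worst-case inputs found against the current weights."""
    d = len(xs[0])
    w = list(w) if w is not None else [0.0] * d
    for _ in range(epochs):
        batch = [adversary(w, b, x, y, rng) for x, y in zip(xs, ys)] if adversary else xs
        gw, gb = [0.0] * d, 0.0
        for x, y in zip(batch, ys):
            r = sigmoid(logit(w, b, x)) - y
            gb += r
            for i, xi in enumerate(x):
                gw[i] += r * xi
        w = [wi - lr * gi / len(xs) for wi, gi in zip(w, gw)]
        b -= lr * gb / len(xs)
    return w, b

def accuracy(w, b, xs, ys):
    return sum((logit(w, b, x) > 0) == bool(y) for x, y in zip(xs, ys)) / len(ys)

def degraded(baseline_acc, observed_acc, threshold=DROP_THRESHOLD):
    """The trigger as the abstract describes it: accuracy on a labelled hold-out set
    falls more than `threshold` below the clean baseline. It cannot tell an attack
    from any other cause of the drop."""
    return baseline_acc - observed_acc > threshold

def run_pipeline(seed=0):
    rng = random.Random(seed)
    x_train, y_train = make_data(200, rng)
    x_hold, y_hold = make_data(200, rng)           # labelled hold-out = monitoring set
    w, b = train(x_train, y_train, epochs=300)
    clean = accuracy(w, b, x_hold, y_hold)
    attacked = accuracy(w, b, [fgsm(w, b, x, y) for x, y in zip(x_hold, y_hold)], y_hold)
    # Constructed benign drift: every feature reads 0.75 high (a sensor offset). No
    # adversary, yet the same trigger fires on the resulting accuracy drop.
    drifted = accuracy(w, b, [[xi + 0.75 for xi in x] for x in x_hold], y_hold)
    # Trigger fired: PGD adversarial training, warm-started from the deployed weights.
    wr, br = train(x_train, y_train, epochs=120, w=w, b=b, adversary=pgd, rng=rng)
    defended = accuracy(wr, br, [fgsm(wr, br, x, y) for x, y in zip(x_hold, y_hold)], y_hold)
    return {"clean": clean, "attacked": attacked, "drifted": drifted,
            "attack_trigger": degraded(clean, attacked),
            "drift_trigger": degraded(clean, drifted),
            "defended_clean": accuracy(wr, br, x_hold, y_hold),
            "defended_under_fgsm": defended}
```

run_pipeline() returns the measured accuracies and both trigger decisions. In this setup the standard model scores high on clean data, collapses under FGSM, and the adversarially trained model holds most of its accuracy against the same attack; the drifted, unattacked stream fires the trigger exactly as the attack does, which is the ambiguity the load-bearing premise glosses over. Because the gradient sign is constant for a linear model, PGD and FGSM both land on the corner of the L-inf ball here; the random start and multiple steps only start to matter for nonlinear models.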

Figures

Figures reproduced from arXiv: 2605.15249 by Antonios Makris, Ioannis Korontanis, Konstantinos Tserpes, Stavros Bouras.

Figure 1: Initially, the user uploads a trusted dataset
Figure 2: Kubeflow Adversarial Scenario
Text spilled from the paper alongside Figure 2 (Section D, Defense scenario - Adversarial Training): The defense mechanism implemented in this system architecture relies on adversarial training, as presented in [23]. This work frames adversarial training as a saddle point (min-max) optimization problem during which an inner maximization problem identifies perturbations that maximize a loss for a given input and an outer minimization…
Figure 4: Accuracy evolution from clean inputs to adversarial attack and
Figure 5: Accuracy evolution from clean inputs to adversarial attack and
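The saddle-point formulation that the Figure 2 excerpt describes in words, written out here as an added note (the notation is Madry et al.'s [23]; the paper's own symbols are not visible on this page). With model parameters $\theta$, loss $L$, data distribution $D$ and an $\ell_\infty$ budget $\epsilon$:

$$\min_{\theta}\; \mathbb{E}_{(x,y)\sim D}\Big[\max_{\|\delta\|_\infty \le \epsilon} L(\theta, x+\delta, y)\Big]$$

The inner maximum is approximated by projected gradient descent on the input, $x^{t+1} = \Pi_{\{x' : \|x'-x\|_\infty \le \epsilon\}}\big(x^{t} + \alpha\,\mathrm{sign}(\nabla_x L(\theta, x^{t}, y))\big)$, and the FGSM attack applied at inference [17] is the single step $x + \epsilon\,\mathrm{sign}(\nabla_x L(\theta, x, y))$. Running the outer minimization on the inner maximizer's outputs is what the page calls PGD-based adversarial training.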
Original abstract

AI models are increasingly deployed in cloud-native environments to support scalable and automated services. However, while platforms such as Kubernetes provide strong infrastructure orchestration, security mechanisms specifically designed to protect deployed AI models remain limited. This paper presents security measures for AI models deployed in Kubernetes clusters. The proposed architecture integrates Kubeflow-based MLOps to automatically detect adversarial attacks during the inference phase and trigger defense mechanisms that preserve the model's accuracy and reliability. Specifically, a Fast Gradient Sign Method (FGSM) attack is applied at inference time, and a Projected Gradient Descent (PGD)-based adversarial training defense is automatically deployed when a degradation in accuracy is detected. The experimental results indicate that the deployed defense robustifies the model, significantly recovering accuracy relative to the degradation caused by the attack.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The manuscript proposes a Kubeflow-based MLOps architecture on Kubernetes to protect deployed AI models by automatically detecting adversarial attacks (FGSM) during inference through accuracy degradation and triggering a PGD-based adversarial training defense to recover performance. Experimental results are presented as demonstrating significant accuracy recovery after the automated defense deployment.

Significance. If the core detection and triggering mechanism can be shown to operate reliably without ground-truth labels, the work would offer a practical demonstration of automated adversarial defense in cloud-native ML deployments. The focus on MLOps integration for security is timely, though the absence of quantitative details and a viable inference-time proxy limits immediate impact. The approach could be extended to other defenses if the monitoring component is strengthened.

major comments (2)
  1. [Proposed Architecture / Inference Phase] Detection of accuracy degradation (§ on proposed architecture and inference phase): The system triggers PGD defense only upon detected accuracy degradation at inference time. In a live setting, incoming requests have no ground-truth labels, so accuracy cannot be computed directly. The manuscript describes no proxy metric, uncertainty estimate, monitoring hold-out set, or statistical test, and does not show how any such signal would distinguish FGSM attacks from distribution shift, label noise, or infrastructure issues. This assumption is load-bearing for the claimed automatic recovery.
  2. [Experimental Evaluation] Experimental results (abstract and § on evaluation): The claim that the deployed defense is 'significantly recovering accuracy' is unsupported by any reported numbers, model/dataset details, attack parameters (e.g., FGSM epsilon), baseline comparisons, or statistical significance tests. Without these, it is impossible to assess whether the positive outcome holds or is reproducible.
minor comments (2)
  1. [Abstract and Methods] Clarify the exact conditions under which accuracy degradation is monitored and the threshold used; the current description is too high-level for replication.
  2. [Throughout] Ensure consistent terminology between FGSM attack and PGD defense across sections; minor notation inconsistencies appear in the abstract versus later descriptions.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive and detailed comments on our manuscript. We address each major comment point by point below, acknowledging where the observations are accurate and outlining the specific revisions we will make to improve the work.

Point-by-point responses
  1. Referee: [Proposed Architecture / Inference Phase] Detection of accuracy degradation (§ on proposed architecture and inference phase): The system triggers PGD defense only upon detected accuracy degradation at inference time. In a live setting, incoming requests have no ground-truth labels, so accuracy cannot be computed directly. The manuscript describes no proxy metric, uncertainty estimate, monitoring hold-out set, or statistical test, and does not show how any such signal would distinguish FGSM attacks from distribution shift, label noise, or infrastructure issues. This assumption is load-bearing for the claimed automatic recovery.

    Authors: We agree that the current description of the detection mechanism is insufficient for a live deployment scenario without ground-truth labels. The manuscript assumes degradation monitoring but does not specify the implementation. In the revised version we will add an explicit description of a monitoring component that uses a small labeled hold-out set for periodic accuracy evaluation together with output-distribution statistics and prediction-entropy thresholds. We will also include a brief discussion of the difficulty of separating adversarial effects from other distribution shifts and note this as a limitation to be addressed in future work. revision: yes

  2. Referee: [Experimental Evaluation] Experimental results (abstract and § on evaluation): The claim that the deployed defense 'significantly recovering accuracy' is unsupported by any reported numbers, model/dataset details, attack parameters (e.g., FGSM epsilon), baseline comparisons, or statistical significance tests. Without these, it is impossible to assess whether the positive outcome holds or is reproducible.

    Authors: The referee is correct that the present manuscript provides only a qualitative statement of accuracy recovery without supporting quantitative data. We will expand the experimental evaluation section to report concrete figures: model architectures and datasets employed, FGSM epsilon values, accuracy before attack, after attack, and after automated PGD defense, baseline comparisons, and basic statistical significance indicators. These additions will be included in the revised manuscript to enable reproducibility and proper assessment of the results. revision: yes

Circularity Check

0 steps flagged

No circularity: empirical MLOps demonstration without derivation chain

full rationale

The paper describes a Kubeflow-based system that applies FGSM attacks and triggers PGD defense upon detected accuracy degradation. No mathematical derivation, fitted parameters renamed as predictions, or self-citation load-bearing steps are present. The work is an empirical architecture and experiment report; its claims rest on reported test outcomes rather than any reduction of outputs to inputs by construction. The detection assumption may be practically limited (no labels at inference), but that is a correctness or feasibility issue, not circularity.

Axiom & Free-Parameter Ledger

1 free parameter · 1 axiom · 0 invented entities

With only the abstract available, the ledger is based on inferred elements from the described approach. No new entities are introduced. The work relies on standard domain assumptions in ML security.

free parameters (1)
  • accuracy degradation threshold
    Likely a parameter to decide when to trigger defense, though not specified in abstract.
axioms (1)
  • domain assumption: Adversarial attacks cause measurable degradation in model accuracy
    Assumed in the detection mechanism described in the abstract.

pith-pipeline@v0.9.0 · 5668 in / 1312 out tokens · 78598 ms · 2026-05-19T16:25:18.428881+00:00


Reference graph

Works this paper leans on

27 extracted references

[1] S. Stanišić, M. Vesković, O. Ristić, and B. Đorđević, “Security aspects of container orchestration in kubernetes environments,” in 2025 24th International Symposium INFOTEH-JAHORINA (INFOTEH), 2025, pp. 1–5.

[2] S. Kampa, “Navigating the landscape of kubernetes security threats and challenges,” Journal of Knowledge Learning and Science Technology, ISSN 2959-6386 (online), vol. 3, no. 4, pp. 274–281, Oct. 2024. [Online]. Available: https://jklst.org/index.php/home/article/view/266

[3] A. Makris, A. Fournaris, A. Aghaie, I. Arakas, A. M. Anaxagorou, I. Arapakis, D. Bacciu, B. Biggio, G. Bouloukakis, S. Bouras et al., “Coevolution: A comprehensive trustworthy framework for connected machine learning and secure interconnected ai solutions,” in 2025 IEEE International Conference on Cyber Security and Resilience (CSR). IEEE, 2025, pp. 838–845.

[4] B. Gajbhiye and P. K. G. Pandian, “Managing vulnerabilities in containerized and kubernetes environments,” SSRN, 2024. [Online]. Available: https://ssrn.com/abstract=4982847

[5] E. Rodriguez, K. Tanaka, and M. A. Sterling, “Continuous trust and resilience in kubernetes: Ai-driven certificate governance combined with cis-aligned node security.”

[6] A. Thorne, L. Chen, and M. Vance, “Towards self-securing kubernetes infrastructure: Integrating cis compliance, ai-driven secrets management, and ml-based recovery.”

[7] A. Vance, M. Thorne, and L. Petrov, “A unified ai-driven security and resilience framework for kubernetes: Cis compliance, certificate governance, and autonomous healing.”

[8] G. Budigiri, C. Baumann, E. Truyen, and W. Joosen, “Elastic cross-layer orchestration of network policies in the kubernetes stack,” IEEE Transactions on Network and Service Management, vol. 22, no. 2, pp. 2031–2058, 2025.

[9] A. Aly, A. M. Hamad, M. Al-Qutt, and M. Fayez, “Real-time multi-class threat detection and adaptive deception in kubernetes environments,” Scientific Reports, vol. 15, no. 1, p. 8924, 2025.

[10] A. Ahmed, A. Hamad, M. Fayez, and M. Al-Qutt, “Kubedeceive: Unveiling deceptive approaches to protect kubernetes clusters,” International Journal of Computers and Their Applications, vol. 31, pp. 233–243, Dec. 2024.

[11] G. Dell'Immagine, J. Soldani, and A. Brogi, “Kubehound: Detecting microservices security smells in kubernetes deployments,” Future Internet, vol. 15, no. 7, 2023. [Online]. Available: https://www.mdpi.com/1999-5903/15/7/228

[12] L. Huang, A. D. Joseph, B. Nelson, B. I. Rubinstein, and J. D. Tygar, “Adversarial machine learning,” in Proceedings of the 4th ACM Workshop on Security and Artificial Intelligence, 2011, pp. 43–58.

[13] S. Zhou, C. Liu, D. Ye, T. Zhu, W. Zhou, and P. S. Yu, “Adversarial attacks and defenses in deep learning: From a perspective of cybersecurity,” ACM Computing Surveys, vol. 55, no. 8, pp. 1–39, 2022.

[14] B. Biggio, B. Nelson, and P. Laskov, “Poisoning attacks against support vector machines,” arXiv preprint arXiv:1206.6389, 2012.

[15] M. Jagielski, A. Oprea, B. Biggio, C. Liu, C. Nita-Rotaru, and B. Li, “Manipulating machine learning: Poisoning attacks and countermeasures for regression learning,” arXiv preprint arXiv:1804.00308, 2018.

[16] C. Szegedy, W. Zaremba, I. Sutskever, J. Bruna, D. Erhan, I. Goodfellow, and R. Fergus, “Intriguing properties of neural networks,” arXiv preprint arXiv:1312.6199, 2013.

[17] I. J. Goodfellow, J. Shlens, and C. Szegedy, “Explaining and harnessing adversarial examples,” arXiv preprint arXiv:1412.6572, 2014.

[18] M. Fredrikson, E. Lantz, S. Jha, S. Lin, D. Page, and T. Ristenpart, “Privacy in pharmacogenetics: An end-to-end case study of personalized warfarin dosing,” in 23rd USENIX Security Symposium (USENIX Security 14), 2014, pp. 17–32.

[19] F. Tramèr, F. Zhang, A. Juels, M. K. Reiter, and T. Ristenpart, “Stealing machine learning models via prediction APIs,” in 25th USENIX Security Symposium (USENIX Security 16), 2016, pp. 601–618.

[20] B. Wang and N. Z. Gong, “Stealing hyperparameters in machine learning,” in 2018 IEEE Symposium on Security and Privacy (SP). IEEE, 2018, pp. 36–52.

[21] R. Shokri, M. Stronati, C. Song, and V. Shmatikov, “Membership inference attacks against machine learning models,” in 2017 IEEE Symposium on Security and Privacy (SP). IEEE, 2017, pp. 3–18.

[22] C. Zhang, L. Zhou, X. Xu, J. Wu, and Z. Liu, “Adversarial attacks of vision tasks in the past 10 years: A survey,” ACM Computing Surveys, vol. 58, no. 2, pp. 1–42, 2025.

[23] A. Madry, A. Makelov, L. Schmidt, D. Tsipras, and A. Vladu, “Towards deep learning models resistant to adversarial attacks,” arXiv preprint arXiv:1706.06083, 2017.

[24] P. Samangouei, M. Kabkab, and R. Chellappa, “Defense-GAN: Protecting classifiers against adversarial attacks using generative models,” arXiv preprint arXiv:1805.06605, 2018.

[25] W. Nie, B. Guo, Y. Huang, C. Xiao, A. Vahdat, and A. Anandkumar, “Diffusion models for adversarial purification,” arXiv preprint arXiv:2205.07460, 2022.

[26] I. Korontanis, A. Zacharia, A. Makris, M. Pateraki, and K. Tserpes, “Streamlining ml training in kubernetes: An mlops architecture with kubeflow,” in Proceedings of the 15th International Conference on the Internet of Things (IoT ’25). New York, NY, USA: Association for Computing Machinery, 2025, pp. 267–270. [Online]. Available: https://doi.org/10.11...

[27] Z. Li, F. Liu, W. Yang, S. Peng, and J. Zhou, “A survey of convolutional neural networks: analysis, applications, and prospects,” IEEE Transactions on Neural Networks and Learning Systems, vol. 33, no. 12, pp. 6999–7019, 2021.