To address the degradation of robustness and catastrophic forgetting of historical knowledge in vision classifiers under dynamically evolving adversarial attacks, this paper proposes the Continual Adversarial Defense (CAD) framework. CAD is the first to unify continual learning, few-shot learning, and ensemble learning, enabling lightweight online model updates and an elastic architecture for rapid, few-sample adaptation to novel attacks. It strictly adheres to four design principles: continual adaptability without catastrophic forgetting, low sample dependency, memory efficiency, and high accuracy on both clean and adversarial examples. Evaluated on a multi-stage benchmark of modern adversarial attacks, CAD significantly outperforms all baselines under extremely low computational budgets and failure costs. Crucially, it preserves strong robustness against previously encountered attacks while achieving state-of-the-art generalized robustness against unseen ones.

In response to the rapidly evolving nature of adversarial attacks against visual classifiers on a monthly basis, numerous defenses have been proposed to generalize against as many known attacks as possible. However, designing a defense method that generalizes to all types of attacks is not realistic because the environment in which defense systems operate is dynamic and comprises various unique attacks that emerge as time goes on. A well-matched approach to the dynamic environment lies in a defense system that continuously collects adversarial data online to quickly improve itself. Therefore, we put forward a practical defense deployment against a challenging threat model and propose, for the first time, the Continual Adversarial Defense (CAD) framework that adapts to attack sequences under four principles: (1)~continual adaptation to new attacks without catastrophic forgetting, (2)~few-shot adaptation, (3)~memory-efficient adaptation, and (4)~high accuracy on both clean and adversarial data. We explore and integrate cutting-edge continual learning, few-shot learning, and ensemble learning techniques to qualify the principles. Extensive experiments validate the effectiveness of our approach against multiple stages of modern adversarial attacks and demonstrate significant improvements over numerous baseline methods. In particular, CAD is capable of quickly adapting with minimal budget and a low cost of defense failure while maintaining good performance against previous attacks. Our research sheds light on a brand-new paradigm for continual defense adaptation against dynamic and evolving attacks.