🤖 AI Summary
This work addresses the vulnerability of neural operators to adversarial perturbations in physics simulations, a critical threat to the reliability of safety-critical digital twin systems. The authors propose a synergistic defense with two components. The first is an active learning loop that uses differential evolution attacks to probe model weaknesses and generate targeted training data at the discovered vulnerability locations, with an adaptive smooth-ratio safeguard that preserves baseline accuracy. The second is a learnable input denoising bottleneck that filters adversarial noise while retaining physics-relevant features. Evaluated on the viscous Burgers' equation benchmark, the combined method achieves a combined error of 2.04%, an 87% reduction compared to standard training, and outperforms either strategy used alone.
📝 Abstract
Neural operators have emerged as fast surrogate models for physics simulations, yet they remain acutely vulnerable to adversarial perturbations, a critical liability for safety-critical digital twin deployments. We present a synergistic defense that combines active learning-based data generation with an input denoising architecture. The active learning component adaptively probes model weaknesses using differential evolution attacks, then generates targeted training data at discovered vulnerability locations while an adaptive smooth-ratio safeguard preserves baseline accuracy. The input denoising component augments the operator architecture with a learnable bottleneck that filters adversarial noise while retaining physics-relevant features. On the viscous Burgers' equation benchmark, the combined approach achieves a 2.04% combined error (1.21% baseline + 0.83% robustness), representing an 87% reduction relative to standard training (15.42% combined) and outperforming both active learning alone (3.42%) and input denoising alone (5.22%). More broadly, our results, combined with cross-architecture vulnerability analysis from prior work, suggest that optimal training data for neural operators is architecture-dependent: because different architectures concentrate sensitivity in distinct input subspaces, uniform sampling cannot adequately cover the vulnerability landscape of all models. These findings have potential implications for the deployment of neural operators in safety-critical energy systems including nuclear reactor monitoring.