Learning from the Good Ones: Risk Profiling-Based Defenses Against Evasion Attacks on DNNs

📅 2025-05-10
🤖 AI Summary
To address the vulnerability of deep neural networks (DNNs) to adversarial evasion attacks in safety-critical applications, this paper proposes a risk-profiling–based framework for enhancing static defenses. The method models sample-level adversarial fragility to construct patient- or data-specific risk profiles, identifies low-fragility “high-quality” samples, and employs risk-aware selective supervised training to optimize static anomaly detectors—e.g., One-Class SVM. Crucially, it integrates fragility assessment directly into the defense training strategy, bridging the longstanding trade-off between the poor adaptability of static defenses and the high computational overhead of dynamic ones. Evaluated on a real-world blood glucose management system, the approach improves adversarial sample detection recall by 27.5%, substantially reduces false negatives, and preserves classification accuracy—effectively mitigating life-threatening missed detections.

📝 Abstract
Safety-critical applications such as healthcare and autonomous vehicles use deep neural networks (DNNs) to make predictions and infer decisions. DNNs are susceptible to evasion attacks, where an adversary crafts a malicious data instance to trick the DNN into making wrong decisions at inference time. Existing defenses that protect DNNs against evasion attacks are either static or dynamic. Static defenses are computationally efficient but do not adapt to the evolving threat landscape, while dynamic defenses are adaptable but suffer from an increased computational overhead. To combine the best of both worlds, in this paper, we propose a novel risk profiling framework that uses a risk-aware strategy to selectively train static defenses using victim instances that exhibit the most resilient features and are hence more resilient against an evasion attack. We hypothesize that training existing defenses on instances that are less vulnerable to the attack enhances the adversarial detection rate by reducing false negatives. We evaluate the efficacy of our risk-aware selective training strategy on a blood glucose management system, which demonstrates how training static anomaly detectors indiscriminately may result in an increased false negative rate that could be life-threatening in safety-critical applications. Our experiments show that selective training on the less vulnerable patients achieves a recall increase of up to 27.5% with minimal impact on precision compared to indiscriminate training.
Problem

Research questions and friction points this paper is trying to address.

Defending DNNs against evolving evasion attacks efficiently
Reducing false negatives in adversarial detection for safety-critical applications
Improving recall in static defenses via risk-aware selective training
Innovation

Methods, ideas, or system contributions that make the work stand out.

Risk profiling framework for DNN defense
Selective training on resilient instances
Enhanced recall with minimal precision loss
Authors

Mohammed Elnawawy, Department of Electrical and Computer Engineering, University of British Columbia, Vancouver, Canada
Gargi Mitra, Department of Electrical and Computer Engineering, University of British Columbia, Vancouver, Canada
Shahrear Iqbal, Research Officer, National Research Council (NRC) Canada; Security and Privacy
Karthik Pattabiraman, Professor, Electrical and Computer Engineering, University of British Columbia; Dependability, Dependable Computing, Dependable Systems, Fault Injection, Cyber-Physical Systems Security