Himanshu Singh

B611, R and D Block

IIIT Delhi

Okhla Phase 3, Delhi 110020

I am a Ph.D. candidate in Machine Learning at IIIT Delhi where I am part of the Visual Conception Group under the supervision of Dr. AV Subramanyam. My research focuses on robustness, security, and alignment of modern machine learning systems. I study the vulnerabilities of deep neural networks to adversarial attacks and design principled defenses grounded in representation learning, geometry, and optimization.

My work spans adversarial training, projection-based feature regularization, diffusion-based purification methods, and systematic robustness evaluation under white-box and gray-box threat models. I am particularly interested in understanding how representation geometry influences adversarial vulnerability and generalization.

I recently completed a Visiting Scholar position at the NUS Artificial Intelligence Institute, where I worked on foundational model alignment and LLM/VLM security, including neuron-level interventions, value steering, and probing alignment under adversarial prompts.

Prior to academia, I worked as a Research Scientist at Animaker, contributing to the development of the text-to-video system Steve AI. This experience strengthened my interest in building AI systems that bridge theoretical insight with real-world deployment.

I am broadly interested in trustworthy and controllable AI. I welcome collaborations and discussions at the intersection of robustness, alignment, and security.

selected publications

Nearest Neighbor Projection Removal Adversarial Training

Himanshu Singh, A V Subramanyam, Shivank Rajput, and Mohan Kankanhalli

IEEE Transactions on Artificial Intelligence, Apr 2026

Abs IEEE arXiv Code

Deep neural networks have exhibited impressive performance in image classification tasks but remain vulnerable to adversarial examples. Standard adversarial training enhances robustness but typically fails to explicitly address inter-class feature overlap, a significant contributor to adversarial susceptibility. In this work, we introduce a novel adversarial training framework that actively mitigates inter-class proximity by projecting out inter-class dependencies from adversarial and clean samples in the feature space. Specifically, our approach first identifies the nearest inter-class neighbors for each adversarial sample and subsequently removes projections onto these neighbors to enforce stronger feature separability. Theoretically, we demonstrate that our proposed logits correction reduces the Lipschitz constant of neural networks, thereby lowering the Rademacher complexity, which directly contributes to improved generalization and robustness. Extensive experiments across standard benchmarks including CIFAR-10, CIFAR-100, and SVHN show that our method demonstrates strong performance that is competitive with leading adversarial training techniques, highlighting significant achievements in both robust and clean accuracy. Our findings reveal the importance of addressing inter-class feature proximity explicitly to bolster adversarial robustness in DNNs.
Language Guided Adversarial Purification

Himanshu Singh, and A V Subramanyam

In ICASSP 2024 - 2024 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP), Apr 2024

Abs IEEE arXiv Code

Adversarial purification using generative models demonstrates strong adversarial defense performance. These methods are classifier and attack-agnostic, making them versatile but often computationally intensive. Recent strides in diffusion and score networks have improved image generation and, by extension, adversarial purification. Another highly efficient class of adversarial defense methods known as adversarial training requires specific knowledge of attack vectors, forcing them to be trained extensively on adversarial examples. To overcome these limitations, we introduce a new framework, namely Language Guided Adversarial Purification (LGAP), utilizing pre-trained diffusion models and caption generators to defend against adversarial attacks. Given an input image, our method first generates a caption, which is then used to guide the adversarial purification process through a diffusion network. Our approach has been evaluated against strong adversarial attacks, proving its effectiveness in enhancing adversarial robustness. Our results indicate that LGAP outperforms most existing adversarial defense techniques without requiring specialized network training. This underscores the generalizability of models trained on large datasets, highlighting a promising direction for further research.