Dynamic Siamese Expansion Framework for Improving Robustness in Online Continual Learning

Q1: I would like the authors to clarify their mathematical notations pointed out in the major weakness section.

A1: We sincerely acknowledge that some mathematical notations in the initial version lacked consistency or precise definition. Below is a point-by-point clarification and resolution for each issue:

(a) $C^s$ and $C^T$:

• $C^s$ (Line 137) refers to a subset of the overall class space $C$, used in constructing subtasks.
• $s$ here indicates “split” and is not related to the static backbone parameters later in the paper. We agree that using overlapping symbols was confusing. In the revision, we will **rename $C^s$ to $C_{split}$ ** and reserve $s$ exclusively for “static”.
• $C^T$ in Line 151 refers to *the set of classes for current task $T$, i.e., $C^T_i$ = classes seen at task $i$.

(b) "Adjacent classes" in Line 140: This was imprecisely worded. We intended to state that semantically related classes are grouped into tasks to simulate realistic continual learning (e.g., "dog, cat" vs. "car, truck"). We will clarify that we use Split CIFAR / CUB / TinyImageNet protocols where task granularity can be coarse- or fine-grained. The term “adjacent” will be removed or defined explicitly in terms of class similarity.

(c) Use of $C^s_i$ and $T_i$: Indeed, defining both $C^s_i$ and $T_i$ is redundant. We will simplify the notation by dropping $C^s_i$ and only using $T_i$ to represent both the task and its associated class set.

(d) Equation (1): $|C^S_c|$ capitalization: You are correct. The uppercase S is a typographic inconsistency. It should be $|C^s_c|$ to denote the number of classes in the current subtask. All such superscripts will be harmonized and clearly declared before Eq. (1).

(e) The index $j$ in Eq (1): We regret the confusion. The $j$ in the summation refers to the index over current mini-batch samples, not tasks. We will revise the notation to:

$$\underset{\theta}{\operatorname{min}} \sum_{(x_j, y_j) \in B_t} \mathcal{L}(f(x_j), y_j)$$

and define all variables explicitly before and after Eq. (1).

(f) $X^a$ (Line 173), $Z^d$ (Line 174):

• $X^a$: Refers to adversarial inputs generated from current task data via FGSM or PGD.
• $Z^d$: Represents features extracted from the dynamic backbone.
• These superscripts will be introduced systematically in Section 3.2:
  • $a$ → adversarial
  • $d$ → dynamic
  • $s$ → static
  • $f$ → fused We will add a notation table at the end of Section 2 for clarity.

(g) Concat notation in Eq (2): We used the ⊕ operator, which in some contexts implies convolution. To avoid ambiguity, we will replace it with $||$ (double-bar), which is more standard for feature concatenation in deep learning literature.

(h) $ε_j$ in Eq (3): $ε_j$ denotes the adversarial perturbation applied to input $x_j$. It is defined later (Line 213) but should be introduced earlier in Section 3.2, where adversarial examples are first computed:

$$x_j^{'} = x_j + {\epsilon}_j = x_j + \alpha \cdot \text{sign} (\nabla_x{\mathcal{L}})$$

(i) ${y'_1, ..., y'_M}$ vs. $y'$: You are correct. The definition introduces a batch of pseudo labels but the notation later shifts to a unified vector $y'$. We will unify the usage to always refer to either the full set or per-sample predictions, and define the vectorization convention.

(j) Eq (4) uses mixed notation: We will revise Equation (4) to use consistent mathematical function notation and drop index notation, replacing:

$$f_i[x_j] \to f_i (x_j)$$

(k) Eq (5) vs. (6) – why min appears in one but not the other:

• Equation (5) defines intermediate features or predictions, not an optimization step.
• Equation (6) defines the objective function, hence the min appears there. We will clarify this by labeling Eq (5) as "intermediate feature fusion" and Eq (6) as "training loss objective" with distinct notation to avoid confusion.

(l) k in Eq (11) and Line 236: This refers to the kernel where in Line 233 mentions positive definite kernel.

All above inconsistencies will be systematically corrected in the revised manuscript with added notation table and inline references.

---

Q2: Please justify the interpretation of Eq (8) terms as probability density functions.

A2: In Equation (8), we compute the Maximum Mean Discrepancy (MMD) between historical and current feature distributions:

$$\text{MMD} (Z^i, \hat{Z}^i) = \| \mathbb{E} [\phi(Z^i)] - \mathbb{E}[\phi(\hat{Z}^i)] \|^2$$

This formulation does not explicitly require Z^i to be a probability density function (pdf). Instead, MMD is a kernel-based two-sample test that estimates divergence between two empirical distributions (e.g., mini-batch feature sets). The interpretation as pdfs stems from:

• The fact that the kernel embedding (in RKHS) acts as an implicit probability distribution representation, even if feature samples are not normalized.
• The choice of RBF kernel makes MMD sensitive to both mean and higher-order moment differences.

In practice:

• $Z^i$ = features from expert $E_i$ for clean inputs
• $\hat{Z}^i$ = same expert features for adversarial inputs

Hence, the MMD term captures how much adversarial inputs distort the expert’s representation space. This is critical in continual learning because such distortions often lead to forgetting or negative transfer.

We will revise the paper to clarify that:

• We do not assume $Z^i$ to be a pdf, but rather use MMD as a distributional proxy.
• The kernel embeddings act as surrogate density estimates without requiring explicit normalization or parametric density assumptions.

---

Q3: What do the authors mean by "robustness" in the title? Isn’t this only adversarial defense?

A3: We appreciate this question and fully understand the confusion stemming from title-language misalignment. In this work, robustness refers specifically to the model’s ability to retain accurate predictions under adversarial perturbations, throughout multiple sequential tasks in an online continual learning (OCL) setting.

However, we recognize two valid concerns:

1. The title uses “robustness” in a general sense, which may imply distributional shift, label noise, or hardware fault tolerance—none of which we target.
2. Our actual contribution is closer to adversarial robustness under continual learning.

To clarify:

• We will revise the title to: “Dynamic Siamese Expansion for Adversarially Robust Online Continual Learning”, which better reflects the precise focus.

• In Section 1 (Introduction), we define robustness as:

  “resistance to targeted adversarial perturbations during task acquisition and replay-free continual adaptation.”

We further distinguish three types of robustness:

• Instance-level: Single input perturbations (e.g., FGSM, PGD)
• Task-level: Learning new tasks without corrupting old task decision boundaries
• Model-level: Generalization against unforeseen shifts

Our work addresses the intersection of all three, which prior works have treated separately. For example, DER++ handles forgetting but is vulnerable to attacks; adversarial training methods defend a single task but forget old ones.

---

Q4: Please comment on the contribution of each component to final performance.

A4: To empirically isolate the impact of each component, we performed a comprehensive ablation study on Split CIFAR-10 and TinyImageNet, covering:

• DSEF core = Siamese Backbone + Expert Expansion
• RDRO = Robust Dynamic Representation Optimization (MMD + MSE)
• MBRFF = Mutual Information-guided expert fusion

Table D: Component-wise contribution analysis (CIFAR-10, AutoAttack Acc %)

Key findings:

• RDRO boosts robustness by aligning clean/adv features across tasks.
• MBRFF improves knowledge retention by soft-reusing relevant past experts.
• The Siamese structure enhances plasticity and representation richness.

Q1: What is the relation between continual learning and adversarial defense? Why does continual learning need adversarial robustness? How do attacks affect forgetting or other CL issues?

A1: This is a critical question that touches on the motivation of our work. Continual Learning (CL) and Adversarial Defense are traditionally viewed as separate subfields. However, we argue that in real-world deployments, particularly in safety-critical or dynamic environments (e.g., autonomous driving), CL models must be robust against adversarial threats while also preserving prior knowledge.

The connection arises from the fact that adversarial perturbations can mimic task shifts, thus amplifying the stability-plasticity dilemma. Specifically:

• Catastrophic forgetting worsens under adversarial attack. When a model is trained adversarially on a new task, gradients become sharp and task-specific, often overwriting generalizable representations. This leads to more severe forgetting compared to clean training. Our results confirm this in Table A below.
• Standard adversarial training focuses on single-task robustness, but in CL, robustness must be retained across all previously seen tasks, not just the current one. This leads to cross-task robustness conflict.
• Attacks expose vulnerabilities in memory mechanisms: replay-based methods suffer from overfitting to adversarial samples; regularization-based CL is unstable due to conflicting gradients.

To empirically demonstrate this connection, we compare three scenarios:

Table A: Adversarial attacks exacerbate forgetting in continual learning (Split CIFAR-10)

These results highlight that adversarial perturbations not only degrade accuracy but also destroy previously acquired knowledge, making robustness a first-class citizen in continual learning. Hence, our proposed OCAD (Online Continual Adversarial Defense) framework fills this urgent need.

We will extend Section 1 and Section 3.1 to explicitly emphasize these interactions, supported by Figure A.1 (to be added) showing how task-conditional robustness degrades without protection.

---

Q2: The pipeline of OCAD is unclear. How is it different from traditional adversarial training? What makes it continual?

A2: The OCAD pipeline is indeed distinct from both traditional adversarial training and classical continual learning. It unifies the constraints of single-pass data exposure (online) with task-agnostic distribution shift and adversarially crafted examples.

Here is the core difference:

In our OCAD framework:

• During each task, a new expert is dynamically created and adversarially trained using FGSM, PGD, or AutoAttack.
• Past experts are frozen, and their features are fused via mutual information weighting to guide the new expert.
• RDRO regularizes both clean and adversarial representations across experts, aligning them via MMD and MSE losses.
• No buffer is maintained, complying with the online constraint.

Figure 1 illustrates this pipeline; however, we acknowledge it needs clearer narration. In the revision, we will insert a step-by-step training pseudocode (Algorithm 1) directly in the main text and expand its role relative to traditional adversarial training in a new subsection “Differences from conventional adversarial training”.

---

Q3: The ablation study is insufficient. How do the two proposed modules (RDRO, MBRFF) influence robustness?

A3: In Appendix-D.3, we provided a brief ablation (Fig. 1c), but we now extend this into a comprehensive component-wise analysis, shown below:

Table B: Effect of RDRO and MBRFF under different attack settings (Split CIFAR-10)

Insights:

• RDRO directly controls cross-task prediction/feature drift under attack, leading to significant AutoAttack gain over baseline.
• MBRFF enables adaptive knowledge reuse by weighting stable experts—especially effective under stronger attacks.
• Removing both modules severely weakens generalization and forgetting resistance.

We also report robustness gains over baselines like DER++(Adv):

This shows that DSEF is not simply a fusion of components but achieves emergent robustness through RDRO–MBRFF synergy.

---

Q4: Lack of analysis on stability and plasticity. The paper claims to address them but focuses mainly on robustness.

A4: We agree that more explicit analysis of the stability-plasticity trade-off is necessary. While robustness is our central concern, DSEF is carefully designed to balance long-term memory retention (stability) with task-specific adaptation (plasticity).

We now present the following metrics and evidence:

1. Average Accuracy (AA): Measures overall plasticity
2. Forgetting (F): Measures retention of past tasks
3. Backward Transfer (BWT): Measures whether new learning harms previous tasks
4. Plasticity Index (PI): We define this as early-task learning gain over a static baseline

Table C: Stability vs. Plasticity Metrics (Split CIFAR-100)

Interpretation:

• RDRO improves stability via inter-expert alignment.
• MBRFF improves plasticity via weighted feature fusion.
• The full system achieves positive backward transfer, suggesting old experts benefit from new learning.

---

Q5: What are the key differences between adversarial robustness in traditional DL vs. in OCL? Why is defense harder in OCL?

A5: This is an important theoretical distinction. Traditional adversarial defense assumes static data and full distributional access. However, OCL imposes three key challenges that significantly alter the defense landscape:

1. Non-revisitable data: In OCL, data points are seen once. This rules out typical multi-epoch adversarial training or iterative PGD refinement. Our RDRO addresses this by combining first-order FGSM perturbations with static-dynamic alignment, making single-pass robustness feasible.
2. Task drift + adversarial shift: In traditional settings, models defend against static perturbations (e.g., fixed FGSM). In OCL, task distributions themselves shift, meaning that perturbations must be crafted per task expert (see Q2), and their cumulative effect creates gradient interference across tasks.
3. Forgetting under attack: Classical adversarial defense is agnostic to task history. In OCL, adversarial training for task $T_j$ often destroys robustness on $T_{j-1}$ due to catastrophic forgetting. Our RDRO (prediction + representation matching) explicitly preserves robustness history, as shown in ablation Table B.
4. Modular robustness is required: In traditional defense, a single robust model suffices. In OCL, we must maintain robust experts for each task, and combine them efficiently at inference time. Our MBRFF addresses this by measuring expert relevance and selectively fusing their features, instead of naïve ensembling or max-pooling.

Q1: Could you clarify why the "online" distinction is important in your framework?

A1: The “online” setting plays a crucial role in both the problem formulation and method design. Specifically, we define Online Continual Adversarial Defense (OCAD) as a setting where each training sample is seen only once, and tasks arrive sequentially without task boundary annotations, consistent with modern realistic CL definitions such as in [12,13]. This is distinct from offline or task-incremental CL settings, where models can revisit data or assume full task labels.

Our DSEF framework is tailored for online settings in three key ways:

1. Expert modularity: Each expert is trained in isolation from raw task labels. The shared backbone extracts generic representations, while dynamic experts accumulate task-specialized knowledge. This decoupling is essential for non-revisitable data streams.
2. No rehearsal: Unlike rehearsal-based baselines (e.g., DER++), we do not rely on stored past samples, making our method suitable for privacy-sensitive or streaming scenarios where buffer storage is not feasible.
3. Robustness constraint: In online CL, adversarial examples may differ in each forward pass. Our RDRO formulation addresses this by explicitly aligning the prediction and representation distributions between clean and adversarial samples using statistical divergences (MSE, MMD), which is harder to achieve in online learning compared to offline replay-driven regularization.

Empirically, this distinction is critical. As shown in Table 2 and Appendix-D, DSEF maintains strong average performance on CIFAR-100 and TinyImageNet, without any access to past samples, even under 7 types of adversarial attacks. Replay-based offline methods degrade much faster in the same setting, as illustrated by the forgetting curves (Appendix-D.1, Fig. 1a).

---

Q2: How is the RDRO loss sensitive to the expert creating the attack?

A2: RDRO is carefully designed to mitigate expert-specific attack biases while preserving robustness during continual adaptation. This involves two key elements:

1. Expert-conditioned perturbation: During task $T_j$, we generate adversarial samples $x^{'}$ using the current expert $E_j$ (line 212 of Eq. 6). This ensures that the learned adversarial directions reflect the vulnerabilities of the most recent expert’s decision boundary, which aligns with how robustness should be preserved per task.

2. Cross-expert consistency: While perturbations are crafted from $E_j$, RDRO regularizes all **previous experts $E_i$ (i < j) ** by minimizing both:

   • Prediction drift $MSE(E_i^{old}(x),E_i^{new}(x))$
   • Feature drift via $MMD(Z_i,\hat{Z}_i)$

   These are calculated using both clean and adversarial inputs. In practice, this ensures that updating $E_j$ to defend against current attacks does not cause feature/prediction collapse in prior experts due to unexpected shifts in the backbone.

We validate this design via a new sensitivity analysis (added in Appendix-D.6). We compare RDRO trained with:

• Attack from current expert (Eₖ) — our method
• Attack from fixed global expert
• No adversarial training

Results (Split CIFAR-100, AutoAttack):

This supports that expert-conditioned attacks ensure robustness gain without destabilizing prior knowledge.

Q3: What do you mean for over-regularization? (L253–254)

A3: By "over-regularization", we refer to a phenomenon common in continual learning under strong regularizers, where a model becomes too constrained to adapt to new tasks, sacrificing plasticity. Specifically in DSEF:

• The static backbone $F_{\theta_s}$ is frozen during task $T_j$, acting as a reference for consistency in RDRO.
• The dynamic backbone $F_{\theta_d}$ is updated under dual constraints:
  1. Cross-expert prediction alignment (Eq. 6)
  2. Cross-expert representation alignment via MMD (Eq. 14)

Although this preserves stability, it may suppress the dynamic branch's flexibility to absorb new semantics, especially under distributional shift or adversarial perturbation. To alleviate this, we introduce a controlled knowledge transfer mechanism from ${\theta}_d \rightarrow {\theta}_s$ at each task boundary (line 255). This mechanism:

• Soft-updates selected layers of the static backbone using exponential moving average (EMA) from the trained dynamic counterpart:

$$\theta_s^{(t+1)} \leftarrow \lambda \cdot \theta_s^{(t)} + (1 - \lambda) \cdot \theta_{d}^{(t)}$$

where ${\theta}∈[0.9,0.99]$

• This acts as “semantic osmosis”, allowing slowly acquired robustness features from dynamic learning to permeate the static branch.

We conduct an ablation study showing performance vs. ${\lambda}$:

This confirms that carefully tuning $λ$ alleviates over-regularization and enables continual adaptation.

---

Q4: Why do you say that one of the backbones is static when they perform knowledge transfer? How do you perform this transfer and when?

A4: This is a subtle but important design point. In DSEF, the static backbone is functionally “frozen” during task learning, i.e., it is not updated via gradient descent when learning a new task $T_j$​. Its role is to:

• Provide a global semantic anchor for consistency (used in Eq. 5 and 14).
• Prevent feature drift from early tasks.

However, to prevent it from becoming obsolete, we allow gradual weight transfer at task boundaries, i.e., after training $T_j$ completes, we apply:

• EMA update from dynamic to static backbone:

$$\theta_s^{j+1} = \lambda \cdot \theta_s^j + (1 - \lambda) \cdot \theta_d^j$$

where ${\theta}_d^j$ is the dynamic backbone after learning task $j$.

This post-task transfer enables the static backbone to accumulate robust semantic priors across tasks, without interfering with online gradient optimization. It’s analogous to momentum-based weight accumulation in online self-supervised learning (e.g., MoCo, BYOL).

We emphasize:

• During training: ${\theta}_s$ is frozen.
• Between tasks: ${\theta}_s$ absorbs long-term features from $\theta_d$ via EMA.

We clarify this design and its motivation in Section 3.3, line 254–256 and provide code-level pseudocode in Appendix-B.

---

Q5: Since the static backbone is tuned by the dynamic one (L254–255), is it subject to catastrophic forgetting?

A5: This is an important concern. While the static backbone does receive updates via EMA, it is not subject to traditional catastrophic forgetting, for several reasons:

1. No gradient flow: The static backbone is not directly trained on new task data via SGD. It is updated indirectly through a weighted average (EMA) of the dynamic backbone after each task. This is a passive update, not an active optimization that could overwrite prior task-specific filters.
2. Slow momentum: The EMA coefficient $\lambda$ is set very high (e.g., 0.99), meaning that new task information only marginally alters the static backbone. For example, if the static backbone encoded semantic knowledge of birds from task $T_3$, and task $T_7$ is on traffic signs, the update impact would be very minor.
3. Role in RDRO: During training of $T_{j+1}$, the static backbone serves as a reference to align dynamic updates. Since it is frozen, it anchors past semantics via prediction and feature constraints (Eq. 5, 14).

We validate that catastrophic forgetting in the static backbone is negligible. We train a classifier on features from the static backbone only, after 10 tasks. Its performance is 2–3% below the dynamic-expert ensemble. Moreover, its accuracy on early tasks ($T_1–T_3$) remains within ±1.5% deviation.

Dear Reviewer ysVy

We would like to sincerely thank you for your thoughtful review. Your constructive comments have been incredibly valuable to us.

If possible, we would be very grateful if you could let us know if there are any remaining concerns or questions. We truly appreciate your insights and would be more than happy to address any further points.

Once again, thank you so much for your time, consideration, and valuable suggestions！

Q1: Dense descriptions for RDRO and MBRFF (MMD + adversarial objectives, Eq. 17); lack of inline pseudocode and intuitive summaries.

A1: We fully acknowledge that the current exposition of RDRO and MBRFF can be challenging to digest, particularly due to the integration of multiple loss components (MSE, MMD, CE) and mutual information estimation. In the revised version, we will restructure Section 3.3 and 3.4 to include:

• Inline pseudocode summarizing the core steps of RDRO and MBRFF (currently in Appendix-B), directly in the methodology section for improved readability.
• Visual schematic diagrams showing how clean/adversarial samples and expert predictions flow through the loss terms.
• A concrete numerical example of Eq. (17): Suppose MI scores across 3 experts are [1.5, 0.8, 0.2]; the normalized weights α are computed as α = softmax([1.5, 0.8, 0.2]) ≈ [0.64, 0.26, 0.10], which emphasizes the most relevant expert while retaining contributions from others.

These additions aim to lower the learning barrier while maintaining technical rigor.

---

Q2: Practicality concerns due to complexity (ViT ×2, MBRFF, α estimation)

A2: We appreciate this concern and agree that practical deployment feasibility is a key consideration. While our system introduces several components, each design decision was made with efficiency and real-world scalability in mind. Specifically:

In Appendix-D.4, we showed that DSEF trains faster than DER++(Adv) despite more modules:

TinyImageNet: DSEF (91.26M, 7.63min) vs. DER++(Adv) (86.3M, 16.51min)

To better communicate this, we will add a new Table 3 comparing training time, parameter growth, and inference latency under growing task numbers:

These clarifications will be placed in Section 4.4 with details moved from Appendix-D.

---

Q3: No ablation isolating RDRO vs. MBRFF vs. Siamese

A3: In addition to Fig. 1(c) of the appendix (which compared "noMI", "noRDRO", and "Both"), we now present a new expanded ablation table to isolate each core component.

Table 4. Ablation on Split CIFAR-10 (Clean + Avg. Adv Accuracy %)

• RDRO improves forgetting and robustness by aligning dynamic/static predictions and features.
• MBRFF enables effective reuse of relevant past experts, particularly under strong attacks.
• The Siamese backbone (static + dynamic) outperforms both flat ViT and static-only backbones. These results will be included in the revised Appendix-D.3 with supporting curves.

---

Q4: Innovation lies in orchestration, but underlying techniques are known.

A4: We appreciate this candid observation and agree that our work builds upon established ideas (e.g., MMD, adversarial training, expert expansion). However, we argue that the novelty lies in bridging three challenges—plasticity, stability, and robustness—in a unified and theoretically grounded way.

Key novel orchestration elements include:

• A Siamese ViT that merges local and global representations per task in a modular, update-efficient manner.
• RDRO regularizes both outputs and representations, for both clean and adversarial inputs, which is missing in prior work.
• MBRFF proposes a formal mutual information-driven fusion strategy, quantitatively estimating historical relevance, avoiding fixed or heuristic fusion as in [DER++, AIR].

Prior works often treated adversarial robustness and continual learning separately or heuristically. Our method tightly integrates them with clear losses, objectives, and reusability. This synergy is not incremental, but necessary for OCAD scenarios (see detailed discussion in Appendix-A).

---

Q5: How stable are mutual information estimates (αₖ)? Do weights fluctuate heavily?

A5: To investigate this, we now include a statistical analysis of αₖ weights across tasks on CIFAR-100 and TinyImageNet.

• Observation: αₖ typically concentrates on 1–3 experts, avoiding over-fragmentation.
• Using softmax + label smoothing avoids MI overestimation under class imbalance.
• Entropy shows meaningful knowledge transfer distribution, not degenerate αₖ.

We will visualize this via a histogram of αₖ (per task) in Appendix-D.5, and briefly summarize in Section 4.4.

---

Q6: Could you quantify compute scaling, GPU hours, inference throughput?

A6: Yes. We now provide concrete compute statistics in the following Table:

• DSEF scales linearly with task count in memory but sublinearly in runtime (experts frozen).
• Inference time is kept bounded (<12ms) as only a single expert is used at test time, not full ensemble.

We thank the reviewers for their insightful feedback. This summary outlines our responses to the key concerns and details our planned revisions to strengthen the paper.

1. Acknowledged Strengths

There is a clear consensus on the paper's main contributions:

• Novelty and Importance: All reviewers (R-hHLN, R-ysVy, R-MBtF, R-4XjH) agreed that the paper addresses a critical and under-explored problem, with a well-motivated framework that simultaneously tackles plasticity, stability, and adversarial robustness.
• Methodological Soundness: The proposed DSEF, including the Siamese backbone, RDRO, and MBRFF, was praised as technically sound and interesting (R-hHLN, R-ysVy).
• Clarity and Quality: The paper was described as well-written with clear diagrams (R-hHLN, R-4XjH) and extensive empirical validation demonstrating state-of-the-art performance.

2. Addressing Key Concerns and Planned Revisions

Q1: Clarity of Notation and Methodological Justification

As noted by R-MBtF and R-hHLN, some mathematical notations were ambiguous. Furthermore, R-ysVy questioned the synergy between components, suggesting the approach could be a "kitchen sink" of existing techniques.

A1: We will thoroughly revise the manuscript to improve clarity.

1. Notation Refinement: We meticulously fix all mathematical symbols upon their first use and add a comprehensive notation table in the appendix to resolve any ambiguity regarding terms like $C_s, T_i$, etc.
2. Improving Intuition: To demystify complex sections, we will enhance Section 3 by adding inline pseudocode and simplified explanations for the RDRO and MBRFF mechanisms, providing a more algorithmic and intuitive understanding.
3. Articulating Synergy: We will explicitly state in the introduction that our core novelty lies in the synergistic orchestration of the framework's components. We will clarify that the Siamese architecture provides the foundation, RDRO regulates the dynamic backbone to learn robust features without forgetting, and MBRFF leverages this stable, robust knowledge for effective forward transfer. This integrated design is non-trivial and essential for the challenging OCAD setting.

Q2: Lack of Granular Ablation Study

As correctly requested by R-hHLN, R-MBtF, and R-4XjH, a more detailed ablation study was needed to isolate the contribution of each core component of DSEF.

A2: We have conducted a new, comprehensive ablation study on Split CIFAR-10, the results of which will be added to the appendix. This study powerfully validates our design choices.

• RDRO is paramount for robustness: Removing RDRO causes a catastrophic drop in adversarial accuracy, with performance on AutoAttack declines sharply. This highlights RDRO's critical role in learning and preserving robust representations.
• MBRFF effectively transfers knowledge: The inclusion of MBRFF provides a significant and consistent performance boost, especially on adversarial samples, confirming its effectiveness in reusing historical expert knowledge.
• The full DSEF architecture is superior: The complete model demonstrably outperforms all reduced configurations, proving that the integrated design is more effective than the sum of its parts.

Q3: Relationship between Continual Learning (CL) and Adversarial Defense

R-4XjH and R-ysVy raised an important point regarding the need for a more convincing conceptual link between CL and adversarial defense.

A3: We will strengthen this link in the introduction and methodology sections.

• Conceptual Framing: We will frame adversarial attacks as a form of severe, task-like distributional shift. An attack can cause a model to "forget" how to classify clean samples, a phenomenon directly analogous to catastrophic forgetting in CL.
• Empirical Evidence: To substantiate this, we calculate the "Forgetting Rate (%)" under adversarial conditions. Our results show that strong attacks like AutoAttack significantly exacerbate forgetting, increasing the rate from ~5% on clean data to over 20% on adversarial data for baseline models. This empirically proves that robustness and stability are intertwined challenges, justifying our integrated framework.