Production Architecture: Fast Path vs Slow Path for Adversarial Defense

Production fraud detection systems serve predictions at 50,000 to 500,000 requests per second globally with p99 latency under 100 milliseconds to avoid checkout friction. Adversarial defenses must fit within this budget while adding robustness checks. The solution is a two tier architecture with a fast path for most traffic and a slow path for high risk requests that need deeper scrutiny. The fast path executes in 20 to 40 milliseconds total. Feature extraction takes 1 to 5 milliseconds, pulling precomputed aggregates from cache (like user transaction velocity over 24 hours) and computing real time features (current transaction amount ratio to user average). The robust model inference runs in 5 to 20 milliseconds, using adversarially trained models that already baked robustness into their weights. Post model checks add 1 to 5 milliseconds for lightweight detection: uncertainty estimation from prediction margin, out of distribution detection comparing input features to training distribution statistics, or conformal prediction nonconformity scores computed during calibration. When fast path checks flag high uncertainty (prediction margin below 0.3), out of distribution features (Mahalanobis distance exceeds 3 standard deviations), or high value transactions (above $5,000), the request routes to the slow path. This adds 20 to 80 milliseconds but provides deeper defense. A second independent model votes on the decision, reducing the chance both models are fooled by the same adversarial perturbation. Heavier input transformations like JPEG compression or feature discretization can disrupt carefully crafted attacks. A rules engine with business context checks constraints that pure ML models miss, like flagging shipping addresses that recently appeared on fraud reports. Rate limiting is critical infrastructure. The system enforces 10 to 60 queries per minute per identity signal (IP address, device fingerprint, user account). This prevents attackers from cheaply probing thousands of variations to map decision boundaries. Aggressive caching stores costly aggregate features with 30 second to 5 minute time to live, serving repeated similar requests without recomputing. For entities with high trust scores (established accounts with clean history), even lighter checks apply to preserve capacity for risky traffic. Stripe and PayPal use this architecture to balance robustness and latency. Stripe routes approximately 1 to 3% of transactions to the slow path based on uncertainty and value thresholds, keeping most checkout experiences under 50 milliseconds while applying 80 millisecond deep checks to the riskiest cases. PayPal combines fast path scoring with manual review queues for the top 0.1 to 1% riskiest transactions, limiting false positive impact while maintaining online latency budgets. Amazon marketplaces use multi layer placement: pre ingestion filters (fast), per item scoring at publication (fast path), and post publication audits (slow path offline), requiring attackers to bypass multiple independent checks.

Stripe transaction scoring: Fast path handles 98.5% of transactions in median 28ms. High value transactions over $5,000 or uncertainty scores above 0.7 trigger slow path with second XGBoost model vote and address verification, adding 45ms p50 and 120ms p99.

PayPal fraud detection: Fast path uses adversarially trained neural network scoring in 15ms. Top 0.3% by risk score route to manual review queue with 2 to 24 hour SLA, avoiding false positive friction for 99.7% of legitimate transactions.

Amazon seller abuse detection: Pre ingestion filters reject obvious violations in under 5ms. Per item scoring at publication takes 30ms fast path. Post publication audits run offline batch jobs daily on slow path, catching sophisticated evasion with no online latency impact.