Adversarial Robustness and Generalization

Quick links: Pre-Print | BibTeX | Code


Obtaining deep networks that are robust against adversarial examples and generalize well is an open problem. A recent hypothesis [][] even states that both robust and accurate models are impossible, i.e., adversarial robustness and generalization are conflicting goals. In an effort to clarify the relationship between robustness and generalization, we assume an underlying, low-dimensional data manifold and show that: 1. regular adversarial examples leave the manifold; 2. adversarial examples constrained to the manifold, i.e., on-manifold adversarial examples, exist; 3. on-manifold adversarial examples are generalization errors, and on-manifold adversarial training boosts generalization; 4. regular robustness and generalization are not necessarily contradicting goals. These assumptions imply that both robust and accurate models are possible. However, different models (architectures, training strategies etc.) can exhibit different robustness and generalization characteristics. To confirm our claims, we present extensive experiments on synthetic data (with known manifold) as well as on EMNIST [], Fashion-MNIST [] and CelebA [].

Download & Citing

The paper is available as pre-print on ArXiv:

Paper on ArXiv
    author    = {David Stutz and Matthias Hein and Bernt Schiele},
    title     = {Disentangling Adversarial Robustness and Generalization},
    booktitle = {IEEE Conference on Computer Vision and Pattern Recognition (CVPR)},
    publisher = {IEEE Computer Society},
    year      = {2019}

Code & Data

The code is available in the following repository:

Code on GitHub

The repository includes installation instructions and a getting started guide for reproducing the experiments presented in the paper. Some components (attacks, utilities, adversarial training etc.) of the code can also be used individually.

The data, in HDF5 format, required for the experiments can be downloaded below:

File Link
FONTS cvpr2019_adversarial_robustness_fonts.tar.gz
EMNIST cvpr2019_adversarial_robustness_emnist.tar.gz
Fashion-MNIST cvpr2019_adversarial_robustness_fashion.tar.gz
Pre-Trained VAE-GANs cvpr2019_adversarial_robustness_manifolds.tar.gz

Due to the license of CelebA, the dataset cannot be offered as download in the right format. Code for converting the dataset is included in the repository.

News & Updates

Apr 7, 2019. Code and data are available on GitHub: davidstutz/cvpr2019-adversarial-robustness.

Apr 5, 2019. A short version of the paper will be presented at the ICML'19 Workshop on Uncertainty and Robustness in Deep Learning.

Mar 1, 2019. The paper was accepted at CVPR'19.


  • [] D. Su, H. Zhang, H. Chen, J. Yi, P.-Y. Chen, and Y. Gao. Is robustness the cost of accuracy? – a comprehensive study on the robustness of 18 deep image classification models. arXiv.org, abs/1808.01688, 2018.
  • [] D. Tsipras, S. Santurkar, L. Engstrom, A. Turner, and A. Madry. Robustness may be at odds with accuracy. arXiv.org, abs/1805.12152, 2018.
  • [] G. Cohen, S. Afshar, J. Tapson, and A. van Schaik. EMNIST: an extension of MNIST to handwritten letters. arXiv.org, abs/1702.05373, 2017.
  • [] H. Xiao, K. Rasul, and R. Vollgraf. Fashion-MNIST: a novel image dataset for benchmarking machine learning algorithms. arXiv.org, abs/1708.07747, 2017.
  • [] Z. Liu, P. Luo, X. Wang, and X. Tang. Deep learning face attributes in the wild. In ICCV, 2015.