# Disentangling Adversarial Robustness and Generalization

**Authors:** David Stutz, Matthias Hein, Bernt Schiele

arXiv: 1812.00740 · 2019-04-11

## TL;DR

This paper investigates the relationship between adversarial robustness and generalization in deep networks. It proposes that the two are not inherently conflicting, especially when on-manifold adversarial examples are considered, and supports this with theoretical assumptions and extensive experiments.

## Contribution

The paper introduces the concept of on-manifold adversarial examples and demonstrates that robustness and generalization can coexist, challenging the belief that they are mutually exclusive.

## Key findings

- On-manifold adversarial examples are equivalent to generalization errors.
- On-manifold adversarial training improves generalization.
- Regular adversarial examples often leave the data manifold.

## Abstract

Obtaining deep networks that are robust against adversarial examples and generalize well is an open problem. A recent hypothesis even states that both robust and accurate models are impossible, i.e., adversarial robustness and generalization are conflicting goals. In an effort to clarify the relationship between robustness and generalization, we assume an underlying, low-dimensional data manifold and show that: 1. regular adversarial examples leave the manifold; 2. adversarial examples constrained to the manifold, i.e., on-manifold adversarial examples, exist; 3. on-manifold adversarial examples are generalization errors, and on-manifold adversarial training boosts generalization; 4. regular robustness and generalization are not necessarily contradicting goals. These assumptions imply that both robust and accurate models are possible. However, different models (architectures, training strategies etc.) can exhibit different robustness and generalization characteristics. To confirm our claims, we present extensive experiments on synthetic data (with known manifold) as well as on EMNIST, Fashion-MNIST and CelebA.

## Figures

112 figures with captions in the complete paper: https://tomesphere.com/paper/1812.00740/full.md

## References

110 references — full list in the complete paper: https://tomesphere.com/paper/1812.00740/full.md

---
Source: https://tomesphere.com/paper/1812.00740