Can we have it all? On the Trade-off between Spatial and Adversarial Robustness of Neural Networks

TL;DR

This paper investigates the inherent trade-off between spatial and adversarial robustness in neural networks, providing theoretical insights and proposing a curriculum learning approach to balance both types of robustness effectively.

Contribution

It establishes a quantitative trade-off between spatial and adversarial robustness and introduces a curriculum learning method to improve both simultaneously.

Findings

Increasing spatial robustness reduces adversarial robustness.

Enhancing adversarial robustness decreases spatial robustness.

Curriculum learning can improve both spatial and adversarial robustness.

Abstract

(Non-)robustness of neural networks to small, adversarial pixel-wise perturbations, and as more recently shown, to even random spatial transformations (e.g., translations, rotations) entreats both theoretical and empirical understanding. Spatial robustness to random translations and rotations is commonly attained via equivariant models (e.g., StdCNNs, GCNNs) and training augmentation, whereas adversarial robustness is typically achieved by adversarial training. In this paper, we prove a quantitative trade-off between spatial and adversarial robustness in a simple statistical setting. We complement this empirically by showing that: (a) as the spatial robustness of equivariant models improves by training augmentation with progressively larger transformations, their adversarial robustness worsens progressively, and (b) as the state-of-the-art robust models are adversarially trained with progressively larger pixel-wise perturbations, their spatial robustness drops progressively. Towards achieving pareto-optimality in this trade-off, we propose a method based on curriculum learning that trains gradually on more difficult perturbations (both spatial and adversarial) to improve spatial and adversarial robustness simultaneously.