On the Interaction of Compressibility and Adversarial Robustness
Melih Barsbey, Antônio H. Ribeiro, Umut Şimşekli, Tolga Birdal

TL;DR
This paper investigates how different forms of neural network compressibility influence adversarial robustness, revealing a fundamental tension and providing a framework to understand and improve model security and efficiency.
Contribution
We develop a unified theoretical framework analyzing the impact of neuron-level and spectral compressibility on adversarial robustness, supported by empirical validation.
Findings
Compressibility induces sensitive directions exploitable by adversaries.
Vulnerabilities persist across different compression methods and training regimes.
Structured compression can lead to universal adversarial perturbations.
Abstract
Modern neural networks are expected to simultaneously satisfy a host of desirable properties: accurate fitting to training data, generalization to unseen inputs, parameter and computational efficiency, and robustness to adversarial perturbations. While compressibility and robustness have each been studied extensively, a unified understanding of their interaction still remains elusive. In this work, we develop a principled framework to analyze how different forms of compressibility - such as neuron-level sparsity and spectral compressibility - affect adversarial robustness. We show that these forms of compression can induce a small number of highly sensitive directions in the representation space, which adversaries can exploit to construct effective perturbations. Our analysis yields a simple yet instructive robustness bound, revealing how neuron and spectral compressibility impact…
Peer Reviews
Decision: ICLR 2026 Poster
1. This paper is in general well-written and presents results clearly. 2. The motivating hypothesis is very interesting and described clearly in Figure 2. 3. Abundant numerical results are provided to testify the paper's theoretical results.
1. One central claim of this paper is that the compressibility may result in a few potent directions that increase the sensitivity to perturbations, and the adversarial attacks might exploit these directions. However, I cannot picture when and how the adversaries might be able to figure out these directions. Is the neural network and the compressibility totally white-box to the adversaries, which could hardly happen? 2. The evaluation of adversarial robustness of NN models seems to be dependent
- Paper is well motivated and well written - Provides a well-explained theoretical contribution between compressibility and adversarial robustness, tying together concepts from pruning, low-rankness, and Lipschitz theory. - Empirical analysis covers diverse architectures and datasets, including FCN, convolutional and transformer families, and multiple attack settings
- The theory uses global operator norm–based Lipschitz bounds, and the bounds rely on scale-normalized parameters (using ∥W∥_F) and strict (q, k, ε)-compressibility. Can this reflect practical training dynamics with normalization layers or adaptive scaling or deep non-linear networks? - How does it position itself with other works exploring the same paradigm [1][2], as some works claim that some sparsity helps robustness? - The claim that compressibility fosters universal adversarial examples is
1. Provides a unified norm-based framework connecting structured compressibility and adversarial robustness. 2. Characterizing the l∞ and l2 operator norms of the parameters by decomposing the effects into compressibility and Frobenius norm terms, thereby further formalizing an upper bound on the model’s Lipschitz constant. 3. The analysis shows that the impact of compressibility on robustness persists in adversarial training and transfer learning, and it can facilitate the emergence of universa
Although the theoretical analysis is mathematically sound and logically consistent with prior robustness theory, the overall reasoning builds on well-known intuitions (ideas such as model structured compression concentrates sensitivity along a small number of directions in representation space, which in turn results in decreased robustness), and the upper bound mainly formalizes this intuition rather than uncovering new mechanisms. The experiments, though thorough, largely confirm expected behaviors
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Energetic Materials and Combustion
