Learning Robustness at Test-Time from a Non-Robust Teacher

TL;DR

This paper investigates how to improve adversarial robustness at test-time by adapting non-robust pretrained models using a label-free framework, demonstrating enhanced stability and robustness-accuracy trade-offs.

Contribution

It introduces a novel label-free adaptation framework that leverages a non-robust teacher's predictions to improve adversarial robustness during test-time.

Findings

Proposed method achieves better robustness-accuracy trade-off.

Enhanced stability and lower sensitivity to hyperparameters.

Outperforms existing baselines on CIFAR-10 and ImageNet.

Abstract

Nowadays, pretrained models are increasingly used as general-purpose backbones and adapted at test-time to downstream environments where target data are scarce and unlabeled. While this paradigm has proven effective for improving clean accuracy on the target domain, adversarial robustness has received far less attention, especially when the original pretrained model is not explicitly designed to be robust. This raises a practical question: \emph{can a pretrained, non-robust model be adapted at test-time to improve adversarial robustness on a target distribution?} To face this question, this work studies how adversarial training strategies behave when integrated into adaptation schemes for the unsupervised test-time setting, where only a small set of unlabeled target samples is available. It first analyzes how classical adversarial training formulations can be extended to this scenario, showing that straightforward distillation-based adaptations remain unstable and highly sensitive to hyperparameter tuning, particularly when the teacher itself is non-robust. To address these limitations, the work proposes a label-free framework that uses the predictions of a non-robust teacher model as a semantic anchor for both the clean and adversarial objectives during adaptation. We further provide theoretical insights showing that our formulation yields a more stable alternative to the self-consistency-based regularization commonly used in classical adversarial training. Experiments evaluate the proposed approach on CIFAR-10 and ImageNet under induced photometric transformations. The results support the theoretical insights by showing that the proposed approach achieves improved optimization stability, lower sensitivity to parameter choices, and a better robustness-accuracy trade-off than existing baselines in this post-deployment test-time setting.