On the Robustness of Kolmogorov-Arnold Networks: An Adversarial Perspective

TL;DR

The paper tackles adversarial vulnerability in image classification by evaluating Kolmogorov-Arnold Networks (KANs)—FCKANs and CKANs—alongside FCNNs and CNNs across multiple datasets and attack regimes. It employs a broad attack suite (white-box and black-box, including AutoAttack) and an extensive experimental protocol with ablations and adversarial training. The findings show that large-scale KANs generally exhibit improved robustness, with CKANs often outperforming CNNs on several tasks, while FCKANs become more robust as size increases; adversarial training further enhances resilience. These results establish KANs as a promising, structured approach for robust function approximation in vision, and they lay groundwork for future theoretical and defense-oriented work on Lipschitz properties and regularization.

Abstract

Kolmogorov-Arnold Networks (KANs) have recently emerged as a novel approach to function approximation, demonstrating remarkable potential in various domains. Despite their theoretical promise, the robustness of KANs under adversarial conditions has yet to be thoroughly examined. In this paper we explore the adversarial robustness of KANs, with a particular focus on image classification tasks. We assess the performance of KANs against standard white box and black-box adversarial attacks, comparing their resilience to that of established neural network architectures. Our experimental evaluation encompasses a variety of standard image classification benchmark datasets and investigates both fully connected and convolutional neural network architectures, of three sizes: small, medium, and large. We conclude that small- and medium-sized KANs (either fully connected or convolutional) are not consistently more robust than their standard counterparts, but that large-sized KANs are, by and large, more robust. This comprehensive evaluation of KANs in adversarial scenarios offers the first in-depth analysis of KAN security, laying the groundwork for future research in this emerging field.

Figures (10)

• Figure 1: Comparative loss dynamics of FCNNs and FCKANs under PGD, MIM, and C&W attacks on the MNIST, FashionMNIST, and KMNIST datasets (from top to bottom, respectively). Each line represents the mean loss across batches, per iteration, with shaded areas indicating the standard deviation.
• Figure 2: Robust accuracy of $\text{FCNN}_{\text{medium}}$, $\text{FCNN}_{\text{large}}$, $\text{FCKAN}_{\text{medium}}$, and $\text{FCKAN}_{\text{large}}$ as a function of FGSM attack strength, with varying $\epsilon$ values. Each bar represents a different model, and robustness is measured as the accuracy of the model against adversarial examples generated with specific $\epsilon$ values. The x-axis indicates the $\epsilon$ values used for FGSM attacks, while the y-axis shows the corresponding robust accuracy of the models.
• Figure 3: Comparative loss dynamics of CNNs and CKANs under PGD, MIM, and C&W attacks on the MNIST, CIFAR-10, SVHM and ImageNet datasets. Each line represents the mean loss across batches, per iteration, with shaded areas indicating the standard deviation. For the MNIST, CIFAR-10 AND SVHN datasets, the shaded areas represent the original standard deviation, whereas for ImageNet, they represent the logarithm of the original std
• Figure 4: Robust accuracy of $\text{CNN}_{\text{medium}}$, $\text{CNN}_{\text{large}}$, $\text{CKAN}_{\text{medium}}$, and $\text{CKAN}_{\text{large}}$ as a function of FGSM attack strength, with varying $\epsilon$ values. Each bar represents a different model, and robustness is measured as the accuracy of the model against adversarial examples generated with specific $\epsilon$ values. The x-axis indicates the $\epsilon$ values used for FGSM attacks, while the y-axis shows the corresponding robust accuracy of the models.
• Figure 5: Robust accuracy of FCKANs under different adversarial attacks, varying the number of knots and spline order.