Boosting Adversarial Robustness and Generalization with Structural Prior

Zhichao Hou, Weizhi Gao, Hamid Krim, Xiaorui Liu

TL;DR

The paper tackles the plateau in adversarial robustness by introducing Elastic Dictionary Learning Networks (EDLNets) that integrate a structural prior via a learnable balance parameter and an unrolled RISTA solver. It provides a theoretical robustness analysis using influence functions to compare Vanilla, Robust, and Elastic dictionary learning, showing how Elastic DL can balance natural accuracy and robustness. Empirically, the approach yields state-of-the-art robustness on RobustBench across CIFAR-10/100 and Tiny-ImageNet when combined with existing adversarial training methods, while also reducing robust overfitting and preserving generalization. The work demonstrates that incorporating structural priors into CNNs is a powerful, orthogonal direction for improving robustness under strong adaptive attacks, with practical implications for safer deployment of vision models.

Abstract

This work investigates a novel approach to boost adversarial robustness and generalization by incorporating structural prior into the design of deep learning models. Specifically, our study surprisingly reveals that existing dictionary learning-inspired convolutional neural networks (CNNs) provide a false sense of security against adversarial attacks. To address this, we propose Elastic Dictionary Learning Networks (EDLNets), a novel ResNet architecture that significantly enhances adversarial robustness and generalization. This novel and effective approach is supported by a theoretical robustness analysis using influence functions. Moreover, extensive and reliable experiments demonstrate consistent and significant performance improvement on open robustness leaderboards such as RobustBench, surpassing state-of-the-art baselines. To the best of our knowledge, this is the first work to discover and validate that structural prior can reliably enhance deep learning robustness under strong adaptive attacks, unveiling a promising direction for future research.

Paper Structure

This paper contains 35 sections, 2 theorems, 36 equations, 19 figures, 12 tables, 1 algorithm.

Key Result

Lemma 4.1

Let ${\mathcal{R}}({\bm{z}}):=\|{\bm{x}}-{\mathcal{A}}^*({\bm{z}})\|_1$, and for any fixed point ${\bm{z}}_*$, ${\mathcal{U}}({\bm{z}},{\bm{z}}_*)$ is defined as where ${\bm{w}}= \frac{1}{2|{\bm{x}}-{\mathcal{A}}^*({\bm{z}}_*)|}.$ Then, for any ${\bm{z}}$, the following holds:

Figures (19)

  • Figure 1: Overview of Elastic DL Networks (EDLNets). EDLNets are constructed by replacing the convolutional layers in conventional backbones (e.g., ResNets) with EDL layers that are unrolled with the proposed efficient RISTA algorithm. Each EDL layer introduces a dictionary structural prior, assuming the input signal ${\bm{z}}^{(l)}$ is encoded as a sparse code ${\bm{z}}^{(l+1)}$ using a few atoms from dictionary $\mathbf{A}^{(l)}$.
  • Figure 2: Test robust accuracy during adversarial training. We pretrain the Vanilla DL model for 150 epochs and fine-tune the Elastic DL model starting from the 150th epoch. Our Elastic DL method can achieve the best adversarial robustness.
  • Figure 3: Adversarial robustness under various settings. Our Elastic DL outperforms Vanilla DL across various datasets (CIFAR10 / CIFAR100 / Tiny-ImageNet), backbones (ResNet10 / ResNet18 / ResNet34 / ResNet50) and attacks (PGD / FGSM / CW / AA).
  • Figure 4: Hidden embedding visualization under clean and attacked scenarios. The difference between clean and attacked embeddings in Elastic DL is smaller compared to Vanilla DL, with this effect becoming more significant in deeper layers. Consequently, while an adversarial attack alters the Vanilla DL output from "SHIP" to "FROG", Elastic DL successfully preserves the correct prediction.
  • Figure 5: Embedding difference. Our Elastic DL shows a smaller embedding difference than Vanilla DL.
  • ...and 14 more figures

Theorems & Definitions (7)

  • Lemma 4.1
  • proof
  • Theorem 4.2: Robustness Analysis via Influence Function
  • proof
  • proof
  • proof
  • proof