LG · CV · ML · Jan 29, 2019

Adversarial Examples Are a Natural Consequence of Test Error in Noise

arXiv:1901.10513v1 · 342 citations
Originality: Incremental advance
AI Analysis

This work addresses the issue of model robustness for researchers and practitioners in machine learning, suggesting that improving adversarial defenses should also enhance performance under general image corruptions, though it is incremental in linking existing research areas.

The paper tackles the problem of adversarial examples and random image corruptions in machine learning models, showing through empirical and theoretical evidence that these are manifestations of the same underlying phenomenon, with connections established between adversarial and corruption robustness.

Over the last few years, the phenomenon of adversarial examples --- maliciously constructed inputs that fool trained machine learning models --- has captured the attention of the research community, especially when the adversary is restricted to small modifications of a correctly handled input. Less surprisingly, image classifiers also lack human-level performance on randomly corrupted images, such as images with additive Gaussian noise. In this paper we provide both empirical and theoretical evidence that these are two manifestations of the same underlying phenomenon, establishing close connections between the adversarial robustness and corruption robustness research programs. This suggests that improving adversarial robustness should go hand in hand with improving performance in the presence of more general and realistic image corruptions. Based on our results we recommend that future adversarial defenses consider evaluating the robustness of their methods to distributional shift with benchmarks such as Imagenet-C.
