You can't have it all: On Spatial vs Adversarial Robustness of Neural Network Models

Neural Information Processing Systems (NeurIPS), 2020
Abstract

Neural network models are known to be vulnerable to small, adversarial pixel-wise perturbations. More recently, they have been shown to be vulnerable to even random spatial transformations (e.g., translations, rotations). Spatial robustness to random translations and rotations is commonly attained via equivariant models (e.g., StdCNNs, GCNNs) and training augmentation. In this paper, we prove a quantitative trade-off between spatial and adversarial robustness in a simple statistical setting. We complement this by empirically studying the following two cases: (a) change in adversarial robustness as we improve only the spatial robustness via training augmentation in equivariant models, (b) change in spatial robustness as we improve only the adversarial robustness using adversarial training. We observe that the spatial robustness of equivariant models improves when their training is augmented with progressively larger transformations, but doing so progressively worsens their adversarial robustness. On the other hand, we take state-of-the-art adversarially trained models, and observe that adversarial training with progressively larger perturbations results in a progressive drop in their spatial robustness.