Defense That Attacks: How Robust Models Become Better Attackers

Deep learning has achieved great success in computer vision, but remains vulnerable to adversarial attacks. Adversarial training is the leading defense designed to improve model robustness. However, its effect on the transferability of attacks is underexplored. In this work, we ask whether adversarial training unintentionally increases the transferability of adversarial examples. To answer this, we trained a diverse zoo of 36 models, including CNNs and ViTs, and conducted comprehensive transferability experiments. Our results reveal a clear paradox: adversarially trained (AT) models produce perturbations that transfer more effectively than those from standard models, which introduce a new ecosystem risk. To enable reproducibility and further study, we release all models, code, and experimental scripts. Furthermore, we argue that robustness evaluations should assess not only the resistance of a model to transferred attacks but also its propensity to produce transferable adversarial examples.

Key Contributions

Large-scale model zoo of 36 adversarially trained CNN and ViT models publicly released for reproducibility
Empirical discovery that adversarially trained models consistently produce more transferable adversarial examples than standard models
Proposed transferability benchmark using MIG (ε=16) and argued that robustness evaluations should also measure a model's propensity to produce transferable attacks

🛡️ Threat Analysis

Input Manipulation Attack

The paper studies adversarial example transferability (a core ML01 concern), specifically how adversarial training reshapes gradient landscapes to inadvertently improve black-box transfer attack success across CNN and ViT architectures.