benchmark 2026

A Comparative Study of Adversarial Robustness in CNN and CNN-ANFIS Architectures

Kaaustaaub Shankar, Bharadwaj Dogga, Kelly Cohen

0 citations · 25 references · arXiv (Cornell University)

Published on arXiv: 2602.07028

Input Manipulation Attack

OWASP ML Top 10 — ML01

Key Finding

ANFIS integration is not universally beneficial for adversarial robustness: ResNet18-ANFIS gains robustness under PGD and Square attacks while VGG-ANFIS degrades relative to the VGG baseline.

DCNFIS

Novel technique introduced


Convolutional Neural Networks (CNNs) achieve strong image classification performance but lack interpretability and are vulnerable to adversarial attacks. Neuro-fuzzy hybrids such as DCNFIS replace fully connected CNN classifiers with Adaptive Neuro-Fuzzy Inference Systems (ANFIS) to improve interpretability, yet their robustness remains underexplored. This work compares standard CNNs (ConvNet, VGG, ResNet18) with their ANFIS-augmented counterparts on MNIST, Fashion-MNIST, CIFAR-10, and CIFAR-100 under gradient-based (PGD) and gradient-free (Square) attacks. Results show that ANFIS integration does not consistently improve clean accuracy and has architecture-dependent effects on robustness: ResNet18-ANFIS exhibits improved adversarial robustness, while VGG-ANFIS often underperforms its baseline. These findings suggest that neuro-fuzzy augmentation can enhance robustness in specific architectures but is not universally beneficial.


Key Contributions

  • First systematic adversarial robustness comparison of standard CNNs (ConvNet, VGG, ResNet18) vs. their ANFIS-augmented (DCNFIS) counterparts across four datasets
  • Demonstrates that neuro-fuzzy augmentation has architecture-dependent robustness effects: ResNet18-ANFIS improves robustness while VGG-ANFIS often underperforms its CNN baseline
  • Evaluates both gradient-based (PGD) and gradient-free (Square) attacks to cover white-box and black-box threat models simultaneously

🛡️ Threat Analysis

Input Manipulation Attack

The paper systematically evaluates CNN and CNN-ANFIS architectures under gradient-based (PGD, white-box) and gradient-free (Square, black-box) adversarial input manipulation attacks at inference time — adversarial robustness is the paper's central contribution.


Details

Domains
vision
Model Types
cnn, traditional_ml
Threat Tags
white_box, black_box, inference_time, untargeted
Datasets
MNIST, Fashion-MNIST, CIFAR-10, CIFAR-100
Applications
image classification