{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,9]],"date-time":"2026-04-09T04:16:52Z","timestamp":1775708212184,"version":"3.50.1"},"reference-count":47,"publisher":"Springer Science and Business Media LLC","issue":"11","license":[{"start":{"date-parts":[[2022,8,26]],"date-time":"2022-08-26T00:00:00Z","timestamp":1661472000000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2022,8,26]],"date-time":"2022-08-26T00:00:00Z","timestamp":1661472000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"DOI":"10.13039\/100018222","name":"Universit\u00e4t Siegen","doi-asserted-by":"crossref","id":[{"id":"10.13039\/100018222","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Mach Learn"],"published-print":{"date-parts":[[2022,11]]},"abstract":"<jats:title>Abstract<\/jats:title><jats:p>Many commonly well-performing convolutional neural network models have shown to be susceptible to input data perturbations, indicating a low model robustness. To reveal model weaknesses, adversarial attacks are specifically optimized to generate small, barely perceivable image perturbations that flip the model prediction. Robustness against attacks can be gained by using adversarial examples during training, which in most cases reduces the measurable model attackability. Unfortunately, this technique can lead to robust overfitting, which results in non-robust models. In this paper, we analyze adversarially trained, robust models in the context of a specific network operation, the downsampling layer, and provide evidence that robust models have learned to downsample more accurately and suffer significantly less from downsampling artifacts, aka.\u00a0aliasing, than baseline models. In the case of robust overfitting, we observe a strong increase in aliasing and propose a novel early stopping approach based on the measurement of aliasing.<\/jats:p>","DOI":"10.1007\/s10994-022-06222-8","type":"journal-article","created":{"date-parts":[[2022,8,26]],"date-time":"2022-08-26T15:06:12Z","timestamp":1661526372000},"page":"3925-3951","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":12,"title":["Aliasing and adversarial robust generalization of CNNs"],"prefix":"10.1007","volume":"111","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-8371-1734","authenticated-orcid":false,"given":"Julia","family":"Grabinski","sequence":"first","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1327-1243","authenticated-orcid":false,"given":"Janis","family":"Keuper","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8437-7993","authenticated-orcid":false,"given":"Margret","family":"Keuper","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2022,8,26]]},"reference":[{"key":"6222_CR1","unstructured":"Azulay, A., & Weiss, Y. (2018). Why do deep convolutional networks generalize so poorly to small image transformations?arXiv:1805.12177."},{"key":"6222_CR2","doi-asserted-by":"crossref","unstructured":"Bernhard, R., Moellic, P.A., & Mermillod, M., et al. (2021). Impact of spatial frequency based constraints on adversarial robustness.","DOI":"10.1109\/IJCNN52387.2021.9534307"},{"key":"6222_CR3","doi-asserted-by":"crossref","unstructured":"Carlini, N., & Wagner, D. (2017). Towards evaluating the robustness of neural networks.","DOI":"10.1109\/SP.2017.49"},{"key":"6222_CR4","unstructured":"Carmon, Y., Raghunathan, A., & Schmidt, L., et\u00a0al. (2019). Unlabeled data improves adversarial robustness."},{"key":"6222_CR5","doi-asserted-by":"crossref","unstructured":"Chandrasegaran, K., Tran, N.T., & Cheung, N.M. (2021). A closer look at fourier spectrum discrepancies for cnn-generated images detection.","DOI":"10.1109\/CVPR46437.2021.00712"},{"key":"6222_CR6","unstructured":"Chen, T., Zhang, Z., & Liu, S., et\u00a0al. (2021). Robust overfitting may be mitigated by properly learned smoothening. In: International Conference on Learning Representations, https:\/\/openreview.net\/forum?id=qZzy5urZw9"},{"key":"6222_CR7","unstructured":"Croce, F., & Hein, M. (2020). Reliable evaluation of adversarial robustness with an ensemble of diverse parameter-free attacks. In: ICML"},{"key":"6222_CR8","unstructured":"Croce, F., Andriushchenko, M., & Sehwag, V., et\u00a0al. (2020). Robustbench: a standardized adversarial robustness benchmark. arXiv preprint arXiv:2010.09670"},{"key":"6222_CR9","doi-asserted-by":"crossref","unstructured":"Durall, R., Keuper, M., & Keuper, J. (2020). Watch your up-convolution: Cnn based generative deep neural networks are failing to reproduce spectral distributions.","DOI":"10.1109\/CVPR42600.2020.00791"},{"key":"6222_CR10","unstructured":"Dzanic, T., Shah, K., & Witherden, F. (2020). Fourier spectrum discrepancies in deep network generated images."},{"key":"6222_CR11","unstructured":"Engstrom, L., Ilyas, A., & Salman, H., et\u00a0al. (2019). Robustness (python library). https:\/\/github.com\/MadryLab\/robustness"},{"key":"6222_CR12","unstructured":"Frank, J., Eisenhofer, T., & Sch\u00f6nherr, L., et\u00a0al. (2020). Leveraging frequency analysis for deep fake image recognition."},{"key":"6222_CR13","unstructured":"Goodfellow, I.J., Shlens, J., & Szegedy, C. (2015). Explaining and harnessing adversarial examples."},{"key":"6222_CR14","doi-asserted-by":"crossref","unstructured":"Harder, P., Pfreundt, F.J., & Keuper, M., et\u00a0al. (2021). Spectraldefense: Detecting adversarial attacks on cnns in the fourier domain.","DOI":"10.1109\/IJCNN52387.2021.9533442"},{"key":"6222_CR15","doi-asserted-by":"crossref","unstructured":"He, K., Zhang, X., & Ren, S., et\u00a0al. (2016). Identity mappings in deep residual networks.","DOI":"10.1007\/978-3-319-46493-0_38"},{"key":"6222_CR16","doi-asserted-by":"crossref","unstructured":"He, Y., Yu, N., & Keuper, M., et\u00a0al. (2021). Beyond the spectrum: Detecting deepfakes via re-synthesis. In: 30th International Joint Conference on Artificial Intelligence (IJCAI), https:\/\/cispa.saarland\/group\/fritz\/wp-content\/blogs.dir\/13\/files\/2021\/05\/ijcai21.pdf","DOI":"10.24963\/ijcai.2021\/349"},{"key":"6222_CR17","unstructured":"Hendrycks, D., Lee, K., & Mazeika, M. (2019). Using pre-training can improve model robustness and uncertainty."},{"key":"6222_CR18","unstructured":"Hossain, M.T., Teng, S.W., & Sohel, F., et\u00a0al. (2021). Anti-aliasing deep image classifiers using novel depth adaptive blurring and activation function."},{"key":"6222_CR19","doi-asserted-by":"crossref","unstructured":"Jung, S., & Keuper, M. (2021). Spectral distribution aware image generation. In: AAAI","DOI":"10.1609\/aaai.v35i2.16267"},{"key":"6222_CR20","unstructured":"Karras, T., Aittala, M., & Laine, S., et\u00a0al. (2021). Alias-free generative adversarial networks."},{"key":"6222_CR21","unstructured":"Krizhevsky, A. (2012). Learning multiple layers of features from tiny images. University of Toronto"},{"key":"6222_CR22","unstructured":"Kurakin, A., Goodfellow, I., & Bengio, S. (2017). Adversarial machine learning at scale."},{"key":"6222_CR23","doi-asserted-by":"crossref","unstructured":"Li, J., Xie, H., & Li, J., et\u00a0al. (2021). Frequency-aware discriminative feature learning supervised by single-center loss for face forgery detection.","DOI":"10.1109\/CVPR46437.2021.00639"},{"key":"6222_CR24","doi-asserted-by":"publisher","first-page":"7074","DOI":"10.1109\/tip.2021.3101395","volume":"30","author":"Q Li","year":"2021","unstructured":"Li, Q., Shen, L., Guo, S., et al. (2021). Wavecnet: Wavelet integrated cnns to suppress aliasing effect for noise-robust image classification. IEEE Transactions on Image Processing, 30, 7074\u20137089. https:\/\/doi.org\/10.1109\/tip.2021.3101395.","journal-title":"IEEE Transactions on Image Processing"},{"key":"6222_CR25","unstructured":"Lohn, A.J. (2020). Downscaling attack and defense: Turning what you see back into what you get."},{"key":"6222_CR26","unstructured":"Lorenz, P., Harder, P., & Stra\u00dfel, D., et\u00a0al. (2021). Detecting autoattack perturbations in the frequency domain. In: ICML 2021 Workshop on Adversarial Machine Learning, https:\/\/openreview.net\/forum?id=8uWOTxbwo-Z"},{"key":"6222_CR27","doi-asserted-by":"crossref","unstructured":"Luo, Y., Zhang, Y., & Yan, J., et\u00a0al. (2021). Generalizing face forgery detection with high-frequency features.","DOI":"10.1109\/CVPR46437.2021.01605"},{"key":"6222_CR28","unstructured":"Maiya, S.R., Ehrlich, M., Agarwal, V., et\u00a0al. (2021). A frequency perspective of adversarial robustness."},{"key":"6222_CR29","doi-asserted-by":"crossref","unstructured":"Moosavi-Dezfooli, S.M., Fawzi, A., & Frossard, P. (2016). Deepfool: a simple and accurate method to fool deep neural networks","DOI":"10.1109\/CVPR.2016.282"},{"key":"6222_CR30","unstructured":"Rice, L., Wong, E., & Kolter, J.Z. (2020). Overfitting in adversarially robust deep learning."},{"key":"6222_CR31","doi-asserted-by":"crossref","unstructured":"Rony, J., Hafemann, L.G., & Oliveira, L.S., et\u00a0al. (2019). Decoupling direction and norm for efficient gradient-based l2 adversarial attacks and defenses","DOI":"10.1109\/CVPR.2019.00445"},{"key":"6222_CR32","doi-asserted-by":"crossref","unstructured":"Saikia, T., Schmid, C., & Brox, T. (2021). Improving robustness against common corruptions with frequency biased models.","DOI":"10.1109\/ICCV48922.2021.01005"},{"key":"6222_CR33","unstructured":"Sehwag, V., Mahloujifar, S., & Handina, T., et\u00a0al. (2021). Improving adversarial robustness using proxy distributions."},{"issue":"1","key":"6222_CR34","doi-asserted-by":"publisher","first-page":"10","DOI":"10.1109\/JRPROC.1949.232969","volume":"37","author":"C Shannon","year":"1949","unstructured":"Shannon, C. (1949). Communication in the presence of noise. Proceedings of the IRE, 37(1), 10\u201321. https:\/\/doi.org\/10.1109\/JRPROC.1949.232969.","journal-title":"Proceedings of the IRE"},{"key":"6222_CR35","unstructured":"Szegedy, C., Zaremba, W., & Sutskever, I., et\u00a0al. (2014). Intriguing properties of neural networks. In: International Conference on Learning Representations, arXiv:1312.6199"},{"key":"6222_CR36","doi-asserted-by":"crossref","unstructured":"Wang, H., Wu, X., & Huang, Z., et\u00a0al. (2020). High frequency component helps explain the generalization of convolutional neural networks.","DOI":"10.1109\/CVPR42600.2020.00871"},{"key":"6222_CR37","doi-asserted-by":"crossref","unstructured":"Wang, S.Y., Wang, O., & Zhang, R., et\u00a0al. (2020). Cnn-generated images are surprisingly easy to spot...for now. In: CVPR","DOI":"10.1109\/CVPR42600.2020.00872"},{"key":"6222_CR38","unstructured":"Wang, Y., Zou, D., & Yi, J., et\u00a0al. (2020). Improving adversarial robustness requires revisiting misclassified examples. In: International Conference on Learning Representations, https:\/\/openreview.net\/forum?id=rklOg6EFwS"},{"key":"6222_CR39","unstructured":"Wong, E., Rice, L., & Kolter, J.Z. (2020). Fast is better than free: Revisiting adversarial training."},{"key":"6222_CR40","unstructured":"Xiao, Q., Li, K., & Zhang, D., et\u00a0al. (2017). Wolf in sheep\u2019s clothing\u2014the downscaling attack against deep learning applications."},{"key":"6222_CR41","doi-asserted-by":"crossref","unstructured":"Xu, Q., Zhang, R., & Zhang, Y., et al. (2021). A fourier-based framework for domain generalization.","DOI":"10.1109\/CVPR46437.2021.01415"},{"key":"6222_CR42","doi-asserted-by":"crossref","unstructured":"Yang, Y., & Soatto, S. (2020). Fda: Fourier domain adaptation for semantic segmentation.","DOI":"10.1109\/CVPR42600.2020.00414"},{"key":"6222_CR43","unstructured":"Yin, D., Lopes, R.G., & Shlens, J., et\u00a0al. (2020). A fourier perspective on model robustness in computer vision."},{"key":"6222_CR44","doi-asserted-by":"crossref","unstructured":"Zagoruyko, S., & Komodakis, N. (2017). Wide residual networks.","DOI":"10.5244\/C.30.87"},{"key":"6222_CR45","unstructured":"Zhang, H., Yu, Y., & Jiao, J., et\u00a0al. (2019). Theoretically principled trade-off between robustness and accuracy."},{"key":"6222_CR46","unstructured":"Zhang, R. (2019). Making convolutional networks shift-invariant again."},{"key":"6222_CR47","unstructured":"Zou, X., Xiao, F., & Yu, Z., et\u00a0al. (2020). Delving deeper into anti-aliasing in convnets. In: BMVC"}],"container-title":["Machine Learning"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10994-022-06222-8.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s10994-022-06222-8\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10994-022-06222-8.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,11,23]],"date-time":"2022-11-23T19:08:02Z","timestamp":1669230482000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s10994-022-06222-8"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,8,26]]},"references-count":47,"journal-issue":{"issue":"11","published-print":{"date-parts":[[2022,11]]}},"alternative-id":["6222"],"URL":"https:\/\/doi.org\/10.1007\/s10994-022-06222-8","relation":{},"ISSN":["0885-6125","1573-0565"],"issn-type":[{"value":"0885-6125","type":"print"},{"value":"1573-0565","type":"electronic"}],"subject":[],"published":{"date-parts":[[2022,8,26]]},"assertion":[{"value":"10 December 2021","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"13 May 2022","order":2,"name":"revised","label":"Revised","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"2 July 2022","order":3,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"26 August 2022","order":4,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors are affiliated with the University of Mannheim, University of Siegen, the Max Planck Institute for Informatics, Saarland Informatics Campus, Fraunhofer ITWM, Kaiserslautern and the University of Offenburg.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Conflict of interest"}},{"value":"Some of the experiments have been accepted for presentation as a non-archival short workshop paper at the AAAI workshop on Adversarial Machine Learning.","order":3,"name":"Ethics","group":{"name":"EthicsHeading","label":"Ethical approval"}},{"value":"All authors consent for publication.","order":4,"name":"Ethics","group":{"name":"EthicsHeading","label":"Consent for publication"}}]}}