{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,10]],"date-time":"2025-10-10T00:51:51Z","timestamp":1760057511000,"version":"build-2065373602"},"reference-count":38,"publisher":"MDPI AG","issue":"1","license":[{"start":{"date-parts":[[2025,2,8]],"date-time":"2025-02-08T00:00:00Z","timestamp":1738972800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"Research Fund KU Leuven","award":["06.40.32.33.00.10"],"award-info":[{"award-number":["06.40.32.33.00.10"]}]},{"name":"Cybersecurity Research Program Flanders","award":["06.40.32.33.00.10"],"award-info":[{"award-number":["06.40.32.33.00.10"]}]},{"name":"AIDE project funded by the Belgian SPF BOSA under the programme \u201cFinancing of projects for the development of artificial intelligence in Belgium\u201d","award":["06.40.32.33.00.10"],"award-info":[{"award-number":["06.40.32.33.00.10"]}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["MAKE"],"abstract":"<jats:p>Adversarial training, a widely used technique for fortifying the robustness of machine learning models, has seen its effectiveness further bolstered by modifying loss functions or incorporating additional terms into the training objective. While these adaptations are validated through empirical studies, they lack a solid theoretical basis to explain the models\u2019 secure and robust behavior. In this paper, we investigate the integration of adversarial triplets within the adversarial training framework, a method previously shown to enhance robustness. However, the reasons behind this increased robustness are poorly understood, and the impact of different adversarial triplet configurations remains unclear. To address this gap, we utilize the robust and non-robust features framework to analyze how various adversarial triplet compositions influence robustness, providing deeper insights into the robustness guarantees of this approach. Specifically, we introduce a novel framework that explains how different compositions of adversarial triplets lead to distinct training dynamics, thereby affecting the model\u2019s adversarial robustness. We validate our theoretical findings through empirical analysis, demonstrating that our framework accurately characterizes the effects of adversarial triplets on the training process. Our results offer a comprehensive explanation of how adversarial triplets influence the security and robustness of models, providing a theoretical foundation for methods that employ adversarial triplets to improve robustness. This research not only enhances our theoretical understanding but also has practical implications for developing more robust machine learning models.<\/jats:p>","DOI":"10.3390\/make7010014","type":"journal-article","created":{"date-parts":[[2025,2,10]],"date-time":"2025-02-10T03:39:47Z","timestamp":1739158787000},"page":"14","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["Triple Down on Robustness: Understanding the Impact of Adversarial Triplet Compositions on Adversarial Robustness"],"prefix":"10.3390","volume":"7","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-9292-6449","authenticated-orcid":false,"given":"Sander","family":"Joos","sequence":"first","affiliation":[{"name":"DistriNet, KU Leuven, Celestijnenlaan 200A, B-3001 Heverlee, Belgium"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0366-4470","authenticated-orcid":false,"given":"Tim Van","family":"hamme","sequence":"additional","affiliation":[{"name":"DistriNet, KU Leuven, Celestijnenlaan 200A, B-3001 Heverlee, Belgium"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3836-1840","authenticated-orcid":false,"given":"Willem","family":"Verheyen","sequence":"additional","affiliation":[{"name":"DistriNet, KU Leuven, Celestijnenlaan 200A, B-3001 Heverlee, Belgium"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6279-4430","authenticated-orcid":false,"given":"Davy","family":"Preuveneers","sequence":"additional","affiliation":[{"name":"DistriNet, KU Leuven, Celestijnenlaan 200A, B-3001 Heverlee, Belgium"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7710-5092","authenticated-orcid":false,"given":"Wouter","family":"Joosen","sequence":"additional","affiliation":[{"name":"DistriNet, KU Leuven, Celestijnenlaan 200A, B-3001 Heverlee, Belgium"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"1968","published-online":{"date-parts":[[2025,2,8]]},"reference":[{"key":"ref_1","unstructured":"Szegedy, C., Zaremba, W., Sutskever, I., Bruna, J., Erhan, D., Goodfellow, I., and Fergus, R. (2014, January 14\u201316). Intriguing properties of neural networks. Proceedings of the International Conference on Learning Representations, Banff, AB, Canada."},{"key":"ref_2","unstructured":"Wong, E., Rice, L., and Kolter, J.Z. (May, January 26). Fast is better than free: Revisiting adversarial training. Proceedings of the International Conference on Learning Representations, Online."},{"key":"ref_3","unstructured":"Shafahi, A., Najibi, M., Ghiasi, A., Xu, Z., Dickerson, J.P., Studer, C., Davis, L.S., Taylor, G., and Goldstein, T. (2019, January 8\u201314). Adversarial Training for Free!. Proceedings of the Neural Information Processing Systems, Vancouver, BC, Canada."},{"key":"ref_4","doi-asserted-by":"crossref","unstructured":"Li, P., Yi, J., Zhou, B., and Zhang, L. (2019, January 10\u201316). Improving the Robustness of Deep Neural Networks via Adversarial Training with Triplet Loss. Proceedings of the Twenty-Eighth International Joint Conference on Artificial Intelligence, {IJCAI-19}, Macao, China.","DOI":"10.24963\/ijcai.2019\/403"},{"key":"ref_5","doi-asserted-by":"crossref","unstructured":"Zhong, Y., and Deng, W. (November, January 27). Adversarial Learning With Margin-Based Triplet Embedding Regularization. Proceedings of the 2019 IEEE\/CVF International Conference on Computer Vision (ICCV), Seoul, Republic of Korea.","DOI":"10.1109\/ICCV.2019.00665"},{"key":"ref_6","unstructured":"Wallach, H.M., Larochelle, H., Beygelzimer, A., d\u2019Alch\u00e9-Buc, F., Fox, E.B., and Garnett, R. (2019, January 8\u201314). Metric Learning for Adversarial Robustness. Proceedings of the Advances in Neural Information Processing Systems 32: Annual Conference on Neural Information Processing Systems 2019, NeurIPS 2019, Vancouver, BC, Canada."},{"key":"ref_7","doi-asserted-by":"crossref","first-page":"102640","DOI":"10.1016\/j.cose.2022.102640","article-title":"Rethinking maximum-margin softmax for adversarial robustness","volume":"116","author":"Hassanin","year":"2022","journal-title":"Comput. Secur."},{"key":"ref_8","unstructured":"Pang, T., Yang, X., Dong, Y., Xu, K., Zhu, J., and Su, H. (2020, January 6\u201312). Boosting Adversarial Training with Hypersphere Embedding. Proceedings of the Advances in Neural Information Processing Systems 34: Annual Conference on Neural Information Processing Systems 2020, NeurIPS 2020, Online."},{"key":"ref_9","unstructured":"Zhang, H., Yu, Y., Jiao, J., Xing, E.P., Ghaoui, L.E., and Jordan, M.I. (2019, January 9\u201315). Theoretically Principled Trade-off between Robustness and Accuracy. Proceedings of the International Conference on Machine Learning, Long Beach, CA, USA."},{"key":"ref_10","unstructured":"Wallach, H., Larochelle, H., Beygelzimer, A., d\u2019Alch\u00e9-Buc, F., Fox, E., and Garnett, R. (2019, January 8\u201314). Adversarial Examples Are Not Bugs, They Are Features. Proceedings of the Advances in Neural Information Processing Systems, Vancouver, BC, Canada."},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"Tram\u00e8r, F., Dupr\u00e9, P., Rusak, G., Pellegrino, G., and Boneh, D. (2019, January 11\u201315). Adversarial: Perceptual ad blocking meets adversarial machine learning. Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, London, UK.","DOI":"10.1145\/3319535.3354222"},{"key":"ref_12","doi-asserted-by":"crossref","first-page":"109009","DOI":"10.1016\/j.patcog.2022.109009","article-title":"Robust Physical-World Attacks on Face Recognition","volume":"133","author":"Zheng","year":"2023","journal-title":"Pattern Recognit."},{"key":"ref_13","doi-asserted-by":"crossref","unstructured":"Feng, R., Mangaokar, N., Chen, J., Fernandes, E., Jha, S., and Prakash, A. (2022). GRAPHITE: Generating Automatic Physical Examples for Machine-Learning Attacks on Computer Vision Systems. arXiv.","DOI":"10.1109\/EuroSP53844.2022.00047"},{"key":"ref_14","unstructured":"Wang, Z., Pang, T., Du, C., Lin, M., Liu, W., and Yan, S. (2023, January 23\u201329). Better diffusion models further improve adversarial training. Proceedings of the International Conference on Machine Learning. PMLR, Honolulu, HI, USA."},{"key":"ref_15","unstructured":"Gowal, S., Qin, C., Uesato, J., Mann, T., and Kohli, P. (2020). Uncovering the limits of adversarial training against norm-bounded adversarial examples. arXiv."},{"key":"ref_16","first-page":"29935","article-title":"Data augmentation can improve robustness","volume":"34","author":"Rebuffi","year":"2021","journal-title":"Adv. Neural Inf. Process. Syst."},{"key":"ref_17","first-page":"4218","article-title":"Improving robustness using generated data","volume":"34","author":"Gowal","year":"2021","journal-title":"Adv. Neural Inf. Process. Syst."},{"key":"ref_18","first-page":"5545","article-title":"Exploring architectural ingredients of adversarially robust deep neural networks","volume":"34","author":"Huang","year":"2021","journal-title":"Adv. Neural Inf. Process. Syst."},{"key":"ref_19","doi-asserted-by":"crossref","unstructured":"Huang, S., Lu, Z., Deb, K., and Boddeti, V.N. (2023, January 18\u201322). Revisiting residual networks for adversarial robustness. Proceedings of the IEEE\/CVF Conference on Computer Vision and Pattern Recognition, Vancouver, BC, Canada.","DOI":"10.1109\/CVPR52729.2023.00793"},{"key":"ref_20","unstructured":"Peng, S., Xu, W., Cornelius, C., Hull, M., Li, K., Duggal, R., Phute, M., Martin, J., and Chau, D.H. (2023). Robust principles: Architectural design principles for adversarially robust cnns. arXiv."},{"key":"ref_21","unstructured":"Madry, A., Makelov, A., Schmidt, L., Tsipras, D., and Vladu, A. (May, January 30). Towards Deep Learning Models Resistant to Adversarial Attacks. Proceedings of the International Conference on Learning Representations, Vancouver, BC, Canada."},{"key":"ref_22","unstructured":"Chopra, S., Hadsell, R., and LeCun, Y. (2005, January 20\u201326). Learning a similarity metric discriminatively, with application to face verification. Proceedings of the 2005 IEEE Computer Society Conference on Computer Vision and Pattern Recognition (CVPR\u201905), San Diego, CA, USA."},{"key":"ref_23","doi-asserted-by":"crossref","unstructured":"Schroff, F., Kalenichenko, D., and Philbin, J. (2015, January 8\u201312). FaceNet: A unified embedding for face recognition and clustering. Proceedings of the 2015 IEEE Conference on Computer Vision and Pattern Recognition (CVPR), Boston, MA, USA.","DOI":"10.1109\/CVPR.2015.7298682"},{"key":"ref_24","doi-asserted-by":"crossref","unstructured":"Deng, J., Guo, J., Xue, N., and Zafeiriou, S. (2019, January 16\u201320). ArcFace: Additive Angular Margin Loss for Deep Face Recognition. Proceedings of the IEEE\/CVF Conference on Computer Vision and Pattern Recognition (CVPR), Long Beach, CA, USA.","DOI":"10.1109\/CVPR.2019.00482"},{"key":"ref_25","unstructured":"Wu, Y., and Huang, H. (2025, February 06). Understanding Metric Learning on Unit Hypersphere and Generating Better Examples for Adversarial Training. Available online: https:\/\/openreview.net\/forum?id=DkeCkhLIVGZ."},{"key":"ref_26","doi-asserted-by":"crossref","unstructured":"Duan, Y., Zheng, W., Lin, X., Lu, J., and Zhou, J. (2018, January 18\u201322). Deep Adversarial Metric Learning. Proceedings of the 2018 IEEE\/CVF Conference on Computer Vision and Pattern Recognition (CVPR), Salt Lake City, UT, USA.","DOI":"10.1109\/CVPR.2018.00294"},{"key":"ref_27","doi-asserted-by":"crossref","unstructured":"Springer, J.M., Mitchell, M., and Kenyon, G.T. (2021). Adversarial Perturbations Are Not So Weird: Entanglement of Robust and Non-Robust Features in Neural Network Classifiers. arXiv.","DOI":"10.2172\/1823733"},{"key":"ref_28","unstructured":"Engstrom, L., Ilyas, A., Santurkar, S., Tsipras, D., Tran, B., and Madry, A. (2019). Adversarial Robustness as a Prior for Learned Representations. arXiv."},{"key":"ref_29","unstructured":"Kaur, S., Cohen, J., and Lipton, Z.C. (2019). Are Perceptually-Aligned Gradients a General Property of Robust Classifiers?. arXiv."},{"key":"ref_30","unstructured":"Krizhevsky, A., and Hinton, G. (2009). Learning Multiple Layers of Features from Tiny Images, University of Toronto."},{"key":"ref_31","doi-asserted-by":"crossref","unstructured":"Cao, Q., Shen, L., Xie, W., Parkhi, O.M., and Zisserman, A. (2018, January 15\u201319). VGGFace2: A Dataset for Recognising Faces across Pose and Age. Proceedings of the 2018 13th IEEE International Conference on Automatic Face & Gesture Recognition (FG 2018), Xi\u2019an, China.","DOI":"10.1109\/FG.2018.00020"},{"key":"ref_32","unstructured":"Zagoruyko, S., and Komodakis, N. (2016, January 19\u201322). Wide Residual Networks. Proceedings of the British Machine Vision Conference, York, UK."},{"key":"ref_33","unstructured":"Croce, F., Andriushchenko, M., Sehwag, V., Debenedetti, E., Flammarion, N., Chiang, M., Mittal, P., and Hein, M. (2020). RobustBench: A standardized adversarial robustness benchmark. arXiv."},{"key":"ref_34","doi-asserted-by":"crossref","first-page":"3","DOI":"10.1016\/j.neunet.2017.12.012","article-title":"Sigmoid-weighted linear units for neural network function approximation in reinforcement learning","volume":"107","author":"Elfwing","year":"2018","journal-title":"Neural Netw."},{"key":"ref_35","unstructured":"He, K., Zhang, X., Ren, S., and Sun, J. (July, January 26). Deep residual learning for image recognition. Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, Las Vegas, NV, USA."},{"key":"ref_36","unstructured":"Yun, S., Han, D., Oh, S.J., Chun, S., Choe, J., and Yoo, Y. (November, January 27). CutMix: Regularization Strategy to Train Strong Classifiers with Localizable Features. Proceedings of the International Conference on Computer Vision (ICCV), Seoul, Republic of Korea."},{"key":"ref_37","unstructured":"Croce, F., and Hein, M. (2020, January 12\u201318). Reliable evaluation of adversarial robustness with an ensemble of diverse parameter-free attacks. Proceedings of the International Conference on Machine Learning, Online."},{"key":"ref_38","unstructured":"Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., and Gelly, S. (2021, January 3\u20137). An Image is Worth 16 \u00d7 16 Words: Transformers for Image Recognition at Scale. Proceedings of the International Conference on Learning Representations, Online, Austria."}],"container-title":["Machine Learning and Knowledge Extraction"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2504-4990\/7\/1\/14\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,9]],"date-time":"2025-10-09T16:29:38Z","timestamp":1760027378000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2504-4990\/7\/1\/14"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,2,8]]},"references-count":38,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2025,3]]}},"alternative-id":["make7010014"],"URL":"https:\/\/doi.org\/10.3390\/make7010014","relation":{},"ISSN":["2504-4990"],"issn-type":[{"type":"electronic","value":"2504-4990"}],"subject":[],"published":{"date-parts":[[2025,2,8]]}}}