Recent progress in empirical and certified robustness promises to deliver reliable and deployable Deep Neural Networks (DNNs). Despite that success, most existing evaluations of DNN robustness have been done on images sampled from the same distribution on which the model was trained. However, in the real world, DNNs may be deployed in dynamic environments that exhibit significant distribution shifts. In this work, we take a first step towards thoroughly investigating the interplay between empirical and certified adversarial robustness on the one hand and domain generalization on the other. To do so, we train robust models on multiple domains and evaluate their accuracy and robustness on an unseen domain. We observe that: (1) both empirical and certified robustness generalize to unseen domains, and (2) the level of generalizability does not correlate well with input visual similarity, measured by the FID between source and target domains. We also extend our study to cover a real-world medical application, in which adversarial augmentation significantly boosts the generalization of robustness with minimal effect on clean data accuracy.