Our research aims to unify existing works' diverging opinions on how architectural components affect the adversarial robustness of CNNs. To accomplish our goal, we synthesize a suite of three generalizable robust architectural design principles: (a) an optimal range for depth and width configurations, (b) preferring a convolutional over a patchify stem stage, and (c) a robust residual block design through adopting squeeze and excitation blocks and non-parametric smooth activation functions. Through extensive experiments across a wide spectrum of dataset scales, adversarial training methods, model parameters, and network design spaces, our principles consistently and markedly improve AutoAttack accuracy: 1-3 percentage points (pp) on CIFAR-10 and CIFAR-100, and 4-9 pp on ImageNet. The code is publicly available at https://github.com/poloclub/robust-principles.