The adversarial robustness of a neural network mainly relies on two factors: model capacity and anti-perturbation ability. In this paper, we study the anti-perturbation ability of the network from the feature maps of convolutional layers. Our theoretical analysis discovers that larger convolutional feature maps before average pooling can contribute to better resistance to perturbations, but the conclusion does not hold for max pooling. This brings new inspiration to the design of robust neural networks and urges us to apply these findings to improve existing architectures. The proposed modifications are very simple and only require upsampling the inputs or slightly modifying the stride configurations of downsampling operators. We verify our approaches on several benchmark neural network architectures, including AlexNet, VGG, ResNet18, and PreActResNet18. Non-trivial improvements in terms of both natural accuracy and adversarial robustness can be achieved under various attack and defense mechanisms. The code is available at \url{https://github.com/MTandHJ/rcm}.
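The following is an added illustration of why feature-map size matters differently for the two pooling operators; it is not the paper's own analysis and not code from the rcm repository. It assumes a perturbation with a bounded $\ell_2$ budget spread over the $N$ entries feeding a global pooling layer (the paper's theorem may use a different perturbation model). Under that assumption, average pooling passes through at most $\varepsilon/\sqrt{N}$ of the budget (Cauchy-Schwarz), so enlarging the map shrinks the transmitted perturbation, whereas max pooling can pass the full $\varepsilon$ regardless of $N$. The helper that counts pooled entries assumes "same"-padded downsampling, so each stride-$s$ stage divides the side length by $s$ (rounded up); this models the abstract's two fixes, upsampling the input or changing a stride from 2 to 1.

```python
import math


def avg_pool_worst_change(n_elems, eps):
    """Largest change of a global-average-pooled output caused by a
    perturbation delta with ||delta||_2 <= eps over n_elems entries.
    By Cauchy-Schwarz, |mean(delta)| <= eps / sqrt(n_elems); the bound
    is attained by spreading the budget uniformly, which is what we do."""
    delta = [eps / math.sqrt(n_elems)] * n_elems  # ||delta||_2 == eps
    return sum(delta) / n_elems


def max_pool_worst_change(n_elems, eps):
    """Same budget through global max pooling: putting the whole budget
    on the current arg-max entry shifts the output by exactly eps, no
    matter how many entries the feature map has."""
    feats = [0.0] * n_elems          # constructed, all-equal feature map
    delta = [0.0] * n_elems
    delta[0] = eps                   # index 0 is an arg-max (tie)
    return max(f + d for f, d in zip(feats, delta)) - max(feats)


def pooled_map_elems(input_side, strides):
    """Number of entries per channel reaching the global pooling layer
    after a chain of "same"-padded downsampling stages (assumption:
    each stage of stride s maps side -> ceil(side / s))."""
    side = input_side
    for s in strides:
        side = math.ceil(side / s)
    return side * side


def sensitivity(input_side, strides, eps=1.0):
    """Worst-case transmitted perturbation for both pooling operators
    given an input resolution and stride configuration."""
    n = pooled_map_elems(input_side, strides)
    return {
        "elems": n,
        "avg_pool": avg_pool_worst_change(n, eps),
        "max_pool": max_pool_worst_change(n, eps),
    }


if __name__ == "__main__":
    # Constructed configurations: a CIFAR-sized 32x32 input through a
    # ResNet-like stem with three stride-2 stages, then the two fixes
    # from the abstract: 2x input upsampling, or one stride 2 -> 1.
    for name, side, strides in [
        ("baseline", 32, [1, 2, 2, 2]),
        ("upsampled input", 64, [1, 2, 2, 2]),
        ("stride 2 -> 1", 32, [1, 1, 2, 2]),
    ]:
        r = sensitivity(side, strides)
        print(f"{name:16s} elems={r['elems']:4d} "
              f"avg={r['avg_pool']:.3f} max={r['max_pool']:.3f}")
```

Both fixes quadruple the number of pooled entries (16 to 64), which halves the worst-case perturbation reaching an average-pooled output while leaving the max-pooled output's sensitivity unchanged, the qualitative behaviour the abstract reports.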