Robustness against image perturbations bounded by an $\ell_p$ ball has been well studied in recent literature. Perturbations in the real world, however, rarely exhibit the pixel independence that $\ell_p$ threat models assume. A recently proposed Wasserstein distance-bounded threat model is a promising alternative that limits the perturbation to pixel mass movements. We point out and rectify flaws in the previous definition of the Wasserstein threat model and explore stronger attacks and defenses under our better-defined framework. Lastly, we discuss the inability of current Wasserstein-robust models to defend against perturbations seen in the real world. Our code and trained models are available at https://github.com/edwardjhu/improved_wasserstein.
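The contrast between the two threat models, as an added illustration that is not code from the paper or its repository: two perturbations of a constructed 1-D pixel row have identical $\ell_p$ size, yet their Wasserstein cost differs by how far the pixel mass moves. The row values, the unit-mass normalization, the ground cost $|i-j|$ and the 1-D closed form (sum of CDF differences) are assumptions of this example, not the paper's 2-D formulation.

```python
from itertools import accumulate

def lp_distance(a, b, p):
    """l_p distance between two equal-length pixel rows; p may be float('inf')."""
    if len(a) != len(b):
        raise ValueError("rows must have the same length")
    diffs = [abs(x - y) for x, y in zip(a, b)]
    if p == float("inf"):
        return max(diffs)
    return sum(d ** p for d in diffs) ** (1.0 / p)

def _normalize(row):
    """Scale a non-negative row to unit total mass (assumption of this example)."""
    if any(v < 0 for v in row):
        raise ValueError("pixel mass must be non-negative")
    total = sum(row)
    if total <= 0:
        raise ValueError("row must carry positive mass")
    return [v / total for v in row]

def wasserstein1_1d(a, b):
    """Wasserstein-1 distance in pixels between two rows with ground cost |i - j|.

    In one dimension the optimal transport cost equals the sum of absolute
    differences between the two cumulative distributions.
    """
    if len(a) != len(b):
        raise ValueError("rows must have the same length")
    pa, pb = _normalize(a), _normalize(b)
    return sum(abs(ca - cb) for ca, cb in zip(accumulate(pa), accumulate(pb)))

# Constructed sample data: one bright pixel, then 2 units of its mass moved
# to the neighbouring pixel (NEAR) or to the far end of the row (FAR).
ROW = [0, 8, 0, 0, 0, 0, 0, 0]
NEAR = [0, 6, 2, 0, 0, 0, 0, 0]
FAR = [0, 6, 0, 0, 0, 0, 0, 2]

def compare(clean, perturbed):
    """Size of one perturbation under each threat model's metric."""
    return {
        "linf": lp_distance(clean, perturbed, float("inf")),
        "l2": lp_distance(clean, perturbed, 2),
        "w1": wasserstein1_1d(clean, perturbed),
    }

if __name__ == "__main__":
    for name, row in (("near", NEAR), ("far", FAR)):
        print(name, compare(ROW, row))
```

An $\ell_\infty$ or $\ell_2$ budget admits or rejects both perturbations together, while a Wasserstein budget between the two costs admits only the local mass movement.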