Inferensys

Glossary

RobustBench

A standardized benchmark for adversarial robustness that maintains a leaderboard of defenses evaluated against the parameter-free AutoAttack ensemble.
Finance professional using AI FP&A copilot on laptop, board presentation visible on screen, home office work session.

What is RobustBench?

A standardized benchmark for evaluating the empirical adversarial robustness of image classification models, maintaining a public leaderboard of defenses tested against the AutoAttack suite.

RobustBench is a standardized evaluation framework that provides a curated, continuously updated leaderboard for adversarial robustness in image classification. It addresses the crisis of unreliable benchmarking by enforcing a strict, common threat model and evaluating every submitted defense against AutoAttack, a parameter-free ensemble of white-box and black-box attacks. This eliminates the confounding factor of gradient masking and obfuscated gradients, ensuring that reported accuracy genuinely reflects resilience to malicious inputs rather than a failure of the evaluation methodology itself.

By establishing a canonical set of defenses, datasets (CIFAR-10, ImageNet), and perturbation norms (L-infinity, L2), RobustBench enables direct, apples-to-apples comparison of progress in the field. It serves as the definitive empirical ground truth for security researchers, distinguishing truly robust models from those relying on brittle defenses. The platform also catalogs the strongest known adversarial training recipes, driving the community toward reproducible and verifiable standards in certified robustness and evasion attack resistance.

STANDARDIZED ADVERSARIAL EVALUATION

Key Features of RobustBench

RobustBench provides a rigorous, standardized leaderboard for evaluating adversarial robustness, eliminating common pitfalls like gradient obfuscation through its reliance on AutoAttack.

01

Standardized AutoAttack Evaluation

The core of RobustBench is its use of AutoAttack, a parameter-free ensemble of attacks. This eliminates the need for manual tuning and prevents gradient masking defenses from appearing robust. The standard evaluation protocol includes both white-box (APGD) and black-box (Square Attack) components, ensuring a comprehensive assessment that cannot be easily circumvented by obfuscated gradients.

4
Attack Types in Ensemble
03

Threat Model Taxonomy

The benchmark enforces a strict taxonomy of threat models, primarily focusing on Lp-norm bounded perturbations. Defenses are categorized by the specific norm they defend against:

  • L-infinity: Defending against pixel-level changes bounded by a maximum value.
  • L2: Defending against small, overall image perturbations. This clarity prevents the common pitfall of comparing defenses designed for different, incompatible threat models.
04

Mitigating Gradient Masking

A primary contribution of RobustBench is its systematic exposure of gradient masking. Many prior defenses appeared robust because they broke gradient-based attacks, not because they were truly robust. By using a diverse set of attacks including gradient-free methods, RobustBench reliably identifies and disqualifies these brittle defenses, forcing the field toward genuine robustness improvements rather than security through obscurity.

05

Reproducible Model Zoo

RobustBench provides a curated Model Zoo containing pre-trained weights for the top-performing robust models. This allows researchers to easily download, test, and compare against state-of-the-art defenses without re-implementing complex training pipelines. The zoo standardizes the evaluation baseline, ensuring that new defenses are compared against the exact same models in a controlled, reproducible environment.

ROBUSTNESS BENCHMARKING

Frequently Asked Questions

Clear answers to common questions about the RobustBench leaderboard, its evaluation methodology, and its role in standardizing adversarial robustness research.

RobustBench is a standardized benchmark for evaluating the adversarial robustness of image classification models. It maintains a public leaderboard that ranks defenses based on their performance against AutoAttack, a parameter-free ensemble of white-box and black-box attacks. The framework provides a unified evaluation protocol, including fixed threat models (typically L-infinity perturbations of 8/255 on CIFAR-10 and 4/255 on ImageNet), pre-trained base models, and standardized datasets. By eliminating the confounding variable of custom evaluation settings, RobustBench enables direct, apples-to-apples comparisons between proposed defense mechanisms. The project also curates Model Zoo, a collection of pre-trained robust models with verified robustness claims, allowing researchers to benchmark new attacks against state-of-the-art defenses without re-implementing complex training pipelines.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.