Inferensys

Glossary

RobustBench

A standardized benchmark for adversarial robustness that maintains a leaderboard of defenses and attacks, enforcing a rigorous evaluation protocol to track progress.
Data scientist reviewing AI evaluation metrics on dashboard, comparison charts visible, casual WeWork analytics setup.
ADVERSARIAL ROBUSTNESS BENCHMARK

What is RobustBench?

A standardized evaluation framework for adversarial robustness that provides a rigorous, reproducible leaderboard to track progress in defending machine learning models against evasion attacks.

RobustBench is a standardized benchmark for adversarial robustness that enforces a strict evaluation protocol to reliably measure and compare the effectiveness of defense mechanisms. It curates a public leaderboard of models, attacks, and defenses, requiring submissions to adhere to a common threat model—typically an (\ell_\infty)-bounded perturbation of (\epsilon = 8/255) on CIFAR-10—to eliminate the confounding effects of gradient masking and weak attack evaluations that previously inflated reported robustness claims.

The framework's core contribution is its systematic, auto-attack-based evaluation pipeline that serves as a parameter-free, reliable standard for empirical testing. By providing pre-trained model checkpoints and a unified codebase, RobustBench enables researchers to perform reproducible adaptive attack evaluations, ensuring that progress in the field is measured against a consistent, unforgiving baseline rather than through cherry-picked results.

STANDARDIZED ADVERSARIAL ROBUSTNESS EVALUATION

Core Components of RobustBench

RobustBench provides a rigorous, standardized framework for benchmarking adversarial robustness, enforcing a common evaluation protocol to track genuine progress against adaptive attacks.

01

Standardized Threat Model

Enforces a strict, common evaluation protocol based on a specific threat model to prevent methodological inconsistencies. This includes a fixed L-infinity perturbation budget (typically ε=8/255) and a defined set of allowed attacker knowledge. By standardizing these parameters, RobustBench eliminates the common pitfall of comparing defenses evaluated under different, often weaker, attack settings, ensuring a level playing field for all submissions.

02

AutoAttack Evaluation Suite

Uses AutoAttack (AA) as the default, parameter-free benchmark for evaluation. AutoAttack is an ensemble of four diverse attacks:

  • APGD-CE: An adaptive Projected Gradient Descent attack with a cross-entropy loss.
  • APGD-DLR: An adaptive PGD attack using the Difference of Logits Ratio loss.
  • FAB-T: A targeted version of the Fast Adaptive Boundary attack.
  • Square Attack: A query-efficient black-box attack. This ensemble provides a reliable and strong empirical robustness estimate, replacing weaker, obsolete attacks.
03

Public Leaderboard

Maintains a dynamic, publicly accessible leaderboard that ranks defenses by their robust accuracy against AutoAttack on standard datasets like CIFAR-10, CIFAR-100, and ImageNet. The leaderboard tracks both clean accuracy and adversarial accuracy, explicitly highlighting the trade-off between standard performance and robustness. This transparency allows researchers to quickly identify the state-of-the-art and prevents inflated claims of robustness from non-adaptive evaluations.

04

Model Zoo

Provides a curated Model Zoo containing pre-trained, robust models from top-ranked defenses. These models are readily accessible for download and use, serving as standardized baselines for new research. The zoo includes models with varying levels of robustness, enabling researchers to:

  • Benchmark new attacks against known defenses.
  • Perform transfer attack studies.
  • Use robust models as feature extractors for downstream tasks without retraining from scratch.
05

Rigorous Submission Protocol

Implements a strict submission process that requires defenders to provide a full, executable code package. Each submission is independently re-evaluated by the RobustBench maintainers using the standard AutoAttack protocol. This process is designed to detect and reject defenses that rely on gradient masking or other obfuscation techniques that create a false sense of security. The protocol mandates that a defense must be effective against a full adaptive attack to be considered valid.

ROBUSTBENCH CLARIFIED

Frequently Asked Questions

Addressing the most common technical and strategic questions about the RobustBench benchmark, its evaluation protocol, and its role in standardizing adversarial robustness research for security-focused engineering teams.

RobustBench is a standardized benchmark for evaluating the adversarial robustness of image classification models. It operates by maintaining a public leaderboard that ranks defenses based on their performance against a fixed, rigorous evaluation protocol. The core mechanism involves testing a submitted model against a suite of strong, parameter-free adaptive attacks, primarily AutoAttack, to measure its robust accuracy—the model's accuracy on adversarially perturbed inputs. Unlike prior evaluations where researchers often used weak or custom attacks, RobustBench enforces a unified threat model, typically an (L_\infty) or (L_2) norm-bounded perturbation on CIFAR-10 or ImageNet. This prevents gradient masking from being mistaken for true robustness, as the evaluation includes adaptive white-box attacks designed to circumvent obfuscated gradients. The benchmark's leaderboard tracks progress over time, providing a transparent, reproducible measure of how well a model can resist evasion attacks without relying on obfuscation or unrealistic assumptions.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.