Adversarial Robustness of ResNet-34 on ImageNet

I designed and implemented a structured adversarial robustness evaluation against an ImageNet-pretrained ResNet-34. The study covered five attack implementations: FGSM at ε=0.02, three PGD variants sharing that same ε=0.02 budget (targeted, untargeted with random start, and momentum), and a patch-based targeted attack within a randomly placed 32×32 region using a much larger per-pixel budget (ε=0.5) confined to that small region, applied to 500 test images across 100 ImageNet classes. A clean baseline established 70.40% top-1 and 87.00% top-5 accuracy on ResNet-34, and top-1 accuracy fell to 43.20% under FGSM, as low as 0.60% under the strongest PGD variant, and 23.40% under the patch attack. I then evaluated all four generated adversarial test sets against DenseNet-121, a model that never saw the attacks during generation, to measure how much of that degradation transferred across architectures.

Small, tightly-bounded pixel perturbations can silently break deployed image classifiers. I built a structured evaluation to measure exactly how much accuracy degrades under increasing attack sophistication, and whether that degradation transfers across architectures, a stronger test of model fragility than single-model accuracy alone.

Written for ML researchers and engineers who need to understand adversarial fragility in vision models before deployment.

The evaluation ran through five sequential tasks in a single Colab-compatible notebook. Task 1 established the clean baseline on ResNet-34 using ImageNet normalization over 500 images from 100 classes, reaching 70.40% top-1 and 87.00% top-5 accuracy. Task 2 generated AdversarialTestSet1 via FGSM at ε=0.02, which cut ResNet-34 top-1 accuracy to 43.20%, with a post-generation L∞ distance check. Task 3 implemented three PGD variants sharing the same ε=0.02 budget: targeted PGD (40 steps, α=0.0025, a fixed incorrect target class), untargeted PGD with random start (20 steps, α=0.003), and momentum PGD (20 steps, α=0.0025, μ=1.0), reaching ResNet-34 top-1 accuracy of 0.60%, 39.60%, and 44.00% respectively. Targeted PGD was the strongest and was saved as the 500-image AdversarialTestSet2. Task 4 implemented a targeted PGD attack within a randomly placed 32×32 patch (ε=0.5, α=0.05, 40 steps, an L0 threat model), cutting ResNet-34 top-1 accuracy to 23.40% and producing AdversarialTestSet3. Task 5 evaluated all four test sets against DenseNet-121 using the same ImageNet normalization but a model architecture that was never involved in crafting the attacks.

I personally implemented every task in the notebook: the clean baseline evaluation, the FGSM attack with a post-generation L∞ distance check, all three PGD variants with the comparison and selection step, the 32×32 patch attack, and the full cross-architecture transferability evaluation against DenseNet-121.

• Implemented FGSM with ε = 0.02, cutting ResNet-34 top-1 accuracy from 70.40% to 43.20%, and ran a post-generation L∞ distance check, producing and saving all 500 adversarial images to AdversarialTestSet1.
• Designed and compared three distinct PGD variants sharing the same ε=0.02 budget: targeted PGD (40 steps, a fixed incorrect target class, cutting top-1 to 0.60%), untargeted PGD with random start (20 steps, cutting top-1 to 39.60%), and momentum PGD (20 steps, cutting top-1 to 44.00%). Selected targeted PGD as the strongest by top-1 degradation and saved results as AdversarialTestSet2.
• Implemented a 32×32 randomly placed patch-based targeted PGD attack (ε=0.5, α=0.05, 40 steps) operating under an L0 threat model, cutting ResNet-34 top-1 accuracy to 23.40% and producing AdversarialTestSet3.
• Evaluated all four adversarial test sets against DenseNet-121 without any DenseNet-specific optimization, cleanly isolating the cross-architecture transferability signal.
• Visualized adversarial examples alongside clean originals and captured correct and incorrect prediction examples at each stage of the evaluation.

I validated each attack through clean and adversarial top-1 and top-5 accuracy comparisons on ResNet-34, then evaluated the generated adversarial sets on DenseNet-121 to measure cross-architecture transfer. I also recorded a post-generation L∞ distance diagnostic for the FGSM set.

On ResNet-34, the model the attacks were crafted on, top-1 accuracy fell from a 70.40% clean baseline (87.00% top-5) to 43.20% under FGSM (ε=0.02), 39.60% and 44.00% under the two weaker PGD variants, 0.60% under the strongest PGD variant (the same ε=0.02 budget run for more steps), and 23.40% under the patch attack (ε=0.5 within a 32×32 region). Transferred cold to DenseNet-121, which never saw any attack during generation, top-1 accuracy dropped from a 68.20% clean baseline to 29.20% on the FGSM set, 15.60% on the strongest PGD set, and 42.40% on the patch set, confirming substantial cross-architecture transfer without any model-specific tuning.

This is a controlled research evaluation rather than a running service. The findings are scoped to the pretrained models, 500-image ImageNet sample, perturbation budgets, and attack configurations tested, and they should not be interpreted as certified robustness guarantees.

Notebook-based research (Colab-compatible). The three adversarial test sets and the evaluation notebook are committed to the repository for reproducibility.

• The strongest white-box attack also transferred most effectively: targeted PGD cut ResNet-34 top-1 accuracy to 0.60% and produced the lowest DenseNet-121 transfer accuracy at 15.60% among the three threat models. The patch attack told a different story. It degraded ResNet-34 more than FGSM did (23.40% vs. 43.20% top-1) but transferred worse than FGSM to DenseNet-121 (42.40% vs. 29.20%), suggesting the localized perturbation exploited something closer to ResNet-34-specific structure rather than a feature any convolutional classifier would share.