A Comparative Study of Adversarial Robustness in CNN and CNN-ANFIS Architectures

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

Convolutional Neural Networks (CNNs) achieve strong image classification performance but lack interpretability and are vulnerable to adversarial attacks. Neuro-fuzzy hybrids such as DCNFIS replace fully connected CNN classifiers with Adaptive Neuro-Fuzzy Inference Systems (ANFIS) to improve interpretability, yet their robustness remains underexplored. This work compares standard CNNs (ConvNet, VGG, ResNet18) with their ANFIS-augmented counterparts on MNIST, Fashion-MNIST, CIFAR-10, and CIFAR-100 under gradient-based (PGD) and gradient-free (Square) attacks. Results show that ANFIS integration does not consistently improve clean accuracy and has architecture-dependent effects on robustness: ResNet18-ANFIS exhibits improved adversarial robustness, while VGG-ANFIS often underperforms its baseline. These findings suggest that neuro-fuzzy augmentation can enhance robustness in specific architectures but is not universally beneficial.


💡 Research Summary

This paper investigates how integrating an Adaptive Neuro‑Fuzzy Inference System (ANFIS) into conventional convolutional neural networks (CNNs) influences adversarial robustness. The authors select three widely used CNN architectures—ConvNet (a LeNet‑style shallow network), VGG, and ResNet18—and replace each model’s final fully‑connected classification layer with an ANFIS module consisting of 20 fuzzy rules, following the design of prior DCNFIS work. All models are trained on four benchmark image classification datasets of increasing complexity: MNIST, Fashion‑MNIST, CIFAR‑10, and CIFAR‑100, using identical training hyper‑parameters to ensure a fair comparison.

Two families of adversarial attacks are employed. Gradient‑based Projected Gradient Descent (PGD) is applied with dataset‑specific ε values (0.1–0.3 for the grayscale datasets, 2/255–16/255 for CIFAR). A gradient‑free Square attack, limited to 1,000 model queries, is also used with the same ε settings. Model performance is measured by clean test accuracy and adversarial accuracy; a “Robustness Ratio” (adversarial accuracy divided by clean accuracy) quantifies resilience.
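The evaluation loop described above (L∞ PGD at several ε budgets, then clean accuracy, adversarial accuracy and Robustness Ratio) can be sketched as follows. This is an added example, not code from the paper: the fixed linear classifier, the five-sample dataset, the step-size heuristic and all function names are constructed assumptions standing in for the CNN and CNN-ANFIS models.

```python
import math

# Constructed stand-in model: a fixed linear classifier over 4 "pixels" in [0, 1].
W, B = [1.0, -1.0, 0.5, -0.5], 0.0
# Constructed evaluation set: (pixels, label in {-1, +1}); the last sample is wrong even when clean.
DATA = [
    ([0.9, 0.1, 0.8, 0.2], +1),
    ([0.2, 0.8, 0.3, 0.6], -1),
    ([0.7, 0.3, 0.5, 0.4], +1),
    ([0.5, 0.6, 0.4, 0.5], -1),
    ([0.5, 0.5, 0.3, 0.7], +1),
]

def logit(x):
    return sum(w * v for w, v in zip(W, x)) + B

def predict(x):
    return 1 if logit(x) > 0 else -1

def loss_grad(x, y):
    """Gradient of the logistic loss log(1 + exp(-y * logit(x))) with respect to x."""
    scale = -y / (1.0 + math.exp(y * logit(x)))
    return [scale * w for w in W]

def pgd_linf(x0, y, eps, steps=10):
    """L-inf PGD: signed-gradient ascent on the loss, projected back into the eps-ball."""
    alpha = 2.5 * eps / steps          # common step-size heuristic (assumption)
    x = list(x0)                       # no random start, so the run is deterministic
    for _ in range(steps):
        g = loss_grad(x, y)
        x = [v + alpha * math.copysign(1.0, gi) for v, gi in zip(x, g)]
        x = [min(max(v, o - eps), o + eps) for v, o in zip(x, x0)]  # project to eps-ball
        x = [min(max(v, 0.0), 1.0) for v in x]                      # keep valid pixel range
    return x

def accuracy(samples):
    return sum(predict(x) == y for x, y in samples) / len(samples)

def evaluate(eps):
    """Return (clean accuracy, adversarial accuracy, robustness ratio) at budget eps."""
    clean = accuracy(DATA)
    adv = accuracy([(pgd_linf(x, y, eps), y) for x, y in DATA])
    return clean, adv, adv / clean

if __name__ == "__main__":
    for eps in (0.1, 0.2, 0.3):        # the grayscale budget range quoted above
        print(eps, evaluate(eps))
```

Because the ratio divides by clean accuracy, a sample that is already misclassified on clean data lowers both numerator and denominator, which is why the ratio and the raw adversarial accuracy should be reported together.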

Results on clean data show that all models achieve high accuracy on MNIST and Fashion‑MNIST (≈92‑99%). On CIFAR‑10 and CIFAR‑100, deeper architectures (VGG, ResNet18) outperform the shallow ConvNet, as expected. Adding ANFIS does not systematically improve clean accuracy; in some cases (e.g., VGG‑ANFIS on CIFAR‑100) it yields a modest gain, while in others (e.g., ConvNet‑ANFIS on CIFAR‑10) it slightly degrades performance.

Adversarial robustness, however, reveals a clear architecture‑dependent pattern. Under PGD, ResNet18‑ANFIS consistently outperforms its baseline counterpart by roughly 2–5 percentage points across all ε levels, indicating that the residual connections in ResNet help the fuzzy inference layer to reinforce decision boundaries. In contrast, VGG‑ANFIS underperforms the plain VGG model for every ε tested, suggesting that the purely sequential convolutional pipeline does not benefit from the added fuzzy logic and may even suffer from increased non‑linearity. The Square attack mirrors these trends: ResNet18‑ANFIS achieves higher adversarial accuracy than ResNet18, while VGG‑ANFIS lags behind VGG. The Robustness Ratio analysis confirms that ResNet18‑ANFIS maintains ratios above 0.9 in most settings, whereas VGG‑ANFIS drops below 0.8.

The authors interpret these findings as evidence that neuro‑fuzzy augmentation is not a universal robustness booster. Its effectiveness hinges on the underlying CNN architecture; residual networks can exploit the fuzzy layer to gain modest but consistent protection against both gradient‑based and gradient‑free attacks, whereas architectures lacking such mechanisms may see no benefit or even a penalty. The paper also notes that the number of fuzzy rules and the parameterization of membership functions were kept constant across experiments, leaving open the possibility that more tailored ANFIS designs could yield different outcomes.

In conclusion, the study contributes three main insights: (1) ANFIS integration provides interpretability without guaranteeing accuracy or robustness gains; (2) Residual‑based CNNs (ResNet18) can leverage ANFIS to achieve measurable adversarial robustness improvements; (3) Traditional sequential CNNs (VGG) may experience degraded robustness when combined with ANFIS. Future work is suggested to explore stronger, adaptive attacks targeting the fuzzy component, adversarial training of the hybrid models, and systematic tuning of ANFIS hyper‑parameters, as well as scaling the evaluation to larger datasets and safety‑critical applications.

