Abstract: Kolmogorov–Arnold Networks (KANs) have recently emerged as a novel paradigm for function approximation, leveraging univariate spline-based decompositions inspired by the Kolmogorov–Arnold theorem. Despite their theoretical appeal---particularly the potential for inducing smoother decision boundaries and lower effective Lipschitz constants---their adversarial robustness remains largely unexplored. In this work, we conduct the first comprehensive evaluation of KAN robustness in adversarial settings, focusing on both fully connected (FCKANs) and convolutional (CKANs) instantiations for image classification tasks. Across a wide range of benchmark datasets (MNIST, FashionMNIST, KMNIST, CIFAR-10, SVHN, and a subset of ImageNet), we compare KANs against conventional architectures using an extensive suite of attacks, including white-box methods (FGSM, PGD, C&W, MIM), black-box approaches (Square Attack, SimBA, NES), and ensemble attacks (AutoAttack). Our experiments reveal that while small- and medium-scale KANs are not consistently more robust than their standard counterparts, large-scale KANs exhibit markedly enhanced resilience against adversarial perturbations. An ablation study further demonstrates that critical hyperparameters---such as the number of knots and the spline order---significantly influence robustness. Moreover, adversarial training experiments confirm the inherent safety advantages of KAN-based architectures. Overall, our findings provide novel insights into the adversarial behavior of KANs and lay a rigorous foundation for future research on robust, interpretable network designs.
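As context for the simplest white-box attack in the suite above, FGSM perturbs an input by a single signed gradient step. A minimal sketch on a toy linear logistic model (the model, function names, and values are illustrative, not from the paper):

```python
import numpy as np

def fgsm_attack(x, y, w, b, eps):
    """One-step FGSM on a logistic model p = sigmoid(w.x + b).

    For the cross-entropy loss, the gradient with respect to the
    input is (p - y) * w; the attack adds eps times its sign and
    clips back to the valid pixel range [0, 1].
    """
    p = 1.0 / (1.0 + np.exp(-(x @ w + b)))
    grad_x = (p - y) * w                 # d(loss)/d(x) for logistic loss
    return np.clip(x + eps * np.sign(grad_x), 0.0, 1.0)

# Toy example: a three-"pixel" input nudged against the true label y = 1.
x = np.array([0.2, 0.8, 0.5])
w = np.array([1.0, -2.0, 0.5])
x_adv = fgsm_attack(x, y=1.0, w=w, b=0.0, eps=0.1)
```

PGD, also used in the evaluation, iterates this same step with projection onto the eps-ball.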
Submission Length: Regular submission (no more than 12 pages of main content)
Changes Since Last Submission: **Adversarial Training**
> Conducted additional experiments incorporating adversarial training for KANs.
> Detailed experimental results now show improved robustness against a variety of attack types.
**Empirical Analyses and Visualizations**
> Expanded empirical analysis on the structural properties of KANs and their influence on robustness.
> Added visualizations of adversarial perturbations (including on an ImageNet subset) to illustrate differences between KANs, FCNNs, and CNNs.
**Theoretical Discussion**
> Extended discussion to include theoretical insights into why KANs might exhibit improved robustness, including considerations of spline-based function decomposition and effective Lipschitz constants.
> Discussed potential approaches towards obtaining formal robustness certificates.
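The link between spline-based edge functions and effective Lipschitz constants can be illustrated with a toy piecewise-linear (order-1) spline: its Lipschitz constant is bounded by its maximum absolute slope between knots. A minimal sketch (all names and values are illustrative, not the paper's implementation):

```python
import numpy as np

def spline_edge(x, knots, coeffs):
    """Evaluate a piecewise-linear spline edge function at x.

    KAN edges learn univariate splines; for this order-1 case the
    function linearly interpolates the coefficients at the knots.
    """
    return np.interp(x, knots, coeffs)

knots = np.linspace(-1.0, 1.0, 5)           # number of knots: a key hyperparameter
coeffs = np.array([0.0, 0.3, 0.1, 0.4, 0.2])

# Per-segment slopes; their maximum magnitude bounds the edge's
# Lipschitz constant, so flatter segments mean a smoother edge.
slopes = np.diff(coeffs) / np.diff(knots)
lipschitz_bound = np.max(np.abs(slopes))
```

Higher spline orders smooth the edge further but require bounding the derivative of the basis expansion rather than raw segment slopes.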
**Datasets**
> Extended experiments to include a subset of 10 classes from ImageNet, allowing assessment on higher-resolution and more complex data.
**Ablation Studies and Hyperparameter Tuning**
> Performed a comprehensive ablation study on key hyperparameters (e.g., number of knots and spline order in FCKANs).
> Experimented with various attack hyperparameters (e.g., learning rates) to ensure a fair and consistent comparison across architectures.
**Enhanced Attack Evaluation**
> Incorporated AutoAttack and ensemble-based methods into the evaluation framework.
> Corrected calculations for attack transferability by excluding self-transfer cases.
**Terminology and Notation Consistency**
> Revised the manuscript to consistently use the term “safety” throughout.
> Clarified all symbols at their first occurrence, with explicit definitions (notably in Table 3).
These revisions and additional analyses have significantly strengthened our work and addressed the reviewers’ concerns.
Assigned Action Editor: ~Pin-Yu_Chen1
Submission Number: 3895