This paper presents a study on adversarial robustness in deep learning models through the lens of robust optimization. The authors propose a principled approach to train neural networks that are resistant to adversarial attacks by formulating the problem as a min-max optimization task. This formulation allows for a unified view of prior work on adversarial robustness and provides a concrete security guarantee against any adversary. The authors demonstrate that first-order methods, such as projected gradient descent (PGD), can reliably solve this optimization problem, leading to networks with significantly improved resistance to a wide range of adversarial attacks. The study shows that the capacity of the network plays a crucial role in adversarial robustness. Networks with larger capacity are more robust to adversarial examples, as they can learn more complex decision boundaries. The authors train networks on MNIST and CIFAR10 datasets, achieving high accuracy against a variety of adversarial attacks, including white-box and black-box attacks. Their MNIST model achieves over 89% accuracy against the strongest adversaries, while the CIFAR10 model achieves 46% accuracy. These results suggest that secure neural networks are within reach, and the authors invite the community to test their models in a challenge to further evaluate their robustness. The paper also explores the impact of different attack methods on network robustness. It shows that adversarial training, which directly optimizes the saddle point formulation, leads to robust classifiers. The authors argue that the saddle point formulation provides a clear goal for robust classifiers and a quantitative measure of their robustness. They also demonstrate that the saddle point formulation can be used to analyze the structure of adversarial examples and the effectiveness of different attack methods. The study highlights the importance of first-order adversaries in adversarial robustness. The authors argue that the saddle point formulation provides a universal view of adversarial robustness, as it captures the essence of the problem in a principled manner. They show that the saddle point formulation can be used to train networks that are robust against a wide range of adversarial attacks, including those that are difficult to detect. The authors also discuss the implications of their findings for the broader field of machine learning, suggesting that robustness against first-order adversaries is an important step towards fully resistant deep learning models.This paper presents a study on adversarial robustness in deep learning models through the lens of robust optimization. The authors propose a principled approach to train neural networks that are resistant to adversarial attacks by formulating the problem as a min-max optimization task. This formulation allows for a unified view of prior work on adversarial robustness and provides a concrete security guarantee against any adversary. The authors demonstrate that first-order methods, such as projected gradient descent (PGD), can reliably solve this optimization problem, leading to networks with significantly improved resistance to a wide range of adversarial attacks. The study shows that the capacity of the network plays a crucial role in adversarial robustness. Networks with larger capacity are more robust to adversarial examples, as they can learn more complex decision boundaries. The authors train networks on MNIST and CIFAR10 datasets, achieving high accuracy against a variety of adversarial attacks, including white-box and black-box attacks. Their MNIST model achieves over 89% accuracy against the strongest adversaries, while the CIFAR10 model achieves 46% accuracy. These results suggest that secure neural networks are within reach, and the authors invite the community to test their models in a challenge to further evaluate their robustness. The paper also explores the impact of different attack methods on network robustness. It shows that adversarial training, which directly optimizes the saddle point formulation, leads to robust classifiers. The authors argue that the saddle point formulation provides a clear goal for robust classifiers and a quantitative measure of their robustness. They also demonstrate that the saddle point formulation can be used to analyze the structure of adversarial examples and the effectiveness of different attack methods. The study highlights the importance of first-order adversaries in adversarial robustness. The authors argue that the saddle point formulation provides a universal view of adversarial robustness, as it captures the essence of the problem in a principled manner. They show that the saddle point formulation can be used to train networks that are robust against a wide range of adversarial attacks, including those that are difficult to detect. The authors also discuss the implications of their findings for the broader field of machine learning, suggesting that robustness against first-order adversaries is an important step towards fully resistant deep learning models.