A Analysis of models

We observe that the measured robust accuracy converges after 50 steps. This is further indication that attacks converge in 100 steps. Finally, we analyze the adversarial loss landscapes of the model considered in the previous paragraph. Implementation details of the augmentations used in the paper . W A reaches 55.68% robust accuracy (and 86.51% clean accuracy).