Deep neural networks are highly vulnerable to adversarial attacks, yet existing robust training methods suffer from high computational costs and limited generalization. This work proposes a lightweight preprocessing approach that combines Gaussian noise injection with bilateral filtering, theoretically revealing for the first time their complementary mechanisms in enhancing robustness and achieving superlinear gains. Requiring only approximately 35% of the training FLOPs, 50% of the parameters, 33% of the training epochs, and 15% of the data, the method ranks second on the RobustBench benchmark under AutoAttack evaluation. It achieves a 2–8× improvement in computational efficiency while maintaining robustness across attack strengths spanning three orders of magnitude.

The vulnerability of deep neural networks to adversarial examples poses a significant challenge for real-world deployment. Existing techniques to enhance deep network robustness rely on adversarial training, an approach that is powerful but computationally intensive and typically tailored to specific attack types. To address these limitations, existing works have explored techniques such as adding gaussian noise or filtering images, both of which can boost the network robustness to various adversarial attacks, albeit modestly. Here, we theoretically demonstrate that these two approaches enhance robustness against adversarial attacks through complementary mechanisms, resulting in supralinear robustness when combined. Building on this insight, we experimentally show that a simple preprocessor combining Gaussian noise and bilateral filtering yields supralinear improvements in adversarial robustness with minimal computational cost. Next, we combine our preprocessor with adversarial training and test on RobustBench to assess its supralinear improvement over state-of-the-art defenses. First, this combination ranks second on AutoAttack and third overall, while using only $\sim$35% of the training FLOPs, using a model with $\sim$50% less parametets, trained with $\sim$33% of the epochs and $\sim$15% the data compared to state-of-the-art defenses. Second, our method scales efficiently, matching the accuracy of competing models with roughly 2-8x less total compute across 3 orders of magnitude. Overall, our approach provides a principled and easily integrable framework for enhancing adversarial robustness, offering negligible computational overhead and a simple yet theoretically grounded design.