Described herein are embodiments for joint adversarial training methods that incorporate both spatial transformation-based and pixel-value based attacks for improving image model robustness. Embodiments of a spatial transformation-based attack with an explicit notion of budgets are disclosed and embodiments of a practical methodology for efficient spatial attack generation are also disclosed. Furthermore, both pixel and spatial attacks are integrated into embodiments of a generation model and the complementary strengths of each other are leveraged for improving the overall model robustness. Extensive experimental results on several benchmark datasets compared with state-of-the-art methods verified the effectiveness of the presented method.