{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,5,13]],"date-time":"2025-05-13T16:23:19Z","timestamp":1747153399054,"version":"3.40.5"},"publisher-location":"Cham","reference-count":55,"publisher":"Springer Nature Switzerland","isbn-type":[{"type":"print","value":"9783031731150"},{"type":"electronic","value":"9783031731167"}],"license":[{"start":{"date-parts":[[2024,10,31]],"date-time":"2024-10-31T00:00:00Z","timestamp":1730332800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"},{"start":{"date-parts":[[2024,10,31]],"date-time":"2024-10-31T00:00:00Z","timestamp":1730332800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2025]]},"DOI":"10.1007\/978-3-031-73116-7_10","type":"book-chapter","created":{"date-parts":[[2024,10,30]],"date-time":"2024-10-30T15:15:38Z","timestamp":1730301338000},"page":"161-178","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["Characterizing Model Robustness via\u00a0Natural Input Gradients"],"prefix":"10.1007","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-4130-7696","authenticated-orcid":false,"given":"Adri\u00e1n","family":"Rodr\u00edguez-Mu\u00f1oz","sequence":"first","affiliation":[]},{"given":"Tongzhou","family":"Wang","sequence":"additional","affiliation":[]},{"given":"Antonio","family":"Torralba","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2024,10,31]]},"reference":[{"key":"10_CR1","unstructured":"Andriushchenko, M., Flammarion, N.: Understanding and improving fast adversarial training. arXiv:2007.02617 (2020). http:\/\/arxiv.org\/abs\/2007.02617"},{"key":"10_CR2","unstructured":"Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: circumventing defenses to adversarial examples. arXiv:1802.00420 (2018). http:\/\/arxiv.org\/abs\/1802.00420"},{"key":"10_CR3","doi-asserted-by":"crossref","unstructured":"Bolme, D.S., Draper, B.A., Beveridge, J.R.: Average of synthetic exact filters. In: Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, pp. 2105\u20132112 (2009)","DOI":"10.1109\/CVPR.2009.5206701"},{"key":"10_CR4","unstructured":"Carlini, N., et al.: On evaluating adversarial robustness. arXiv preprint arXiv:1902.06705 (2019)"},{"key":"10_CR5","unstructured":"Cohen, J.M., Rosenfeld, E., Kolter, J.Z.: Certified adversarial robustness via randomized smoothing. In: International Conference on Machine Learning, pp. 1310\u20131320 (2019)"},{"key":"10_CR6","unstructured":"Croce, F., et al.: RobustBench: a standardized adversarial robustness benchmark. arXiv preprint arXiv:2010.09670 (2020)"},{"key":"10_CR7","unstructured":"Croce, F., et al.: RobustBench: a standardized adversarial robustness benchmark. In: Neural Information Processing Systems Datasets and Benchmarks Track (2021)"},{"key":"10_CR8","unstructured":"Croce, F., Hein, M.: Reliable evaluation of adversarial robustness with an ensemble of diverse parameter-free attacks. In: International Conference on Machine Learning, pp. 2206\u20132216 (2020)"},{"key":"10_CR9","doi-asserted-by":"crossref","unstructured":"Cubuk, E.D., Zoph, B., Mane, D., Vasudevan, V., Le, Q.V.: AutoAugment: learning augmentation policies from data. arXiv preprint arXiv:1805.09501 (2018)","DOI":"10.1109\/CVPR.2019.00020"},{"key":"10_CR10","doi-asserted-by":"crossref","unstructured":"Cubuk, E.D., Zoph, B., Shlens, J., Le, Q.: RandAugment: practical automated data augmentation with a reduced search space. In: Advances in Neural Information Processing Systems, pp. 18613\u201318624 (2020)","DOI":"10.1109\/CVPRW50498.2020.00359"},{"key":"10_CR11","doi-asserted-by":"crossref","unstructured":"Deng, J., Dong, W., Socher, R., Li, L.J., Li, K., Fei-Fei, L.: ImageNet: a large-scale hierarchical image database. In: Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, pp. 248\u2013255 (2009)","DOI":"10.1109\/CVPR.2009.5206848"},{"key":"10_CR12","doi-asserted-by":"crossref","unstructured":"Dong, Y., Fu, Q.A., Yang, X., Pang, T., Su, H., Xiao, Z., Zhu, J.: Benchmarking adversarial robustness on image classification. In: Proceedings of the IEEE\/CVF Conference on Computer Vision and Pattern Recognition, pp. 321\u2013331 (2020)","DOI":"10.1109\/CVPR42600.2020.00040"},{"key":"10_CR13","doi-asserted-by":"crossref","unstructured":"Dong, Y., et al.: Boosting adversarial attacks with momentum. In: Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, pp. 9185\u20139193 (2018)","DOI":"10.1109\/CVPR.2018.00957"},{"key":"10_CR14","doi-asserted-by":"publisher","unstructured":"Drucker, H., Le Cun, Y.: Improving generalization performance using double backpropagation. IEEE Trans. Neural Networks 3(6), 991\u2013997 (1992). https:\/\/doi.org\/10.1109\/72.165600, https:\/\/ieeexplore.ieee.org\/document\/165600\/authors#authors, conference Name: IEEE Transactions on Neural Networks","DOI":"10.1109\/72.165600"},{"key":"10_CR15","unstructured":"Finlay, C., Oberman, A.M.: Scaleable input gradient regularization for adversarial robustness. arXiv:1905.11468 (2019). http:\/\/arxiv.org\/abs\/1905.11468"},{"key":"10_CR16","doi-asserted-by":"publisher","unstructured":"Freeman, W., Adelson, E.: The design and use of steerable filters. IEEE Trans. Pattern Anal. Mach. Intell. 13(9), 891\u2013906 (1991). https:\/\/doi.org\/10.1109\/34.93808, https:\/\/ieeexplore.ieee.org\/document\/93808, conference Name: IEEE Transactions on Pattern Analysis and Machine Intelligence","DOI":"10.1109\/34.93808"},{"key":"10_CR17","unstructured":"Ganz, R., Kawar, B., Elad, M.: Do Perceptually aligned gradients imply adversarial robustness? arXiv:2207.11378 (2023). http:\/\/arxiv.org\/abs\/2207.11378"},{"key":"10_CR18","unstructured":"Goodfellow, I.J., Shlens, J., Szegedy, C.: Explaining and harnessing adversarial examples. In: International Conference on Learning Representations (2015)"},{"key":"10_CR19","unstructured":"Gowal, S., Qin, C., Uesato, J., Mann, T., Kohli, P.: Uncovering the limits of adversarial training against norm-bounded adversarial examples. arXiv preprint arXiv:2010.03593 (2020)"},{"key":"10_CR20","unstructured":"Guo, C., Rana, M., Cisse, M., Maaten, L.V.D.: Countering adversarial images using input transformations. In: International Conference on Learning Representations (2018)"},{"key":"10_CR21","doi-asserted-by":"crossref","unstructured":"He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, pp. 770\u2013778 (2016)","DOI":"10.1109\/CVPR.2016.90"},{"key":"10_CR22","doi-asserted-by":"publisher","unstructured":"Hendrycks, D., Gimpel, K.: Gaussian Error Linear Units (GELUs). arXiv:1606.08415 (2023). https:\/\/doi.org\/10.48550\/arXiv.1606.08415, http:\/\/arxiv.org\/abs\/1606.08415","DOI":"10.48550\/arXiv.1606.08415"},{"key":"10_CR23","unstructured":"Izmailov, P., Podoprikhin, D., Garipov, T., Vetrov, D., Wilson, A.G.: Averaging weights leads to wider optima and better generalization. In: 34th Conference on Uncertainty in Artificial Intelligence, pp. 876\u2013885 (2018)"},{"key":"10_CR24","doi-asserted-by":"crossref","unstructured":"Jakubovitz, D., Giryes, R.: Improving DNN robustness to adversarial attacks using jacobian regularization. arXiv:1803.08680 (2019). http:\/\/arxiv.org\/abs\/1803.08680","DOI":"10.1007\/978-3-030-01258-8_32"},{"key":"10_CR25","unstructured":"Kaur, S., Cohen, J., Lipton, Z.C.: Are perceptually-aligned gradients a general property of robust classifiers? arXiv:1910.08640 (2019). http:\/\/arxiv.org\/abs\/1910.08640"},{"key":"10_CR26","doi-asserted-by":"publisher","unstructured":"Kim, H., Lee, W., Lee, J.: Understanding catastrophic overfitting in single-step adversarial training. arXiv:2010.01799 (2020). https:\/\/doi.org\/10.48550\/arXiv.2010.01799, http:\/\/arxiv.org\/abs\/2010.01799","DOI":"10.48550\/arXiv.2010.01799"},{"key":"10_CR27","doi-asserted-by":"publisher","unstructured":"Kingma, D.P., Ba, J.: Adam: a method for stochastic optimization. arXiv:1412.6980 (2017). https:\/\/doi.org\/10.48550\/arXiv.1412.6980, http:\/\/arxiv.org\/abs\/1412.6980","DOI":"10.48550\/arXiv.1412.6980"},{"key":"10_CR28","unstructured":"Kurakin, A., Goodfellow, I., Bengio, S.: Adversarial examples in the physical world. arXiv preprint arXiv:1607.02533 (2016)"},{"key":"10_CR29","unstructured":"Kurakin, A., Goodfellow, I., Bengio, S.: Adversarial machine learning at scale. In: International Conference on Learning Representations (2017)"},{"key":"10_CR30","unstructured":"Li, Z., Liu, L., Wang, Z., Zhou, Y., Xie, C.: Bag of tricks for FGSM adversarial training. arXiv:2209.02684 (2022). http:\/\/arxiv.org\/abs\/2209.02684"},{"key":"10_CR31","doi-asserted-by":"crossref","unstructured":"Liao, F., Liang, M., Dong, Y., Pang, T., Hu, X., Zhu, J.: Defense against adversarial attacks using high-level representation guided denoiser. In: Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, pp. 1778\u20131787 (2018)","DOI":"10.1109\/CVPR.2018.00191"},{"key":"10_CR32","doi-asserted-by":"publisher","unstructured":"Liu, C., et al.: A comprehensive study on robustness of image classification models: benchmarking and rethinking. arXiv:2302.14301 (2023).https:\/\/doi.org\/10.48550\/arXiv.2302.14301, http:\/\/arxiv.org\/abs\/2302.14301","DOI":"10.48550\/arXiv.2302.14301"},{"key":"10_CR33","doi-asserted-by":"crossref","unstructured":"Liu, D., Wu, L., Zhao, H., Boussaid, F., Bennamoun, M., Xie, X.: Jacobian norm with selective input gradient regularization for improved and interpretable adversarial defense. arXiv:2207.13036 (2022). http:\/\/arxiv.org\/abs\/2207.13036","DOI":"10.2139\/ssrn.4452072"},{"key":"10_CR34","doi-asserted-by":"crossref","unstructured":"Liu, Z., et al.: Swin transformer: hierarchical vision transformer using shifted windows. In: Proceedings of the IEEE\/CVF International Conference on Computer Vision, pp. 10012\u201310022 (2021)","DOI":"10.1109\/ICCV48922.2021.00986"},{"key":"10_CR35","unstructured":"Loshchilov, I., Hutter, F.: Decoupled weight decay regularization. arXiv preprint arXiv:1711.05101 (2017)"},{"key":"10_CR36","doi-asserted-by":"publisher","unstructured":"Lukac, R., Plataniotis, K.: Color filter arrays: design and performance analysis. IEEE Trans. Consum. Electron. 51(4), 1260\u20131267 (2005). https:\/\/doi.org\/10.1109\/TCE.2005.1561853, https:\/\/ieeexplore.ieee.org\/document\/1561853, conference Name: IEEE Transactions on Consumer Electronics","DOI":"10.1109\/TCE.2005.1561853"},{"key":"10_CR37","doi-asserted-by":"crossref","unstructured":"Lyu, C., Huang, K., Liang, H.N.: A unified gradient regularization family for adversarial examples. arXiv:1511.06385 (2015). http:\/\/arxiv.org\/abs\/1511.06385","DOI":"10.1109\/ICDM.2015.84"},{"key":"10_CR38","unstructured":"Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: International Conference on Learning Representations (2018)"},{"key":"10_CR39","unstructured":"Pang, T., Yang, X., Dong, Y., Su, H., Zhu, J.: Bag of tricks for adversarial training. arXiv:2010.00467 (2021). http:\/\/arxiv.org\/abs\/2010.00467"},{"key":"10_CR40","doi-asserted-by":"crossref","unstructured":"Ross, A.S., Doshi-Velez, F.: Improving the adversarial robustness and interpretability of deep neural networks by regularizing their input gradients. arXiv:1711.09404 (2017). http:\/\/arxiv.org\/abs\/1711.09404","DOI":"10.1609\/aaai.v32i1.11504"},{"key":"10_CR41","unstructured":"Salman, H., Ilyas, A., Engstrom, L., Kapoor, A., Madry, A.: Do adversarially robust ImageNet models transfer better? In: Advances in Neural Information Processing Systems, vol.\u00a033, pp. 3533\u20133545 (2020)"},{"key":"10_CR42","doi-asserted-by":"publisher","unstructured":"Santurkar, S., Tsipras, D., Tran, B., Ilyas, A., Engstrom, L., Madry, A.: Image synthesis with a single (robust) classifier. arXiv:1906.09453(2019). https:\/\/doi.org\/10.48550\/arXiv.1906.09453, http:\/\/arxiv.org\/abs\/1906.09453","DOI":"10.48550\/arXiv.1906.09453"},{"key":"10_CR43","doi-asserted-by":"publisher","unstructured":"Seck, I., Loosli, G., Canu, S.: L 1-norm double backpropagation adversarial defense. arXiv:1903.01715 (2019). https:\/\/doi.org\/10.48550\/arXiv.1903.01715, http:\/\/arxiv.org\/abs\/1903.01715","DOI":"10.48550\/arXiv.1903.01715"},{"key":"10_CR44","unstructured":"Simon-Gabriel, C.J., Ollivier, Y., Bottou, L., Sch\u00f6lkopf, B., Lopez-Paz, D.: First-order adversarial vulnerability of neural networks and input dimension. arXiv:1802.01421 (2019). http:\/\/arxiv.org\/abs\/1802.01421"},{"key":"10_CR45","unstructured":"Srinivas, S., Bordt, S., Lakkaraju, H.: Which models have perceptually-aligned gradients? An explanation via off-manifold robustness. arXiv:2305.19101(2023). http:\/\/arxiv.org\/abs\/2305.19101"},{"key":"10_CR46","doi-asserted-by":"publisher","unstructured":"Szegedy, C., et al.: Intriguing properties of neural networks. arXiv:1312.6199 (2014).https:\/\/doi.org\/10.48550\/arXiv.1312.6199, http:\/\/arxiv.org\/abs\/1312.6199","DOI":"10.48550\/arXiv.1312.6199"},{"key":"10_CR47","doi-asserted-by":"crossref","unstructured":"Tram\u00e8r, F., Kurakin, A., Papernot, N., Boneh, D., McDaniel, P.: Ensemble adversarial training: attacks and defenses. In: International Conference on Learning Representations (2018)","DOI":"10.1145\/3319535.3354222"},{"key":"10_CR48","doi-asserted-by":"publisher","unstructured":"Wightman, R.: PyTorch image models (2019). https:\/\/doi.org\/10.5281\/zenodo.4414861, https:\/\/github.com\/rwightman\/pytorch-image-models, publication Title: GitHub repository","DOI":"10.5281\/zenodo.4414861"},{"key":"10_CR49","unstructured":"Wong, E., Kolter, Z.: Provable defenses against adversarial examples via the convex outer adversarial polytope. In: International Conference on Machine Learning, pp. 5286\u20135295 (2018)"},{"key":"10_CR50","unstructured":"Wong, E., Rice, L., Kolter, J.Z.: Fast is better than free: revisiting adversarial training. arXiv:2001.03994 (2020). http:\/\/arxiv.org\/abs\/2001.03994"},{"key":"10_CR51","unstructured":"Xie, C., Tan, M., Gong, B., Yuille, A., Le, Q.V.: Smooth adversarial training. arXiv:2006.14536 (2021). http:\/\/arxiv.org\/abs\/2006.14536"},{"key":"10_CR52","unstructured":"Xie, C., Wang, J., Zhang, Z., Ren, Z., Yuille, A.: Mitigating adversarial effects through randomization. In: International Conference on Learning Representations (2018)"},{"key":"10_CR53","doi-asserted-by":"crossref","unstructured":"Xie, C., et al.: Improving transferability of adversarial examples with input diversity. In: Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, pp. 2730\u20132739 (2019)","DOI":"10.1109\/CVPR.2019.00284"},{"key":"10_CR54","unstructured":"Zhang, H., Cisse, M., Dauphin, Y.N., Lopez-Paz, D.: mixup: beyond empirical risk minimization. In: International Conference on Learning Representations (2018)"},{"key":"10_CR55","unstructured":"Zhang, Z., Jung, C., Liang, X.: Adversarial defense by suppressing high-frequency components. arXiv preprint arXiv:1908.06566 (2019)"}],"container-title":["Lecture Notes in Computer Science","Computer Vision \u2013 ECCV 2024"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-031-73116-7_10","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,10,30]],"date-time":"2024-10-30T15:23:55Z","timestamp":1730301835000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-031-73116-7_10"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,10,31]]},"ISBN":["9783031731150","9783031731167"],"references-count":55,"URL":"https:\/\/doi.org\/10.1007\/978-3-031-73116-7_10","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"type":"print","value":"0302-9743"},{"type":"electronic","value":"1611-3349"}],"subject":[],"published":{"date-parts":[[2024,10,31]]},"assertion":[{"value":"31 October 2024","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"ECCV","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"European Conference on Computer Vision","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Milan","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Italy","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2024","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"29 September 2024","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"4 October 2024","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"18","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"eccv2024","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/eccv2024.ecva.net\/","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}}]}}