{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,26]],"date-time":"2026-02-26T15:24:16Z","timestamp":1772119456574,"version":"3.50.1"},"reference-count":40,"publisher":"Springer Science and Business Media LLC","issue":"5","license":[{"start":{"date-parts":[[2025,1,25]],"date-time":"2025-01-25T00:00:00Z","timestamp":1737763200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2025,1,25]],"date-time":"2025-01-25T00:00:00Z","timestamp":1737763200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"DOI":"10.13039\/501100005713","name":"Technische Universit\u00e4t M\u00fcnchen","doi-asserted-by":"crossref","id":[{"id":"10.13039\/501100005713","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Knowl Inf Syst"],"published-print":{"date-parts":[[2025,5]]},"abstract":"<jats:title>Abstract<\/jats:title>\n                  <jats:p>\n                    Knowledge transfer is an effective method for learning, particularly useful when labeled data are limited or when training a model from scratch is too expensive. Most of the research on transfer learning focuses on achieving\n                    <jats:italic>accurate<\/jats:italic>\n                    models, overlooking the crucial aspect of adversarial robustness. However, ensuring robustness is vital, especially when applying transfer learning in safety-critical domains. We compare the robustness of models obtained by 11 training procedures on source domains and 3 retraining schemes on target domains, including normal, adversarial, contrastive, and Lipschitz-constrained training variants. 
Robustness is analyzed via adversarial attacks on two different transfer learning model outputs: (i) the latent representations and (ii) the predictions. Studying latent representations in correlation with predictions is crucial for the robustness of transfer learning models, since the representations are learned solely on the source domain. Besides adversarial attacks that aim to change the prediction, we also analyze the effect of directly attacking the representations. Our results show that adversarial robustness can transfer across domains, but effective robust transfer learning requires techniques that ensure robustness independently of the training data, so that it is preserved during the transfer. Retraining on the target domain has only a minor impact on the robustness of the target model. Representations exhibit greater robustness than predictions across both the source and target domains.\n                  <\/jats:p>","DOI":"10.1007\/s10115-024-02333-x","type":"journal-article","created":{"date-parts":[[2025,1,24]],"date-time":"2025-01-24T18:20:35Z","timestamp":1737742835000},"page":"4139-4206","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["Evaluating the transferability of adversarial robustness to target domains"],"prefix":"10.1007","volume":"67","author":[{"given":"Anna-Kathrin","family":"Kopetzki","sequence":"first","affiliation":[]},{"given":"Aleksandar","family":"Bojchevski","sequence":"additional","affiliation":[]},{"given":"Stephan","family":"G\u00fcnnemann","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2025,1,25]]},"reference":[{"key":"2333_CR1","unstructured":"Shafahi A, Saadatpanah P, Zhu C, Ghiasi A, Studer C, Jacobs D, Goldstein T (2020) Adversarially robust transfer learning. 
In: International conference on learning representations"},{"key":"2333_CR2","unstructured":"Chen D, Hu H, Wang Q, Li Y, Wang C, Shen C, Li Q (2021) CARTL: cooperative adversarially-robust transfer learning"},{"key":"2333_CR3","unstructured":"Zhang H, Yu Y, Jiao J, Xing EP, Ghaoui LE, Jordan MI (2019) Theoretically principled trade-off between robustness and accuracy. In: proceedings of the 36th international conference on machine learning, vol. 97, pp. 7472\u20137482"},{"key":"2333_CR4","doi-asserted-by":"crossref","unstructured":"Singh M, Sinha A, Kumari N, Machiraju H, Krishnamurthy B, Balasubramanian VN (2019) Harnessing the vulnerability of latent layers in adversarially trained models. Proceedings of the twenty-eighth international joint conference on artificial intelligence (IJCAI-19), 2779\u20132785","DOI":"10.24963\/ijcai.2019\/385"},{"key":"2333_CR5","first-page":"18661","volume":"33","author":"P Khosla","year":"2020","unstructured":"Khosla P, Teterwak P, Wang C, Sarna A, Tian Y, Isola P, Maschinot A, Liu C, Krishnan D (2020) Supervised contrastive learning. Adv Neural Inf Process Syst 33:18661\u201318673","journal-title":"Adv Neural Inf Process Syst"},{"key":"2333_CR6","unstructured":"Huang Y, Zhang H, Shi Y, Kolter JZ, Anandkumar A (2021) Training certifiably robust neural networks with efficient local lipschitz bounds. In: Ranzato, M., Beygelzimer, A., Dauphin, Y., Liang, P.S., Vaughan, J.W. (eds.) Advances in Neural Information Processing Systems, vol. 34, pp. 22745\u201322757"},{"key":"2333_CR7","unstructured":"Szegedy C, Zaremba W, Sutskever I, Bruna J, Erhan D, Goodfellow IJ, Fergus R (2014) Intriguing properties of neural networks. In: Bengio, Y., LeCun, Y. (eds.) 2nd international conference on learning representations, ICLR 2014, Banff, AB, Canada, Apr 14-16, 2014, Conference track proceedings"},{"key":"2333_CR8","unstructured":"Salman H, Ilyas A, Engstrom L, Kapoor A, Madry A (2020) Do adversarially robust imagenet models transfer better? 
In: Larochelle, H., Ranzato, M., Hadsell, R., Balcan, M.F., Lin, H. (eds.) Advances in neural information processing systems, vol. 33, pp. 3533\u20133545"},{"key":"2333_CR9","unstructured":"Goodfellow IJ, Shlens J, Szegedy C (2015) Explaining and harnessing adversarial examples. In: Bengio, Y., LeCun, Y. (eds.) 3rd international conference on learning representations, ICLR 2015, San Diego, CA, USA, May 7-9, 2015, Conference track proceedings"},{"key":"2333_CR10","unstructured":"Madry A, Makelov A, Schmidt L, Tsipras D, Vladu, A (2018) Towards deep learning models resistant to adversarial attacks. In: 6th international conference on learning representations, ICLR 2018, Vancouver, BC, Canada, April 30\u2013May 3, 2018, Conference track proceedings"},{"key":"2333_CR11","unstructured":"Utrera F, Kravitz E, Erichson NB, Khanna R, Mahoney MW (2021) Adversarially-trained deep nets transfer better: illustration on image classification. In: International conference on learning representations"},{"key":"2333_CR12","unstructured":"Engstrom L, Ilyas A, Santurkar S, Tsipras D, Tran B, Madry A (2019) Adversarial robustness as a prior for learned representations"},{"key":"2333_CR13","unstructured":"Ilyas A, Santurkar S, Tsipras D, Engstrom L, Tran B, Madry A (2019) Adversarial examples are not bugs, they are features. In: Wallach, H., Larochelle, H., Beygelzimer, A., Alch\u00e9-Buc, F., Fox, E., Garnett, R. (eds.) Advances in neural information processing systems, vol. 32"},{"key":"2333_CR14","doi-asserted-by":"crossref","unstructured":"Allen-Zhu Z, Li Y (2022) Feature purification: how adversarial training performs robust deep learning . In: 2021 IEEE 62nd annual symposium on foundations of computer science (FOCS), pp. 977\u2013988","DOI":"10.1109\/FOCS52979.2021.00098"},{"key":"2333_CR15","unstructured":"Carmon Y, Raghunathan A, Schmidt L, Duchi JC, Liang PS (2019) Unlabeled data improves adversarial robustness. 
In: Wallach, H., Larochelle, H., Beygelzimer, A., Alch\u00e9-Buc, F., Fox, E., Garnett, R. (eds.) Advances in neural information processing systems, vol. 32"},{"key":"2333_CR16","unstructured":"Rebuffi S-A, Gowal S, Calian DA, Stimberg F, Wiles O, Mann TA (2021) Data augmentation can improve robustness. In: Ranzato, M., Beygelzimer, A., Dauphin, Y., Liang, P.S., Vaughan, J.W. (eds.) Advances in neural information processing systems, vol. 34, pp. 29935\u201329948"},{"key":"2333_CR17","unstructured":"Sehwag V, Mahloujifar S, Handina T, Dai S, Xiang C, Chiang M, Mittal P (2022) Robust learning meets generative models: can proxy distributions improve adversarial robustness? In: International conference on learning representations"},{"key":"2333_CR18","unstructured":"Lee H, Choi K, Kwon D, Park S, Jaiswal MS, Park N, Choi J, Lee J (2024) DataFreeShield: Defending adversarial attacks without training data. In: Salakhutdinov, R., Kolter, Z., Heller, K., Weller, A., Oliver, N., Scarlett, J., Berkenkamp, F. (eds.) Proceedings of the 41st international conference on machine learning, vol. 235, pp. 26515\u201326545"},{"key":"2333_CR19","doi-asserted-by":"crossref","unstructured":"Singh K, Navaratnam T, Holmer J, Schaub-Meyer S, Roth S (2024) Is synthetic data all we need? benchmarking the robustness of models trained with synthetic images. In: CVPR 2024 workshop Syntagen: harnessing generative models for synthetic visual datasets","DOI":"10.1109\/CVPRW63382.2024.00257"},{"key":"2333_CR20","doi-asserted-by":"publisher","first-page":"3318","DOI":"10.1109\/TMM.2020.3023792","volume":"23","author":"M Azzam","year":"2021","unstructured":"Azzam M, Wu W, Cao W, Wu S, Wong H-S (2021) Ktransgan: variational inference-based knowledge transfer for unsupervised conditional generative learning. 
IEEE Trans Multimedia 23:3318\u20133331","journal-title":"IEEE Trans Multimedia"},{"key":"2333_CR21","doi-asserted-by":"crossref","unstructured":"Goldblum M, Fowl L, Feizi S, Goldstein T (2020) Adversarially robust distillation. Proceedings of the AAAI conference on artificial intelligence 34(04):3996\u20134003","DOI":"10.1609\/aaai.v34i04.5816"},{"key":"2333_CR22","unstructured":"Vaishnavi P, Eykholt K, Rahmati A (2022) Transferring adversarial robustness through robust representation matching. In: 31st USENIX security symposium (USENIX Security 22), pp. 2083\u20132098"},{"key":"2333_CR23","doi-asserted-by":"crossref","unstructured":"Chan A, Tay Y, Ong Y (2020) What it thinks is important is important: robustness transfers through input gradients. 2020 IEEE\/CVF conference on computer vision and pattern recognition (CVPR), 329\u2013338","DOI":"10.1109\/CVPR42600.2020.00041"},{"key":"2333_CR24","doi-asserted-by":"crossref","unstructured":"Yamada Y, Otani M (2022) Does robustness on imagenet transfer to downstream tasks? In: 2022 IEEE\/CVF conference on computer vision and pattern recognition (CVPR), pp. 9205\u20139214","DOI":"10.1109\/CVPR52688.2022.00900"},{"key":"2333_CR25","unstructured":"Nern LF, Raj H, Georgi MA, Sharma Y (2023) On transfer of adversarial robustness from pretraining to downstream tasks. In: Advances in neural information processing systems, vol. 36, pp. 59206\u201359226"},{"key":"2333_CR26","unstructured":"Vaishnavi P, Eykholt K, Rahmati A (2024) A study of the effects of transfer learning on adversarial robustness. Trans Mach Learning Res"},{"key":"2333_CR27","unstructured":"Tsipras D, Santurkar S, Engstrom L, Turner A, Madry A (2019) Robustness may be at odds with accuracy. In: International conference on learning representations"},{"key":"2333_CR28","doi-asserted-by":"crossref","unstructured":"He K, Zhang X, Ren S, Sun J (2016) Deep residual learning for image recognition. 
In: 2016 IEEE conference on computer vision and pattern recognition (CVPR), pp. 770\u2013778","DOI":"10.1109\/CVPR.2016.90"},{"key":"2333_CR29","unstructured":"Paszke A, Gross S, Massa F, Lerer A, Bradbury J, Chanan G, Killeen T, Lin Z, Gimelshein N, Antiga L, Desmaison A, Kopf A, Yang E, DeVito Z, Raison M, Tejani A, Chilamkurthy S, Steiner B, Fang L, Bai J, Chintala S (2019) Pytorch: An imperative style, high-performance deep learning library. In: Wallach, H., Larochelle, H., Beygelzimer, A., Alch\u00e9-Buc, F., Fox, E., Garnett, R. (eds.) Advances in neural information processing systems, vol. 32"},{"issue":"3","key":"2333_CR30","doi-asserted-by":"publisher","first-page":"239","DOI":"10.1093\/biomet\/33.3.239","volume":"33","author":"MG Kendall","year":"1945","unstructured":"Kendall MG (1945) The treatment of ties in ranking problems. Biometrika 33(3):239\u2013252","journal-title":"Biometrika"},{"key":"2333_CR31","doi-asserted-by":"crossref","unstructured":"Abdelkader A, Curry MJ, Fowl L, Goldstein T, Schwarzschild A, Shu M, Studer C, Zhu C (2020) Headless horseman: adversarial attacks on transfer learning models. ICASSP 2020\u20132020 IEEE international conference on acoustics, speech and signal processing (ICASSP), 3087\u20133091","DOI":"10.1109\/ICASSP40776.2020.9053181"},{"key":"2333_CR32","volume-title":"Reading digits in natural images with unsupervised feature learning","author":"Y Netzer","year":"2011","unstructured":"Netzer Y, Wang T, Coates A, Bissacco A, Wu B, Ng AY (2011) Reading digits in natural images with unsupervised feature learning. Neural Information Processing Systems, Deep Learning and Unsupervised Feature Learning Workshop"},{"key":"2333_CR33","unstructured":"LeCun Y, Cortes C (2010) MNIST handwritten digit database. National Institute of Standards and Technology"},{"key":"2333_CR34","unstructured":"Krizhevsky A, Nair V, Hinton G. Cifar-100. 
Canadian Institute for Advanced Research"},{"key":"2333_CR35","unstructured":"Krizhevsky A, Nair V, Hinton G (2009) Cifar-10. Canadian Institute for Advanced Research"},{"key":"2333_CR36","unstructured":"Coates A, Ng AY, Lee H (2011) An analysis of single-layer networks in unsupervised feature learning. AISTATS"},{"key":"2333_CR37","unstructured":"Xiao H, Rasul K, Vollgraf R (2017) Fashion-MNIST: a novel image dataset for benchmarking machine learning algorithms. Zalando SE"},{"key":"2333_CR38","doi-asserted-by":"crossref","unstructured":"Cohen G, Afshar S, Tapson J, van Schaik A (2017) EMNIST: extending MNIST to handwritten letters. 2017 International joint conference on neural networks (IJCNN)","DOI":"10.1109\/IJCNN.2017.7966217"},{"key":"2333_CR39","volume-title":"Deep learning for classical Japanese literature","author":"T Clanuwat","year":"2018","unstructured":"Clanuwat T, Bober-Irizar M, Kitamoto A, Lamb A, Yamamoto K, Ha D (2018) Deep learning for classical Japanese literature. Neural Information Processing Systems, Machine Learning for Creativity and Design Workshop"},{"issue":"53","key":"2333_CR40","doi-asserted-by":"publisher","first-page":"2607","DOI":"10.21105\/joss.02607","volume":"5","author":"J Rauber","year":"2020","unstructured":"Rauber J, Zimmermann R, Bethge M, Brendel W (2020) Foolbox native: fast adversarial attacks to benchmark the robustness of machine learning models in Pytorch, Tensorflow, and Jax. 
J Open Sour Soft 5(53):2607","journal-title":"J Open Sour Soft"}],"container-title":["Knowledge and Information Systems"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10115-024-02333-x.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s10115-024-02333-x\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10115-024-02333-x.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,4,11]],"date-time":"2025-04-11T23:43:35Z","timestamp":1744415015000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s10115-024-02333-x"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,1,25]]},"references-count":40,"journal-issue":{"issue":"5","published-print":{"date-parts":[[2025,5]]}},"alternative-id":["2333"],"URL":"https:\/\/doi.org\/10.1007\/s10115-024-02333-x","relation":{"has-preprint":[{"id-type":"doi","id":"10.21203\/rs.3.rs-5117436\/v1","asserted-by":"object"}]},"ISSN":["0219-1377","0219-3116"],"issn-type":[{"value":"0219-1377","type":"print"},{"value":"0219-3116","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,1,25]]},"assertion":[{"value":"19 September 2024","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"23 November 2024","order":2,"name":"revised","label":"Revised","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"30 December 2024","order":3,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"25 January 2025","order":4,"name":"first_online","label":"First 
Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors have no relevant financial or non-financial interests to disclose.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Conflict of interest"}},{"value":"Yes.","order":3,"name":"Ethics","group":{"name":"EthicsHeading","label":"Consent for publication"}}]}}