{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,7,30]],"date-time":"2025-07-30T15:06:49Z","timestamp":1753888009685,"version":"3.37.3"},"reference-count":46,"publisher":"Springer Science and Business Media LLC","issue":"3","license":[{"start":{"date-parts":[[2023,8,4]],"date-time":"2023-08-04T00:00:00Z","timestamp":1691107200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2023,8,4]],"date-time":"2023-08-04T00:00:00Z","timestamp":1691107200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"DOI":"10.13039\/100012325","name":"Bergische Universit\u00e4t Wuppertal","doi-asserted-by":"crossref","id":[{"id":"10.13039\/100012325","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["J Optim Theory Appl"],"published-print":{"date-parts":[[2023,9]]},"abstract":"<jats:title>Abstract<\/jats:title><jats:p>Deep neural networks (DNNs) have proven to be powerful tools for processing unstructured data. However, for high-dimensional data, like images, they are inherently vulnerable to adversarial attacks. Small almost invisible perturbations added to the input can be used to fool DNNs. Various attacks, hardening methods and detection methods have been introduced in recent years. Notoriously, Carlini\u2013Wagner (CW)-type attacks computed by iterative minimization belong to those that are most difficult to detect. In this work we outline a mathematical proof that the CW attack can be used as a detector itself. That is, under certain assumptions and in the limit of attack iterations this detector provides asymptotically optimal separation of original and attacked images. 
In numerical experiments, we experimentally validate this statement and furthermore obtain AUROC values up to <jats:inline-formula><jats:alternatives><jats:tex-math>$$99.73\\%$$<\/jats:tex-math><mml:math xmlns:mml=\"http:\/\/www.w3.org\/1998\/Math\/MathML\">\n                  <mml:mrow>\n                    <mml:mn>99.73<\/mml:mn>\n                    <mml:mo>%<\/mml:mo>\n                  <\/mml:mrow>\n                <\/mml:math><\/jats:alternatives><\/jats:inline-formula> on CIFAR10 and ImageNet. This is in the upper part of the spectrum of current state-of-the-art detection rates for CW attacks.<\/jats:p>","DOI":"10.1007\/s10957-023-02273-6","type":"journal-article","created":{"date-parts":[[2023,8,4]],"date-time":"2023-08-04T17:01:39Z","timestamp":1691168499000},"page":"892-929","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":2,"title":["Detection of Iterative Adversarial Attacks via Counter Attack"],"prefix":"10.1007","volume":"198","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-3840-0184","authenticated-orcid":false,"given":"Matthias","family":"Rottmann","sequence":"first","affiliation":[]},{"given":"Kira","family":"Maag","sequence":"additional","affiliation":[]},{"given":"Mathis","family":"Peyron","sequence":"additional","affiliation":[]},{"given":"Hanno","family":"Gottschalk","sequence":"additional","affiliation":[]},{"given":"Nata\u0161a","family":"Kreji\u0107","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2023,8,4]]},"reference":[{"key":"2273_CR1","unstructured":"Arora, R., Basu, A., Mianjy, P., Mukherjee, A.: Understanding deep neural networks with rectified linear units. In: Bengio, Y., LeCun, Y. (eds.) International Conference on Learning Representations (ICLR). 
(2018)"},{"key":"2273_CR2","first-page":"284","volume-title":"International Conference on Machine Learning (ICML)","author":"A Athalye","year":"2018","unstructured":"Athalye, A., Engstrom, L., Ilyas, A., Kwok, K.: Synthesizing Robust Adversarial Examples. In: Bach, F. (ed.) International Conference on Machine Learning (ICML), pp. 284\u2013293. PMLR, NY (2018)"},{"key":"2273_CR3","first-page":"39","volume-title":"Symposium on Security and Privacy (SP)","author":"N Carlini","year":"2017","unstructured":"Carlini, N., Wagner, D.: Towards evaluating the robustness of neural networks. In: Butler, K.R.B. (ed.) Symposium on Security and Privacy (SP), pp. 39\u201357. IEEE, New York (2017)"},{"key":"2273_CR4","doi-asserted-by":"crossref","unstructured":"Carrara, F., Becarelli, R., Caldelli, R., Falchi, F., Amato, G.: Adversarial examples detection in features distance spaces. In: Ferrari, V., Sminchisescu, C., Hebert, M., Weiss, Y. (eds.) European Conference on Computer Vision (ECCV) Workshops (2018)","DOI":"10.1007\/978-3-030-11012-3_26"},{"key":"2273_CR5","doi-asserted-by":"crossref","unstructured":"Chen, P.Y., Sharma, Y., Zhang, H., Yi, J., Hsieh, C.J.: EAD: elastic-net attacks to deep neural networks via adversarial examples. In: Zilberstein, S. (ed.) Proceeding of the AAAI Conference on Artificial Intelligence, vol. 32 (2018)","DOI":"10.1609\/aaai.v32i1.11302"},{"key":"2273_CR6","doi-asserted-by":"publisher","unstructured":"Chen, S., Carlini, N., Wagner, D.: Stateful detection of black-box adversarial attacks. In: X.\u00a0Xing, Y.H. Lin (eds.) Proceedings of the ACM Workshop on Security and Privacy on Artificial Intelligence, pp. 30\u201339 (2020). https:\/\/doi.org\/10.1145\/3385003.3410925","DOI":"10.1145\/3385003.3410925"},{"key":"2273_CR7","doi-asserted-by":"publisher","DOI":"10.1137\/1.9781611971309","volume-title":"Optimization and Nonsmooth Analysis","author":"F Clarke","year":"1990","unstructured":"Clarke, F.: Optimization and Nonsmooth Analysis. 
SIAM, Philadelphia (1990). https:\/\/doi.org\/10.1137\/1.9781611971309"},{"key":"2273_CR8","unstructured":"Croce, F., Andriushchenko, M., Hein, M.: Provable robustness of ReLU networks via maximization of linear regions. In: K.\u00a0Chaudhuri, M.\u00a0Sugiyama (eds.) International Conference on Artificial Intelligence and Statistics (AISTATS), pp. 2057\u20132066. PMLR (2019)"},{"key":"2273_CR9","doi-asserted-by":"publisher","DOI":"10.1007\/978-1-4899-4549-5","volume-title":"A Course in Large Sample Theory","author":"T Ferguson","year":"1996","unstructured":"Ferguson, T.: A Course in Large Sample Theory. Springer, Berlin (1996)"},{"key":"2273_CR10","first-page":"20","volume":"1050","author":"IJ Goodfellow","year":"2015","unstructured":"Goodfellow, I.J., Shlens, J., Szegedy, C.: Explaining and harnessing adversarial examples. stat 1050, 20 (2015)","journal-title":"stat"},{"key":"2273_CR11","unstructured":"Google: Tensorflow inception network. http:\/\/download.tensorflow.org\/models\/image\/imagenet\/inception-2015-12-05.tgz (2015)"},{"key":"2273_CR12","unstructured":"Grosse, K., Manoharan, P., Papernot, N., Backes, M., McDaniel, P.D.: On the (statistical) detection of adversarial examples. CoRR abs\/1702.06280 (2017). http:\/\/arxiv.org\/abs\/1702.06280"},{"key":"2273_CR13","unstructured":"Guo, C., Rana, M., Cisse, M., van\u00a0der Maaten, L.: Countering adversarial images using input transformations. In: Y.\u00a0Bengio, Y.\u00a0LeCun (eds.) International Conference on Learning Representations (ICLR) (2018)"},{"key":"2273_CR14","doi-asserted-by":"crossref","unstructured":"He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: R.\u00a0Bajcsy, F.F. Li, T.\u00a0Tuytelaars (eds.) Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition (CVPR), pp. 
770\u2013778 (2016)","DOI":"10.1109\/CVPR.2016.90"},{"key":"2273_CR15","doi-asserted-by":"publisher","unstructured":"Hein, M., Andriushchenko, M., Bitterwolf, J.: Why relu networks yield high-confidence predictions far away from the training data and how to mitigate the problem. In: L.\u00a0Davis, P.\u00a0Torr, S.C. Zhu (eds.) Conference on Computer Vision and Pattern Recognition (CVPR), pp. 41\u201350. IEEE\/CVF (2019). https:\/\/doi.org\/10.1109\/CVPR.2019.00013","DOI":"10.1109\/CVPR.2019.00013"},{"key":"2273_CR16","doi-asserted-by":"publisher","unstructured":"Jha, S., Jang, U., Jha, S., Jalaian, B.: Detecting adversarial examples using data manifolds. In: J.\u00a0Shea (ed.) IEEE Military Communications Conference (MILCOM), pp. 547\u2013552 (2018). https:\/\/doi.org\/10.1109\/MILCOM.2018.8599691","DOI":"10.1109\/MILCOM.2018.8599691"},{"key":"2273_CR17","unstructured":"Krizhevsky, A.: Learning multiple layers of features from tiny images (2009). https:\/\/www.cs.toronto.edu\/~kriz\/cifar.html"},{"key":"2273_CR18","first-page":"1097","volume-title":"Advances in Neural Information Processing Systems 25","author":"A Krizhevsky","year":"2012","unstructured":"Krizhevsky, A., Sutskever, I., Hinton, G.E.: Imagenet classification with deep convolutional neural networks. In: Pereira, F., Burges, C.J.C., Bottou, L., Weinberger, K.Q. (eds.) Advances in Neural Information Processing Systems 25, pp. 1097\u20131105. Curran Associates Inc, Red Hook (2012)"},{"key":"2273_CR19","unstructured":"Kurakin, A., Goodfellow, I.J., Bengio, S.: Adversarial machine learning at scale. In: Y.\u00a0Bengio, Y.\u00a0LeCun (eds.) International Conference on Learning Representations (ICLR) (2017)"},{"key":"2273_CR20","unstructured":"Lee, S., Park, S., Lee, J.: Defensive denoising methods against adversarial attack. In: C.J. Lin, H.\u00a0Xiong (eds.) 
ACM SIGKDD Conference on Knowledge Discovery and Data Mining (2018)"},{"issue":"1","key":"2273_CR21","doi-asserted-by":"publisher","first-page":"72","DOI":"10.1109\/TDSC.2018.2874243","volume":"18","author":"B Liang","year":"2021","unstructured":"Liang, B., Li, H., Su, M., Li, X., Shi, W., Wang, X.: Detecting adversarial image examples in deep neural networks with adaptive noise reduction. IEEE Trans. Dependable Secur. Comput. 18(1), 72\u201385 (2021). https:\/\/doi.org\/10.1109\/TDSC.2018.2874243","journal-title":"IEEE Trans. Dependable Secur. Comput."},{"key":"2273_CR22","doi-asserted-by":"crossref","unstructured":"Liu, Z., Liu, Q., Liu, T., Xu, N., Lin, X., Wang, Y., Wen, W.: Feature distillation: Dnn-oriented jpeg compression against adversarial examples. In: Davis, L., Torr, P., Zhu, S.C. (eds.) 2019 IEEE\/CVF Conference on Computer Vision and Pattern Recognition (CVPR), pp. 860\u2013868. IEEE (2019)","DOI":"10.1109\/CVPR.2019.00095"},{"key":"2273_CR23","doi-asserted-by":"crossref","unstructured":"Lu, J., Issaranon, T., Forsyth, D.: Safetynet: Detecting and rejecting adversarial examples robustly. In: K.\u00a0Ikeuchi, G.\u00a0Medioni, M.\u00a0Pelillo (eds.) Proceedings of the IEEE International Conference on Computer Vision (ICCV), pp. 446\u2013454 (2017)","DOI":"10.1109\/ICCV.2017.56"},{"key":"2273_CR24","unstructured":"Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: Y.\u00a0Bengio, Y.\u00a0LeCun (eds.) International Conference on Learning Representations (ICLR) (2018)"},{"key":"2273_CR25","unstructured":"Metzen, J.H., Genewein, T., Fischer, V., Bischoff, B.: On detecting adversarial perturbations. In: Y.\u00a0Bengio, Y.\u00a0LeCun (eds.) 
International Conference on Learning Representations (ICLR) (2017)"},{"key":"2273_CR26","doi-asserted-by":"crossref","unstructured":"Moosavi-Dezfooli, S.M., Fawzi, A., Frossard, P.: Deepfool: a simple and accurate method to fool deep neural networks. In: R.\u00a0Bajcsy, F.F. Li, T.\u00a0Tuytelaars (eds.) Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition (CVPR), pp. 2574\u20132582 (2016)","DOI":"10.1109\/CVPR.2016.282"},{"key":"2273_CR27","unstructured":"Papernot, N., Faghri, F., Carlini, N., Goodfellow, I., Feinman, R., Kurakin, A., Xie, C., Sharma, Y., Brown, T., Roy, A., Matyasko, A., Behzadan, V., Hambardzumyan, K., Zhang, Z., Juang, Y.L., Li, Z., Sheatsley, R., Garg, A., Uesato, J., Gierke, W., Dong, Y., Berthelot, D., Hendricks, P., Rauber, J., Long, R.: Technical report on the cleverhans v2.1.0 adversarial examples library. arXiv preprint arXiv:1610.00768 (2018)"},{"key":"2273_CR28","first-page":"582","volume-title":"Symposium on Security and Privacy (SP)","author":"N Papernot","year":"2016","unstructured":"Papernot, N., McDaniel, P., Wu, X., Jha, S., Swami, A.: Distillation as a defense to adversarial perturbations against deep neural networks. In: Locasto, M. (ed.) Symposium on Security and Privacy (SP), pp. 582\u2013597. IEEE, New York (2016)"},{"key":"2273_CR29","doi-asserted-by":"publisher","unstructured":"Prakash, A., Moran, N., Garber, S., DiLillo, A., Storer, J.: Protecting JPEG images against adversarial attacks. In: Data Compression Conference, pp. 137\u2013146. IEEE (2018). https:\/\/doi.org\/10.1109\/DCC.2018.00022","DOI":"10.1109\/DCC.2018.00022"},{"issue":"3","key":"2273_CR30","doi-asserted-by":"publisher","first-page":"346","DOI":"10.1016\/j.eng.2019.12.012","volume":"6","author":"K Ren","year":"2020","unstructured":"Ren, K., Zheng, T., Qin, Z., Liu, X.: Adversarial attacks and defenses in deep learning. Engineering 6(3), 346\u2013360 (2020). 
https:\/\/doi.org\/10.1016\/j.eng.2019.12.012","journal-title":"Engineering"},{"key":"2273_CR31","unstructured":"Roth, K., Kilcher, Y., Hofmann, T.: The odds are odd: A statistical test for detecting adversarial examples. In: E.\u00a0Xing (ed.) International Conference on Machine Learning (ICML), pp. 5498\u20135507. PMLR (2019)"},{"key":"2273_CR32","unstructured":"Samangouei, P., Kabkab, M., Chellappa, R.: Defense-GAN: Protecting classifiers against adversarial attacks using generative models. In: Y.\u00a0Bengio, Y.\u00a0LeCun (eds.) International Conference on Learning Representations (ICLR) (2018)"},{"key":"2273_CR33","doi-asserted-by":"publisher","DOI":"10.1007\/978-1-4614-4340-7","volume-title":"Introduction to Piecewise Differentiable Equations","author":"S Scholtes","year":"2012","unstructured":"Scholtes, S.: Introduction to Piecewise Differentiable Equations. SpringerBriefs in Optimization. Springer, New York (2012). https:\/\/doi.org\/10.1007\/978-1-4614-4340-7"},{"key":"2273_CR34","doi-asserted-by":"publisher","DOI":"10.1017\/CBO9781107298019","volume-title":"Understanding Machine Learning\u2014From Theory to Algorithms","author":"S Shalev-Shwartz","year":"2014","unstructured":"Shalev-Shwartz, S., Ben-David, S.: Understanding Machine Learning\u2014From Theory to Algorithms. Cambridge University Press, Cambridge (2014)"},{"key":"2273_CR35","unstructured":"Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: Y.\u00a0Bengio, Y.\u00a0LeCun (eds.) International Conference on Learning Representations (ICLR) (2015)"},{"key":"2273_CR36","doi-asserted-by":"publisher","first-page":"663","DOI":"10.1023\/A:1022680114518","volume":"98","author":"MV Solodov","year":"1998","unstructured":"Solodov, M.V., Zavriev, S.K.: Error stability properties of generalized gradient-type algorithms. JOTA 98, 663\u2013680 (1998). 
https:\/\/doi.org\/10.1023\/A:1022680114518","journal-title":"JOTA"},{"key":"2273_CR37","unstructured":"Szegedy, C., Zaremba, W., Sutskever, I., Bruna, J., Erhan, D., Goodfellow, I.J., Fergus, R.: Intriguing properties of neural networks. In: Y.\u00a0Bengio, Y.\u00a0LeCun (eds.) International Conference on Learning Representations (ICLR) (2014)"},{"key":"2273_CR38","doi-asserted-by":"crossref","unstructured":"Taran, O., Rezaeifar, S., Holotyak, T., Voloshynovskiy, S.: Defending against adversarial attacks by randomized diversification. In: L.\u00a0Davis, P.\u00a0Torr, S.C. Zhu (eds.) Proceedings of the IEEE\/CVF Conference on Computer Vision and Pattern Recognition (CVPR), pp. 11226\u201311233 (2019)","DOI":"10.1109\/CVPR.2019.01148"},{"key":"2273_CR39","unstructured":"Wang, Y., Ma, X., Bailey, J., Yi, J., Zhou, B., Gu, Q.: On the convergence and robustness of adversarial training. In: Chaudhuri, K., Salakhutdinov, R. (eds.) International Conference on Machine Learning (ICML), vol. 97, pp. 6586\u20136595. PMLR, Long Beach, California(2019)"},{"key":"2273_CR40","doi-asserted-by":"publisher","unstructured":"Worzyk, N., Kramer, O.: Adversarials $${}^{{-1}}$$: Defending by attacking. In: M.\u00a0Vellasco, P.\u00a0Estevez (eds.) International Joint Conference on Neural Networks, IJCNN 2018, Rio de Janeiro, Brazil, July 8-13, 2018, pp. 1\u20138. IEEE (2018). https:\/\/doi.org\/10.1109\/IJCNN.2018.8489630","DOI":"10.1109\/IJCNN.2018.8489630"},{"key":"2273_CR41","unstructured":"Worzyk, N., Kramer, O.: Properties of adv-1 - adversarials of adversarials. In: European Symposium on Artificial Neural Networks, ESANN 2018, Bruges, Belgium, April 25-27, 2018 (2018)"},{"key":"2273_CR42","unstructured":"Xie, C., Wang, J., Zhang, Z., Ren, Z., Yuille, A.: Mitigating adversarial effects through randomization. In: Y.\u00a0Bengio, Y.\u00a0LeCun (eds.) 
International Conference on Learning Representations (ICLR) (2018)"},{"issue":"2","key":"2273_CR43","doi-asserted-by":"publisher","first-page":"151","DOI":"10.1007\/s11633-019-1211-x","volume":"17","author":"H Xu","year":"2020","unstructured":"Xu, H., Ma, Y., Liu, H., Deb, D., Liu, H., Tang, J., Jain, A.K.: Adversarial attacks and defenses in images, graphs and text: a review. Int. J. Autom. Comput. 17(2), 151\u2013178 (2020). https:\/\/doi.org\/10.1007\/s11633-019-1211-x","journal-title":"Int. J. Autom. Comput."},{"key":"2273_CR44","unstructured":"Yin, X., Kolouri, S., Rohde, G.K.: Divide-and-conquer adversarial detection. CoRR abs\/1905.11475 (2019). http:\/\/arxiv.org\/abs\/1905.11475"},{"key":"2273_CR45","unstructured":"Zheng, Z., Hong, P.: Robust detection of adversarial attacks by modeling the intrinsic properties of deep neural networks. In: S.\u00a0Bengio, H.\u00a0Wallach (eds.) Proceedings of the International Conference on Neural Information Processing Systems, NIPS, pp. 7924\u20137933. Curran Associates Inc., USA (2018)"},{"key":"2273_CR46","doi-asserted-by":"publisher","first-page":"146","DOI":"10.1007\/978-3-030-59013-0_8","volume-title":"Computer Security - ESORICS 2020","author":"Q Zhou","year":"2020","unstructured":"Zhou, Q., Zhang, R., Wu, B., Li, W., Mo, T.: Detection by attack: detecting adversarial samples by undercover attack. In: Chen, L., Li, N., Liang, K., Schneider, S. (eds.) Computer Security - ESORICS 2020, pp. 146\u2013164. 
Springer, Cham (2020)"}],"container-title":["Journal of Optimization Theory and Applications"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10957-023-02273-6.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s10957-023-02273-6\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10957-023-02273-6.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2023,8,31]],"date-time":"2023-08-31T15:35:39Z","timestamp":1693496139000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s10957-023-02273-6"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,8,4]]},"references-count":46,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2023,9]]}},"alternative-id":["2273"],"URL":"https:\/\/doi.org\/10.1007\/s10957-023-02273-6","relation":{},"ISSN":["0022-3239","1573-2878"],"issn-type":[{"type":"print","value":"0022-3239"},{"type":"electronic","value":"1573-2878"}],"subject":[],"published":{"date-parts":[[2023,8,4]]},"assertion":[{"value":"14 May 2021","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"7 July 2023","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"4 August 2023","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}}]}}