{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,6,7]],"date-time":"2025-06-07T04:31:15Z","timestamp":1749270675657,"version":"3.37.3"},"reference-count":57,"publisher":"Springer Science and Business Media LLC","issue":"8","license":[{"start":{"date-parts":[[2024,5,5]],"date-time":"2024-05-05T00:00:00Z","timestamp":1714867200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2024,5,5]],"date-time":"2024-05-05T00:00:00Z","timestamp":1714867200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"DOI":"10.13039\/501100003725","name":"National Research Foundation of Korea","doi-asserted-by":"publisher","award":["2019R1A2C2002358"],"award-info":[{"award-number":["2019R1A2C2002358"]}],"id":[{"id":"10.13039\/501100003725","id-type":"DOI","asserted-by":"publisher"}]},{"name":"Institute of Information & communications Technology Planning & Evaluation","award":["2022-0-00984"],"award-info":[{"award-number":["2022-0-00984"]}]},{"DOI":"10.13039\/501100002551","name":"Seoul National University","doi-asserted-by":"crossref","id":[{"id":"10.13039\/501100002551","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["J Ambient Intell Human Comput"],"published-print":{"date-parts":[[2024,8]]},"abstract":"<jats:title>Abstract<\/jats:title><jats:p>Recently, deep-learning-based models have achieved impressive performance on tasks that were previously considered to be extremely challenging. However, recent works have shown that various deep learning models are susceptible to adversarial data samples. In this paper, we propose the sliced Wasserstein adversarial training method to encourage the logit distributions of clean and adversarial data to be similar to each other. We capture the dissimilarity between two distributions using the Wasserstein metric and then align distributions using an end-to-end training process. We present the theoretical background of the motivation for our study by providing generalization error bounds for adversarial data samples. We performed experiments on three standard datasets and the results demonstrate that our method is more robust against white box attacks compared to previous methods.<\/jats:p>","DOI":"10.1007\/s12652-024-04791-1","type":"journal-article","created":{"date-parts":[[2024,5,5]],"date-time":"2024-05-05T09:01:30Z","timestamp":1714899690000},"page":"3229-3242","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":2,"title":["Sliced Wasserstein adversarial training for improving adversarial robustness"],"prefix":"10.1007","volume":"15","author":[{"given":"Woojin","family":"Lee","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Sungyoon","family":"Lee","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Hoki","family":"Kim","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Jaewook","family":"Lee","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2024,5,5]]},"reference":[{"key":"4791_CR1","unstructured":"Allen-Zhu Z, Li Y, Song Z (2019) A convergence theory for deep learning via over-parameterization. In: international conference on machine learning, pp 242\u2013252"},{"key":"4791_CR2","unstructured":"Arjovsky M, Bottou L (2017) Towards principled methods for training generative adversarial networks. arxiv e-prints, art. arXiv preprint arXiv:1701.04862"},{"key":"4791_CR3","unstructured":"Athalye A, Carlini N, Wagner D (2018) Obfuscated gradients give a false sense of security: circumventing defenses to adversarial examples. In: International conference on machine learning, pp 274\u2013283"},{"key":"4791_CR4","unstructured":"Bonnotte N (2013) Unidimensional and evolution methods for optimal transportation. Ph.D. Thesis, Paris 11"},{"issue":"8","key":"4791_CR5","doi-asserted-by":"publisher","first-page":"2929","DOI":"10.1007\/s12652-018-0714-6","volume":"10","author":"N Cao","year":"2019","unstructured":"Cao N, Li G, Zhu P et al (2019) Handling the adversarial attacks. J Ambient Intell Humaniz Comput 10(8):2929\u20132943","journal-title":"J Ambient Intell Humaniz Comput"},{"key":"4791_CR6","doi-asserted-by":"crossref","unstructured":"Carlini N, Wagner D (2017) Towards evaluating the robustness of neural networks. In: 2017 IEEE symposium on security and privacy (SP), IEEE, pp 39\u201357","DOI":"10.1109\/SP.2017.49"},{"key":"4791_CR7","doi-asserted-by":"crossref","unstructured":"Chen PY, Sharma Y, Zhang H, et al (2018) Ead: elastic-net attacks to deep neural networks via adversarial examples. In: Proceedings of the AAAI conference on artificial intelligence, pp 1\u201319","DOI":"10.1609\/aaai.v32i1.11302"},{"key":"4791_CR8","unstructured":"Cohen J, Rosenfeld E, Kolter Z (2019) Certified adversarial robustness via randomized smoothing. In: International conference on machine learning, pp 1310\u20131320"},{"key":"4791_CR9","unstructured":"Croce F, Andriushchenko M, Sehwag V et al (2020) Robustbench: a standardized adversarial robustness benchmark. arXiv preprint arXiv:2010.09670"},{"key":"4791_CR10","unstructured":"Dhillon GS, Azizzadenesheli K, Lipton ZC et al (2018) Stochastic activation pruning for robust adversarial defense. arXiv preprint arXiv:1803.01442"},{"issue":"1","key":"4791_CR11","doi-asserted-by":"publisher","first-page":"497","DOI":"10.1007\/s12652-020-02014-x","volume":"12","author":"A Drewek-Ossowicka","year":"2021","unstructured":"Drewek-Ossowicka A, Pietro\u0142aj M, Rumi\u0144ski J (2021) A survey of neural networks usage for intrusion detection systems. J Ambient Intell Humaniz Comput 12(1):497\u2013514","journal-title":"J Ambient Intell Humaniz Comput"},{"key":"4791_CR12","first-page":"1","volume":"28","author":"C Frogner","year":"2015","unstructured":"Frogner C, Zhang C, Mobahi H et\u00a0al (2015) Learning with a wasserstein loss. Adv Neural Inf Process Syst 28:1\u20138","journal-title":"Adv Neural Inf Process Syst"},{"issue":"1","key":"4791_CR13","first-page":"1","volume":"17","author":"Y Ganin","year":"2016","unstructured":"Ganin Y, Ustinova E, Ajakan H et al (2016) Domain-adversarial training of neural networks. J Mach Learn Res 17(1):1\u201335","journal-title":"J Mach Learn Res"},{"key":"4791_CR14","unstructured":"Goodfellow IJ, Shlens J, Szegedy C (2014) Explaining and harnessing adversarial examples. arXiv preprint arXiv:1412.6572"},{"key":"4791_CR15","unstructured":"Guo C, Rana M, Cisse M et\u00a0al (2017) Countering adversarial images using input transformations. arXiv preprint arXiv:1711.00117"},{"issue":"1","key":"4791_CR16","doi-asserted-by":"publisher","first-page":"114","DOI":"10.1006\/jcss.1995.1011","volume":"50","author":"KU Hoffgen","year":"1995","unstructured":"Hoffgen KU, Simon HU, Vanhorn KS (1995) Robust trainability of single neurons. J Comput Syst Sci 50(1):114\u2013125","journal-title":"J Comput Syst Sci"},{"key":"4791_CR17","unstructured":"Huang S, Papernot N, Goodfellow I et\u00a0al (2017) Adversarial attacks on neural network policies. arXiv preprint arXiv:1702.02284"},{"key":"4791_CR18","unstructured":"Kannan H, Kurakin A, Goodfellow I (2018) Adversarial logit pairing. arXiv preprint arXiv:1803.06373"},{"key":"4791_CR20","doi-asserted-by":"crossref","unstructured":"Kim H, Lee W, Lee J (2021) Understanding catastrophic overfitting in single-step adversarial training. In: Proceedings of the AAAI conference on artificial intelligence, pp 8119\u20138127","DOI":"10.1609\/aaai.v35i9.16989"},{"key":"4791_CR19","doi-asserted-by":"crossref","unstructured":"Kim C, Choi J, Yoon J et\u00a0al (2023a) Fairness-aware multimodal learning in automatic video interview assessment. IEEE Access 11:122677\u2013122693","DOI":"10.1109\/ACCESS.2023.3325891"},{"key":"4791_CR21","doi-asserted-by":"publisher","first-page":"266","DOI":"10.1016\/j.neunet.2023.08.024","volume":"167","author":"H Kim","year":"2023","unstructured":"Kim H, Lee W, Lee S et al (2023b) Bridged adversarial training. Neural Netw 167:266\u2013282","journal-title":"Neural Netw"},{"key":"4791_CR22","unstructured":"Kim H, Park J, Choi Y, et\u00a0al (2023c) Fantastic robustness measures: the secrets of robust generalization. In: Thirty-seventh conference on neural information processing systems"},{"issue":"109","key":"4791_CR23","first-page":"286","volume":"137","author":"H Kim","year":"2023","unstructured":"Kim H, Park J, Lee J (2023d) Generating transferable adversarial examples for speech classification. Pattern Recogn 137(109):286","journal-title":"Pattern Recogn"},{"key":"4791_CR24","unstructured":"Kolouri S, Pope PE, Martin CE et\u00a0al (2018) Sliced wasserstein auto-encoders. In: International conference on learning representations, pp 1\u201319"},{"key":"4791_CR25","unstructured":"Kolouri S, Nadjahi K, Simsekli U et al (2019) Generalized sliced wasserstein distances. In: NeurIPS 2019, pp 1\u201312"},{"key":"4791_CR26","unstructured":"Krizhevsky A, Hinton G (2009) Learning multiple layers of features from tiny images. Tech. rep, Citeseer"},{"key":"4791_CR27","unstructured":"Kurakin A, Goodfellow I, Bengio S (2016) Adversarial examples in the physical world. arXiv preprint arXiv:1607.02533"},{"key":"4791_CR28","doi-asserted-by":"crossref","unstructured":"Lee CY, Batra T, Baig MH, et\u00a0al (2019) Sliced wasserstein discrepancy for unsupervised domain adaptation. In: Proceedings of the IEEE conference on computer vision and pattern recognition, pp 10,285\u201310,295","DOI":"10.1109\/CVPR.2019.01053"},{"key":"4791_CR29","first-page":"953","volume":"34","author":"S Lee","year":"2021","unstructured":"Lee S, Lee W, Park J et al (2021) Towards better understanding of training certifiably robust models against adversarial examples. Adv Neural Inf Process Syst 34:953\u2013964","journal-title":"Adv Neural Inf Process Syst"},{"issue":"107","key":"4791_CR30","first-page":"763","volume":"112","author":"W Lee","year":"2021","unstructured":"Lee W, Kim H, Lee J (2021) Compact class-conditional domain invariant learning for multi-class domain adaptation. Pattern Recogn 112(107):763","journal-title":"Pattern Recogn"},{"key":"4791_CR31","unstructured":"Li G, Zhu P, Li J, et\u00a0al (2018) Security matters: a survey on adversarial machine learning. arXiv preprint arXiv:1810.07339"},{"key":"4791_CR32","doi-asserted-by":"publisher","first-page":"370","DOI":"10.1016\/j.neucom.2019.10.085","volume":"379","author":"Y Li","year":"2020","unstructured":"Li Y, Zhang H, Bermudez C et al (2020) Anatomical context protects deep learning from adversarial perturbations in medical imaging. Neurocomputing 379:370\u2013378","journal-title":"Neurocomputing"},{"key":"4791_CR33","unstructured":"Liu Z, Chan AB (2022) Boosting adversarial robustness from the perspective of effective margin regularization. arXiv preprint arXiv:2210.05118"},{"key":"4791_CR34","unstructured":"Long M, Zhu H, Wang J, et\u00a0al (2017) Deep transfer learning with joint adaptation networks. In: Proceedings of the 34th international conference on machine learning-volume 70, JMLR. org, pp 2208\u20132217"},{"issue":"Nov","key":"4791_CR35","first-page":"2579","volume":"9","author":"Maaten Lvd","year":"2008","unstructured":"Lvd Maaten, Hinton G (2008) Visualizing data using t-SNE. J Mach Learn Res 9(Nov):2579\u20132605","journal-title":"J Mach Learn Res"},{"key":"4791_CR36","unstructured":"Madry A, Makelov A, Schmidt L et\u00a0al (2017) Towards deep learning models resistant to adversarial attacks. arXiv preprint arXiv:1706.06083"},{"key":"4791_CR37","doi-asserted-by":"publisher","first-page":"80","DOI":"10.1016\/j.neucom.2019.11.052","volume":"382","author":"J Martin","year":"2020","unstructured":"Martin J, Elster C (2020) Inspecting adversarial examples using the fisher information. Neurocomputing 382:80\u201386","journal-title":"Neurocomputing"},{"key":"4791_CR38","doi-asserted-by":"crossref","unstructured":"Moosavi-Dezfooli SM, Fawzi A, Frossard P (2016) Deepfool: a simple and accurate method to fool deep neural networks. In: Proceedings of the IEEE conference on computer vision and pattern recognition, pp 2574\u20132582","DOI":"10.1109\/CVPR.2016.282"},{"key":"4791_CR39","unstructured":"Netzer Y, Wang T, Coates A, et\u00a0al (2011) Reading digits in natural images with unsupervised feature learning. NIPS workshop on deep learning and unsupervised feature learning 2011"},{"key":"4791_CR40","unstructured":"Pang T, Yang X, Dong Y et\u00a0al (2020) Boosting adversarial training with hypersphere embedding. arXiv preprint arXiv:2002.08619"},{"key":"4791_CR41","doi-asserted-by":"crossref","unstructured":"Redko I, Habrard A, Sebban M (2017) Theoretical analysis of domain adaptation with optimal transport. In: Joint European conference on machine learning and knowledge discovery in databases. Springer, pp 737\u2013753","DOI":"10.1007\/978-3-319-71246-8_45"},{"key":"4791_CR42","unstructured":"Samangouei P, Kabkab M, Chellappa R (2018) Defense-GAN: protecting classifiers against adversarial attacks using generative models. arXiv preprint arXiv:1805.06605"},{"key":"4791_CR43","first-page":"1","volume":"32","author":"A Shafahi","year":"2019","unstructured":"Shafahi A, Najibi M, Ghiasi MA et\u00a0al (2019) Adversarial training for free! Adv Neural Inf Process Syst 32:1\u20139","journal-title":"Adv Neural Inf Process Syst"},{"key":"4791_CR44","doi-asserted-by":"publisher","first-page":"195","DOI":"10.1016\/j.neucom.2018.04.027","volume":"307","author":"U Shaham","year":"2018","unstructured":"Shaham U, Yamada Y, Negahban S (2018) Understanding adversarial training: increasing local stability of supervised models through robust optimization. Neurocomputing 307:195\u2013204","journal-title":"Neurocomputing"},{"key":"4791_CR45","doi-asserted-by":"crossref","unstructured":"Sharif M, Bhagavatula S, Bauer L et\u00a0al (2016) Accessorize to a crime: Real and stealthy attacks on state-of-the-art face recognition. In: Proceedings of the 2016 ACM SIGSAC conference on computer and communications security. ACM, pp 1528\u20131540","DOI":"10.1145\/2976749.2978392"},{"key":"4791_CR46","unstructured":"Song C, He K, Wang L, et\u00a0al (2018) Improving the generalization of adversarial training with domain adaptation. arXiv preprint arXiv:1810.00740"},{"key":"4791_CR47","doi-asserted-by":"crossref","unstructured":"Stutz D, Hein M, Schiele B (2021) Relating adversarially robust generalization to flat minima. In: Proceedings of the IEEE\/CVF international conference on computer vision, pp 7807\u20137817","DOI":"10.1109\/ICCV48922.2021.00771"},{"key":"4791_CR48","unstructured":"Szegedy C, Zaremba W, Sutskever I, et\u00a0al (2013) Intriguing properties of neural networks. arXiv preprint arXiv:1312.6199"},{"key":"4791_CR49","doi-asserted-by":"crossref","unstructured":"Tzeng E, Hoffman J, Saenko K, et\u00a0al (2017) Adversarial discriminative domain adaptation. In: Proceedings of the IEEE conference on computer vision and pattern recognition, pp 7167\u20137176","DOI":"10.1109\/CVPR.2017.316"},{"key":"4791_CR50","doi-asserted-by":"publisher","first-page":"87","DOI":"10.1016\/j.neucom.2019.11.051","volume":"382","author":"Y Wang","year":"2020","unstructured":"Wang Y, Wang K, Zhu Z et al (2020) Adversarial attacks on faster r-cnn object detector. Neurocomputing 382:87\u201395","journal-title":"Neurocomputing"},{"key":"4791_CR51","unstructured":"Wong E, Rice L, Kolter JZ (2020) Fast is better than free: revisiting adversarial training. arXiv preprint arXiv:2001.03994"},{"key":"4791_CR52","doi-asserted-by":"crossref","unstructured":"Wu J, Huang Z, Acharya D, et\u00a0al (2019) Sliced Wasserstein generative models. In: Proceedings of the IEEE conference on computer vision and pattern recognition, pp 3713\u20133722","DOI":"10.1109\/CVPR.2019.00383"},{"key":"4791_CR53","unstructured":"Xiao H, Rasul K, Vollgraf R (2017) Fashion-mnist: a novel image dataset for benchmarking machine learning algorithms. arXiv preprint arXiv:1708.07747"},{"key":"4791_CR54","unstructured":"Xiao KY, Tjeng V, Shafiullah NM et\u00a0al (2018) Training for faster adversarial robustness verification via inducing relu stability. arXiv preprint arXiv:1809.03008"},{"key":"4791_CR55","unstructured":"Xie C, Wang J, Zhang Z et\u00a0al (2017) Mitigating adversarial effects through randomization. arXiv preprint arXiv:1711.01991"},{"key":"4791_CR56","doi-asserted-by":"crossref","unstructured":"Ye H, Liu X, Li C (2020) Dscae: a denoising sparse convolutional autoencoder defense against adversarial examples. J Ambient Intell Humaniz Comput 1\u201311","DOI":"10.1007\/s12652-020-02642-3"},{"key":"4791_CR57","doi-asserted-by":"publisher","first-page":"123,783","DOI":"10.1109\/ACCESS.2020.3005987","volume":"8","author":"T Yoon","year":"2020","unstructured":"Yoon T, Lee J, Lee W (2020) Joint transfer of model knowledge and fairness over domains using wasserstein distance. IEEE Access 8:123,783-123,798","journal-title":"IEEE Access"}],"container-title":["Journal of Ambient Intelligence and Humanized Computing"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s12652-024-04791-1.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s12652-024-04791-1\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s12652-024-04791-1.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,6,20]],"date-time":"2024-06-20T15:24:33Z","timestamp":1718897073000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s12652-024-04791-1"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,5,5]]},"references-count":57,"journal-issue":{"issue":"8","published-print":{"date-parts":[[2024,8]]}},"alternative-id":["4791"],"URL":"https:\/\/doi.org\/10.1007\/s12652-024-04791-1","relation":{},"ISSN":["1868-5137","1868-5145"],"issn-type":[{"type":"print","value":"1868-5137"},{"type":"electronic","value":"1868-5145"}],"subject":[],"published":{"date-parts":[[2024,5,5]]},"assertion":[{"value":"11 January 2022","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"13 March 2024","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"5 May 2024","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}}]}}