{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,2]],"date-time":"2025-11-02T16:56:50Z","timestamp":1762102610211,"version":"3.37.3"},"reference-count":211,"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","issue":"5","funder":[{"DOI":"10.13039\/501100001942","name":"CHIST-ERA Program through the project CORSMAL under Swiss NSF","doi-asserted-by":"publisher","award":["20CH21_180444"],"award-info":[{"award-number":["20CH21_180444"]}],"id":[{"id":"10.13039\/501100001942","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Proc. IEEE"],"published-print":{"date-parts":[[2021,5]]},"DOI":"10.1109\/jproc.2021.3050042","type":"journal-article","created":{"date-parts":[[2021,2,5]],"date-time":"2021-02-05T20:43:29Z","timestamp":1612557809000},"page":"635-659","source":"Crossref","is-referenced-by-count":33,"title":["Optimism in the Face of Adversity: Understanding and Improving Deep Learning Through Adversarial Robustness"],"prefix":"10.1109","volume":"109","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-5110-465X","authenticated-orcid":false,"given":"Guillermo","family":"Ortiz-Jimenez","sequence":"first","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0113-0838","authenticated-orcid":false,"given":"Apostolos","family":"Modas","sequence":"additional","affiliation":[]},{"given":"Seyed-Mohsen","family":"Moosavi-Dezfooli","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4010-714X","authenticated-orcid":false,"given":"Pascal","family":"Frossard","sequence":"additional","affiliation":[]}],"member":"263","reference":[{"doi-asserted-by":"publisher","key":"ref170","DOI":"10.1186\/s40537-016-0043-6"},{"doi-asserted-by":"publisher","key":"ref172","DOI":"10.1109\/CVPR.2019.00277"},{"key":"ref171","article-title":"What makes ImageNet good for transfer learning?","author":"huh","year":"2016","journal-title":"arXiv 1608 08614"},{"key":"ref174","article-title":"Adversarially-trained deep nets transfer better","author":"utrera","year":"2020","journal-title":"arXiv 2007 05869"},{"key":"ref173","article-title":"Do adversarially robust imagenet models transfer better?","author":"salman","year":"2020","journal-title":"Proc Adv Neural Inf Process Syst (NeurIPS)"},{"doi-asserted-by":"publisher","key":"ref176","DOI":"10.1109\/CVPR.2018.00577"},{"key":"ref175","first-page":"2672","article-title":"Generative adversarial nets","author":"goodfellow","year":"2014","journal-title":"Proc Adv Neural Inf Process Syst (NeurIPS)"},{"key":"ref178","first-page":"2712","article-title":"Using pre-training can improve model robustness and uncertainty","author":"hendrycks","year":"2019","journal-title":"Proc Int Conf Mach Learn (ICML)"},{"doi-asserted-by":"publisher","key":"ref177","DOI":"10.1109\/CVPR.2017.19"},{"key":"ref168","article-title":"Transfer learning","author":"torrey","year":"2009","journal-title":"Handbook Of Research On Machine Learning Applications and Trends Algorithms Methods and Techniques"},{"doi-asserted-by":"publisher","key":"ref169","DOI":"10.1007\/978-3-030-01424-7_27"},{"key":"ref39","article-title":"Quantifying perceptual distortion of adversarial examples","author":"jordan","year":"2019","journal-title":"arXiv 1902 08265"},{"key":"ref38","article-title":"Perceptual adversarial robustness: Defense against unseen threat models","author":"laidlaw","year":"2020","journal-title":"arXiv 2006 12655"},{"doi-asserted-by":"publisher","key":"ref33","DOI":"10.5244\/C.29.106"},{"key":"ref32","article-title":"Towards deep learning models resistant to adversarial attacks","author":"madry","year":"2018","journal-title":"Proc Int Conf Learn Represent (ICLR)"},{"key":"ref31","article-title":"Explaining and harnessing adversarial examples","author":"goodfellow","year":"2015","journal-title":"Proc Int Conf Learn Represent (ICLR)"},{"doi-asserted-by":"publisher","key":"ref30","DOI":"10.1109\/SP.2017.49"},{"doi-asserted-by":"publisher","key":"ref37","DOI":"10.1109\/CVPRW.2018.00211"},{"key":"ref36","first-page":"10408","article-title":"Functional adversarial attacks","author":"laidlaw","year":"2019","journal-title":"Proc Adv Neural Inf Process Syst (NeurIPS)"},{"key":"ref35","first-page":"1802","article-title":"Exploring the landscape of spatial robustness","author":"engstrom","year":"2019","journal-title":"Proc Int Conf Mach Learn (ICML)"},{"doi-asserted-by":"publisher","key":"ref34","DOI":"10.1109\/CVPR.2018.00467"},{"key":"ref181","article-title":"Benchmarking neural network robustness to common corruptions and perturbations","author":"hendrycks","year":"2019","journal-title":"Proc Int Conf Learn Represent (ICLR)"},{"doi-asserted-by":"publisher","key":"ref180","DOI":"10.1109\/CVPR42600.2020.00041"},{"key":"ref185","article-title":"The many faces of robustness: A critical analysis of out-of-distribution generalization","author":"hendrycks","year":"2020","journal-title":"arXiv 2006 16241"},{"key":"ref184","article-title":"Noise or signal: The role of image backgrounds in object recognition","author":"xiao","year":"2020","journal-title":"arXiv 2006 09994"},{"key":"ref183","article-title":"ImageNet-trained CNNs are biased towards texture: Increasing shape bias improves accuracy and robustness","author":"geirhos","year":"2019","journal-title":"Proc Int Conf Learn Represent (ICLR)"},{"key":"ref182","first-page":"5389","article-title":"Do ImageNet classifiers generalize to ImageNet?","author":"recht","year":"2019","journal-title":"Proc Int Conf Mach Learn (ICML)"},{"key":"ref189","article-title":"Measuring robustness to natural distribution shifts in image classification","author":"taori","year":"2020","journal-title":"Proc Adv Neural Inf Process Syst (NeurIPS)"},{"key":"ref188","first-page":"2280","article-title":"Adversarial examples are a natural consequence of test error in noise","author":"gilmer","year":"2019","journal-title":"Proc Int Conf Mach Learn (ICML)"},{"key":"ref187","article-title":"Do CIFAR-10 classifiers generalize to CIFAR-10?","author":"recht","year":"2018","journal-title":"arXiv 1806 00451"},{"key":"ref186","article-title":"Natural adversarial examples","author":"hendrycks","year":"2019","journal-title":"arXiv 1907 07174"},{"doi-asserted-by":"publisher","key":"ref28","DOI":"10.1007\/s10994-017-5663-3"},{"key":"ref27","first-page":"1632","article-title":"Robustness of classifiers: From adversarial to random noise","author":"fawzi","year":"2016","journal-title":"Proc Adv Neural Inf Process Syst (NeurIPS)"},{"key":"ref179","article-title":"Adversarially robust transfer learning","author":"shafahi","year":"2020","journal-title":"Proc Int Conf Learn Represent (ICLR)"},{"doi-asserted-by":"publisher","key":"ref29","DOI":"10.1109\/CVPR.2016.282"},{"key":"ref20","article-title":"Adversarial attacks on multivariate time series","author":"harford","year":"2020","journal-title":"arXiv 2004 00410"},{"doi-asserted-by":"publisher","key":"ref22","DOI":"10.1109\/SPW.2018.00014"},{"doi-asserted-by":"publisher","key":"ref21","DOI":"10.1073\/pnas.1907377117"},{"doi-asserted-by":"publisher","key":"ref24","DOI":"10.1109\/CVPR.2018.00099"},{"doi-asserted-by":"publisher","key":"ref23","DOI":"10.1109\/ICCV.2017.153"},{"doi-asserted-by":"publisher","key":"ref26","DOI":"10.1007\/BF02551274"},{"doi-asserted-by":"publisher","key":"ref25","DOI":"10.1017\/CBO9781107298019"},{"key":"ref50","article-title":"Higher-order certification for randomized smoothing","author":"mohapatra","year":"2020","journal-title":"Proc Adv Neural Inf Process Syst (NeurIPS)"},{"key":"ref51","article-title":"Enabling certification of verification-agnostic networks via memory-efficient semidefinite programming","author":"dathathri","year":"2020","journal-title":"Proc Adv Neural Inf Process Syst (NeurIPS)"},{"key":"ref154","first-page":"895","article-title":"Model-agnostic counterfactual explanations for consequential decisions","author":"karimi","year":"2020","journal-title":"Proc Int Conf Artif Intell Statist (AISTATS)"},{"key":"ref153","article-title":"Defending against physically realizable attacks on image classification","author":"wu","year":"2020","journal-title":"Proc Int Conf Learn Represent (ICLR)"},{"key":"ref156","article-title":"Counterfactual explanations without opening the black box: Automated decisions and the GDPR","volume":"31","author":"wachter","year":"2018","journal-title":"Harvard J Law Technol"},{"key":"ref155","article-title":"Counterfactual explanations of machine learning predictions: Opportunities and challenges for AI safety","author":"sokol","year":"2019","journal-title":"Proc AAAI Workshop Artif Intell Saf"},{"key":"ref150","first-page":"4124","article-title":"Full-gradient representation for neural network visualization","author":"srinivas","year":"2019","journal-title":"Proc Adv Neural Inf Process Syst (NeurIPS)"},{"doi-asserted-by":"publisher","key":"ref152","DOI":"10.1109\/ICCV.2019.00304"},{"doi-asserted-by":"publisher","key":"ref151","DOI":"10.1109\/ICCV.2017.371"},{"key":"ref146","article-title":"Striving for simplicity: The all convolutional net","author":"springenberg","year":"2015","journal-title":"Proc Int Conf Learn Represent (ICLR) Workshop Track"},{"doi-asserted-by":"publisher","key":"ref147","DOI":"10.1109\/ICCV.2017.74"},{"key":"ref148","first-page":"3319","article-title":"Axiomatic attribution for deep networks","author":"sundararajan","year":"2017","journal-title":"Proc Int Conf Mach Learn (ICML)"},{"doi-asserted-by":"publisher","key":"ref149","DOI":"10.1109\/CVPR42600.2020.00886"},{"key":"ref59","article-title":"The space of transferable adversarial examples","author":"tram\u00e8r","year":"2017","journal-title":"arXiv 1704 03453"},{"doi-asserted-by":"publisher","key":"ref58","DOI":"10.1126\/science.aaw4399"},{"doi-asserted-by":"publisher","key":"ref57","DOI":"10.1109\/MSP.2020.2985363"},{"key":"ref56","first-page":"5866","article-title":"Adversarial training and robustness for multiple perturbations","author":"tramer","year":"2019","journal-title":"Proc Adv Neural Inf Process Syst (NeurIPS)"},{"key":"ref55","first-page":"6640","article-title":"Adversarial robustness against the union of multiple perturbation models","author":"maini","year":"2020","journal-title":"Proc Int Conf Mach Learn (ICML)"},{"doi-asserted-by":"publisher","key":"ref54","DOI":"10.1109\/CVPR.2019.00930"},{"key":"ref53","first-page":"274","article-title":"Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples","author":"athalye","year":"2018","journal-title":"Proc Int Conf Mach Learn (ICML)"},{"doi-asserted-by":"publisher","key":"ref52","DOI":"10.1145\/3128572.3140444"},{"key":"ref40","first-page":"6808","article-title":"Wasserstein adversarial examples via projected Sinkhorn iterations","author":"wong","year":"2019","journal-title":"Proc Int Conf Mach Learn (ICML)"},{"key":"ref167","article-title":"Exemplary natural images explain CNN activations better than feature visualizations","author":"borowski","year":"2020","journal-title":"arXiv 2010 12606"},{"key":"ref166","article-title":"Are perceptually-aligned gradients a general property of robust classifiers?","author":"kaur","year":"2019","journal-title":"Proc Sci Meets Eng Deep Learn Workshop NeurIPS"},{"key":"ref165","article-title":"Adversarial robustness as a prior for learned representations","author":"engstrom","year":"2019","journal-title":"arXiv 1906 00945"},{"key":"ref164","first-page":"1262","article-title":"Image synthesis with a single (robust) classifier","author":"santurkar","year":"2019","journal-title":"Proc Adv Neural Inf Process Syst (NeurIPS)"},{"key":"ref163","article-title":"FAR: A general framework for attributional robustness","author":"ivankay","year":"2020","journal-title":"arXiv 2010 07393"},{"key":"ref162","first-page":"14300","article-title":"Robust attribution regularization","author":"chen","year":"2019","journal-title":"Proc Adv Neural Inf Process Syst (NeurIPS)"},{"key":"ref161","article-title":"On the robustness of interpretability methods","author":"alvarez-melis","year":"2018","journal-title":"Proc Hum Interpretability Mach Learn Workshop (ICML)"},{"doi-asserted-by":"publisher","key":"ref160","DOI":"10.1609\/aaai.v33i01.33013681"},{"key":"ref4","doi-asserted-by":"crossref","first-page":"484","DOI":"10.1038\/nature16961","article-title":"Mastering the game of go with deep neural networks and tree search","volume":"529","author":"silver","year":"2016","journal-title":"Nature"},{"key":"ref3","first-page":"8634","article-title":"Evaluating machine accuracy on ImageNet","author":"shankar","year":"2020","journal-title":"Proc Int Conf Mach Learn (ICML)"},{"doi-asserted-by":"publisher","key":"ref6","DOI":"10.1145\/1014052.1014066"},{"key":"ref5","article-title":"Language models are few-shot learners","author":"brown","year":"2020","journal-title":"Proc Adv Neural Inf Process Syst (NeurIPS)"},{"key":"ref8","article-title":"Intriguing properties of neural networks","author":"szegedy","year":"2013","journal-title":"arXiv 1312 6199"},{"doi-asserted-by":"publisher","key":"ref159","DOI":"10.1007\/978-3-030-28954-6_14"},{"doi-asserted-by":"publisher","key":"ref7","DOI":"10.1145\/1081870.1081950"},{"doi-asserted-by":"publisher","key":"ref49","DOI":"10.1109\/ICCV.2019.00494"},{"doi-asserted-by":"publisher","key":"ref157","DOI":"10.24963\/ijcai.2018\/836"},{"key":"ref9","article-title":"Very deep convolutional networks for large-scale image recognition","author":"simonyan","year":"2015","journal-title":"Proc Int Conf Learn Represent (ICLR)"},{"key":"ref158","article-title":"Imperceptible adversarial attacks on tabular data","author":"ballet","year":"2019","journal-title":"Proc Robust AI Financial Services Workshop NeurIPS"},{"key":"ref46","article-title":"On the effectiveness of interval bound propagation for training verifiably robust models","author":"gowal","year":"2018","journal-title":"Proc Secur Mach Learn Workshop (NeurIPS)"},{"key":"ref45","article-title":"On evaluating adversarial robustness","author":"carlini","year":"2019","journal-title":"arXiv 1902 06705"},{"doi-asserted-by":"publisher","key":"ref48","DOI":"10.1016\/j.cosrev.2020.100270"},{"doi-asserted-by":"publisher","key":"ref47","DOI":"10.24963\/ijcai.2018\/368"},{"doi-asserted-by":"publisher","key":"ref42","DOI":"10.1145\/3374217"},{"key":"ref41","first-page":"10377","article-title":"Stronger and faster Wasserstein adversarial attacks","author":"wu","year":"2020","journal-title":"Proc Int Conf Mach Learn (ICML)"},{"doi-asserted-by":"publisher","key":"ref44","DOI":"10.1007\/978-3-319-63387-9_5"},{"key":"ref43","first-page":"1","article-title":"Greedy attack and gumbel attack: Generating adversarial examples for discrete data","volume":"21","author":"yang","year":"2020","journal-title":"J Mach Learn Res"},{"key":"ref73","first-page":"10749","article-title":"With friends like these, who needs adversaries?","author":"jetley","year":"2018","journal-title":"Proc Adv Neural Inf Process Syst (NeurIPS)"},{"key":"ref72","first-page":"11292","article-title":"Provably robust deep learning via adversarially trained smoothed classifiers","author":"salman","year":"2019","journal-title":"Proc Adv Neural Inf Process Syst (NeurIPS)"},{"key":"ref71","first-page":"10693","article-title":"Randomized smoothing of all shapes and sizes","author":"yang","year":"2020","journal-title":"Proc Int Conf Mach Learn (ICML)"},{"key":"ref70","first-page":"1310","article-title":"Certified adversarial robustness via randomized smoothing","author":"cohen","year":"2019","journal-title":"Proc Int Conf Mach Learn (ICML)"},{"key":"ref76","article-title":"Adversarial examples in the physical world","author":"kurakin","year":"2017","journal-title":"Proc Int Conf Learn Represent (ICLR) Workshop Track"},{"doi-asserted-by":"publisher","key":"ref77","DOI":"10.1109\/CVPR.2018.00175"},{"doi-asserted-by":"publisher","key":"ref74","DOI":"10.1109\/ICCV.2019.00499"},{"doi-asserted-by":"publisher","key":"ref75","DOI":"10.1109\/CVPR42600.2020.00847"},{"key":"ref78","first-page":"2137","article-title":"Black-box adversarial attacks with limited queries and information","author":"ilyas","year":"2018","journal-title":"Proc Int Conf Mach Learn (ICML)"},{"key":"ref79","first-page":"2484","article-title":"Simple black-box adversarial attacks","author":"guo","year":"2019","journal-title":"Proc Int Conf Mach Learn (ICML)"},{"key":"ref60","article-title":"Robustness of classifiers to universal perturbations: A geometric perspective","author":"moosavi-dezfooli","year":"2018","journal-title":"Proc Int Conf Learn Represent (ICLR)"},{"key":"ref62","article-title":"Hold me tight! Influence of discriminative features on deep network boundaries","author":"ortiz-jimenez","year":"2020","journal-title":"Proc Adv Neural Inf Process Syst (NeurIPS)"},{"doi-asserted-by":"publisher","key":"ref61","DOI":"10.1109\/CVPR.2018.00396"},{"doi-asserted-by":"publisher","key":"ref63","DOI":"10.1109\/CVPR.2016.90"},{"year":"2009","author":"krizhevsky","article-title":"Learning multiple layers of features from tiny images","key":"ref64"},{"doi-asserted-by":"publisher","key":"ref65","DOI":"10.1109\/CVPR.2019.00929"},{"doi-asserted-by":"publisher","key":"ref66","DOI":"10.1109\/CVPR.2017.17"},{"key":"ref67","article-title":"Uncovering the limits of adversarial training against norm-bounded adversarial examples","author":"gowal","year":"2020","journal-title":"arXiv 2010 03593"},{"key":"ref68","first-page":"13847","article-title":"Adversarial robustness through local linearization","author":"qin","year":"2019","journal-title":"Proc Adv Neural Inf Process Syst (NeurIPS)"},{"key":"ref69","first-page":"8981","article-title":"Second-order provable defenses against adversarial attacks","author":"singla","year":"2020","journal-title":"Proc Int Conf Mach Learn (ICML)"},{"doi-asserted-by":"publisher","key":"ref197","DOI":"10.1109\/CVPR.2019.00498"},{"doi-asserted-by":"publisher","key":"ref198","DOI":"10.1109\/CVPR42600.2020.00123"},{"key":"ref199","article-title":"Learning perturbation sets for robust machine learning","author":"wong","year":"2020","journal-title":"arXiv 2007 08450"},{"doi-asserted-by":"publisher","key":"ref193","DOI":"10.18653\/v1\/P19-1425"},{"key":"ref194","article-title":"Spatially transformed adversarial examples","author":"xiao","year":"2018","journal-title":"Proc Int Conf Learn Represent (ICLR)"},{"key":"ref195","first-page":"284","article-title":"Synthesizing robust adversarial examples","author":"athalye","year":"2018","journal-title":"Proc Int Conf Mach Learn (ICML)"},{"key":"ref196","article-title":"ADEF: An iterative algorithm to construct adversarial deformations","author":"alaifari","year":"2019","journal-title":"Proc Int Conf Learn Represent (ICLR)"},{"doi-asserted-by":"publisher","key":"ref95","DOI":"10.1146\/annurev-vision-091718-014951"},{"key":"ref94","first-page":"5014","article-title":"Adversarially robust generalization requires more data","author":"schmidt","year":"2018","journal-title":"Proc Adv Neural Inf Process Syst (NeurIPS)"},{"key":"ref190","article-title":"YOLOv4: Optimal speed and accuracy of object detection","author":"bochkovskiy","year":"2020","journal-title":"arXiv 2004 10934"},{"key":"ref93","article-title":"Feature purification: How adversarial training performs robust deep learning","author":"allen-zhu","year":"2020","journal-title":"arXiv 2005 10190"},{"key":"ref191","article-title":"Adversarial training methods for semi-supervised text classification","author":"miyato","year":"2017","journal-title":"Proc Int Conf Learn Represent (ICLR)"},{"key":"ref92","article-title":"Learning the difference that makes a difference with counterfactually-augmented data","author":"kaushik","year":"2020","journal-title":"Proc Int Conf Learn Represent (ICLR)"},{"doi-asserted-by":"publisher","key":"ref192","DOI":"10.1109\/TPAMI.2018.2858821"},{"key":"ref91","article-title":"Conditional variance penalties and domain shift robustness","author":"heinze-deml","year":"2019","journal-title":"arXiv 1710 11469"},{"doi-asserted-by":"publisher","key":"ref90","DOI":"10.1109\/DSW.2018.8439889"},{"doi-asserted-by":"publisher","key":"ref98","DOI":"10.1007\/978-3-030-58571-6_19"},{"key":"ref99","first-page":"1646","article-title":"Generalized no free lunch theorem for adversarial robustness","author":"dohmatob","year":"2019","journal-title":"Proc Int Conf Mach Learn (ICML)"},{"key":"ref96","first-page":"819","article-title":"Adversarial examples improve image recognition","author":"xie","year":"2020","journal-title":"Proc IEEE Conf Comput Vis Pattern Recognit (CVPR)"},{"key":"ref97","article-title":"FreeLB: Enhanced adversarial training for natural language understanding","author":"zhu","year":"2020","journal-title":"Proc Int Conf Learn Represent (ICLR)"},{"key":"ref82","first-page":"7909","article-title":"Understanding and mitigating the tradeoff between robustness and accuracy","author":"raghunathan","year":"2020","journal-title":"Proc Int Conf Mach Learn (ICML)"},{"key":"ref81","first-page":"1178","article-title":"Adversarial vulnerability for any classifier","author":"fawzi","year":"2018","journal-title":"Proc Adv Neural Inf Process Syst (NeurIPS)"},{"key":"ref84","article-title":"Predicting the generalization gap in deep networks with margin distributions","author":"jiang","year":"2019","journal-title":"Proc Int Conf Learn Represent (ICLR)"},{"key":"ref83","article-title":"Adversarial spheres","author":"gilmer","year":"2018","journal-title":"Proc Int Conf Learn Represent (ICLR) Workshop Track"},{"key":"ref80","article-title":"A survey of black-box adversarial attacks on computer vision models","author":"bhambri","year":"2019","journal-title":"arXiv 1912 01667"},{"year":"2017","author":"peters","journal-title":"Elements of Causal Inference Foundations and Learning Algorithms","key":"ref89"},{"key":"ref85","first-page":"7858","article-title":"Detecting overfitting via adversarial examples","author":"werpachowski","year":"2019","journal-title":"Proc Adv Neural Inf Process Syst (NeurIPS)"},{"doi-asserted-by":"publisher","key":"ref86","DOI":"10.1007\/BF00994018"},{"key":"ref87","article-title":"Sensitivity and generalization in neural networks: An empirical study","author":"novak","year":"2018","journal-title":"Proc Int Conf Learn Represent (ICLR)"},{"key":"ref88","first-page":"125","article-title":"Adversarial examples are not bugs, they are features","author":"ilyas","year":"2019","journal-title":"Proc Adv Neural Inf Process Syst (NeurIPS)"},{"doi-asserted-by":"publisher","key":"ref200","DOI":"10.1109\/CVPR.2019.00013"},{"key":"ref101","first-page":"11192","article-title":"Unlabeled data improves adversarial robustness","author":"carmon","year":"2019","journal-title":"Proc Adv Neural Inf Process Syst (NeurIPS)"},{"key":"ref100","first-page":"12214","article-title":"Are labels required for improving adversarial robustness?","author":"alayrac","year":"2019","journal-title":"Proc Adv Neural Inf Process Syst (NeurIPS)"},{"key":"ref209","article-title":"Adversarially robust neural architectures","author":"dong","year":"2020","journal-title":"arXiv 2009 00902"},{"key":"ref203","first-page":"7472","article-title":"Theoretically principled trade-off between robustness and accuracy","author":"zhang","year":"2019","journal-title":"Proc Int Conf Mach Learn (ICML)"},{"doi-asserted-by":"publisher","key":"ref204","DOI":"10.1145\/3338501.3357369"},{"doi-asserted-by":"publisher","key":"ref201","DOI":"10.1109\/ICCV.2019.00608"},{"key":"ref202","first-page":"9155","article-title":"Confidence-calibrated adversarial training: Generalizing to unseen attacks","author":"stutz","year":"2020","journal-title":"Proc Int Conf Mach Learn (ICML)"},{"key":"ref207","article-title":"Smooth adversarial training","author":"xie","year":"2020","journal-title":"arXiv 2006 14536"},{"doi-asserted-by":"publisher","key":"ref208","DOI":"10.1109\/CVPR42600.2020.00071"},{"key":"ref205","first-page":"11615","article-title":"Uniform convergence may be unable to explain generalization in deep learning","author":"nagarajan","year":"2019","journal-title":"Proc Adv Neural Inf Process Syst (NeurIPS)"},{"key":"ref206","article-title":"Neural anisotropy directions","author":"ortiz-jimenez","year":"2020","journal-title":"Proc Adv Neural Inf Process Syst (NeurIPS)"},{"key":"ref211","article-title":"Biologically inspired mechanisms for adversarial robustness","author":"reddy","year":"2020","journal-title":"Proc Adv Neural Inf Process Syst (NeurIPS)"},{"key":"ref210","article-title":"Simulating a primary visual cortex at the front of CNNs improves robustness to image perturbations","author":"dapello","year":"2020","journal-title":"Proc Adv Neural Inf Process Syst (NeurIPS)"},{"key":"ref127","first-page":"14785","article-title":"Invariance-inducing regularization using worst-case transformations suffices to boost accuracy and spatial robustness","author":"yang","year":"2019","journal-title":"Proc Adv Neural Inf Process Syst (NeurIPS)"},{"key":"ref126","article-title":"Laplacian networks: Bounding indicator function smoothness for neural network robustness","author":"lassance","year":"2018","journal-title":"arXiv 1805 10133"},{"key":"ref125","first-page":"281","article-title":"Random search for hyper-parameter optimization","volume":"13","author":"bergstra","year":"2012","journal-title":"J Mach Learn Res"},{"key":"ref124","first-page":"2206","article-title":"Reliable evaluation of adversarial robustness with an ensemble of diverse parameter-free attacks","author":"croce","year":"2020","journal-title":"Proc Int Conf Mach Learn (ICML)"},{"doi-asserted-by":"publisher","key":"ref129","DOI":"10.24963\/ijcai.2017\/371"},{"doi-asserted-by":"publisher","key":"ref128","DOI":"10.1109\/CVPR.2016.485"},{"key":"ref130","article-title":"Enhancing the reliability of out-of-distribution image detection in neural networks","author":"liang","year":"2018","journal-title":"Proc Int Conf Learn Represent (ICLR)"},{"doi-asserted-by":"publisher","key":"ref133","DOI":"10.1145\/3319535.3354211"},{"doi-asserted-by":"publisher","key":"ref134","DOI":"10.1109\/SP.2019.00044"},{"key":"ref131","first-page":"3711","article-title":"DROCC: Deep robust one-class classification","author":"goyal","year":"2020","journal-title":"Proc Int Conf Mach Learn (ICML)"},{"key":"ref132","first-page":"513","article-title":"AttriGuard: A practical defense against attribute inference attacks via adversarial machine learning","author":"jia","year":"2018","journal-title":"Proc 27th USENIX Secur Symp"},{"key":"ref136","article-title":"Censoring representations with an adversary","author":"edwards","year":"2016","journal-title":"Proc Int Conf Learn Represent (ICLR)"},{"key":"ref135","article-title":"Training individually fair ML models with sensitive subspace robustness","author":"yurochkin","year":"2020","journal-title":"Proc Int Conf Learn Represent (ICLR)"},{"doi-asserted-by":"publisher","key":"ref138","DOI":"10.1145\/3278721.3278779"},{"doi-asserted-by":"publisher","key":"ref137","DOI":"10.1145\/3306618.3317950"},{"key":"ref139","first-page":"3384","article-title":"Learning adversarially fair and transferable representations","author":"madras","year":"2018","journal-title":"Proc Int Conf Mach Learn (ICML)"},{"key":"ref140","article-title":"The many faces of robustness: A critical analysis of out-of-distribution generalization","author":"hendrycks","year":"2020","journal-title":"arXiv 2006 16241"},{"year":"2009","author":"erhan","article-title":"Visualizing higher-layer features of a deep network","key":"ref141"},{"key":"ref142","doi-asserted-by":"crossref","first-page":"533","DOI":"10.1038\/323533a0","article-title":"Learning representations by back-propagating errors","volume":"323","author":"rumelhart","year":"1986","journal-title":"Nature"},{"doi-asserted-by":"publisher","key":"ref143","DOI":"10.1145\/2939672.2939778"},{"key":"ref2","doi-asserted-by":"crossref","first-page":"436","DOI":"10.1038\/nature14539","article-title":"Deep learning","volume":"521","author":"lecun","year":"2015","journal-title":"Nature"},{"doi-asserted-by":"publisher","key":"ref144","DOI":"10.1371\/journal.pone.0130140"},{"doi-asserted-by":"publisher","key":"ref1","DOI":"10.1007\/BF02478259"},{"key":"ref145","article-title":"Deep inside convolutional networks: Visualising image classification models and saliency maps","author":"simonyan","year":"2013","journal-title":"arXiv 1312 6034"},{"doi-asserted-by":"publisher","key":"ref109","DOI":"10.24963\/ijcai.2019\/470"},{"key":"ref108","article-title":"When do neural networks outperform kernel methods?","author":"ghorbani","year":"2020","journal-title":"Proc Adv Neural Inf Process Syst (NeurIPS)"},{"key":"ref107","article-title":"Relational inductive biases, deep learning, and graph networks","author":"battaglia","year":"2018","journal-title":"arXiv 1806 01261"},{"year":"1980","author":"mitchell","article-title":"The need for biases in learning generalizations","key":"ref106"},{"key":"ref105","first-page":"13255","article-title":"A Fourier perspective on model robustness in computer vision","author":"yin","year":"2019","journal-title":"Proc Adv Neural Inf Process Syst (NeurIPS)"},{"key":"ref104","first-page":"1670","article-title":"More data can expand the generalization gap between adversarially robust and standard models","author":"chen","year":"2020","journal-title":"Proc Int Conf Mach Learn (ICML)"},{"key":"ref103","first-page":"5541","article-title":"Robustness to adversarial perturbations in learning from incomplete data","author":"najafi","year":"2020","journal-title":"Proc Adv Neural Inf Process Syst (NeurIPS)"},{"key":"ref102","article-title":"Adversarially robust generalization just requires more unlabeled data","author":"zhai","year":"2019","journal-title":"arXiv 1906 00555"},{"key":"ref111","article-title":"Redundant features can hurt robustness to distribution shift","author":"ortiz-jimenez","year":"2020","journal-title":"Proc Uncertainty Robustness Deep Learn Workshop (ICML)"},{"doi-asserted-by":"publisher","key":"ref112","DOI":"10.1016\/S0079-7421(08)60536-8"},{"doi-asserted-by":"publisher","key":"ref110","DOI":"10.1109\/CVPR.2019.00014"},{"doi-asserted-by":"publisher","key":"ref10","DOI":"10.1109\/CVPR.2009.5206848"},{"doi-asserted-by":"publisher","key":"ref11","DOI":"10.1016\/j.patcog.2018.07.023"},{"doi-asserted-by":"publisher","key":"ref12","DOI":"10.1109\/ACCESS.2018.2807385"},{"doi-asserted-by":"publisher","key":"ref13","DOI":"10.1109\/TNNLS.2018.2886017"},{"doi-asserted-by":"publisher","key":"ref14","DOI":"10.1109\/JPROC.2020.2970615"},{"doi-asserted-by":"publisher","key":"ref15","DOI":"10.1109\/MSP.2017.2740965"},{"key":"ref16","first-page":"1660","article-title":"Improving the adversarial robustness and interpretability of deep neural networks by regularizing their input gradients","author":"ross","year":"2018","journal-title":"Proc AAAI Conf Artif Intell"},{"key":"ref118","first-page":"9561","article-title":"Fundamental tradeoffs between invariance and sensitivity to adversarial perturbations","author":"tram\u00e8r","year":"2020","journal-title":"Proc Int Conf Mach Learn (ICML)"},{"key":"ref17","article-title":"Robustness may be at odds with accuracy","author":"tsipras","year":"2019","journal-title":"Proc Int Conf Learn Represent (ICLR)"},{"key":"ref117","article-title":"Excessive invariance causes adversarial vulnerability","author":"jacobsen","year":"2019","journal-title":"Proc Int Conf Learn Represent (ICLR)"},{"key":"ref18","article-title":"Adversarial attacks, regression, and numerical stability regularization","author":"nguyen","year":"2019","journal-title":"Proc Eng Dependable Secure Mach Learn Syst WORKSHOP AAAI"},{"key":"ref19","article-title":"The troublesome kernel: Why deep learning for inverse problems is typically unstable","author":"gottschling","year":"2020","journal-title":"arXiv 2001 01258"},{"doi-asserted-by":"publisher","key":"ref119","DOI":"10.1038\/s41467-019-08931-6"},{"key":"ref114","article-title":"Robust optimization in machine learning","author":"caramanis","year":"2012","journal-title":"Optimization for Machine Learning"},{"key":"ref113","first-page":"1485","article-title":"Robustness and regularization of support vector machines","volume":"10","author":"xu","year":"2009","journal-title":"J Mach Learn Res"},{"doi-asserted-by":"publisher","key":"ref116","DOI":"10.1109\/ICISIP.2004.1287696"},{"key":"ref115","first-page":"555","article-title":"A robust minimax approach to classification","volume":"3","author":"lanckriet","year":"2003","journal-title":"J Mach Learn Res"},{"key":"ref120","first-page":"8093","article-title":"Overfitting in adversarially robust deep learning","author":"rice","year":"2020","journal-title":"Proc Int Conf Mach Learn (ICML)"},{"key":"ref121","article-title":"Understanding deep learning requires rethinking generalization","author":"zhang","year":"2017","journal-title":"Proc Int Conf Learn Represent (ICLR)"},{"key":"ref122","article-title":"Fast is better than free: Revisiting adversarial training","author":"wong","year":"2020","journal-title":"Proc Int Conf Learn Represent (ICLR)"},{"key":"ref123","article-title":"Understanding and improving fast adversarial training","author":"andriushchenko","year":"2020","journal-title":"Proc Adv Neural Inf Process Syst (NeurIPS)"}],"container-title":["Proceedings of the IEEE"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx7\/5\/9420072\/09348948.pdf?arnumber=9348948","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2021,10,6]],"date-time":"2021-10-06T03:06:05Z","timestamp":1633489565000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/9348948\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,5]]},"references-count":211,"journal-issue":{"issue":"5"},"URL":"https:\/\/doi.org\/10.1109\/jproc.2021.3050042","relation":{},"ISSN":["0018-9219","1558-2256"],"issn-type":[{"type":"print","value":"0018-9219"},{"type":"electronic","value":"1558-2256"}],"subject":[],"published":{"date-parts":[[2021,5]]}}}