{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,10]],"date-time":"2026-02-10T17:04:44Z","timestamp":1770743084966,"version":"3.49.0"},"reference-count":86,"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","license":[{"start":{"date-parts":[[2023,1,1]],"date-time":"2023-01-01T00:00:00Z","timestamp":1672531200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/ieeexplore.ieee.org\/Xplorehelp\/downloads\/license-information\/IEEE.html"},{"start":{"date-parts":[[2023,1,1]],"date-time":"2023-01-01T00:00:00Z","timestamp":1672531200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2023,1,1]],"date-time":"2023-01-01T00:00:00Z","timestamp":1672531200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"}],"funder":[{"name":"Innovation Project of Guangxi Graduate Education","award":["YCBZ2021019"],"award-info":[{"award-number":["YCBZ2021019"]}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IEEE Trans.Inform.Forensic Secur."],"published-print":{"date-parts":[[2023]]},"DOI":"10.1109\/tifs.2023.3278458","type":"journal-article","created":{"date-parts":[[2023,5,22]],"date-time":"2023-05-22T17:46:59Z","timestamp":1684777619000},"page":"3267-3276","source":"Crossref","is-referenced-by-count":19,"title":["The Art of Defense: Letting Networks Fool the Attacker"],"prefix":"10.1109","volume":"18","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-3457-1982","authenticated-orcid":false,"given":"Jinlai","family":"Zhang","sequence":"first","affiliation":[{"name":"College of Mechanical Engineering, Guangxi University, Nanning, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Yinpeng","family":"Dong","sequence":"additional","affiliation":[{"name":"Department of Computer Science and Technology, Tsinghua University, Beijing, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Minchi","family":"Kuang","sequence":"additional","affiliation":[{"name":"Department of Precision Instrument, Tsinghua University, Beijing, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1644-3098","authenticated-orcid":false,"given":"Binbin","family":"Liu","sequence":"additional","affiliation":[{"name":"Department of Computer Science and Technology, Tsinghua University, Beijing, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Bo","family":"Ouyang","sequence":"additional","affiliation":[{"name":"Department of Computer Science and Technology, Tsinghua University, Beijing, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6830-1211","authenticated-orcid":false,"given":"Jihong","family":"Zhu","sequence":"additional","affiliation":[{"name":"Department of Precision Instrument, Tsinghua University, Beijing, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Houqing","family":"Wang","sequence":"additional","affiliation":[{"name":"Department of Precision Instrument, Tsinghua University, Beijing, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Yanmei","family":"Meng","sequence":"additional","affiliation":[{"name":"College of Mechanical Engineering, Guangxi University, Nanning, China"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"263","reference":[{"key":"ref13","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR52688.2022.01490"},{"key":"ref57","article-title":"PixelDefend: Leveraging generative models to understand and defend against adversarial examples","author":"song","year":"2017","journal-title":"arXiv 1710 10766"},{"key":"ref12","first-page":"16048","article-title":"Understanding and improving fast adversarial training","volume":"33","author":"andriushchenko","year":"2020","journal-title":"Proc Adv Neural Inf Process Syst"},{"key":"ref56","article-title":"Characterizing adversarial subspaces using local intrinsic dimensionality","author":"ma","year":"2018","journal-title":"arXiv 1801 02613"},{"key":"ref15","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-01234-2_23"},{"key":"ref59","article-title":"Thwarting adversarial examples: An L0-robustsparse Fourier transform","author":"bafna","year":"2018","journal-title":"arXiv 1812 05013"},{"key":"ref14","first-page":"7717","article-title":"Randomization matters how to defend against strong adversarial attacks","author":"pinot","year":"2020","journal-title":"Proc Int Conf Mach Learn"},{"key":"ref58","article-title":"Defense-GAN: Protecting classifiers against adversarial attacks using generative models","author":"samangouei","year":"2018","journal-title":"arXiv 1805 06605"},{"key":"ref53","article-title":"GAT: Generative adversarial training for adversarial example detection and robust classification","author":"yin","year":"2019","journal-title":"arXiv 1905 11475"},{"key":"ref52","first-page":"5498","article-title":"The odds are odd: A statistical test for detecting adversarial examples","author":"roth","year":"2019","journal-title":"Proc Int Conf Mach Learn"},{"key":"ref11","article-title":"Adversarial training for free!","volume":"32","author":"shafahi","year":"2019","journal-title":"Proc Adv Neural Inf Process Syst"},{"key":"ref55","first-page":"3804","article-title":"Are generative classifiers more robust to adversarial attacks?","author":"li","year":"2019","journal-title":"Proc Int Conf Mach Learn"},{"key":"ref10","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR42600.2020.00040"},{"key":"ref54","article-title":"A new defense against adversarial images: Turning a weakness into a strength","author":"yu","year":"2019","journal-title":"arXiv 1910 07629"},{"key":"ref17","doi-asserted-by":"publisher","DOI":"10.1109\/TPAMI.2022.3169217"},{"key":"ref16","article-title":"Adv-BNN: Improved adversarial defense through robust Bayesian neural network","author":"liu","year":"2018","journal-title":"arXiv 1810 01279"},{"key":"ref19","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2019.00669"},{"key":"ref18","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2019.01148"},{"key":"ref51","article-title":"Stochastic activation pruning for robust adversarial defense","author":"dhillon","year":"2018","journal-title":"arXiv 1803 01442"},{"key":"ref50","article-title":"Mitigating adversarial effects through randomization","author":"xie","year":"2017","journal-title":"arXiv 1711 01991"},{"key":"ref46","article-title":"Thermometer encoding: One hot way to resist adversarial examples","author":"buckman","year":"2018","journal-title":"Proc Int Conf Learn Represent"},{"key":"ref45","article-title":"Rethinking softmax cross-entropy loss for adversarial robustness","author":"pang","year":"2019","journal-title":"arXiv 1905 10626"},{"key":"ref48","first-page":"4970","article-title":"Improving adversarial robustness via promoting ensemble diversity","author":"pang","year":"2019","journal-title":"Proc Int Conf Mach Learn"},{"key":"ref47","article-title":"EMPIR: Ensembles of mixed precision deep networks for increased robustness against adversarial attacks","author":"sen","year":"2020","journal-title":"arXiv 2004 10162"},{"key":"ref42","article-title":"You only propagate once: Accelerating adversarial training via maximal principle","author":"zhang","year":"2019","journal-title":"arXiv 1905 00877"},{"key":"ref86","article-title":"Ensemble adversarial training: Attacks and defenses","author":"tram\u00e8r","year":"2017","journal-title":"arXiv 1705 07204"},{"key":"ref41","article-title":"Adversarial training for free!","author":"shafahi","year":"2019","journal-title":"arXiv 1904 12843"},{"key":"ref85","article-title":"PointDP: Diffusion-driven purification against adversarial attacks on 3D point cloud recognition","author":"sun","year":"2023","journal-title":"Proc 40th Int Conf Mach Learn"},{"key":"ref44","article-title":"Cascade adversarial machine learning regularized with a unified embedding","author":"na","year":"2017","journal-title":"arXiv 1708 02582"},{"key":"ref43","article-title":"Fast is better than free: Revisiting adversarial training","author":"wong","year":"2020","journal-title":"arXiv 2001 03994"},{"key":"ref49","article-title":"Enhancing adversarial defense by k-winners-take-all","author":"xiao","year":"2019","journal-title":"arXiv 1905 10510"},{"key":"ref8","doi-asserted-by":"publisher","DOI":"10.1016\/j.jfoodeng.2020.109965"},{"key":"ref7","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.90"},{"key":"ref9","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR42600.2020.00620"},{"key":"ref4","article-title":"Language models are few-shot learners","author":"brown","year":"2020","journal-title":"arXiv 2005 14165"},{"key":"ref3","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.91"},{"key":"ref6","doi-asserted-by":"publisher","DOI":"10.1016\/j.patcog.2019.01.006"},{"key":"ref5","first-page":"5099","article-title":"PointNet++: Deep hierarchical feature learning on point sets in a metric space","volume":"30","author":"qi","year":"2017","journal-title":"Proc Adv Neural Inf Process Syst"},{"key":"ref82","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2018.00295"},{"key":"ref81","article-title":"Adversarial attack and defense on point sets","author":"yang","year":"2019","journal-title":"arXiv 1902 10899"},{"key":"ref40","article-title":"Generative adversarial networks","author":"goodfellow","year":"2014","journal-title":"arXiv 1406 2661"},{"key":"ref84","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR52688.2022.01486"},{"key":"ref83","first-page":"15498","article-title":"Adversarially robust 3D point cloud recognition using self-supervisions","volume":"34","author":"sun","year":"2021","journal-title":"Proc Adv Neural Inf Process Syst"},{"key":"ref80","article-title":"Towards deep learning models resistant to adversarial attacks","author":"madry","year":"2017","journal-title":"arXiv 1706 06083"},{"key":"ref35","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV.2019.00205"},{"key":"ref79","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV48922.2021.00095"},{"key":"ref34","doi-asserted-by":"publisher","DOI":"10.1109\/TPAMI.2020.3044712"},{"key":"ref78","doi-asserted-by":"publisher","DOI":"10.1007\/s41095-021-0229-5"},{"key":"ref37","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV.2019.00168"},{"key":"ref36","doi-asserted-by":"publisher","DOI":"10.1145\/3394171.3413875"},{"key":"ref31","article-title":"Adam: A method for stochastic optimization","author":"kingma","year":"2014","journal-title":"arXiv 1412 6980"},{"key":"ref75","doi-asserted-by":"publisher","DOI":"10.1145\/3326362"},{"key":"ref30","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.49"},{"key":"ref74","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR42600.2020.00128"},{"key":"ref33","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v34i01.5443"},{"key":"ref77","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR46437.2021.00319"},{"key":"ref32","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2019.00935"},{"key":"ref76","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2019.00985"},{"key":"ref2","doi-asserted-by":"publisher","DOI":"10.1109\/TII.2020.3024643"},{"key":"ref1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR42600.2020.01054"},{"key":"ref39","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR42600.2020.01037"},{"key":"ref38","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-58610-2_15"},{"key":"ref71","first-page":"1912","article-title":"3D ShapeNets: A deep representation for volumetric shapes","author":"wu","year":"2015","journal-title":"Proc IEEE Conf Comput Vis Pattern Recognit (CVPR)"},{"key":"ref70","first-page":"284","article-title":"Synthesizing robust adversarial examples","author":"athalye","year":"2018","journal-title":"Proc Int Conf Mach Learn"},{"key":"ref73","doi-asserted-by":"publisher","DOI":"10.1016\/j.neucom.2022.07.049"},{"key":"ref72","article-title":"IF-defense: 3D adversarial point cloud defense via implicit function based restoration","author":"wu","year":"2020","journal-title":"arXiv 2010 05272"},{"key":"ref24","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2017.17"},{"key":"ref68","first-page":"1633","article-title":"On adaptive attacks to adversarial example defenses","volume":"33","author":"tramer","year":"2020","journal-title":"Proc Adv Neural Inf Process Syst"},{"key":"ref23","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.282"},{"key":"ref67","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2017.16"},{"key":"ref26","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2018.00175"},{"key":"ref25","doi-asserted-by":"publisher","DOI":"10.1109\/TEVC.2019.2890858"},{"key":"ref69","article-title":"Towards the science of security and privacy in machine learning","author":"papernot","year":"2016","journal-title":"arXiv 1611 03814"},{"key":"ref20","article-title":"Countering adversarial images using input transformations","author":"guo","year":"2017","journal-title":"arXiv 1711 00117"},{"key":"ref64","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR42600.2020.01153"},{"key":"ref63","first-page":"274","article-title":"Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples","author":"athalye","year":"2018","journal-title":"Proc Int Conf Mach Learn"},{"key":"ref22","article-title":"Intriguing properties of neural networks","author":"szegedy","year":"2013","journal-title":"arXiv 1312 6199"},{"key":"ref66","first-page":"1","article-title":"Interpreting and boosting dropout from a game-theoretic view","author":"zhang","year":"2020","journal-title":"Proc Int Conf Learn Represent"},{"key":"ref21","first-page":"1310","article-title":"Certified adversarial robustness via randomized smoothing","author":"cohen","year":"2019","journal-title":"Proc Int Conf Mach Learn"},{"key":"ref65","article-title":"Towards a unified game-theoretic view of adversarial perturbations and robustness","volume":"34","author":"ren","year":"2021","journal-title":"Proc Adv Neural Inf Process Syst"},{"key":"ref28","article-title":"Adversarial machine learning at scale","author":"kurakin","year":"2016","journal-title":"arXiv 1611 01236"},{"key":"ref27","article-title":"Explaining and harnessing adversarial examples","author":"goodfellow","year":"2014","journal-title":"arXiv 1412 6572"},{"key":"ref29","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2018.00957"},{"key":"ref60","article-title":"Mixup inference: Better exploiting mixup to defend adversarial attacks","author":"pang","year":"2019","journal-title":"arXiv 1909 11515"},{"key":"ref62","first-page":"8646","article-title":"Error correcting output codes improve probability estimation and adversarial robustness of deep neural networks","volume":"32","author":"verma","year":"2019","journal-title":"Proc Adv Neural Inf Process Syst"},{"key":"ref61","article-title":"ME-Net: Towards effective adversarial robustness with matrix estimation","author":"yang","year":"2019","journal-title":"arXiv 1905 11971"}],"container-title":["IEEE Transactions on Information Forensics and Security"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx7\/10206\/9970396\/10130393.pdf?arnumber=10130393","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2023,6,26]],"date-time":"2023-06-26T18:30:34Z","timestamp":1687804234000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/10130393\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023]]},"references-count":86,"URL":"https:\/\/doi.org\/10.1109\/tifs.2023.3278458","relation":{},"ISSN":["1556-6013","1556-6021"],"issn-type":[{"value":"1556-6013","type":"print"},{"value":"1556-6021","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023]]}}}