{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,16]],"date-time":"2026-01-16T18:47:15Z","timestamp":1768589235773,"version":"3.49.0"},"publisher-location":"New York, NY, USA","reference-count":38,"publisher":"ACM","license":[{"start":{"date-parts":[[2018,1,15]],"date-time":"2018-01-15T00:00:00Z","timestamp":1515974400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/100000001","name":"National Science Foundation","doi-asserted-by":"publisher","award":["1406192, 1652698, 1700527"],"award-info":[{"award-number":["1406192, 1652698, 1700527"]}],"id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2018,1,15]]},"DOI":"10.1145\/3270101.3270111","type":"proceedings-article","created":{"date-parts":[[2018,10,16]],"date-time":"2018-10-16T13:23:10Z","timestamp":1539696190000},"page":"25-36","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":5,"title":["Stochastic Substitute Training"],"prefix":"10.1145","author":[{"given":"Mohammad","family":"Hashemi","sequence":"first","affiliation":[{"name":"University of Colorado Boulder, Boulder, CO, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Greg","family":"Cusack","sequence":"additional","affiliation":[{"name":"University of Colorado Boulder, Boulder, CO, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Eric","family":"Keller","sequence":"additional","affiliation":[{"name":"University of Colorado Boulder, Boulder, CO, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2018,1,15]]},"reference":[{"key":"e_1_3_2_1_1_1","volume-title":"Proceedings of the 35th International Conference on Machine Learning, ICML 2018 . https:\/\/arxiv.org\/abs\/1802","author":"Athalye Anish","year":"2018","unstructured":"Anish Athalye , Nicholas Carlini , and David Wagner . 2018 . Obfuscated Gradients Give a False Sense of Security: Circumventing Defenses to Adversarial Examples . In Proceedings of the 35th International Conference on Machine Learning, ICML 2018 . https:\/\/arxiv.org\/abs\/1802 .00420 Anish Athalye, Nicholas Carlini, and David Wagner. 2018. Obfuscated Gradients Give a False Sense of Security: Circumventing Defenses to Adversarial Examples. In Proceedings of the 35th International Conference on Machine Learning, ICML 2018 . https:\/\/arxiv.org\/abs\/1802.00420"},{"key":"e_1_3_2_1_2_1","volume-title":"Proceedings of AAAI-2018 . http:\/\/www.esprockets.com\/papers\/aaai2018","author":"Baluja Shumeet","year":"2018","unstructured":"Shumeet Baluja and Ian Fischer . 2018 . Learning to Attack: Adversarial Transformation Networks . In Proceedings of AAAI-2018 . http:\/\/www.esprockets.com\/papers\/aaai2018 .pdf Shumeet Baluja and Ian Fischer. 2018. Learning to Attack: Adversarial Transformation Networks. In Proceedings of AAAI-2018 . http:\/\/www.esprockets.com\/papers\/aaai2018.pdf"},{"key":"e_1_3_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-40994-3_25"},{"key":"e_1_3_2_1_4_1","volume-title":"Thermometer Encoding: One Hot Way To Resist Adversarial Examples. In International Conference on Learning Representations . https:\/\/openreview.net\/pdf?id=S18Su--CW","author":"Buckman Jacob","year":"2018","unstructured":"Jacob Buckman , Aurko Roy , Colin Raffel , and Ian Goodfellow . 2018 . Thermometer Encoding: One Hot Way To Resist Adversarial Examples. In International Conference on Learning Representations . https:\/\/openreview.net\/pdf?id=S18Su--CW Jacob Buckman, Aurko Roy, Colin Raffel, and Ian Goodfellow. 2018. Thermometer Encoding: One Hot Way To Resist Adversarial Examples. In International Conference on Learning Representations . https:\/\/openreview.net\/pdf?id=S18Su--CW"},{"key":"e_1_3_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1145\/3128572.3140444"},{"key":"e_1_3_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.49"},{"key":"e_1_3_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV.2015.312"},{"key":"e_1_3_2_1_8_1","volume-title":"Computer Vision and Pattern Recognition","author":"Eykholt Kevin","unstructured":"Kevin Eykholt , Ivan Evtimov , Earlence Fernandes , Bo Li , Amir Rahmati , Chaowei Xiao , Atul Prakash , Tadayoshi Kohno , and Dawn Song . 2018. Robust Physical-World Attacks on Deep Learning Visual Classification . In Computer Vision and Pattern Recognition . IEEE. Kevin Eykholt, Ivan Evtimov, Earlence Fernandes, Bo Li, Amir Rahmati, Chaowei Xiao, Atul Prakash, Tadayoshi Kohno, and Dawn Song. 2018. Robust Physical-World Attacks on Deep Learning Visual Classification. In Computer Vision and Pattern Recognition. IEEE."},{"key":"e_1_3_2_1_9_1","volume-title":"International Conference on Learning Representations .","author":"Goodfellow Ian J","year":"2015","unstructured":"Ian J Goodfellow , Jonathon Shlens , and Christian Szegedy . 2015 . Explaining and harnessing adversarial examples . In International Conference on Learning Representations . Ian J Goodfellow, Jonathon Shlens, and Christian Szegedy. 2015. Explaining and harnessing adversarial examples. In International Conference on Learning Representations ."},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV.2015.123"},{"key":"e_1_3_2_1_11_1","volume-title":"Deep Residual Learning for Image Recognition. 2016 IEEE Conference on Computer Vision and Pattern Recognition (CVPR)","author":"He Kaiming","year":"2016","unstructured":"Kaiming He , Xiangyu Zhang , Shaoqing Ren , and Jian Sun . 2016 . Deep Residual Learning for Image Recognition. 2016 IEEE Conference on Computer Vision and Pattern Recognition (CVPR) (2016), 770--778. Kaiming He, Xiangyu Zhang, Shaoqing Ren, and Jian Sun. 2016. Deep Residual Learning for Image Recognition. 2016 IEEE Conference on Computer Vision and Pattern Recognition (CVPR) (2016), 770--778."},{"key":"e_1_3_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-55524-9_14"},{"key":"e_1_3_2_1_13_1","volume-title":"Adam: A Method for Stochastic Optimization. In International Conference on Learning Representations .","author":"Diederik","unstructured":"Diederik P. Kingma and Jimmy Ba. 2015 . Adam: A Method for Stochastic Optimization. In International Conference on Learning Representations . Diederik P. Kingma and Jimmy Ba. 2015. Adam: A Method for Stochastic Optimization. In International Conference on Learning Representations ."},{"key":"e_1_3_2_1_14_1","unstructured":"Alex Krizhevsky and Geoffrey Hinton. 2009. Learning multiple layers of features from tiny images. (2009).  Alex Krizhevsky and Geoffrey Hinton. 2009. Learning multiple layers of features from tiny images. (2009)."},{"key":"e_1_3_2_1_15_1","volume-title":"Adversarial Examples in the Physical World. In International Conference on Learning Representations .","author":"Kurakin Alexey","year":"2017","unstructured":"Alexey Kurakin , Ian Goodfellow , and Samy Bengio . 2017 . Adversarial Examples in the Physical World. In International Conference on Learning Representations . Alexey Kurakin, Ian Goodfellow, and Samy Bengio. 2017. Adversarial Examples in the Physical World. In International Conference on Learning Representations ."},{"key":"e_1_3_2_1_16_1","unstructured":"Yann LeCun Corinna Cortes and Christopher JC Burges. 1998. The MNIST database of handwritten digits. (1998).  Yann LeCun Corinna Cortes and Christopher JC Burges. 1998. The MNIST database of handwritten digits. (1998)."},{"key":"e_1_3_2_1_17_1","volume-title":"Network In Network. In International Conference on Learning Representations .","author":"Lin Min","year":"2014","unstructured":"Min Lin , Qiang Chen , and Shuicheng Yan . 2014 . Network In Network. In International Conference on Learning Representations . Min Lin, Qiang Chen, and Shuicheng Yan. 2014. Network In Network. In International Conference on Learning Representations ."},{"key":"e_1_3_2_1_18_1","volume-title":"International Conference on Learning Representations .","author":"Liu Yanpei","year":"2017","unstructured":"Yanpei Liu , Xinyun Chen , Chang Liu , and Dawn Song . 2017 . Delving into Transferable Adversarial Examples and Black-box Attacks . In International Conference on Learning Representations . Yanpei Liu, Xinyun Chen, Chang Liu, and Dawn Song. 2017. Delving into Transferable Adversarial Examples and Black-box Attacks. In International Conference on Learning Representations ."},{"key":"e_1_3_2_1_19_1","volume-title":"SafetyNet: Detecting and Rejecting Adversarial Examples Robustly. In The IEEE International Conference on Computer Vision (ICCV) .","author":"Lu Jiajun","unstructured":"Jiajun Lu , Theerasit Issaranon , and David A. Forsyth . 2017 . SafetyNet: Detecting and Rejecting Adversarial Examples Robustly. In The IEEE International Conference on Computer Vision (ICCV) . Jiajun Lu, Theerasit Issaranon, and David A. Forsyth. 2017. SafetyNet: Detecting and Rejecting Adversarial Examples Robustly. In The IEEE International Conference on Computer Vision (ICCV) ."},{"key":"e_1_3_2_1_20_1","volume-title":"International Conference on Learning Representations .","author":"Madry Aleksander","year":"2018","unstructured":"Aleksander Madry , Aleksandar Makelov , Ludwig Schmidt , Dimitris Tsipras , and Adrian Vladu . 2018 . Towards Deep Learning Models Resistant to Adversarial Attacks . In International Conference on Learning Representations . Aleksander Madry, Aleksandar Makelov, Ludwig Schmidt, Dimitris Tsipras, and Adrian Vladu. 2018. Towards Deep Learning Models Resistant to Adversarial Attacks. In International Conference on Learning Representations ."},{"key":"e_1_3_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1145\/3005745.3005750"},{"key":"e_1_3_2_1_22_1","volume-title":"On Detecting Adversarial Perturbations. In International Conference on Learning Representations .","author":"Metzen Jan Hendrik","year":"2017","unstructured":"Jan Hendrik Metzen , Tim Genewein , Volker Fischer , and Bastian Bischoff . 2017 . On Detecting Adversarial Perturbations. In International Conference on Learning Representations . Jan Hendrik Metzen, Tim Genewein, Volker Fischer, and Bastian Bischoff. 2017. On Detecting Adversarial Perturbations. In International Conference on Learning Representations ."},{"key":"e_1_3_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1038\/nature14236"},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.282"},{"key":"e_1_3_2_1_25_1","volume-title":"Technical Report on the CleverHans v2.1.0 Adversarial Examples Library. arXiv preprint arXiv:1610.00768","author":"Papernot Nicolas","year":"2018","unstructured":"Nicolas Papernot , Fartash Faghri , Nicholas Carlini , Ian Goodfellow , Reuben Feinman , Alexey Kurakin , Cihang Xie , Yash Sharma , Tom Brown , Aurko Roy , Alexander Matyasko , Vahid Behzadan , Karen Hambardzumyan , Zhishuai Zhang , Yi-Lin Juang , Zhi Li , Ryan Sheatsley , Abhibhav Garg , Jonathan Uesato , Willi Gierke , Yinpeng Dong , David Berthelot , Paul Hendricks , Jonas Rauber , and Rujun Long . 2018. Technical Report on the CleverHans v2.1.0 Adversarial Examples Library. arXiv preprint arXiv:1610.00768 ( 2018 ). Nicolas Papernot, Fartash Faghri, Nicholas Carlini, Ian Goodfellow, Reuben Feinman, Alexey Kurakin, Cihang Xie, Yash Sharma, Tom Brown, Aurko Roy, Alexander Matyasko, Vahid Behzadan, Karen Hambardzumyan, Zhishuai Zhang, Yi-Lin Juang, Zhi Li, Ryan Sheatsley, Abhibhav Garg, Jonathan Uesato, Willi Gierke, Yinpeng Dong, David Berthelot, Paul Hendricks, Jonas Rauber, and Rujun Long. 2018. Technical Report on the CleverHans v2.1.0 Adversarial Examples Library. arXiv preprint arXiv:1610.00768 (2018)."},{"key":"e_1_3_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1145\/3052973.3053009"},{"key":"e_1_3_2_1_27_1","volume-title":"2016 IEEE European Symposium on. IEEE, 372--387","author":"Papernot Nicolas","year":"2016","unstructured":"Nicolas Papernot , Patrick McDaniel , Somesh Jha , Matt Fredrikson , Z Berkay Celik , and Ananthram Swami . 2016 a. The Limitations of Deep Learning in Adversarial Settings. In Security and Privacy (EuroS&P) , 2016 IEEE European Symposium on. IEEE, 372--387 . Nicolas Papernot, Patrick McDaniel, Somesh Jha, Matt Fredrikson, Z Berkay Celik, and Ananthram Swami. 2016a. The Limitations of Deep Learning in Adversarial Settings. In Security and Privacy (EuroS&P), 2016 IEEE European Symposium on. IEEE, 372--387."},{"key":"e_1_3_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2016.41"},{"key":"e_1_3_2_1_29_1","volume-title":"Defense-GAN: Protecting Classifiers Against Adversarial Attacks Using Generative Models. In International Conference on Learning Representations . https:\/\/arxiv.org\/abs\/1805","author":"Samangouei Pouya","year":"2018","unstructured":"Pouya Samangouei , Maya Kabkab , and Rama Chellappa . 2018 . Defense-GAN: Protecting Classifiers Against Adversarial Attacks Using Generative Models. In International Conference on Learning Representations . https:\/\/arxiv.org\/abs\/1805 .06605 Pouya Samangouei, Maya Kabkab, and Rama Chellappa. 2018. Defense-GAN: Protecting Classifiers Against Adversarial Attacks Using Generative Models. In International Conference on Learning Representations . https:\/\/arxiv.org\/abs\/1805.06605"},{"key":"e_1_3_2_1_30_1","volume-title":"International Conference on Learning Representations","author":"Schulman John","year":"2016","unstructured":"John Schulman , Philipp Moritz , Sergey Levine , Michael Jordan , and Pieter Abbeel . 2016 . Human-level control through deep reinforcement learning . International Conference on Learning Representations (2016). John Schulman, Philipp Moritz, Sergey Levine, Michael Jordan, and Pieter Abbeel. 2016. Human-level control through deep reinforcement learning. International Conference on Learning Representations (2016)."},{"key":"e_1_3_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1038\/nature16961"},{"key":"e_1_3_2_1_32_1","volume-title":"Very Deep Convolutional Networks for Large-Scale Image Recognition. In International Conference on Learning Representations .","author":"Simonyan Karen","year":"2015","unstructured":"Karen Simonyan and Andrew Zisserman . 2015 . Very Deep Convolutional Networks for Large-Scale Image Recognition. In International Conference on Learning Representations . Karen Simonyan and Andrew Zisserman. 2015. Very Deep Convolutional Networks for Large-Scale Image Recognition. In International Conference on Learning Representations ."},{"key":"e_1_3_2_1_33_1","volume-title":"Intriguing properties of neural networks. arXiv preprint arXiv:1312.6199","author":"Szegedy Christian","year":"2013","unstructured":"Christian Szegedy , Wojciech Zaremba , Ilya Sutskever , Joan Bruna , Dumitru Erhan , Ian Goodfellow , and Rob Fergus . 2013. Intriguing properties of neural networks. arXiv preprint arXiv:1312.6199 ( 2013 ). Christian Szegedy, Wojciech Zaremba, Ilya Sutskever, Joan Bruna, Dumitru Erhan, Ian Goodfellow, and Rob Fergus. 2013. Intriguing properties of neural networks. arXiv preprint arXiv:1312.6199 (2013)."},{"key":"e_1_3_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1109\/WINCOM.2016.7777224"},{"key":"e_1_3_2_1_35_1","volume-title":"International Conference on Learning Representations .","author":"Tram\u00e8r Florian","year":"2018","unstructured":"Florian Tram\u00e8r , Alexey Kurakin , Nicolas Papernot , Ian Goodfellow , Dan Boneh , and Patrick McDaniel . 2018 . Ensemble adversarial training: Attacks and defenses . In International Conference on Learning Representations . Florian Tram\u00e8r, Alexey Kurakin, Nicolas Papernot, Ian Goodfellow, Dan Boneh, and Patrick McDaniel. 2018. Ensemble adversarial training: Attacks and defenses. In International Conference on Learning Representations ."},{"key":"e_1_3_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1145\/3097983.3098158"},{"key":"e_1_3_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1145\/2619239.2631434"},{"key":"e_1_3_2_1_38_1","volume-title":"Wide Residual Networks. arXiv preprint arXiv:1605.07146","author":"Zagoruyko Sergey","year":"2016","unstructured":"Sergey Zagoruyko and Nikos Komodakis . 2016. Wide Residual Networks. arXiv preprint arXiv:1605.07146 ( 2016 ). Sergey Zagoruyko and Nikos Komodakis. 2016. Wide Residual Networks. arXiv preprint arXiv:1605.07146 (2016)."}],"event":{"name":"CCS '18: 2018 ACM SIGSAC Conference on Computer and Communications Security","location":"Toronto Canada","acronym":"CCS '18","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the 11th ACM Workshop on Artificial Intelligence and Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3270101.3270111","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3270101.3270111","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3270101.3270111","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T01:02:26Z","timestamp":1750208546000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3270101.3270111"}},"subtitle":["A Gray-box Approach to Craft Adversarial Examples Against Gradient Obfuscation Defenses"],"short-title":[],"issued":{"date-parts":[[2018,1,15]]},"references-count":38,"alternative-id":["10.1145\/3270101.3270111","10.1145\/3270101"],"URL":"https:\/\/doi.org\/10.1145\/3270101.3270111","relation":{},"subject":[],"published":{"date-parts":[[2018,1,15]]},"assertion":[{"value":"2018-01-15","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}