{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,13]],"date-time":"2025-11-13T02:05:33Z","timestamp":1762999533216,"version":"3.41.0"},"publisher-location":"New York, NY, USA","reference-count":68,"publisher":"ACM","license":[{"start":{"date-parts":[[2019,11,11]],"date-time":"2019-11-11T00:00:00Z","timestamp":1573430400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/100000001","name":"National Science Foundation","doi-asserted-by":"publisher","award":["CNS-1704105,CNS-1553437,CIF-1617286,EARS1642962"],"award-info":[{"award-number":["CNS-1704105,CNS-1553437,CIF-1617286,EARS1642962"]}],"id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"publisher"}]},{"name":"Office of Naval Research Young Investigator Award"},{"DOI":"10.13039\/100002418","name":"Intel Corporation","doi-asserted-by":"publisher","award":["Faculty research award"],"award-info":[{"award-number":["Faculty research award"]}],"id":[{"id":"10.13039\/100002418","id-type":"DOI","asserted-by":"publisher"}]},{"name":"Army Research Office Young Investigator Prize"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2019,11,11]]},"DOI":"10.1145\/3338501.3357372","type":"proceedings-article","created":{"date-parts":[[2019,11,8]],"date-time":"2019-11-08T13:40:33Z","timestamp":1573220433000},"page":"105-116","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":40,"title":["Analyzing the Robustness of Open-World Machine Learning"],"prefix":"10.1145","author":[{"given":"Vikash","family":"Sehwag","sequence":"first","affiliation":[{"name":"Princeton University, Princeton, NJ, USA"}]},{"given":"Arjun Nitin","family":"Bhagoji","sequence":"additional","affiliation":[{"name":"Princeton University, Princeton, NJ, 
USA"}]},{"given":"Liwei","family":"Song","sequence":"additional","affiliation":[{"name":"Princeton University, Princeton, NJ, USA"}]},{"given":"Chawin","family":"Sitawarin","sequence":"additional","affiliation":[{"name":"University of California, Berkeley, Berkeley, CA, USA"}]},{"given":"Daniel","family":"Cullina","sequence":"additional","affiliation":[{"name":"Pennsylvania State University, Centre County, PA, USA"}]},{"given":"Mung","family":"Chiang","sequence":"additional","affiliation":[{"name":"Purdue University, West Lafayette, IN, USA"}]},{"given":"Prateek","family":"Mittal","sequence":"additional","affiliation":[{"name":"Princeton University, Princeton, NJ, USA"}]}],"member":"320","published-online":{"date-parts":[[2019,11,11]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"2008. https:\/\/www.absolute.com\/en\/go\/reports\/the-cost-of-insecure-endpoints.(2008). [Online; accessed 10-November-2018].  2008. https:\/\/www.absolute.com\/en\/go\/reports\/the-cost-of-insecure-endpoints.(2008). [Online; accessed 10-November-2018]."},{"key":"e_1_3_2_1_2_1","unstructured":"2019. Picsum Random image generator. \"https:\/\/picsum.photos\/\". (2019).  2019. Picsum Random image generator. \"https:\/\/picsum.photos\/\". (2019)."},{"key":"e_1_3_2_1_3_1","unstructured":"Anish Athalye Nicholas Carlini and David Wagner. 2018a. Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In ICML.  Anish Athalye Nicholas Carlini and David Wagner. 2018a. Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In ICML."},{"key":"e_1_3_2_1_4_1","unstructured":"Anish Athalye Logan Engstrom Andrew Ilyas and Kevin Kwok. 2018b. Synthesizing Robust Adversarial Examples. In ICML. 284--293.  Anish Athalye Logan Engstrom Andrew Ilyas and Kevin Kwok. 2018b. Synthesizing Robust Adversarial Examples. In ICML. 
284--293."},{"key":"e_1_3_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2015.7298799"},{"key":"e_1_3_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.173"},{"key":"e_1_3_2_1_7_1","doi-asserted-by":"crossref","unstructured":"Arjun Nitin Bhagoji Warren He Bo Li and Dawn Song. 2018. Practical Black-box Attacks on Deep Neural Networks using Efficient Query Mechanisms. In ECCV.  Arjun Nitin Bhagoji Warren He Bo Li and Dawn Song. 2018. Practical Black-box Attacks on Deep Neural Networks using Efficient Query Mechanisms. In ECCV.","DOI":"10.1007\/978-3-030-01258-8_10"},{"key":"e_1_3_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-40994-3_25"},{"key":"e_1_3_2_1_9_1","unstructured":"Mariusz Bojarski Davide Del Testa Daniel Dworakowski Bernhard Firner Beat Flepp Prasoon Goyal Lawrence D Jackel Mathew Monfort Urs Muller Jiakai Zhang et al. 2016. End to end learning for self-driving cars. arXiv preprint arXiv:1604.07316 (2016).  Mariusz Bojarski Davide Del Testa Daniel Dworakowski Bernhard Firner Beat Flepp Prasoon Goyal Lawrence D Jackel Mathew Monfort Urs Muller Jiakai Zhang et al. 2016. End to end learning for self-driving cars. arXiv preprint arXiv:1604.07316 (2016)."},{"key":"e_1_3_2_1_10_1","unstructured":"Nicholas Carlini and David Wagner. 2017. MagNet and \"Efficient Defenses Against Adversarial Attacks\" are Not Robust to Adversarial Examples. arXiv preprint arXiv:1711.08478 (2017).  Nicholas Carlini and David Wagner. 2017. MagNet and \"Efficient Defenses Against Adversarial Attacks\" are Not Robust to Adversarial Examples. arXiv preprint arXiv:1711.08478 (2017)."},{"key":"e_1_3_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.49"},{"key":"e_1_3_2_1_12_1","unstructured":"Yair Carmon Aditi Raghunathan Ludwig Schmidt Percy Liang and John C Duchi. 2019. Unlabeled data improves adversarial robustness. arXiv preprint arXiv:1905.13736 (2019).  
Yair Carmon Aditi Raghunathan Ludwig Schmidt Percy Liang and John C Duchi. 2019. Unlabeled data improves adversarial robustness. arXiv preprint arXiv:1905.13736 (2019)."},{"key":"e_1_3_2_1_13_1","unstructured":"Raghavendra Chalapathy and Sanjay Chawla. 2019. Deep Learning for Anomaly Detection: A Survey. arXiv e-prints (Jan. 2019). arxiv: cs.LG\/1901.03407  Raghavendra Chalapathy and Sanjay Chawla. 2019. Deep Learning for Anomaly Detection: A Survey. arXiv e-prints (Jan. 2019). arxiv: cs.LG\/1901.03407"},{"key":"e_1_3_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-71249-9_3"},{"key":"e_1_3_2_1_15_1","unstructured":"Eric I Chang and Richard P Lippmann. 1994. Figure of merit training for detection and spotting. In NeurIPS. 1019--1026.  Eric I Chang and Richard P Lippmann. 1994. Figure of merit training for detection and spotting. In NeurIPS. 1019--1026."},{"key":"e_1_3_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV.2015.312"},{"volume-title":"NDSS.","author":"Danezis George","key":"e_1_3_2_1_17_1"},{"key":"e_1_3_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2009.5206848"},{"key":"e_1_3_2_1_19_1","unstructured":"Akshay Raj Dhamija Manuel G\u00fcnther and Terrance Boult. 2018. Reducing Network Agnostophobia. In NeurIPS. 9175--9186.  Akshay Raj Dhamija Manuel G\u00fcnther and Terrance Boult. 2018. Reducing Network Agnostophobia. In NeurIPS. 9175--9186."},{"key":"e_1_3_2_1_20_1","unstructured":"Logan Engstrom Andrew Ilyas and Anish Athalye. 2018. Evaluating and Understanding the Robustness of Adversarial Logit Pairing. arXiv preprint arXiv:1807.10272 (2018).  Logan Engstrom Andrew Ilyas and Anish Athalye. 2018. Evaluating and Understanding the Robustness of Adversarial Logit Pairing. arXiv preprint arXiv:1807.10272 (2018)."},{"key":"e_1_3_2_1_21_1","doi-asserted-by":"crossref","unstructured":"Mark Everingham Luc Van Gool Christopher KI Williams John Winn and Andrew Zisserman. 2010. 
The pascal visual object classes (voc) challenge. International journal of computer vision Vol. 88 2 (2010) 303--338.  Mark Everingham Luc Van Gool Christopher KI Williams John Winn and Andrew Zisserman. 2010. The pascal visual object classes (voc) challenge. International journal of computer vision Vol. 88 2 (2010) 303--338.","DOI":"10.1007\/s11263-009-0275-4"},{"volume-title":"Robust Physical-World Attacks on Machine Learning Models. In IEEE conference on computer vision and pattern recognition.","year":"2018","author":"Evtimov Ivan","key":"e_1_3_2_1_22_1"},{"key":"e_1_3_2_1_23_1","unstructured":"Yonatan Geifman and Ran El-Yaniv. 2017. Selective classification for deep neural networks. NeurIPS. 4878--4887.  Yonatan Geifman and Ran El-Yaniv. 2017. Selective classification for deep neural networks. NeurIPS. 4878--4887."},{"key":"e_1_3_2_1_24_1","unstructured":"Ian Goodfellow Yoshua Bengio and Aaron Courville. 2016. Deep learning. MIT Press.  Ian Goodfellow Yoshua Bengio and Aaron Courville. 2016. Deep learning. MIT Press."},{"key":"e_1_3_2_1_25_1","unstructured":"Ian J Goodfellow Jonathon Shlens and Christian Szegedy. 2015. Explaining and harnessing adversarial examples. In ICLR.  Ian J Goodfellow Jonathon Shlens and Christian Szegedy. 2015. Explaining and harnessing adversarial examples. In ICLR."},{"key":"e_1_3_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPRW.2017.85"},{"key":"e_1_3_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.90"},{"volume-title":"11th USENIX Workshop on Offensive Technologies (WOOT 17)","year":"2017","author":"He Warren","key":"e_1_3_2_1_28_1"},{"key":"e_1_3_2_1_29_1","unstructured":"D. Hendrycks and K. Gimpel. 2017. A Baseline for Detecting Misclassified and Out-of-Distribution Examples in Neural Networks. In ICLR.  D. Hendrycks and K. Gimpel. 2017. A Baseline for Detecting Misclassified and Out-of-Distribution Examples in Neural Networks. 
In ICLR."},{"key":"e_1_3_2_1_30_1","unstructured":"Dan Hendrycks Mantas Mazeika and Thomas Dietterich. 2019. Deep Anomaly Detection with Outlier Exposure. In ICLR.  Dan Hendrycks Mantas Mazeika and Thomas Dietterich. 2019. Deep Anomaly Detection with Outlier Exposure. In ICLR."},{"key":"e_1_3_2_1_31_1","unstructured":"Andrew G. Howard Menglong Zhu Bo Chen Dmitry Kalenichenko Weijun Wang Tobias Weyand Marco Andreetto and Hartwig Adam. 2017. MobileNets: Efficient Convolutional Neural Networks for Mobile Vision Applications. CoRR Vol. abs\/1704.04861 (2017).  Andrew G. Howard Menglong Zhu Bo Chen Dmitry Kalenichenko Weijun Wang Tobias Weyand Marco Andreetto and Hartwig Adam. 2017. MobileNets: Efficient Convolutional Neural Networks for Mobile Vision Applications. CoRR Vol. abs\/1704.04861 (2017)."},{"key":"e_1_3_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2017.243"},{"key":"e_1_3_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1145\/2046684.2046692"},{"key":"e_1_3_2_1_34_1","unstructured":"Andrew Ilyas Logan Engstrom Anish Athalye and Jessy Lin. 2018. Black-box Adversarial Attacks with Limited Queries and Information. In ICML. 2142--2151.  Andrew Ilyas Logan Engstrom Anish Athalye and Jessy Lin. 2018. Black-box Adversarial Attacks with Limited Queries and Information. In ICML. 2142--2151."},{"key":"e_1_3_2_1_35_1","unstructured":"Heinrich Jiang Been Kim Melody Guan and Maya Gupta. 2018. To trust or not to trust a classifier. In NeurIPS. 5546--5557.  Heinrich Jiang Been Kim Melody Guan and Maya Gupta. 2018. To trust or not to trust a classifier. In NeurIPS. 5546--5557."},{"key":"e_1_3_2_1_36_1","unstructured":"Harini Kannan Alexey Kurakin and Ian Goodfellow. 2018. Adversarial Logit Pairing. arXiv preprint arXiv:1803.06373 (2018).  Harini Kannan Alexey Kurakin and Ian Goodfellow. 2018. Adversarial Logit Pairing. arXiv preprint arXiv:1803.06373 (2018)."},{"key":"e_1_3_2_1_37_1","unstructured":"J Zico Kolter and Eric Wong. 2018. 
Provable defenses against adversarial examples via the convex outer adversarial polytope. In ICML.  J Zico Kolter and Eric Wong. 2018. Provable defenses against adversarial examples via the convex outer adversarial polytope. In ICML."},{"key":"e_1_3_2_1_38_1","unstructured":"Alex Krizhevsky Vinod Nair and Geoffrey Hinton. 2014. The CIFAR-10 dataset. online: http:\/\/www.cs.toronto.edu\/kriz\/cifar.html (2014).  Alex Krizhevsky Vinod Nair and Geoffrey Hinton. 2014. The CIFAR-10 dataset. online: http:\/\/www.cs.toronto.edu\/kriz\/cifar.html (2014)."},{"key":"e_1_3_2_1_39_1","unstructured":"Alex Krizhevsky Ilya Sutskever and Geoffrey E Hinton. 2012. ImageNet classification with deep convolutional neural networks. In NeurIPS. 1097--1105.  Alex Krizhevsky Ilya Sutskever and Geoffrey E Hinton. 2012. ImageNet classification with deep convolutional neural networks. In NeurIPS. 1097--1105."},{"key":"e_1_3_2_1_40_1","unstructured":"Yann LeCun. 1998. The MNIST database of handwritten digits. http:\/\/yann.lecun.com\/exdb\/mnist\/ (1998).  Yann LeCun. 1998. The MNIST database of handwritten digits. http:\/\/yann.lecun.com\/exdb\/mnist\/ (1998)."},{"key":"e_1_3_2_1_41_1","unstructured":"Kimin Lee Honglak Lee Kibok Lee and Jinwoo Shin. 2018a. Training Confidence-calibrated Classifiers for Detecting Out-of-Distribution Samples. In ICLR.  Kimin Lee Honglak Lee Kibok Lee and Jinwoo Shin. 2018a. Training Confidence-calibrated Classifiers for Detecting Out-of-Distribution Samples. In ICLR."},{"key":"e_1_3_2_1_42_1","unstructured":"Kimin Lee Kibok Lee Honglak Lee and Jinwoo Shin. 2018b. A simple unified framework for detecting out-of-distribution samples and adversarial attacks. In NeurIPS. 7167--7177.  Kimin Lee Kibok Lee Honglak Lee and Jinwoo Shin. 2018b. A simple unified framework for detecting out-of-distribution samples and adversarial attacks. In NeurIPS. 7167--7177."},{"key":"e_1_3_2_1_43_1","unstructured":"S. Liang Y. Li and R. Srikant. 2018. 
Enhancing The Reliability of Out-of-distribution Image Detection in Neural Networks. In ICLR.  S. Liang Y. Li and R. Srikant. 2018. Enhancing The Reliability of Out-of-distribution Image Detection in Neural Networks. In ICLR."},{"key":"e_1_3_2_1_44_1","doi-asserted-by":"crossref","unstructured":"Geert Litjens Thijs Kooi Babak Ehteshami Bejnordi Arnaud Arindra Adiyoso Setio Francesco Ciompi Mohsen Ghafoorian Jeroen Awm Van Der Laak Bram Van Ginneken and Clara I S\u00e1nchez. 2017. A survey on deep learning in medical image analysis. Medical image analysis Vol. 42 (2017) 60--88.  Geert Litjens Thijs Kooi Babak Ehteshami Bejnordi Arnaud Arindra Adiyoso Setio Francesco Ciompi Mohsen Ghafoorian Jeroen Awm Van Der Laak Bram Van Ginneken and Clara I S\u00e1nchez. 2017. A survey on deep learning in medical image analysis. Medical image analysis Vol. 42 (2017) 60--88.","DOI":"10.1016\/j.media.2017.07.005"},{"key":"e_1_3_2_1_45_1","unstructured":"Aleksander Madry Aleksandar Makelov Ludwig Schmidt Dimitris Tsipras and Adrian Vladu. 2018. Towards Deep Learning Models Resistant to Adversarial Attacks. In ICLR.  Aleksander Madry Aleksandar Makelov Ludwig Schmidt Dimitris Tsipras and Adrian Vladu. 2018. Towards Deep Learning Models Resistant to Adversarial Attacks. In ICLR."},{"volume-title":"Background Class Defense Against Adversarial Examples. In 2018 IEEE Security and Privacy Workshops (SPW). 96--102","year":"2018","author":"McCoyd Michael","key":"e_1_3_2_1_46_1"},{"key":"e_1_3_2_1_47_1","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134057"},{"key":"e_1_3_2_1_48_1","unstructured":"Margi Murphy. 2017. Artificial intelligence will detect child abuse images to save police from trauma. https:\/\/www.telegraph.co.uk\/technology\/2017\/12\/18\/artificial-intelligence-will-detect-child-abuse-images-save\/. (2017).  Margi Murphy. 2017. Artificial intelligence will detect child abuse images to save police from trauma. 
https:\/\/www.telegraph.co.uk\/technology\/2017\/12\/18\/artificial-intelligence-will-detect-child-abuse-images-save\/. (2017)."},{"key":"e_1_3_2_1_49_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2015.7298640"},{"key":"e_1_3_2_1_50_1","first-page":"6","article-title":"Deep face recognition","volume":"1","author":"Parkhi Omkar M","year":"2015","journal-title":"BMVC"},{"key":"e_1_3_2_1_51_1","unstructured":"Aditi Raghunathan Jacob Steinhardt and Percy Liang. 2018. Certified defenses against adversarial examples. ICLR.  Aditi Raghunathan Jacob Steinhardt and Percy Liang. 2018. Certified defenses against adversarial examples. ICLR."},{"key":"e_1_3_2_1_52_1","doi-asserted-by":"publisher","DOI":"10.1109\/LRA.2018.2857402"},{"key":"e_1_3_2_1_53_1","unstructured":"Pouya Samangouei Maya Kabkab and Rama Chellappa. 2018. Defense-GAN: Protecting Classifiers Against Adversarial Attacks Using Generative Models. In ICLR.  Pouya Samangouei Maya Kabkab and Rama Chellappa. 2018. Defense-GAN: Protecting Classifiers Against Adversarial Attacks Using Generative Models. In ICLR."},{"key":"e_1_3_2_1_54_1","unstructured":"Vikash Sehwag Arjun Nitin Bhagoji Liwei Song Chawin Sitawarin Daniel Cullina Mung Chiang and Prateek Mittal. 2019. Better the Devil you Know: An Analysis of Evasion Attacks using Out-of-Distribution Adversarial Examples. arXiv preprint arXiv:1905.01726 (2019).  Vikash Sehwag Arjun Nitin Bhagoji Liwei Song Chawin Sitawarin Daniel Cullina Mung Chiang and Prateek Mittal. 2019. Better the Devil you Know: An Analysis of Evasion Attacks using Out-of-Distribution Adversarial Examples. arXiv preprint arXiv:1905.01726 (2019)."},{"key":"e_1_3_2_1_55_1","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978392"},{"key":"e_1_3_2_1_56_1","unstructured":"Karen Simonyan and Andrew Zisserman. 2015. Very deep convolutional networks for large-scale image recognition. ICLR (2015).  Karen Simonyan and Andrew Zisserman. 2015. 
Very deep convolutional networks for large-scale image recognition. ICLR (2015)."},{"key":"e_1_3_2_1_57_1","unstructured":"Chawin Sitawarin Arjun Nitin Bhagoji Arsalan Mosenia Prateek Mittal and Mung Chiang. 2018. Rogue Signs: Deceiving Traffic Sign Recognition with Malicious Ads and Logos. In DLS (IEEE SP).  Chawin Sitawarin Arjun Nitin Bhagoji Arsalan Mosenia Prateek Mittal and Mung Chiang. 2018. Rogue Signs: Deceiving Traffic Sign Recognition with Malicious Ads and Logos. In DLS (IEEE SP)."},{"key":"e_1_3_2_1_58_1","unstructured":"Jost Tobias Springenberg Alexey Dosovitskiy Thomas Brox and Martin Riedmiller. 2015. Striving for simplicity: The all convolutional net. ICLR (2015).  Jost Tobias Springenberg Alexey Dosovitskiy Thomas Brox and Martin Riedmiller. 2015. Striving for simplicity: The all convolutional net. ICLR (2015)."},{"key":"e_1_3_2_1_59_1","unstructured":"Robert Stanforth Alhussein Fawzi Pushmeet Kohli et al. 2019. Are Labels Required for Improving Adversarial Robustness? arXiv:1905.13725 (2019).  Robert Stanforth Alhussein Fawzi Pushmeet Kohli et al. 2019. Are Labels Required for Improving Adversarial Robustness? arXiv:1905.13725 (2019)."},{"key":"e_1_3_2_1_60_1","unstructured":"Yi Sun Ding Liang Xiaogang Wang and Xiaoou Tang. 2015. Deepid3: Face recognition with very deep neural networks. arXiv:1502.00873 (2015).  Yi Sun Ding Liang Xiaogang Wang and Xiaoou Tang. 2015. Deepid3: Face recognition with very deep neural networks. arXiv:1502.00873 (2015)."},{"key":"e_1_3_2_1_61_1","unstructured":"Christian Szegedy Wojciech Zaremba Ilya Sutskever Joan Bruna Dumitru Erhan Ian Goodfellow and Rob Fergus. 2014. Intriguing properties of neural networks. In ICLR.  Christian Szegedy Wojciech Zaremba Ilya Sutskever Joan Bruna Dumitru Erhan Ian Goodfellow and Rob Fergus. 2014. Intriguing properties of neural networks. 
In ICLR."},{"key":"e_1_3_2_1_62_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2011.5995347"},{"key":"e_1_3_2_1_63_1","unstructured":"Florian Tram\u00e8r Alexey Kurakin Nicolas Papernot Dan Boneh and Patrick McDaniel. 2018. Ensemble Adversarial Training: Attacks and Defenses. In ICLR.  Florian Tram\u00e8r Alexey Kurakin Nicolas Papernot Dan Boneh and Patrick McDaniel. 2018. Ensemble Adversarial Training: Attacks and Defenses. In ICLR."},{"key":"e_1_3_2_1_64_1","unstructured":"Eric Wong Frank Schmidt Jan Hendrik Metzen and J Zico Kolter. 2018. Scaling provable adversarial defenses. NeurIPS (2018).  Eric Wong Frank Schmidt Jan Hendrik Metzen and J Zico Kolter. 2018. Scaling provable adversarial defenses. NeurIPS (2018)."},{"key":"e_1_3_2_1_65_1","unstructured":"Han Xiao Kashif Rasul and Roland Vollgraf. 2017. Fashion-mnist: a novel image dataset for benchmarking machine learning algorithms. arXiv preprint arXiv:1708.07747 (2017).  Han Xiao Kashif Rasul and Roland Vollgraf. 2017. Fashion-mnist: a novel image dataset for benchmarking machine learning algorithms. arXiv preprint arXiv:1708.07747 (2017)."},{"volume-title":"Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition. 501--509","author":"Xie Cihang","key":"e_1_3_2_1_66_1"},{"volume-title":"Feature Squeezing: Detecting Adversarial Examples in Deep Neural Networks. In NDSS.","year":"2018","author":"Xu Weilin","key":"e_1_3_2_1_67_1"},{"key":"e_1_3_2_1_68_1","doi-asserted-by":"crossref","unstructured":"Sergey Zagoruyko and Nikos Komodakis. 2016. Wide residual networks. BMVC.  Sergey Zagoruyko and Nikos Komodakis. 2016. Wide residual networks. 
BMVC.","DOI":"10.5244\/C.30.87"}],"event":{"name":"CCS '19: 2019 ACM SIGSAC Conference on Computer and Communications Security","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"],"location":"London United Kingdom","acronym":"CCS '19"},"container-title":["Proceedings of the 12th ACM Workshop on Artificial Intelligence and Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3338501.3357372","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3338501.3357372","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T23:12:49Z","timestamp":1750201969000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3338501.3357372"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2019,11,11]]},"references-count":68,"alternative-id":["10.1145\/3338501.3357372","10.1145\/3338501"],"URL":"https:\/\/doi.org\/10.1145\/3338501.3357372","relation":{},"subject":[],"published":{"date-parts":[[2019,11,11]]},"assertion":[{"value":"2019-11-11","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}