{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T04:24:20Z","timestamp":1750220660428,"version":"3.41.0"},"publisher-location":"New York, NY, USA","reference-count":35,"publisher":"ACM","license":[{"start":{"date-parts":[[2020,11,9]],"date-time":"2020-11-09T00:00:00Z","timestamp":1604880000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2020,11,13]]},"DOI":"10.1145\/3411508.3421380","type":"proceedings-article","created":{"date-parts":[[2020,11,2]],"date-time":"2020-11-02T21:16:40Z","timestamp":1604351800000},"page":"1-12","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":1,"title":["Where Does the Robustness Come from?"],"prefix":"10.1145","author":[{"given":"Chang","family":"Liao","sequence":"first","affiliation":[{"name":"Nanyang Technological University, Singapore, Singapore"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Yao","family":"Cheng","sequence":"additional","affiliation":[{"name":"Huawei International, Singapore, Singapore"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Chengfang","family":"Fang","sequence":"additional","affiliation":[{"name":"Huawei International, Singapore, Singapore"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Jie","family":"Shi","sequence":"additional","affiliation":[{"name":"Huawei International, Singapore, Singapore"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2020,11,9]]},"reference":[
{"key":"e_1_3_2_1_1_1","volume-title":"5th International Conference on Learning Representations (ICLR) Workshop.","author":"Abbasi Mahdieh","year":"2017","unstructured":"Mahdieh Abbasi and Christian Gagn\u00e9. 2017. Robustness to Adversarial Examples through an Ensemble of Specialists. In 5th International Conference on Learning Representations (ICLR) Workshop."},
{"key":"e_1_3_2_1_2_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-40994-3_25"},
{"key":"e_1_3_2_1_3_1","volume-title":"Towards Evaluating the Robustness of Neural Networks. In 2017 IEEE Symposium on Security and Privacy (SP). IEEE, 39--57","author":"Carlini Nicholas","year":"2017","unstructured":"Nicholas Carlini and David Wagner. 2017. Towards Evaluating the Robustness of Neural Networks. In 2017 IEEE Symposium on Security and Privacy (SP). IEEE, 39--57."},
{"key":"e_1_3_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1145\/3128572.3140448"},
{"key":"e_1_3_2_1_5_1","unstructured":"Shuyu Cheng, Yinpeng Dong, Tianyu Pang, Hang Su, and Jun Zhu. 2019. Improving Black-box Adversarial Attacks with a Transfer-based Prior. In Advances in Neural Information Processing Systems. 10934--10944."},
{"key":"e_1_3_2_1_6_1","volume-title":"Explaining Transferability of Evasion and Poisoning Attacks. In 28th USENIX Security Symposium (USENIX Security 19)","author":"Demontis Ambra","year":"2019","unstructured":"Ambra Demontis, Marco Melis, Maura Pintor, Matthew Jagielski, Battista Biggio, Alina Oprea, Cristina Nita-Rotaru, and Fabio Roli. 2019. Why Do Adversarial Attacks Transfer? Explaining Transferability of Evasion and Poisoning Attacks. In 28th USENIX Security Symposium (USENIX Security 19). 321--338."},
{"key":"e_1_3_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2018.00957"},
{"volume-title":"Law of the Minimum","author":"Ebelhar S. A.","key":"e_1_3_2_1_8_1","unstructured":"S. A. Ebelhar, Ward Chesworth, and Quirino Paris. 2008. Law of the Minimum. Springer Netherlands, Dordrecht, 431--437. https:\/\/doi.org\/10.1007\/978-1-4020-3995-9_321"},
{"key":"e_1_3_2_1_9_1","volume-title":"Explaining and Harnessing Adversarial Examples. In 3rd International Conference on Learning Representations (ICLR).","author":"Goodfellow Ian J.","year":"2015","unstructured":"Ian J. Goodfellow, Jonathon Shlens, and Christian Szegedy. 2015. Explaining and Harnessing Adversarial Examples. In 3rd International Conference on Learning Representations (ICLR)."},
{"key":"e_1_3_2_1_10_1","volume-title":"11th USENIX Workshop on Offensive Technologies (WOOT).","author":"He Warren","year":"2017","unstructured":"Warren He, James Wei, Xinyun Chen, Nicholas Carlini, and Dawn Song. 2017. Adversarial Example Defense: Ensembles of Weak Defenses are not Strong. In 11th USENIX Workshop on Offensive Technologies (WOOT)."},
{"key":"e_1_3_2_1_11_1","volume-title":"Black-box Adversarial Attacks with Limited Queries and Information. In International Conference on Machine Learning. 2137--2146","author":"Ilyas Andrew","year":"2018","unstructured":"Andrew Ilyas, Logan Engstrom, Anish Athalye, and Jessy Lin. 2018. Black-box Adversarial Attacks with Limited Queries and Information. In International Conference on Machine Learning. 2137--2146."},
{"key":"e_1_3_2_1_12_1","volume-title":"Evasion and Hardening of Tree Ensemble Classifiers. In International Conference on Machine Learning. 2387--2396","author":"Kantchelian Alex","year":"2016","unstructured":"Alex Kantchelian, J Doug Tygar, and Anthony Joseph. 2016. Evasion and Hardening of Tree Ensemble Classifiers. In International Conference on Machine Learning. 2387--2396."},
{"key":"e_1_3_2_1_13_1","volume-title":"Adversarial Examples in the Physical World. International Conference on Learning Representations (ICLR) Workshop","author":"Kurakin Alexey","year":"2017","unstructured":"Alexey Kurakin, Ian Goodfellow, and Samy Bengio. 2017. Adversarial Examples in the Physical World. International Conference on Learning Representations (ICLR) Workshop (2017)."},
{"key":"e_1_3_2_1_14_1","unstructured":"Tencent Keen Security Lab. 2019. Experimental Security Research of Tesla Autopilot. https:\/\/keenlab.tencent.com\/en\/2019\/03\/29\/Tencent-Keen-Security-Lab-Experimental-Security-Research-of-Tesla-Autopilot\/"},
{"key":"e_1_3_2_1_15_1","volume-title":"MNIST Handwritten Digit Database. ATT Labs [Online]. Available: http:\/\/yann.lecun.com\/exdb\/mnist","author":"LeCun Yann","year":"2010","unstructured":"Yann LeCun, Corinna Cortes, and CJ Burges. 2010. MNIST Handwritten Digit Database. ATT Labs [Online]. Available: http:\/\/yann.lecun.com\/exdb\/mnist, Vol. 2 (2010)."},
{"key":"e_1_3_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-01234-2_23"},
{"key":"e_1_3_2_1_17_1","volume-title":"International Conference on Learning Representations (ICLR).","author":"Madry Aleksander","year":"2018","unstructured":"Aleksander Madry, Aleksandar Makelov, Ludwig Schmidt, Dimitris Tsipras, and Adrian Vladu. 2018. Towards Deep Learning Models Resistant to Adversarial Attacks. In International Conference on Learning Representations (ICLR)."},
{"key":"e_1_3_2_1_18_1","unstructured":"Chengzhi Mao, Ziyuan Zhong, Junfeng Yang, Carl Vondrick, and Baishakhi Ray. 2019. Metric Learning for Adversarial Robustness. In Advances in Neural Information Processing Systems. 480--491."},
{"key":"e_1_3_2_1_19_1","volume-title":"Is Deep Learning Safe for Robot Vision? Adversarial Examples Against the iCub Humanoid. CoRR, abs\/1708.06939","author":"Melis M","year":"2017","unstructured":"M Melis, A Demontis, B Biggio, G Brown, G Fumera, and F Roli. 2017. Is Deep Learning Safe for Robot Vision? Adversarial Examples Against the iCub Humanoid. CoRR, abs\/1708.06939 (2017)."},
{"key":"e_1_3_2_1_20_1","volume-title":"Ensembles of Many Diverse Weak Defenses can be Strong: Defending Deep Neural Networks Against Adversarial Attacks. arXiv preprint arXiv:2001.00308","author":"Meng Ying","year":"2020","unstructured":"Ying Meng, Jianhai Su, Jason O'Kane, and Pooyan Jamshidi. 2020. Ensembles of Many Diverse Weak Defenses can be Strong: Defending Deep Neural Networks Against Adversarial Attacks. arXiv preprint arXiv:2001.00308 (2020)."},
{"key":"e_1_3_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2017.17"},
{"key":"e_1_3_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.282"},
{"key":"e_1_3_2_1_23_1","volume-title":"Proceedings of Machine Learning Research","volume":"97","author":"Pang Tianyu","year":"2019","unstructured":"Tianyu Pang, Kun Xu, Chao Du, Ning Chen, and Jun Zhu. 2019. Improving Adversarial Robustness via Promoting Ensemble Diversity. In Proceedings of Machine Learning Research, Vol. 97. PMLR, 4970--4979."},
{"key":"e_1_3_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1145\/3052973.3053009"},
{"key":"e_1_3_2_1_25_1","volume-title":"The Limitations of Deep Learning in Adversarial Settings. In 2016 IEEE European Symposium on Security and Privacy (EuroS&P). IEEE, 372--387","author":"Papernot Nicolas","year":"2016","unstructured":"Nicolas Papernot, Patrick McDaniel, Somesh Jha, Matt Fredrikson, Z Berkay Celik, and Ananthram Swami. 2016a. The Limitations of Deep Learning in Adversarial Settings. In 2016 IEEE European Symposium on Security and Privacy (EuroS&P). IEEE, 372--387."},
{"key":"e_1_3_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2016.41"},
{"key":"e_1_3_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1145\/2996758.2996771"},
{"key":"e_1_3_2_1_28_1","volume-title":"EMPIR: Ensembles of Mixed Precision Deep Networks for Increased Robustness Against Adversarial Attacks. In International Conference on Learning Representations.","author":"Sen Sanchari","year":"2020","unstructured":"Sanchari Sen, Balaraman Ravindran, and Anand Raghunathan. 2020. EMPIR: Ensembles of Mixed Precision Deep Networks for Increased Robustness Against Adversarial Attacks. In International Conference on Learning Representations."},
{"key":"e_1_3_2_1_29_1","volume-title":"Error-Correcting Neural Network. arXiv","author":"Song Yang","year":"2019","unstructured":"Yang Song, Qiyu Kang, and Wee Peng Tay. 2019. Error-Correcting Neural Network. arXiv:1912.00181 [cs.LG]"},
{"key":"e_1_3_2_1_30_1","volume-title":"Intriguing Properties of Neural Networks. arXiv preprint arXiv:1312.6199","author":"Szegedy Christian","year":"2013","unstructured":"Christian Szegedy, Wojciech Zaremba, Ilya Sutskever, Joan Bruna, Dumitru Erhan, Ian Goodfellow, and Rob Fergus. 2013. Intriguing Properties of Neural Networks. arXiv preprint arXiv:1312.6199 (2013)."},
{"key":"e_1_3_2_1_31_1","volume-title":"On Adaptive Attacks to Adversarial Example Defenses. arXiv","author":"Tramer Florian","year":"2020","unstructured":"Florian Tramer, Nicholas Carlini, Wieland Brendel, and Aleksander Madry. 2020. On Adaptive Attacks to Adversarial Example Defenses. arXiv:2002.08347 [cs.LG]"},
{"volume-title":"Advances in Neural Information Processing Systems 32. Curran Associates","author":"Verma Gunjan","key":"e_1_3_2_1_32_1","unstructured":"Gunjan Verma and Ananthram Swami. 2019. Error Correcting Output Codes Improve Probability Estimation and Adversarial Robustness of Deep Neural Networks. In Advances in Neural Information Processing Systems 32. Curran Associates, Inc., 8646--8656."},
{"key":"e_1_3_2_1_33_1","doi-asserted-by":"crossref","unstructured":"Eric Wallace, Shi Feng, Nikhil Kandpal, Matt Gardner, and Sameer Singh. 2019. Universal Adversarial Triggers for Attacking and Analyzing NLP. In Empirical Methods in Natural Language Processing (EMNLP).","DOI":"10.18653\/v1\/D19-1221"},
{"key":"e_1_3_2_1_34_1","volume-title":"Fashion-MNIST: A Novel Image Dataset for Benchmarking Machine Learning Algorithms. arXiv preprint arXiv:1708.07747","author":"Xiao Han","year":"2017","unstructured":"Han Xiao, Kashif Rasul, and Roland Vollgraf. 2017. Fashion-MNIST: A Novel Image Dataset for Benchmarking Machine Learning Algorithms. arXiv preprint arXiv:1708.07747 (2017)."},
{"key":"e_1_3_2_1_35_1","volume-title":"Feature Squeezing: Detecting Adversarial Examples in Deep Neural Networks. In 25th Annual Network and Distributed System Security Symposium, NDSS 2018","author":"Xu Weilin","year":"2018","unstructured":"Weilin Xu, David Evans, and Yanjun Qi. 2018. Feature Squeezing: Detecting Adversarial Examples in Deep Neural Networks. In 25th Annual Network and Distributed System Security Symposium, NDSS 2018, San Diego, California, USA, February 18-21, 2018. The Internet Society."}
],"event":{"name":"CCS '20: 2020 ACM SIGSAC Conference on Computer and Communications Security","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"],"location":"Virtual Event USA","acronym":"CCS '20"},"container-title":["Proceedings of the 13th ACM Workshop on Artificial Intelligence and Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3411508.3421380","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3411508.3421380","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T22:02:38Z","timestamp":1750197758000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3411508.3421380"}},"subtitle":["A Study of the Transformation-based Ensemble Defence"],"short-title":[],"issued":{"date-parts":[[2020,11,9]]},"references-count":35,"alternative-id":["10.1145\/3411508.3421380","10.1145\/3411508"],"URL":"https:\/\/doi.org\/10.1145\/3411508.3421380","relation":{},"subject":[],"published":{"date-parts":[[2020,11,9]]},"assertion":[{"value":"2020-11-09","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}