{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T04:24:20Z","timestamp":1750220660319,"version":"3.41.0"},"publisher-location":"New York, NY, USA","reference-count":52,"publisher":"ACM","license":[{"start":{"date-parts":[[2020,11,9]],"date-time":"2020-11-09T00:00:00Z","timestamp":1604880000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"Hewlett Foundation"},{"name":"Berkeley Deep Drive project"},{"name":"Futurewei"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2020,11,13]]},"DOI":"10.1145\/3411508.3421382","type":"proceedings-article","created":{"date-parts":[[2020,11,2]],"date-time":"2020-11-02T21:16:40Z","timestamp":1604351800000},"page":"25-36","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":1,"title":["E-ABS"],"prefix":"10.1145","author":[{"given":"An","family":"Ju","sequence":"first","affiliation":[{"name":"University of California, Berkeley, Berkeley, CA, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"David","family":"Wagner","sequence":"additional","affiliation":[{"name":"University of California, Berkeley, Berkeley, CA, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2020,11,9]]},"reference":[{"key":"e_1_3_2_1_1_1","volume-title":"arXiv preprint arXiv:1701.07875","author":"Arjovsky Martin","year":"2017","unstructured":"Martin Arjovsky , Soumith Chintala , and L\u00e9on Bottou . 2017. Wasserstein GAN. arXiv preprint arXiv:1701.07875 ( 2017 ). Martin Arjovsky, Soumith Chintala, and L\u00e9on Bottou. 2017. Wasserstein GAN. arXiv preprint arXiv:1701.07875 (2017)."},{"key":"e_1_3_2_1_2_1","volume-title":"Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. arXiv preprint arXiv:1802.00420","author":"Athalye Anish","year":"2018","unstructured":"Anish Athalye , Nicholas Carlini , and David Wagner . 2018. Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. arXiv preprint arXiv:1802.00420 ( 2018 ). Anish Athalye, Nicholas Carlini, and David Wagner. 2018. Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. arXiv preprint arXiv:1802.00420 (2018)."},{"key":"e_1_3_2_1_3_1","volume-title":"From optimal transport to generative modeling: the VEGAN cookbook. arXiv preprint arXiv:1705.07642","author":"Bousquet Olivier","year":"2017","unstructured":"Olivier Bousquet , Sylvain Gelly , Ilya Tolstikhin , Carl-Johann Simon-Gabriel , and Bernhard Schoelkopf . 2017. From optimal transport to generative modeling: the VEGAN cookbook. arXiv preprint arXiv:1705.07642 ( 2017 ). Olivier Bousquet, Sylvain Gelly, Ilya Tolstikhin, Carl-Johann Simon-Gabriel, and Bernhard Schoelkopf. 2017. From optimal transport to generative modeling: the VEGAN cookbook. arXiv preprint arXiv:1705.07642 (2017)."},{"key":"e_1_3_2_1_4_1","volume-title":"Decision-based adversarial attacks: Reliable attacks against black-box machine learning models. arXiv preprint arXiv:1712.04248","author":"Brendel Wieland","year":"2017","unstructured":"Wieland Brendel , Jonas Rauber , and Matthias Bethge . 2017. Decision-based adversarial attacks: Reliable attacks against black-box machine learning models. arXiv preprint arXiv:1712.04248 ( 2017 ). Wieland Brendel, Jonas Rauber, and Matthias Bethge. 2017. Decision-based adversarial attacks: Reliable attacks against black-box machine learning models. arXiv preprint arXiv:1712.04248 (2017)."},{"key":"e_1_3_2_1_5_1","volume-title":"Importance weighted autoencoders. arXiv preprint arXiv:1509.00519","author":"Burda Yuri","year":"2015","unstructured":"Yuri Burda , Roger Grosse , and Ruslan Salakhutdinov . 2015. Importance weighted autoencoders. arXiv preprint arXiv:1509.00519 ( 2015 ). Yuri Burda, Roger Grosse, and Ruslan Salakhutdinov. 2015. Importance weighted autoencoders. arXiv preprint arXiv:1509.00519 (2015)."},{"key":"e_1_3_2_1_6_1","volume-title":"On evaluating adversarial robustness. arXiv preprint arXiv:1902.06705","author":"Carlini Nicholas","year":"2019","unstructured":"Nicholas Carlini , Anish Athalye , Nicolas Papernot , Wieland Brendel , Jonas Rauber , Dimitris Tsipras , Ian Goodfellow , Aleksander Madry , and Alexey Kurakin . 2019. On evaluating adversarial robustness. arXiv preprint arXiv:1902.06705 ( 2019 ). Nicholas Carlini, Anish Athalye, Nicolas Papernot, Wieland Brendel, Jonas Rauber, Dimitris Tsipras, Ian Goodfellow, Aleksander Madry, and Alexey Kurakin. 2019. On evaluating adversarial robustness. arXiv preprint arXiv:1902.06705 (2019)."},{"volume-title":"Towards Evaluating the Robustness of Neural Networks. In 2017 IEEE Symposium on Security and Privacy (SP). 39--57","author":"Carlini N.","key":"e_1_3_2_1_7_1","unstructured":"N. Carlini and D. Wagner . 2017 . Towards Evaluating the Robustness of Neural Networks. In 2017 IEEE Symposium on Security and Privacy (SP). 39--57 . N. Carlini and D. Wagner. 2017. Towards Evaluating the Robustness of Neural Networks. In 2017 IEEE Symposium on Security and Privacy (SP). 39--57."},{"key":"e_1_3_2_1_8_1","volume-title":"but why? Generative ensembles for robust anomaly detection. arXiv preprint arXiv:1810.01392","author":"Choi Hyunsun","year":"2018","unstructured":"Hyunsun Choi , Eric Jang , and Alexander A Alemi . 2018. WAIC , but why? Generative ensembles for robust anomaly detection. arXiv preprint arXiv:1810.01392 ( 2018 ). Hyunsun Choi, Eric Jang, and Alexander A Alemi. 2018. WAIC, but why? Generative ensembles for robust anomaly detection. arXiv preprint arXiv:1810.01392 (2018)."},{"key":"e_1_3_2_1_9_1","volume-title":"Provable robustness of ReLu networks via maximization of linear regions. arXiv preprint arXiv:1810.07481","author":"Croce Francesco","year":"2018","unstructured":"Francesco Croce , Maksym Andriushchenko , and Matthias Hein . 2018. Provable robustness of ReLu networks via maximization of linear regions. arXiv preprint arXiv:1810.07481 ( 2018 ). Francesco Croce, Maksym Andriushchenko, and Matthias Hein. 2018. Provable robustness of ReLu networks via maximization of linear regions. arXiv preprint arXiv:1810.07481 (2018)."},{"key":"e_1_3_2_1_10_1","volume-title":"Diagnosing and enhancing VAE models. arXiv preprint arXiv:1903.05789","author":"Dai Bin","year":"2019","unstructured":"Bin Dai and David Wipf . 2019. Diagnosing and enhancing VAE models. arXiv preprint arXiv:1903.05789 ( 2019 ). Bin Dai and David Wipf. 2019. Diagnosing and enhancing VAE models. arXiv preprint arXiv:1903.05789 (2019)."},{"key":"e_1_3_2_1_11_1","doi-asserted-by":"crossref","unstructured":"J. Deng W. Dong R. Socher L.-J. Li K. Li and L. Fei-Fei. 2009. ImageNet: A Large-Scale Hierarchical Image Database. In CVPR09.  J. Deng W. Dong R. Socher L.-J. Li K. Li and L. Fei-Fei. 2009. ImageNet: A Large-Scale Hierarchical Image Database. In CVPR09.","DOI":"10.1109\/CVPR.2009.5206848"},{"key":"e_1_3_2_1_12_1","volume-title":"Approximate statistical tests for comparing supervised classification learning algorithms. Neural computation","author":"Dietterich Thomas G","year":"1998","unstructured":"Thomas G Dietterich . 1998. Approximate statistical tests for comparing supervised classification learning algorithms. Neural computation , Vol. 10 , 7 ( 1998 ), 1895--1923. Thomas G Dietterich. 1998. Approximate statistical tests for comparing supervised classification learning algorithms. Neural computation, Vol. 10, 7 (1998), 1895--1923."},{"key":"e_1_3_2_1_13_1","volume-title":"Density estimation using Real NVP. arXiv preprint arXiv:1605.08803","author":"Dinh Laurent","year":"2016","unstructured":"Laurent Dinh , Jascha Sohl-Dickstein , and Samy Bengio . 2016. Density estimation using Real NVP. arXiv preprint arXiv:1605.08803 ( 2016 ). Laurent Dinh, Jascha Sohl-Dickstein, and Samy Bengio. 2016. Density estimation using Real NVP. arXiv preprint arXiv:1605.08803 (2016)."},{"key":"e_1_3_2_1_14_1","unstructured":"Alhussein Fawzi Seyed-Mohsen Moosavi-Dezfooli and Pascal Frossard. 2016. Robustness of classifiers: from adversarial to random noise. In Advances in Neural Information Processing Systems. 1632--1640.  Alhussein Fawzi Seyed-Mohsen Moosavi-Dezfooli and Pascal Frossard. 2016. Robustness of classifiers: from adversarial to random noise. In Advances in Neural Information Processing Systems. 1632--1640."},{"key":"e_1_3_2_1_15_1","volume-title":"Understanding the limitations of conditional generative models. arXiv preprint arXiv:1906.01171","author":"Fetaya Ethan","year":"2019","unstructured":"Ethan Fetaya , J\u00f6rn-Henrik Jacobsen , Will Grathwohl , and Richard Zemel . 2019. Understanding the limitations of conditional generative models. arXiv preprint arXiv:1906.01171 ( 2019 ). Ethan Fetaya, J\u00f6rn-Henrik Jacobsen, Will Grathwohl, and Richard Zemel. 2019. Understanding the limitations of conditional generative models. arXiv preprint arXiv:1906.01171 (2019)."},{"key":"e_1_3_2_1_16_1","volume-title":"Controversial stimuli: pitting neural networks against each other as models of human recognition. arXiv preprint arXiv:1911.09288","author":"Golan Tal","year":"2019","unstructured":"Tal Golan , Prashant C Raju , and Nikolaus Kriegeskorte . 2019. Controversial stimuli: pitting neural networks against each other as models of human recognition. arXiv preprint arXiv:1911.09288 ( 2019 ). Tal Golan, Prashant C Raju, and Nikolaus Kriegeskorte. 2019. Controversial stimuli: pitting neural networks against each other as models of human recognition. arXiv preprint arXiv:1911.09288 (2019)."},{"key":"e_1_3_2_1_17_1","unstructured":"Ian Goodfellow Jean Pouget-Abadie Mehdi Mirza Bing Xu David Warde-Farley Sherjil Ozair Aaron Courville and Yoshua Bengio. 2014. Generative adversarial nets. In Advances in neural information processing systems. 2672--2680.  Ian Goodfellow Jean Pouget-Abadie Mehdi Mirza Bing Xu David Warde-Farley Sherjil Ozair Aaron Courville and Yoshua Bengio. 2014. Generative adversarial nets. In Advances in neural information processing systems. 2672--2680."},{"key":"e_1_3_2_1_18_1","volume-title":"When NAS Meets Robustness: In Search of Robust Architectures against Adversarial Attacks. arXiv preprint arXiv:1911.10695","author":"Guo Minghao","year":"2019","unstructured":"Minghao Guo , Yuzhe Yang , Rui Xu , and Ziwei Liu . 2019. When NAS Meets Robustness: In Search of Robust Architectures against Adversarial Attacks. arXiv preprint arXiv:1911.10695 ( 2019 ). Minghao Guo, Yuzhe Yang, Rui Xu, and Ziwei Liu. 2019. When NAS Meets Robustness: In Search of Robust Architectures against Adversarial Attacks. arXiv preprint arXiv:1911.10695 (2019)."},{"key":"e_1_3_2_1_19_1","volume-title":"Deep anomaly detection with outlier exposure. arXiv preprint arXiv:1812.04606","author":"Hendrycks Dan","year":"2018","unstructured":"Dan Hendrycks , Mantas Mazeika , and Thomas Dietterich . 2018. Deep anomaly detection with outlier exposure. arXiv preprint arXiv:1812.04606 ( 2018 ). Dan Hendrycks, Mantas Mazeika, and Thomas Dietterich. 2018. Deep anomaly detection with outlier exposure. arXiv preprint arXiv:1812.04606 (2018)."},{"key":"e_1_3_2_1_20_1","first-page":"6","article-title":"beta-VAE: Learning basic visual concepts with a constrained variational framework","volume":"2","author":"Higgins Irina","year":"2017","unstructured":"Irina Higgins , Loic Matthey , Arka Pal , Christopher Burgess , Xavier Glorot , Matthew Botvinick , Shakir Mohamed , and Alexander Lerchner . 2017 . beta-VAE: Learning basic visual concepts with a constrained variational framework . ICLR , Vol. 2 , 5 (2017), 6 . Irina Higgins, Loic Matthey, Arka Pal, Christopher Burgess, Xavier Glorot, Matthew Botvinick, Shakir Mohamed, and Alexander Lerchner. 2017. beta-VAE: Learning basic visual concepts with a constrained variational framework. ICLR, Vol. 2, 5 (2017), 6.","journal-title":"ICLR"},{"key":"e_1_3_2_1_21_1","volume-title":"Batch normalization: Accelerating deep network training by reducing internal covariate shift. arXiv preprint arXiv:1502.03167","author":"Ioffe Sergey","year":"2015","unstructured":"Sergey Ioffe and Christian Szegedy . 2015. Batch normalization: Accelerating deep network training by reducing internal covariate shift. arXiv preprint arXiv:1502.03167 ( 2015 ). Sergey Ioffe and Christian Szegedy. 2015. Batch normalization: Accelerating deep network training by reducing internal covariate shift. arXiv preprint arXiv:1502.03167 (2015)."},{"key":"e_1_3_2_1_22_1","volume-title":"The robust manifold defense: Adversarial training using generative models. arXiv preprint arXiv:1712.09196","author":"Jalal Ajil","year":"2017","unstructured":"Ajil Jalal , Andrew Ilyas , Constantinos Daskalakis , and Alexandros G Dimakis . 2017. The robust manifold defense: Adversarial training using generative models. arXiv preprint arXiv:1712.09196 ( 2017 ). Ajil Jalal, Andrew Ilyas, Constantinos Daskalakis, and Alexandros G Dimakis. 2017. The robust manifold defense: Adversarial training using generative models. arXiv preprint arXiv:1712.09196 (2017)."},{"key":"e_1_3_2_1_23_1","volume-title":"Adam: A method for stochastic optimization. arXiv preprint arXiv:1412.6980","author":"Kingma Diederik P","year":"2014","unstructured":"Diederik P Kingma and Jimmy Ba . 2014 . Adam: A method for stochastic optimization. arXiv preprint arXiv:1412.6980 (2014). Diederik P Kingma and Jimmy Ba. 2014. Adam: A method for stochastic optimization. arXiv preprint arXiv:1412.6980 (2014)."},{"key":"e_1_3_2_1_24_1","volume-title":"Glow: Generative flow with invertible 1x1 convolutions. In Advances in Neural Information Processing Systems. 10215--10224.","author":"Kingma Durk P","year":"2018","unstructured":"Durk P Kingma and Prafulla Dhariwal . 2018 . Glow: Generative flow with invertible 1x1 convolutions. In Advances in Neural Information Processing Systems. 10215--10224. Durk P Kingma and Prafulla Dhariwal. 2018. Glow: Generative flow with invertible 1x1 convolutions. In Advances in Neural Information Processing Systems. 10215--10224."},{"key":"e_1_3_2_1_25_1","volume-title":"Auto-encoding variational Bayes. arXiv preprint arXiv:1312.6114","author":"Kingma Diederik P","year":"2013","unstructured":"Diederik P Kingma and Max Welling . 2013. Auto-encoding variational Bayes. arXiv preprint arXiv:1312.6114 ( 2013 ). Diederik P Kingma and Max Welling. 2013. Auto-encoding variational Bayes. arXiv preprint arXiv:1312.6114 (2013)."},{"key":"e_1_3_2_1_26_1","volume-title":"et almbox","author":"Krizhevsky Alex","year":"2009","unstructured":"Alex Krizhevsky , Geoffrey Hinton , et almbox . 2009 . Learning multiple layers of features from tiny images. (2009). Alex Krizhevsky, Geoffrey Hinton, et almbox. 2009. Learning multiple layers of features from tiny images. (2009)."},{"key":"e_1_3_2_1_27_1","volume-title":"Adversarial examples in the physical world. arXiv preprint arXiv:1607.02533","author":"Kurakin Alexey","year":"2016","unstructured":"Alexey Kurakin , Ian Goodfellow , and Samy Bengio . 2016. Adversarial examples in the physical world. arXiv preprint arXiv:1607.02533 ( 2016 ). Alexey Kurakin, Ian Goodfellow, and Samy Bengio. 2016. Adversarial examples in the physical world. arXiv preprint arXiv:1607.02533 (2016)."},{"key":"e_1_3_2_1_28_1","unstructured":"Yann LeCun and Corinna Cortes. 2010. MNIST handwritten digit database. http:\/\/yann.lecun.com\/exdb\/mnist\/. (2010). http:\/\/yann.lecun.com\/exdb\/mnist\/  Yann LeCun and Corinna Cortes. 2010. MNIST handwritten digit database. http:\/\/yann.lecun.com\/exdb\/mnist\/. (2010). http:\/\/yann.lecun.com\/exdb\/mnist\/"},{"key":"e_1_3_2_1_29_1","volume-title":"Towards deep learning models resistant to adversarial attacks. arXiv preprint arXiv:1706.06083","author":"Madry Aleksander","year":"2017","unstructured":"Aleksander Madry , Aleksandar Makelov , Ludwig Schmidt , Dimitris Tsipras , and Adrian Vladu . 2017. Towards deep learning models resistant to adversarial attacks. arXiv preprint arXiv:1706.06083 ( 2017 ). Aleksander Madry, Aleksandar Makelov, Ludwig Schmidt, Dimitris Tsipras, and Adrian Vladu. 2017. Towards deep learning models resistant to adversarial attacks. arXiv preprint arXiv:1706.06083 (2017)."},{"key":"e_1_3_2_1_30_1","volume-title":"Adversarial autoencoders. arXiv preprint arXiv:1511.05644","author":"Makhzani Alireza","year":"2015","unstructured":"Alireza Makhzani , Jonathon Shlens , Navdeep Jaitly , Ian Goodfellow , and Brendan Frey . 2015. Adversarial autoencoders. arXiv preprint arXiv:1511.05644 ( 2015 ). Alireza Makhzani, Jonathon Shlens, Navdeep Jaitly, Ian Goodfellow, and Brendan Frey. 2015. Adversarial autoencoders. arXiv preprint arXiv:1511.05644 (2015)."},{"key":"e_1_3_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.282"},{"key":"e_1_3_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.5555\/3104322.3104425"},{"key":"e_1_3_2_1_33_1","volume-title":"Dilan Gorur, and Balaji Lakshminarayanan.","author":"Nalisnick Eric","year":"2018","unstructured":"Eric Nalisnick , Akihiro Matsukawa , Yee Whye Teh , Dilan Gorur, and Balaji Lakshminarayanan. 2018 . Do de ep generative models know what they don't know? arXiv preprint arXiv:1810.09136 (2018). Eric Nalisnick, Akihiro Matsukawa, Yee Whye Teh, Dilan Gorur, and Balaji Lakshminarayanan. 2018. Do deep generative models know what they don't know? arXiv preprint arXiv:1810.09136 (2018)."},{"key":"e_1_3_2_1_34_1","volume-title":"Yee Whye Teh, and Balaji Lakshminarayanan","author":"Nalisnick Eric","year":"2019","unstructured":"Eric Nalisnick , Akihiro Matsukawa , Yee Whye Teh, and Balaji Lakshminarayanan . 2019 . Detecting out-of-distribution inputs to deep generative models using a test for typicality. arXiv preprint arXiv:1906.02994 (2019). Eric Nalisnick, Akihiro Matsukawa, Yee Whye Teh, and Balaji Lakshminarayanan. 2019. Detecting out-of-distribution inputs to deep generative models using a test for typicality. arXiv preprint arXiv:1906.02994 (2019)."},{"key":"e_1_3_2_1_35_1","unstructured":"Yuval Netzer Tao Wang Adam Coates Alessandro Bissacco Bo Wu and Andrew Y Ng. 2011. Reading digits in natural images with unsupervised feature learning. (2011).  Yuval Netzer Tao Wang Adam Coates Alessandro Bissacco Bo Wu and Andrew Y Ng. 2011. Reading digits in natural images with unsupervised feature learning. (2011)."},{"key":"e_1_3_2_1_36_1","volume-title":"Adversarial robustness of flow-based generative models. arXiv preprint arXiv:1911.08654","author":"Pope Phillip","year":"2019","unstructured":"Phillip Pope , Yogesh Balaji , and Soheil Feizi . 2019. Adversarial robustness of flow-based generative models. arXiv preprint arXiv:1911.08654 ( 2019 ). Phillip Pope, Yogesh Balaji, and Soheil Feizi. 2019. Adversarial robustness of flow-based generative models. arXiv preprint arXiv:1911.08654 (2019)."},{"key":"e_1_3_2_1_37_1","volume-title":"Foolbox: A Python toolbox to benchmark the robustness of machine learning models. arXiv preprint arXiv:1707.04131","author":"Rauber Jonas","year":"2017","unstructured":"Jonas Rauber , Wieland Brendel , and Matthias Bethge . 2017 . Foolbox: A Python toolbox to benchmark the robustness of machine learning models. arXiv preprint arXiv:1707.04131 (2017). arxiv: 1707.04131 http:\/\/arxiv.org\/abs\/1707.04131 Jonas Rauber, Wieland Brendel, and Matthias Bethge. 2017. Foolbox: A Python toolbox to benchmark the robustness of machine learning models. arXiv preprint arXiv:1707.04131 (2017). arxiv: 1707.04131 http:\/\/arxiv.org\/abs\/1707.04131"},{"key":"e_1_3_2_1_38_1","volume-title":"Stochastic backpropagation and approximate inference in deep generative models. arXiv preprint arXiv:1401.4082","author":"Rezende Danilo Jimenez","year":"2014","unstructured":"Danilo Jimenez Rezende , Shakir Mohamed , and Daan Wierstra . 2014. Stochastic backpropagation and approximate inference in deep generative models. arXiv preprint arXiv:1401.4082 ( 2014 ). Danilo Jimenez Rezende, Shakir Mohamed, and Daan Wierstra. 2014. Stochastic backpropagation and approximate inference in deep generative models. arXiv preprint arXiv:1401.4082 (2014)."},{"key":"e_1_3_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2019.00445"},{"key":"e_1_3_2_1_40_1","volume-title":"Distribution matching in variational inference. arXiv preprint arXiv:1802.06847","author":"Rosca Mihaela","year":"2018","unstructured":"Mihaela Rosca , Balaji Lakshminarayanan , and Shakir Mohamed . 2018. Distribution matching in variational inference. arXiv preprint arXiv:1802.06847 ( 2018 ). Mihaela Rosca, Balaji Lakshminarayanan, and Shakir Mohamed. 2018. Distribution matching in variational inference. arXiv preprint arXiv:1802.06847 (2018)."},{"key":"e_1_3_2_1_41_1","volume-title":"Defense-GAN: Protecting classifiers against adversarial attacks using generative models. arXiv preprint arXiv:1805.06605","author":"Samangouei Pouya","year":"2018","unstructured":"Pouya Samangouei , Maya Kabkab , and Rama Chellappa . 2018. Defense-GAN: Protecting classifiers against adversarial attacks using generative models. arXiv preprint arXiv:1805.06605 ( 2018 ). Pouya Samangouei, Maya Kabkab, and Rama Chellappa. 2018. Defense-GAN: Protecting classifiers against adversarial attacks using generative models. arXiv preprint arXiv:1805.06605 (2018)."},{"key":"e_1_3_2_1_42_1","volume-title":"Towards the first adversarially robust neural network model on MNIST. arXiv preprint arXiv:1805.09190","author":"Schott Lukas","year":"2018","unstructured":"Lukas Schott , Jonas Rauber , Matthias Bethge , and Wieland Brendel . 2018. Towards the first adversarially robust neural network model on MNIST. arXiv preprint arXiv:1805.09190 ( 2018 ). Lukas Schott, Jonas Rauber, Matthias Bethge, and Wieland Brendel. 2018. Towards the first adversarially robust neural network model on MNIST. arXiv preprint arXiv:1805.09190 (2018)."},{"key":"e_1_3_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.5555\/2627435.2670313"},{"key":"e_1_3_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.neunet.2012.02.016"},{"key":"e_1_3_2_1_45_1","volume-title":"Intriguing properties of neural networks. arXiv preprint arXiv:1312.6199","author":"Szegedy Christian","year":"2013","unstructured":"Christian Szegedy , Wojciech Zaremba , Ilya Sutskever , Joan Bruna , Dumitru Erhan , Ian Goodfellow , and Rob Fergus . 2013. Intriguing properties of neural networks. arXiv preprint arXiv:1312.6199 ( 2013 ). Christian Szegedy, Wojciech Zaremba, Ilya Sutskever, Joan Bruna, Dumitru Erhan, Ian Goodfellow, and Rob Fergus. 2013. Intriguing properties of neural networks. arXiv preprint arXiv:1312.6199 (2013)."},{"key":"e_1_3_2_1_46_1","volume-title":"Deep Learning for Large-Scale Traffic-Sign Detection and Recognition","author":"Tabernik Domen","year":"2019","unstructured":"Domen Tabernik and Danijel Skovc aj. 2019. Deep Learning for Large-Scale Traffic-Sign Detection and Recognition . IEEE Transactions on Intelligent Transportation Systems ( 2019 ). Domen Tabernik and Danijel Skovc aj. 2019. Deep Learning for Large-Scale Traffic-Sign Detection and Recognition. IEEE Transactions on Intelligent Transportation Systems (2019)."},{"key":"e_1_3_2_1_47_1","volume-title":"A note on the evaluation of generative models. arXiv preprint arXiv:1511.01844","author":"Theis Lucas","year":"2015","unstructured":"Lucas Theis , A\u00e4ron van den Oord , and Matthias Bethge . 2015. A note on the evaluation of generative models. arXiv preprint arXiv:1511.01844 ( 2015 ). Lucas Theis, A\u00e4ron van den Oord, and Matthias Bethge. 2015. A note on the evaluation of generative models. arXiv preprint arXiv:1511.01844 (2015)."},{"key":"e_1_3_2_1_48_1","volume-title":"Multi-view traffic sign detection, recognition, and 3D localisation. Machine vision and applications","author":"Timofte Radu","year":"2014","unstructured":"Radu Timofte , Karel Zimmermann , and Luc Van Gool . 2014. Multi-view traffic sign detection, recognition, and 3D localisation. Machine vision and applications , Vol. 25 , 3 ( 2014 ), 633--647. Radu Timofte, Karel Zimmermann, and Luc Van Gool. 2014. Multi-view traffic sign detection, recognition, and 3D localisation. Machine vision and applications, Vol. 25, 3 (2014), 633--647."},{"key":"e_1_3_2_1_49_1","unstructured":"Ilya Tolstikhin Olivier Bousquet Sylvain Gelly and Bernhard Schoelkopf. 2017. Wasserstein auto-encoders. arXiv preprint arXiv:1711.0155(2017).  Ilya Tolstikhin Olivier Bousquet Sylvain Gelly and Bernhard Schoelkopf. 2017. Wasserstein auto-encoders. arXiv preprint arXiv:1711.0155(2017)."},{"key":"e_1_3_2_1_50_1","volume-title":"On adaptive attacks to adversarial example defenses. arXiv preprint arXiv:2002.08347","author":"Tramer Florian","year":"2020","unstructured":"Florian Tramer , Nicholas Carlini , Wieland Brendel , and Aleksander Madry . 2020. On adaptive attacks to adversarial example defenses. arXiv preprint arXiv:2002.08347 ( 2020 ). Florian Tramer, Nicholas Carlini, Wieland Brendel, and Aleksander Madry. 2020. On adaptive attacks to adversarial example defenses. arXiv preprint arXiv:2002.08347 (2020)."},{"key":"e_1_3_2_1_51_1","volume-title":"Fashion-MNIST: a Novel Image Dataset for Benchmarking Machine Learning Algorithms. arXiv preprint arXiv:1708.07747","author":"Xiao Han","year":"2017","unstructured":"Han Xiao , Kashif Rasul , and Roland Vollgraf . 2017. Fashion-MNIST: a Novel Image Dataset for Benchmarking Machine Learning Algorithms. arXiv preprint arXiv:1708.07747 ( 2017 ). Han Xiao, Kashif Rasul, and Roland Vollgraf. 2017. Fashion-MNIST: a Novel Image Dataset for Benchmarking Machine Learning Algorithms. arXiv preprint arXiv:1708.07747 (2017)."},{"key":"e_1_3_2_1_52_1","volume-title":"Empirical evaluation of rectified activations in convolutional network. arXiv preprint arXiv:1505.00853","author":"Xu Bing","year":"2015","unstructured":"Bing Xu , Naiyan Wang , Tianqi Chen , and Mu Li. 2015. Empirical evaluation of rectified activations in convolutional network. arXiv preprint arXiv:1505.00853 ( 2015 ). Bing Xu, Naiyan Wang, Tianqi Chen, and Mu Li. 2015. Empirical evaluation of rectified activations in convolutional network. arXiv preprint arXiv:1505.00853 (2015)."}],"event":{"name":"CCS '20: 2020 ACM SIGSAC Conference on Computer and Communications Security","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"],"location":"Virtual Event USA","acronym":"CCS '20"},"container-title":["Proceedings of the 13th ACM Workshop on Artificial Intelligence and Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3411508.3421382","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3411508.3421382","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T22:02:38Z","timestamp":1750197758000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3411508.3421382"}},"subtitle":["Extending the Analysis-By-Synthesis Robust Classification Model to More Complex Image Domains"],"short-title":[],"issued":{"date-parts":[[2020,11,9]]},"references-count":52,"alternative-id":["10.1145\/3411508.3421382","10.1145\/3411508"],"URL":"https:\/\/doi.org\/10.1145\/3411508.3421382","relation":{},"subject":[],"published":{"date-parts":[[2020,11,9]]},"assertion":[{"value":"2020-11-09","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}