{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,18]],"date-time":"2025-11-18T20:55:28Z","timestamp":1763499328439,"version":"3.45.0"},"publisher-location":"New York, NY, USA","reference-count":66,"publisher":"ACM","license":[{"start":{"date-parts":[[2022,11,13]],"date-time":"2022-11-13T00:00:00Z","timestamp":1668297600000},"content-version":"vor","delay-in-days":366,"URL":"http:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/100000001","name":"NSF (National Science Foundation)","doi-asserted-by":"publisher","award":["No.1910100,CNS 20-46726 CAR"],"award-info":[{"award-number":["No.1910100,CNS 20-46726 CAR"]}],"id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2021,11,12]]},"DOI":"10.1145\/3460120.3485258","type":"proceedings-article","created":{"date-parts":[[2021,11,13]],"date-time":"2021-11-13T12:05:33Z","timestamp":1636805133000},"page":"535-557","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":12,"title":["TSS: Transformation-Specific Smoothing for Robustness Certification"],"prefix":"10.1145","author":[{"given":"Linyi","family":"Li","sequence":"first","affiliation":[{"name":"University of Illinois, Urbana, IL, USA"}]},{"given":"Maurice","family":"Weber","sequence":"additional","affiliation":[{"name":"ETH Z\u00fcrich, Z\u00fcrich, Switzerland"}]},{"given":"Xiaojun","family":"Xu","sequence":"additional","affiliation":[{"name":"University of Illinois, Urbana, IL, USA"}]},{"given":"Luka","family":"Rimanic","sequence":"additional","affiliation":[{"name":"ETH Z\u00fcrich, Z\u00fcrich, Switzerland"}]},{"given":"Bhavya","family":"Kailkhura","sequence":"additional","affiliation":[{"name":"Lawrence Livermore National Laboratory, Livermore, CA, 
USA"}]},{"given":"Tao","family":"Xie","sequence":"additional","affiliation":[{"name":"Peking University, Beijing, China"}]},{"given":"Ce","family":"Zhang","sequence":"additional","affiliation":[{"name":"ETH Z\u00fcrich, Z\u00fcrich, Switzerland"}]},{"given":"Bo","family":"Li","sequence":"additional","affiliation":[{"name":"University of Illinois, Urbana, IL, USA"}]}],"member":"320","published-online":{"date-parts":[[2021,11,13]]},"reference":[{"key":"e_1_3_2_2_1_1","volume-title":"2018 International Conference on Machine Learning (ICML). PMLR, 274--283","author":"Athalye Anish","year":"2018","unstructured":"Anish Athalye, Nicholas Carlini, and David Wagner. 2018. Obfuscated Gradients Give a False Sense of Security: Circumventing Defenses to Adversarial Examples. In 2018 International Conference on Machine Learning (ICML). PMLR, 274--283."},{"volume-title":"Certifying Geometric Robustness of Neural Networks. In 2019 Advances in Neural Information Processing Systems (NeurIPS). Curran Associates","author":"Balunovic Mislav","unstructured":"Mislav Balunovic, Maximilian Baader, Gagandeep Singh, Timon Gehr, and Martin Vechev. 2019. Certifying Geometric Robustness of Neural Networks. In 2019 Advances in Neural Information Processing Systems (NeurIPS). Curran Associates, Inc., 15287--15297.","key":"e_1_3_2_2_2_1"},{"key":"e_1_3_2_2_3_1","first-page":"1","article-title":"Random Smoothing Might be Unable to Certify $\\ell_\\infty$ Robustness for High-Dimensional Images","volume":"21","author":"Blum Avrim","year":"2020","unstructured":"Avrim Blum, Travis Dick, Naren Manoj, and Hongyang Zhang. 2020. Random Smoothing Might be Unable to Certify $\\ell_\\infty$ Robustness for High-Dimensional Images. Journal of Machine Learning Research (JMLR), Vol. 
21, 211 (2020), 1--21.","journal-title":"Journal of Machine Learning Research (JMLR)"},{"doi-asserted-by":"publisher","key":"e_1_3_2_2_4_1","DOI":"10.1109\/ACCESS.2020.3010274"},{"key":"e_1_3_2_2_5_1","volume-title":"Towards Evaluating the Robustness of Neural Networks. In 2017 IEEE Symposium on Security and Privacy (SP). IEEE Computer Society, 39--57","author":"Carlini Nicholas","year":"2017","unstructured":"Nicholas Carlini and David Wagner. 2017. Towards Evaluating the Robustness of Neural Networks. In 2017 IEEE Symposium on Security and Privacy (SP). IEEE Computer Society, 39--57."},{"volume-title":"Unlabeled Data Improves Adversarial Robustness. In 2019 Advances in Neural Information Processing Systems (NeurIPS). Curran Associates","author":"Carmon Yair","unstructured":"Yair Carmon, Aditi Raghunathan, Ludwig Schmidt, John C Duchi, and Percy S Liang. 2019. Unlabeled Data Improves Adversarial Robustness. In 2019 Advances in Neural Information Processing Systems (NeurIPS). Curran Associates, Inc., 11192--11203.","key":"e_1_3_2_2_6_1"},{"key":"e_1_3_2_2_7_1","volume-title":"2019 International Conference on Machine Learning (ICML). PMLR, 1310--1320","author":"Cohen Jeremy","year":"2019","unstructured":"Jeremy Cohen, Elan Rosenfeld, and Zico Kolter. 2019. Certified Adversarial Robustness via Randomized Smoothing. In 2019 International Conference on Machine Learning (ICML). PMLR, 1310--1320."},{"key":"e_1_3_2_2_8_1","volume-title":"RobustBench: A Standardized Adversarial Robustness Benchmark. arXiv preprint arXiv:2010.09670","author":"Croce Francesco","year":"2020","unstructured":"Francesco Croce, Maksym Andriushchenko, Vikash Sehwag, Nicolas Flammarion, Mung Chiang, Prateek Mittal, and Matthias Hein. 2020. RobustBench: A Standardized Adversarial Robustness Benchmark. arXiv preprint arXiv:2010.09670, Vol. 
10 (2020)."},{"unstructured":"Sumanth Dathathri Krishnamurthy Dvijotham Alexey Kurakin Aditi Raghunathan Jonathan Uesato Rudy Bunel Shreya Shankar Jacob Steinhardt Ian Goodfellow Percy Liang et al. 2020. Enabling Certification of Verification-Agnostic Networks via Memory-Efficient Semidefinite Programming. In 2020 Advances in Neural Information Processing Systems (NeurIPS). Curran Associates Inc. 5318--5331.","key":"e_1_3_2_2_9_1"},{"key":"e_1_3_2_2_10_1","volume-title":"2020 International Conference on Learning Representations (ICLR). OpenReview.","author":"Dvijotham Krishnamurthy","year":"2020","unstructured":"Krishnamurthy Dvijotham, Jamie Hayes, Borja Balle, Zico Kolter, Chongli Qin, Andras Gyorgy, Kai Xiao, Sven Gowal, and Pushmeet Kohli. 2020. A Framework for Robustness Certification of Smoothed Classifiers using f-Divergences. In 2020 International Conference on Learning Representations (ICLR). OpenReview."},{"key":"e_1_3_2_2_11_1","volume-title":"Exploring the Landscape of Spatial Robustness. In 2019 International Conference on Machine Learning (ICML). PMLR","author":"Engstrom Logan","year":"2019","unstructured":"Logan Engstrom, Brandon Tran, Dimitris Tsipras, Ludwig Schmidt, and Aleksander Madry. 2019. Exploring the Landscape of Spatial Robustness. In 2019 International Conference on Machine Learning (ICML). PMLR, 1802--1811."},{"key":"e_1_3_2_2_12_1","volume-title":"Robust Physical-World Attacks on Deep Learning Visual Classification. In 2018 IEEE\/CVF Conference on Computer Vision and Pattern Recognition (CVPR). IEEE, 1625--1634","author":"Eykholt Kevin","year":"2018","unstructured":"Kevin Eykholt, Ivan Evtimov, Earlence Fernandes, Bo Li, Amir Rahmati, Chaowei Xiao, Atul Prakash, Tadayoshi Kohno, and Dawn Song. 2018. Robust Physical-World Attacks on Deep Learning Visual Classification. In 2018 IEEE\/CVF Conference on Computer Vision and Pattern Recognition (CVPR). 
IEEE, 1625--1634."},{"volume-title":"Certified Defense to Image Transformations via Randomized Smoothing. In 2020 Advances in Neural Information Processing Systems (NeurIPS). Curran Associates","author":"Fischer Marc","unstructured":"Marc Fischer, Maximilian Baader, and Martin Vechev. 2020. Certified Defense to Image Transformations via Randomized Smoothing. In 2020 Advances in Neural Information Processing Systems (NeurIPS). Curran Associates, Inc., 8404--8417.","key":"e_1_3_2_2_13_1"},{"key":"e_1_3_2_2_14_1","volume-title":"Breaking Certified Defenses: Semantic Adversarial Examples with Spoofed Robustness Certificates. In 2020 International Conference on Learning Representations (ICLR). OpenReview.","author":"Ghiasi Amin","year":"2020","unstructured":"Amin Ghiasi, Ali Shafahi, and Tom Goldstein. 2020. Breaking Certified Defenses: Semantic Adversarial Examples with Spoofed Robustness Certificates. In 2020 International Conference on Learning Representations (ICLR). OpenReview."},{"doi-asserted-by":"publisher","key":"e_1_3_2_2_15_1","DOI":"10.1609\/aaai.v35i9.16927"},{"key":"e_1_3_2_2_16_1","volume-title":"Explaining and Harnessing Adversarial Examples. In 2015 International Conference on Learning Representations (ICLR). OpenReview.","author":"Goodfellow Ian J","year":"2015","unstructured":"Ian J Goodfellow, Jonathon Shlens, and Christian Szegedy. 2015. Explaining and Harnessing Adversarial Examples. In 2015 International Conference on Learning Representations (ICLR). OpenReview."},{"key":"e_1_3_2_2_17_1","volume-title":"Scalable Verified Training for Provably Robust Image Classification. In 2019 IEEE International Conference on Computer Vision (ICCV). IEEE, 4842--4851","author":"Gowal Sven","year":"2019","unstructured":"Sven Gowal, Krishnamurthy Dvijotham, Robert Stanforth, Rudy Bunel, Chongli Qin, Jonathan Uesato, Relja Arandjelovic, Timothy Mann, and Pushmeet Kohli. 2019. Scalable Verified Training for Provably Robust Image Classification. 
In 2019 IEEE International Conference on Computer Vision (ICCV). IEEE, 4842--4851."},{"key":"e_1_3_2_2_18_1","volume-title":"Extensions and Limitations of Randomized Smoothing for Robustness Guarantees. In 2020 IEEE\/CVF Conference on Computer Vision and Pattern Recognition Workshops (CVPRW). IEEE, 3413--3421","author":"Hayes Jamie","year":"2020","unstructured":"Jamie Hayes. 2020. Extensions and Limitations of Randomized Smoothing for Robustness Guarantees. In 2020 IEEE\/CVF Conference on Computer Vision and Pattern Recognition Workshops (CVPRW). IEEE, 3413--3421."},{"doi-asserted-by":"publisher","key":"e_1_3_2_2_19_1","DOI":"10.1109\/ICCV.2015.123"},{"key":"e_1_3_2_2_20_1","volume-title":"2018 International Conference on Learning Representations (ICLR). OpenReview.","author":"Hendrycks Dan","year":"2018","unstructured":"Dan Hendrycks and Thomas Dietterich. 2018. Benchmarking Neural Network Robustness to Common Corruptions and Perturbations. In 2018 International Conference on Learning Representations (ICLR). OpenReview."},{"key":"e_1_3_2_2_21_1","volume-title":"2020 International Conference on Learning Representations (ICLR). OpenReview.","author":"Hendrycks Dan","year":"2020","unstructured":"Dan Hendrycks, Norman Mu, Ekin Dogus Cubuk, Barret Zoph, Justin Gilmer, and Balaji Lakshminarayanan. 2020. AugMix: A Simple Data Processing Method to Improve Robustness and Uncertainty. In 2020 International Conference on Learning Representations (ICLR). OpenReview."},{"key":"e_1_3_2_2_22_1","volume-title":"Semantic Adversarial Examples. In 2018 IEEE Conference on Computer Vision and Pattern Recognition Workshops (CVPRW). IEEE, 1614--1619","author":"Hosseini Hossein","year":"2018","unstructured":"Hossein Hosseini and Radha Poovendran. 2018. Semantic Adversarial Examples. In 2018 IEEE Conference on Computer Vision and Pattern Recognition Workshops (CVPRW). 
IEEE, 1614--1619."},{"key":"e_1_3_2_2_23_1","volume-title":"Generating Adversarial Malware Examples for Black-Box Attacks Based on GAN. arXiv preprint arXiv:1702.05983","author":"Hu Weiwei","year":"2017","unstructured":"Weiwei Hu and Ying Tan. 2017. Generating Adversarial Malware Examples for Black-Box Attacks Based on GAN. arXiv preprint arXiv:1702.05983, Vol. 02 (2017)."},{"volume-title":"Consistency Regularization for Certified Robustness of Smoothed Classifiers. In 2020 Advances in Neural Information Processing Systems (NeurIPS). Curran Associates","author":"Jeong Jongheon","unstructured":"Jongheon Jeong and Jinwoo Shin. 2020. Consistency Regularization for Certified Robustness of Smoothed Classifiers. In 2020 Advances in Neural Information Processing Systems (NeurIPS). Curran Associates, Inc., 10558--10570.","key":"e_1_3_2_2_24_1"},{"key":"e_1_3_2_2_25_1","volume-title":"Curse of Dimensionality on Randomized Smoothing for Certifiable Robustness. In 2020 International Conference on Machine Learning (ICML). PMLR, 5458--5467","author":"Kumar Aounon","year":"2020","unstructured":"Aounon Kumar, Alexander Levine, Tom Goldstein, and Soheil Feizi. 2020. Curse of Dimensionality on Randomized Smoothing for Certifiable Robustness. In 2020 International Conference on Machine Learning (ICML). PMLR, 5458--5467."},{"doi-asserted-by":"publisher","key":"e_1_3_2_2_26_1","DOI":"10.1109\/SP.2019.00044"},{"volume-title":"2019 a. Certified Adversarial Robustness with Additive Noise. In 2019 Advances in Neural Information Processing Systems (NeurIPS). Curran Associates","author":"Li Bai","unstructured":"Bai Li, Changyou Chen, Wenlin Wang, and Lawrence Carin. 2019 a. Certified Adversarial Robustness with Additive Noise. In 2019 Advances in Neural Information Processing Systems (NeurIPS). Curran Associates, Inc., 9459--9469.","key":"e_1_3_2_2_27_1"},{"key":"e_1_3_2_2_28_1","volume-title":"2020 a. SoK: Certified Robustness for Deep Neural Networks. 
arXiv preprint arXiv:2009.04131","author":"Li Linyi","year":"2020","unstructured":"Linyi Li, Xiangyu Qi, Tao Xie, and Bo Li. 2020 a. SoK: Certified Robustness for Deep Neural Networks. arXiv preprint arXiv:2009.04131, Vol. 09 (2020)."},{"key":"e_1_3_2_2_29_1","volume-title":"2020 b. TSS: Transformation-Specific Smoothing for Robustness Certification. arXiv preprint arXiv:2002.12398","author":"Li Linyi","year":"2020","unstructured":"Linyi Li, Maurice Weber, Xiaojun Xu, Luka Rimanic, Tao Xie, Ce Zhang, and Bo Li. 2020 b. TSS: Transformation-Specific Smoothing for Robustness Certification. arXiv preprint arXiv:2002.12398, Vol. 02 (2020). https:\/\/arxiv.org\/abs\/2002.12398"},{"doi-asserted-by":"publisher","key":"e_1_3_2_2_30_1","DOI":"10.24963\/ijcai.2019\/654"},{"key":"e_1_3_2_2_31_1","volume-title":"Characterizing Adversarial Subspaces Using Local Intrinsic Dimensionality. In 2018 International Conference on Learning Representations (ICLR). OpenReview.","author":"Ma Xingjun","year":"2018","unstructured":"Xingjun Ma, Bo Li, Yisen Wang, Sarah M Erfani, Sudanthi Wijewickrema, Grant Schoenebeck, Dawn Song, Michael E Houle, and James Bailey. 2018. Characterizing Adversarial Subspaces Using Local Intrinsic Dimensionality. In 2018 International Conference on Learning Representations (ICLR). OpenReview."},{"key":"e_1_3_2_2_32_1","volume-title":"2018 International Conference on Learning Representations (ICLR). OpenReview.","author":"Madry Aleksander","year":"2018","unstructured":"Aleksander Madry, Aleksandar Makelov, Ludwig Schmidt, Dimitris Tsipras, and Adrian Vladu. 2018. Towards Deep Learning Models Resistant to Adversarial Attacks. In 2018 International Conference on Learning Representations (ICLR). OpenReview."},{"key":"e_1_3_2_2_33_1","volume-title":"Differentiable Abstract Interpretation for Provably Robust Neural Networks. In 2018 International Conference on Machine Learning (ICML). 
PMLR, 3575--3583","author":"Mirman Matthew","year":"2018","unstructured":"Matthew Mirman, Timon Gehr, and Martin Vechev. 2018. Differentiable Abstract Interpretation for Provably Robust Neural Networks. In 2018 International Conference on Machine Learning (ICML). PMLR, 3575--3583."},{"key":"e_1_3_2_2_34_1","volume-title":"Hidden Cost of Randomized Smoothing. In 2021 International Conference on Artificial Intelligence and Statistics (AISTATS). PMLR, 4033--4041","author":"Mohapatra Jeet","year":"2021","unstructured":"Jeet Mohapatra, Ching-Yun Ko, Lily Weng, Pin-Yu Chen, Sijia Liu, and Luca Daniel. 2021. Hidden Cost of Randomized Smoothing. In 2021 International Conference on Artificial Intelligence and Statistics (AISTATS). PMLR, 4033--4041."},{"key":"e_1_3_2_2_35_1","volume-title":"Towards Verifying Robustness of Neural Networks Against A Family of Semantic Perturbations. In 2020 IEEE\/CVF Conference on Computer Vision and Pattern Recognition (CVPR). IEEE, 244--252","author":"Mohapatra Jeet","year":"2020","unstructured":"Jeet Mohapatra, Tsui-Wei Weng, Pin-Yu Chen, Sijia Liu, and Luca Daniel. 2020. Towards Verifying Robustness of Neural Networks Against A Family of Semantic Perturbations. In 2020 IEEE\/CVF Conference on Computer Vision and Pattern Recognition (CVPR). IEEE, 244--252."},{"key":"e_1_3_2_2_36_1","volume-title":"Science","volume":"356","author":"Matej Moravvc","year":"2017","unstructured":"Matej Morav\u010d\u00edk, Martin Schmid, Neil Burch, Viliam Lis\u00fd, Dustin Morrill, Nolan Bard, Trevor Davis, Kevin Waugh, Michael Johanson, and Michael Bowling. 2017. DeepStack: Expert-Level Artificial Intelligence in Heads-Up No-Limit Poker. Science, Vol. 356, 6337 (2017), 508--513."},{"unstructured":"OpenCV. 2020. OpenCV: Transformations of Images. 
https:\/\/docs.opencv.org\/master\/dd\/d52\/tutorial_js_geometric_transformations.html .","key":"e_1_3_2_2_37_1"},{"doi-asserted-by":"publisher","key":"e_1_3_2_2_38_1","DOI":"10.1145\/3132747.3132785"},{"key":"e_1_3_2_2_39_1","volume-title":"Towards Practical Verification of Machine Learning: The Case of Computer Vision Systems. arXiv preprint: arXiv:1712.01785","author":"Pei Kexin","year":"2017","unstructured":"Kexin Pei, Yinzhi Cao, Junfeng Yang, and Suman Jana. 2017b. Towards Practical Verification of Machine Learning: The Case of Computer Vision Systems. arXiv preprint: arXiv:1712.01785, Vol. 12 (2017)."},{"unstructured":"PyTorch. 2021. torchvision.models - Torchvision 0.10.0 documentation. https:\/\/pytorch.org\/vision\/stable\/models.html .","key":"e_1_3_2_2_40_1"},{"volume-title":"Semidefinite Relaxations for Certifying Robustness to Adversarial Examples. In 2018 Advances in Neural Information Processing Systems (NeurIPS). Curran Associates","author":"Raghunathan Aditi","unstructured":"Aditi Raghunathan, Jacob Steinhardt, and Percy S Liang. 2018. Semidefinite Relaxations for Certifying Robustness to Adversarial Examples. In 2018 Advances in Neural Information Processing Systems (NeurIPS). Curran Associates, Inc., 10877--10887.","key":"e_1_3_2_2_41_1"},{"volume-title":"2019 a. Provably Robust Deep Learning via Adversarially Trained Smoothed Classifiers. In 2019 Advances in Neural Information Processing Systems (NeurIPS). Curran Associates","author":"Salman Hadi","unstructured":"Hadi Salman, Jerry Li, Ilya Razenshteyn, Pengchuan Zhang, Huan Zhang, Sebastien Bubeck, and Greg Yang. 2019 a. Provably Robust Deep Learning via Adversarially Trained Smoothed Classifiers. In 2019 Advances in Neural Information Processing Systems (NeurIPS). Curran Associates, Inc., 11289--11300.","key":"e_1_3_2_2_42_1"},{"volume-title":"2019 b. A Convex Relaxation Barrier to Tight Robustness Verification of Neural Networks. 
In 2019 Advances in Neural Information Processing Systems (NeurIPS). Curran Associates","author":"Salman Hadi","unstructured":"Hadi Salman, Greg Yang, Huan Zhang, Cho-Jui Hsieh, and Pengchuan Zhang. 2019 b. A Convex Relaxation Barrier to Tight Robustness Verification of Neural Networks. In 2019 Advances in Neural Information Processing Systems (NeurIPS). Curran Associates, Inc., 9835--9846.","key":"e_1_3_2_2_43_1"},{"key":"e_1_3_2_2_44_1","volume-title":"Defense-GAN: Protecting Classifiers Against Adversarial Attacks Using Generative Models. In 2018 International Conference on Learning Representations (ICLR). OpenReview.","author":"Samangouei Pouya","year":"2018","unstructured":"Pouya Samangouei, Maya Kabkab, and Rama Chellappa. 2018. Defense-GAN: Protecting Classifiers Against Adversarial Attacks Using Generative Models. In 2018 International Conference on Learning Representations (ICLR). OpenReview."},{"key":"e_1_3_2_2_45_1","volume-title":"Zheng Xu, John Dickerson, Christoph Studer, Larry S Davis, Gavin Taylor, and Tom Goldstein.","author":"Shafahi Ali","year":"2019","unstructured":"Ali Shafahi, Mahyar Najibi, Mohammad Amin Ghiasi, Zheng Xu, John Dickerson, Christoph Studer, Larry S Davis, Gavin Taylor, and Tom Goldstein. 2019. Adversarial Training for Free!. In 2019 Advances in Neural Information Processing Systems (NeurIPS). Curran Associates, Inc., 3358--3369."},{"key":"e_1_3_2_2_46_1","volume-title":"Nature","volume":"550","author":"Silver David","year":"2017","unstructured":"David Silver, Julian Schrittwieser, Karen Simonyan, Ioannis Antonoglou, Aja Huang, Arthur Guez, Thomas Hubert, Lucas Baker, Matthew Lai, Adrian Bolton, et al. 2017. Mastering the Game of Go without Human Knowledge. Nature, Vol. 550, 7676 (2017), 354--359."},{"doi-asserted-by":"publisher","key":"e_1_3_2_2_47_1","DOI":"10.1145\/3290354"},{"key":"e_1_3_2_2_48_1","volume-title":"Intriguing Properties of Neural Networks. In 2014 International Conference on Learning Representations (ICLR). 
OpenReview.","author":"Szegedy Christian","year":"2014","unstructured":"Christian Szegedy, Wojciech Zaremba, Ilya Sutskever, Joan Bruna, Dumitru Erhan, Ian Goodfellow, and Rob Fergus. 2014. Intriguing Properties of Neural Networks. In 2014 International Conference on Learning Representations (ICLR). OpenReview."},{"unstructured":"Jiaye Teng Guang-He Lee and Yang Yuan. 2020. $\\ell_1$ Adversarial Robustness Certificates: A Randomized Smoothing Approach. https:\/\/openreview.net\/forum?id=H1lQIgrFDS","key":"e_1_3_2_2_49_1"},{"doi-asserted-by":"publisher","key":"e_1_3_2_2_50_1","DOI":"10.1145\/3180155.3180220"},{"key":"e_1_3_2_2_51_1","volume-title":"Evaluating Robustness of Neural Networks with Mixed Integer Programming. In 2018 International Conference on Learning Representations (ICLR). OpenReview.","author":"Tjeng Vincent","year":"2018","unstructured":"Vincent Tjeng, Kai Y Xiao, and Russ Tedrake. 2018. Evaluating Robustness of Neural Networks with Mixed Integer Programming. In 2018 International Conference on Learning Representations (ICLR). OpenReview."},{"key":"e_1_3_2_2_52_1","volume-title":"2019 USENIX Conference on Security Symposium (USENIX Security). USENIX Association, 285--302","author":"Tong Liang","year":"2019","unstructured":"Liang Tong, Bo Li, Chen Hajaj, Chaowei Xiao, Ning Zhang, and Yevgeniy Vorobeychik. 2019. Improving Robustness of ML Classifiers against Realizable Evasion Attacks Using Conserved Features. In 2019 USENIX Conference on Security Symposium (USENIX Security). USENIX Association, 285--302."},{"volume-title":"On Adaptive Attacks to Adversarial Example Defenses. In 2020 Advances in Neural Information Processing Systems (NeurIPS). Curran Associates","author":"Tram\u00e8r Florian","unstructured":"Florian Tram\u00e8r, Nicholas Carlini, Wieland Brendel, and Aleksander Madry. 2020. On Adaptive Attacks to Adversarial Example Defenses. In 2020 Advances in Neural Information Processing Systems (NeurIPS). 
Curran Associates, Inc., 1633--1645.","key":"e_1_3_2_2_53_1"},{"key":"e_1_3_2_2_54_1","volume-title":"Ensemble Adversarial Training: Attacks and Defenses. In 2018 International Conference on Learning Representations (ICLR). OpenReview.","author":"Tram\u00e8r Florian","year":"2018","unstructured":"Florian Tram\u00e8r, Alexey Kurakin, Nicolas Papernot, Ian Goodfellow, Dan Boneh, and Patrick McDaniel. 2018. Ensemble Adversarial Training: Attacks and Defenses. In 2018 International Conference on Learning Representations (ICLR). OpenReview."},{"key":"e_1_3_2_2_55_1","volume-title":"Evading PDF Malware Classifiers with Generative Adversarial Network. In 2019 International Symposium on Cyberspace Safety and Security (CSS). Springer International Publishing, 374--387","author":"Wang Yaxiao","year":"2019","unstructured":"Yaxiao Wang, Yuanzhang Li, Quanxin Zhang, Jingjing Hu, and Xiaohui Kuang. 2019. Evading PDF Malware Classifiers with Generative Adversarial Network. In 2019 International Symposium on Cyberspace Safety and Security (CSS). Springer International Publishing, 374--387."},{"key":"e_1_3_2_2_56_1","volume-title":"Towards Fast Computation of Certified Robustness for ReLU Networks. In 2018 International Conference on Machine Learning (ICML). PMLR, 5276--5285","author":"Weng Lily","year":"2018","unstructured":"Lily Weng, Huan Zhang, Hongge Chen, Zhao Song, Cho-Jui Hsieh, Luca Daniel, Duane Boning, and Inderjit Dhillon. 2018. Towards Fast Computation of Certified Robustness for ReLU Networks. In 2018 International Conference on Machine Learning (ICML). PMLR, 5276--5285."},{"key":"e_1_3_2_2_57_1","volume-title":"2018 International Conference on Machine Learning (ICML). PMLR, 5286--5295","author":"Wong Eric","year":"2018","unstructured":"Eric Wong and Zico Kolter. 2018. Provable Defenses against Adversarial Examples via the Convex Outer Adversarial Polytope. In 2018 International Conference on Machine Learning (ICML). 
PMLR, 5286--5295."},{"key":"e_1_3_2_2_58_1","volume-title":"Jan Hendrik Metzen, and J Zico Kolter","author":"Wong Eric","year":"2018","unstructured":"Eric Wong, Frank Schmidt, Jan Hendrik Metzen, and J Zico Kolter. 2018. Scaling Provable Adversarial Defenses. In 2018 Advances in Neural Information Processing Systems (NeurIPS). Curran Associates, Inc., 8400--8409."},{"key":"e_1_3_2_2_59_1","volume-title":"Warren He, Mingyan Liu, and Dawn Song.","author":"Xiao Chaowei","year":"2018","unstructured":"Chaowei Xiao, Bo Li, Jun Yan Zhu, Warren He, Mingyan Liu, and Dawn Song. 2018a. Generating Adversarial Examples with Adversarial Networks. In 2018 International Joint Conference on Artificial Intelligence (IJCAI). International Joint Conferences on Artificial Intelligence Organization, 3905--3911."},{"key":"e_1_3_2_2_60_1","volume-title":"Spatially Transformed Adversarial Examples. In 2018 International Conference on Learning Representations (ICLR). OpenReview.","author":"Xiao Chaowei","year":"2018","unstructured":"Chaowei Xiao, Jun-Yan Zhu, Bo Li, Warren He, Mingyan Liu, and Dawn Song. 2018b. Spatially Transformed Adversarial Examples. In 2018 International Conference on Learning Representations (ICLR). OpenReview."},{"volume-title":"Automatic Perturbation Analysis for Scalable Certified Robustness and Beyond. In 2020 Advances in Neural Information Processing Systems (NeurIPS). Curran Associates","author":"Xu Kaidi","unstructured":"Kaidi Xu, Zhouxing Shi, Huan Zhang, Yihan Wang, Kai-Wei Chang, Minlie Huang, Bhavya Kailkhura, Xue Lin, and Cho-Jui Hsieh. 2020. Automatic Perturbation Analysis for Scalable Certified Robustness and Beyond. In 2020 Advances in Neural Information Processing Systems (NeurIPS). Curran Associates, Inc., 1129--1141.","key":"e_1_3_2_2_61_1"},{"key":"e_1_3_2_2_62_1","volume-title":"Automatically Evading Classifiers: A Case Study on PDF Malware Classifiers. 
In 2016 Network and Distributed Systems Symposium (NDSS)","volume":"10","author":"Xu Weilin","year":"2016","unstructured":"Weilin Xu, Yanjun Qi, and David Evans. 2016. Automatically Evading Classifiers: A Case Study on PDF Malware Classifiers. In 2016 Network and Distributed Systems Symposium (NDSS), Vol. 10. Internet Society."},{"key":"e_1_3_2_2_63_1","volume-title":"Randomized Smoothing of All Shapes and Sizes. In 2020 International Conference on Machine Learning (ICML). PMLR, 10693--10705","author":"Yang Greg","year":"2020","unstructured":"Greg Yang, Tony Duan, J. Edward Hu, Hadi Salman, Ilya Razenshteyn, and Jerry Li. 2020. Randomized Smoothing of All Shapes and Sizes. In 2020 International Conference on Machine Learning (ICML). PMLR, 10693--10705."},{"key":"e_1_3_2_2_64_1","volume-title":"2020 International Conference on Learning Representations (ICLR). OpenReview.","author":"Zhai Runtian","year":"2020","unstructured":"Runtian Zhai, Chen Dan, Di He, Huan Zhang, Boqing Gong, Pradeep Ravikumar, Cho-Jui Hsieh, and Liwei Wang. 2020. MACER: Attack-Free and Scalable Robust Training via Maximizing Certified Radius. In 2020 International Conference on Learning Representations (ICLR). OpenReview."},{"volume-title":"2020 b. Black-Box Certification with Randomized Smoothing: A Functional Optimization Based Framework. In 2020 Advances in Neural Information Processing Systems (NeurIPS). Curran Associates","author":"Zhang Dinghuai","unstructured":"Dinghuai Zhang, Mao Ye, Chengyue Gong, Zhanxing Zhu, and Qiang Liu. 2020 b. Black-Box Certification with Randomized Smoothing: A Functional Optimization Based Framework. In 2020 Advances in Neural Information Processing Systems (NeurIPS). Curran Associates, Inc., 2316--2326.","key":"e_1_3_2_2_65_1"},{"key":"e_1_3_2_2_66_1","volume-title":"Towards Stable and Efficient Training of Verifiably Robust Neural Networks. In 2020 International Conference on Learning Representations (ICLR). 
OpenReview.","author":"Zhang Huan","year":"2020","unstructured":"Huan Zhang, Hongge Chen, Chaowei Xiao, Sven Gowal, Robert Stanforth, Bo Li, Duane Boning, and Cho-Jui Hsieh. 2020 a. Towards Stable and Efficient Training of Verifiably Robust Neural Networks. In 2020 International Conference on Learning Representations (ICLR). OpenReview."}],"event":{"sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"],"acronym":"CCS '21","name":"CCS '21: 2021 ACM SIGSAC Conference on Computer and Communications Security","location":"Virtual Event Republic of Korea"},"container-title":["Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3460120.3485258","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3460120.3485258","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3460120.3485258","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,11,18]],"date-time":"2025-11-18T20:49:50Z","timestamp":1763498990000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3460120.3485258"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,11,12]]},"references-count":66,"alternative-id":["10.1145\/3460120.3485258","10.1145\/3460120"],"URL":"https:\/\/doi.org\/10.1145\/3460120.3485258","relation":{},"subject":[],"published":{"date-parts":[[2021,11,12]]},"assertion":[{"value":"2021-11-13","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}