{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,3]],"date-time":"2026-03-03T14:13:54Z","timestamp":1772547234684,"version":"3.50.1"},"reference-count":102,"publisher":"Association for Computing Machinery (ACM)","issue":"6","license":[{"start":{"date-parts":[[2023,9,30]],"date-time":"2023-09-30T00:00:00Z","timestamp":1696032000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/501100012166","name":"National Key R&D Program of China","doi-asserted-by":"crossref","award":["2022YFF0604501"],"award-info":[{"award-number":["2022YFF0604501"]}],"id":[{"id":"10.13039\/501100012166","id-type":"DOI","asserted-by":"crossref"}]},{"DOI":"10.13039\/501100001809","name":"NSFC","doi-asserted-by":"crossref","award":["62272261, RGPIN-2021-02549, RGPAS-2021-00034, and DGECR-2021-00019"],"award-info":[{"award-number":["62272261, RGPIN-2021-02549, RGPAS-2021-00034, and DGECR-2021-00019"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"crossref"}]},{"DOI":"10.13039\/501100020959","name":"JST-Mirai Program","doi-asserted-by":"crossref","award":["JPMJMI20B8"],"award-info":[{"award-number":["JPMJMI20B8"]}],"id":[{"id":"10.13039\/501100020959","id-type":"DOI","asserted-by":"crossref"}]},{"name":"JSPS KAKENHI","award":["JP20H04168 and JP21H04877"],"award-info":[{"award-number":["JP20H04168 and JP21H04877"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Softw. Eng. Methodol."],"published-print":{"date-parts":[[2023,11,30]]},"abstract":"<jats:p>In the past few years, Transformer has been widely adopted in many domains and applications because of its impressive performance. Vision Transformer (ViT), a successful and well-known variant, attracts considerable attention from both industry and academia thanks to its record-breaking performance in various vision tasks. However, ViT is also highly nonlinear like other classical neural networks and could be easily fooled by both natural and adversarial perturbations. This limitation could pose a threat to the deployment of ViT in the real industrial environment, especially in safety-critical scenarios. How to improve the robustness of ViT is thus an urgent issue that needs to be addressed. Among all kinds of robustness, patch robustness is defined as giving a reliable output when a random patch in the input domain is perturbed. The perturbation could be natural corruption, such as part of the camera lens being blurred. It could also be a distribution shift, such as an object that does not exist in the training data suddenly appearing in the camera. And in the worst case, there could be a malicious adversarial patch attack that aims to fool the prediction of a machine learning model by arbitrarily modifying pixels within a restricted region of an input image. This kind of attack is also called physical attack, as it is believed to be more real than digital attack. Although there has been some work on patch robustness improvement of Convolutional Neural Network, related studies on its counterpart ViT are still at an early stage as ViT is usually much more complex with far more parameters. It is harder to assess and improve its robustness, not to mention to provide a provable guarantee.<\/jats:p>\n          <jats:p>In this work, we propose PatchCensor, aiming to certify the patch robustness of ViT by applying exhaustive testing. We try to provide a provable guarantee by considering the worst patch attack scenarios. Unlike empirical defenses against adversarial patches that may be adaptively breached, certified robust approaches can provide a certified accuracy against arbitrary attacks under certain conditions. However, existing robustness certifications are mostly based on robust training, which often requires substantial training efforts and the sacrifice of model performance on normal samples. To bridge the gap, PatchCensor seeks to improve the robustness of the whole system by detecting abnormal inputs instead of training a robust model and asking it to give reliable results for every input, which may inevitably compromise accuracy. Specifically, each input is tested by voting over multiple inferences with different mutated attention masks, where at least one inference is guaranteed to exclude the abnormal patch. This can be seen as complete-coverage testing, which could provide a statistical guarantee on inference at the test time. Our comprehensive evaluation demonstrates that PatchCensor is able to achieve high certified accuracy (e.g.,\u00a067.1% on ImageNet for 2%-pixel adversarial patches), significantly outperforming state-of-the-art techniques while achieving similar clean accuracy (81.8% on ImageNet). The clean accuracy is the same as vanilla ViT models. Meanwhile, our technique also supports flexible configurations to handle different adversarial patch sizes by simply changing the masking strategy.<\/jats:p>","DOI":"10.1145\/3591870","type":"journal-article","created":{"date-parts":[[2023,4,8]],"date-time":"2023-04-08T10:32:03Z","timestamp":1680949923000},"page":"1-34","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":12,"title":["PatchCensor: Patch Robustness Certification for Transformers via Exhaustive Testing"],"prefix":"10.1145","volume":"32","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-3666-4020","authenticated-orcid":false,"given":"Yuheng","family":"Huang","sequence":"first","affiliation":[{"name":"University of Alberta, Canada"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8621-2420","authenticated-orcid":false,"given":"Lei","family":"Ma","sequence":"additional","affiliation":[{"name":"University of Alberta, Canada and The University of Tokyo, Japan"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1591-2526","authenticated-orcid":false,"given":"Yuanchun","family":"Li","sequence":"additional","affiliation":[{"name":"Institute for AI Industry Research (AIR), Tsinghua University, China"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2023,9,30]]},"reference":[{"key":"e_1_3_2_2_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV48922.2021.00759"},{"key":"e_1_3_2_3_2","unstructured":"Accompanying Website of this Article. 2022. Retrieved from https:\/\/sites.google.com\/view\/patchcensor."},{"key":"e_1_3_2_4_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR52688.2022.01951"},{"key":"e_1_3_2_5_2","article-title":"Are transformers more robust than CNNs?","volume":"34","author":"Bai Yutong","year":"2021","unstructured":"Yutong Bai, Jieru Mei, Alan L. Yuille, and Cihang Xie. 2021. Are transformers more robust than CNNs? Adv. Neural Info. Process. Syst. 34 (2021).","journal-title":"Adv. Neural Info. Process. Syst."},{"key":"e_1_3_2_6_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV48922.2021.01007"},{"key":"e_1_3_2_7_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-10599-4_29"},{"key":"e_1_3_2_8_2","volume-title":"Proceedings of the 7th International Conference on Learning Representations (ICLR\u201919)","author":"Brendel Wieland","year":"2019","unstructured":"Wieland Brendel and Matthias Bethge. 2019. Approximating CNNs with bag-of-local-features models works surprisingly well on ImageNet. In Proceedings of the 7th International Conference on Learning Representations (ICLR\u201919)."},{"key":"e_1_3_2_9_2","volume-title":"Proceedings of the Conference on Neural Information Processing Systems Workshops (NeurIPS Workshops\u201917)","author":"Brown Tom B.","year":"2017","unstructured":"Tom B. Brown, Dandelion Man\u00e9, Aurko Roy, Mart\u00edn Abadi, and Justin Gilmer. 2017. Adversarial patch. In Proceedings of the Conference on Neural Information Processing Systems Workshops (NeurIPS Workshops\u201917)."},{"key":"e_1_3_2_10_2","doi-asserted-by":"publisher","DOI":"10.1145\/3128572.3140444"},{"key":"e_1_3_2_11_2","first-page":"0","volume-title":"Proceedings of the European Conference on Computer Vision (ECCV\u201918) Workshops","author":"Carrara Fabio","year":"2018","unstructured":"Fabio Carrara, Rudy Becarelli, Roberto Caldelli, Fabrizio Falchi, and Giuseppe Amato. 2018. Adversarial examples detection in features distance spaces. In Proceedings of the European Conference on Computer Vision (ECCV\u201918) Workshops. 0\u20130."},{"key":"e_1_3_2_12_2","first-page":"173","volume-title":"Proceedings of the Operating Systems Design and Implementation Conference (OSDI\u201999)","author":"Castro Miguel","year":"1999","unstructured":"Miguel Castro, Barbara Liskov, et\u00a0al. 1999. Practical byzantine fault tolerance. In Proceedings of the Operating Systems Design and Implementation Conference (OSDI\u201999). 173\u2013186."},{"key":"e_1_3_2_13_2","article-title":"Turning your strength against you: Detecting and mitigating robust and universal adversarial patch attack","author":"Chen Zitao","year":"2021","unstructured":"Zitao Chen, Pritam Dash, and Karthik Pattabiraman. 2021. Turning your strength against you: Detecting and mitigating robust and universal adversarial patch attack. Retrieved from https:\/\/arXiv:2108.05075.","journal-title":"Retrieved from https:\/\/arXiv:2108.05075"},{"key":"e_1_3_2_14_2","volume-title":"Proceedings of the 8th International Conference on Learning Representations (ICLR\u201920)","author":"Chiang Ping-Yeh","year":"2020","unstructured":"Ping-Yeh Chiang, Renkun Ni, Ahmed Abdelkader, Chen Zhu, Christoph Studor, and Tom Goldstein. 2020. Certified defenses for adversarial patches. In Proceedings of the 8th International Conference on Learning Representations (ICLR\u201920)."},{"key":"e_1_3_2_15_2","doi-asserted-by":"publisher","DOI":"10.1109\/SPW50608.2020.00025"},{"key":"e_1_3_2_16_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV.2017.218"},{"key":"e_1_3_2_17_2","first-page":"1310","volume-title":"Proceedings of the 36th International Conference on Machine Learning (ICML\u201919)","author":"Cohen Jeremy M.","year":"2019","unstructured":"Jeremy M. Cohen, Elan Rosenfeld, and J. Zico Kolter. 2019. Certified adversarial robustness via randomized smoothing. In Proceedings of the 36th International Conference on Machine Learning (ICML\u201919). 1310\u20131320."},{"key":"e_1_3_2_18_2","doi-asserted-by":"publisher","DOI":"10.1145\/512950.512973"},{"key":"e_1_3_2_19_2","volume-title":"Proceedings of the 9th International Conference on Learning Representations (ICLR\u201921)","author":"Dosovitskiy Alexey","year":"2021","unstructured":"Alexey Dosovitskiy, Lucas Beyer, Alexander Kolesnikov, Dirk Weissenborn, Xiaohua Zhai, Thomas Unterthiner, Mostafa Dehghani, Matthias Minderer, Georg Heigold, Sylvain Gelly et\u00a0al. 2021. An image is worth 16 \\(\\times\\) 16 words: Transformers for image recognition at scale. In Proceedings of the 9th International Conference on Learning Representations (ICLR\u201921). Retrieved from https:\/\/openreview.net\/forum?id=YicbFdNTTy."},{"key":"e_1_3_2_20_2","doi-asserted-by":"publisher","DOI":"10.1145\/3338906.3338954"},{"key":"e_1_3_2_21_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2018.00175"},{"key":"e_1_3_2_22_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2018.00175"},{"key":"e_1_3_2_23_2","volume-title":"Proceedings of the International Conference on Learning Representations","author":"Fu Yonggan","year":"2021","unstructured":"Yonggan Fu, Shunyao Zhang, Shang Wu, Cheng Wan, and Yingyan Lin. 2021. Patch-Fool: Are vision transformers always robust against adversarial perturbations? In Proceedings of the International Conference on Learning Representations."},{"key":"e_1_3_2_24_2","first-page":"2151","volume-title":"Proceedings of the International Conference on Machine Learning","author":"Geifman Yonatan","year":"2019","unstructured":"Yonatan Geifman and Ran El-Yaniv. 2019. Selectivenet: A deep neural network with an integrated reject option. In Proceedings of the International Conference on Machine Learning. PMLR, 2151\u20132159."},{"key":"e_1_3_2_25_2","article-title":"ImageNet-trained CNNs are biased toward texture; increasing shape bias improves accuracy and robustness","author":"Geirhos Robert","year":"2018","unstructured":"Robert Geirhos, Patricia Rubisch, Claudio Michaelis, Matthias Bethge, Felix A. Wichmann, and Wieland Brendel. 2018. ImageNet-trained CNNs are biased toward texture; increasing shape bias improves accuracy and robustness. Retrieved from https:\/\/arXiv:1811.12231.","journal-title":"Retrieved from https:\/\/arXiv:1811.12231"},{"key":"e_1_3_2_26_2","article-title":"Adversarial and clean data are not twins","author":"Gong Zhitao","year":"2017","unstructured":"Zhitao Gong, Wenlu Wang, and Wei-Shinn Ku. 2017. Adversarial and clean data are not twins. Retrieved from https:\/\/ arXiv:1704.04960.","journal-title":"Retrieved from https:\/\/ arXiv:1704.04960"},{"key":"e_1_3_2_27_2","volume-title":"Proceedings of the 3rd International Conference on Learning Representations (ICLR\u201915)","author":"Goodfellow Ian J.","year":"2015","unstructured":"Ian J. Goodfellow, Jonathon Shlens, and Christian Szegedy. 2015. Explaining and harnessing adversarial examples. In Proceedings of the 3rd International Conference on Learning Representations (ICLR\u201915)."},{"key":"e_1_3_2_28_2","article-title":"On the (statistical) detection of adversarial examples","author":"Grosse Kathrin","year":"2017","unstructured":"Kathrin Grosse, Praveen Manoharan, Nicolas Papernot, Michael Backes, and Patrick McDaniel. 2017. On the (statistical) detection of adversarial examples. Retrieved from https:\/\/arXiv:1702.06280.","journal-title":"Retrieved from https:\/\/arXiv:1702.06280"},{"key":"e_1_3_2_29_2","article-title":"Are vision transformers robust to patch perturbations?","author":"Gu Jindong","year":"2021","unstructured":"Jindong Gu, Volker Tresp, and Yao Qin. 2021. Are vision transformers robust to patch perturbations? Retrieved from https:\/\/arXiv:2111.10659.","journal-title":"Retrieved from https:\/\/arXiv:2111.10659"},{"key":"e_1_3_2_30_2","volume-title":"Proceedings of the International Conference on Machine Learning: Shift Happens Workshop (ICML\u201922)","author":"Gu Jindong","year":"2022","unstructured":"Jindong Gu, Volker Tresp, and Yao Qin. 2022. Evaluating model robustness to patch perturbations. In Proceedings of the International Conference on Machine Learning: Shift Happens Workshop (ICML\u201922)."},{"key":"e_1_3_2_31_2","article-title":"ScaleCert: Scalable certified defense against adversarial patches with sparse superficial layers","volume":"34","author":"Han Husheng","year":"2021","unstructured":"Husheng Han, Kaidi Xu, Xing Hu, Xiaobing Chen, Ling Liang, Zidong Du, Qi Guo, Yanzhi Wang, and Yunji Chen. 2021. ScaleCert: Scalable certified defense against adversarial patches with sparse superficial layers. Adv. Neural Info. Process. Syst. 34 (2021).","journal-title":"Adv. Neural Info. Process. Syst."},{"key":"e_1_3_2_32_2","article-title":"PartImageNet: A large, high-quality dataset of parts","author":"He Ju","year":"2021","unstructured":"Ju He, Shuo Yang, Shaokang Yang, Adam Kortylewski, Xiaoding Yuan, Jie-Neng Chen, Shuai Liu, Cheng Yang, and Alan Yuille. 2021. PartImageNet: A large, high-quality dataset of parts. Retrieved from https:\/\/arXiv:2112.00933.","journal-title":"Retrieved from https:\/\/arXiv:2112.00933"},{"key":"e_1_3_2_33_2","volume-title":"Proceedings of the International Conference on Learning Representations","author":"Hendrycks Dan","year":"2018","unstructured":"Dan Hendrycks and Thomas Dietterich. 2018. Benchmarking neural network robustness to common corruptions and perturbations. In Proceedings of the International Conference on Learning Representations."},{"key":"e_1_3_2_34_2","article-title":"Coverage-guided testing for recurrent neural networks","author":"Huang Wei","year":"2021","unstructured":"Wei Huang, Youcheng Sun, Xingyu Zhao, James Sharp, Wenjie Ruan, Jie Meng, and Xiaowei Huang. 2021. Coverage-guided testing for recurrent neural networks. IEEE Trans. Reliabil. (2021).","journal-title":"IEEE Trans. Reliabil."},{"key":"e_1_3_2_35_2","doi-asserted-by":"publisher","DOI":"10.1145\/3460319.3464825"},{"key":"e_1_3_2_36_2","first-page":"2512","volume-title":"Proceedings of the 35th International Conference on Machine Learning (ICML\u201918)","author":"Karmon Danny","year":"2018","unstructured":"Danny Karmon, Daniel Zoran, and Yoav Goldberg. 2018. LaVAN: Localized and visible adversarial noise. In Proceedings of the 35th International Conference on Machine Learning (ICML\u201918). 2512\u20132520."},{"key":"e_1_3_2_37_2","article-title":"Generalization in deep learning","author":"Kawaguchi Kenji","year":"2017","unstructured":"Kenji Kawaguchi, Leslie Pack Kaelbling, and Yoshua Bengio. 2017. Generalization in deep learning. Retrieved from https:\/\/arXiv:1710.05468.","journal-title":"Retrieved from https:\/\/arXiv:1710.05468"},{"key":"e_1_3_2_38_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2019.00108"},{"key":"e_1_3_2_39_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICPR48806.2021.9412236"},{"key":"e_1_3_2_40_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR42600.2020.01426"},{"key":"e_1_3_2_41_2","article-title":"Learning multiple layers of features from tiny images","author":"Krizhevsky Alex","year":"2009","unstructured":"Alex Krizhevsky. 2009. Learning multiple layers of features from tiny images. Retrieved from https:\/\/www.cs.toronto.edu\/ kriz\/learning-features-2009-TR.pdf.","journal-title":"https:\/\/www.cs.toronto.edu\/ kriz\/learning-features-2009-TR.pdf"},{"key":"e_1_3_2_42_2","first-page":"1106","volume-title":"Proceedings of the Conference on Neural Information Processing Systems (NeurIPS\u201912)","author":"Krizhevsky Alex","year":"2012","unstructured":"Alex Krizhevsky, Ilya Sutskever, and Geoffrey E. Hinton. 2012. ImageNet classification with deep convolutional neural networks. In Proceedings of the Conference on Neural Information Processing Systems (NeurIPS\u201912). 1106\u20131114."},{"key":"e_1_3_2_43_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00044"},{"key":"e_1_3_2_44_2","volume-title":"Proceedings of the Conference on Neural Information Processing Systems (NeurIPS\u201920)","author":"Levine Alexander","year":"2020","unstructured":"Alexander Levine and Soheil Feizi. 2020. (De)Randomized smoothing for certifiable defense against patch attacks. In Proceedings of the Conference on Neural Information Processing Systems (NeurIPS\u201920)."},{"key":"e_1_3_2_45_2","doi-asserted-by":"publisher","DOI":"10.1145\/3368089.3409696"},{"key":"e_1_3_2_46_2","doi-asserted-by":"publisher","DOI":"10.1145\/3219819.3220027"},{"key":"e_1_3_2_47_2","doi-asserted-by":"publisher","DOI":"10.1145\/3460319.3464829"},{"key":"e_1_3_2_48_2","article-title":"Swin transformer: Hierarchical vision transformer using shifted windows","author":"Liu Ze","year":"2021","unstructured":"Ze Liu, Yutong Lin, Yue Cao, Han Hu, Yixuan Wei, Zheng Zhang, Stephen Lin, and Baining Guo. 2021. Swin transformer: Hierarchical vision transformer using shifted windows. Retrieved from https:\/\/arXiv:2103.14030.","journal-title":"Retrieved from https:\/\/arXiv:2103.14030"},{"key":"e_1_3_2_49_2","article-title":"No need to worry about adversarial examples in object detection in autonomous vehicles","author":"Lu Jiajun","year":"2017","unstructured":"Jiajun Lu, Hussein Sibai, Evan Fabry, and David Forsyth. 2017. No need to worry about adversarial examples in object detection in autonomous vehicles. Retrieved from https:\/\/arXiv:1707.03501.","journal-title":"Retrieved from https:\/\/arXiv:1707.03501"},{"key":"e_1_3_2_50_2","doi-asserted-by":"publisher","DOI":"10.1109\/SANER.2019.8668044"},{"key":"e_1_3_2_51_2","doi-asserted-by":"publisher","DOI":"10.1145\/3238147.3238202"},{"key":"e_1_3_2_52_2","doi-asserted-by":"publisher","DOI":"10.1109\/ISSRE.2018.00021"},{"key":"e_1_3_2_53_2","doi-asserted-by":"publisher","DOI":"10.1145\/3417330"},{"key":"e_1_3_2_54_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV48922.2021.00774"},{"key":"e_1_3_2_55_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-61638-0_31"},{"key":"e_1_3_2_56_2","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134057"},{"key":"e_1_3_2_57_2","volume-title":"Proceedings of the 5th International Conference on Learning Representations (ICLR\u201917)","author":"Metzen Jan Hendrik","year":"2017","unstructured":"Jan Hendrik Metzen, Tim Genewein, Volker Fischer, and Bastian Bischoff. 2017. On detecting adversarial perturbations. In Proceedings of the 5th International Conference on Learning Representations (ICLR\u201917)."},{"key":"e_1_3_2_58_2","volume-title":"Proceedings of the 9th International Conference on Learning Representations (ICLR\u201921)","author":"Metzen Jan Hendrik","year":"2021","unstructured":"Jan Hendrik Metzen and Maksym Yatsura. 2021. Efficient certified defenses against patch attacks on image classifiers. In Proceedings of the 9th International Conference on Learning Representations (ICLR\u201921). Retrieved from https:\/\/openreview.net\/forum?id=hr-3PMvDpil."},{"key":"e_1_3_2_59_2","volume-title":"Proceedings of the Conference on Neural Information Processing Systems (NeurIPS\u201922)","author":"Moayeri Mazda","year":"2022","unstructured":"Mazda Moayeri, Kiarash Banihashem, and Soheil Feizi. 2022. Explicit tradeoffs between adversarial and natural distributional robustness. In Proceedings of the Conference on Neural Information Processing Systems (NeurIPS\u201922)."},{"key":"e_1_3_2_60_2","doi-asserted-by":"publisher","DOI":"10.1109\/WACV.2019.00143"},{"key":"e_1_3_2_61_2","article-title":"Intriguing properties of vision transformers","volume":"34","author":"Naseer Muhammad Muzammal","year":"2021","unstructured":"Muhammad Muzammal Naseer, Kanchana Ranasinghe, Salman H. Khan, Munawar Hayat, Fahad Shahbaz Khan, and Ming-Hsuan Yang. 2021. Intriguing properties of vision transformers. Adv. Neural Info. Process. Syst. 34 (2021).","journal-title":"Adv. Neural Info. Process. Syst."},{"key":"e_1_3_2_62_2","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP.2018.00035"},{"key":"e_1_3_2_63_2","article-title":"Vision transformers are robust learners","author":"Paul Sayak","year":"2021","unstructured":"Sayak Paul and Pin-Yu Chen. 2021. Vision transformers are robust learners. Retrieved from https:\/\/arXiv:2105.07581.","journal-title":"Retrieved from https:\/\/arXiv:2105.07581"},{"key":"e_1_3_2_64_2","doi-asserted-by":"publisher","DOI":"10.1145\/3132747.3132785"},{"key":"e_1_3_2_65_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-68238-5_32"},{"key":"e_1_3_2_66_2","doi-asserted-by":"publisher","DOI":"10.1109\/ASE51524.2021.9678764"},{"key":"e_1_3_2_67_2","article-title":"On the real-world adversarial robustness of real-time semantic segmentation models for autonomous driving","author":"Rossolini Giulio","year":"2022","unstructured":"Giulio Rossolini, Federico Nesti, Gianluca D\u2019Amico, Saasha Nair, Alessandro Biondi, and Giorgio Buttazzo. 2022. On the real-world adversarial robustness of real-time semantic segmentation models for autonomous driving. Retrieved from https:\/\/arXiv:2201.01850.","journal-title":"Retrieved from https:\/\/arXiv:2201.01850"},{"key":"e_1_3_2_68_2","article-title":"Certified patch robustness via smoothed vision transformers","author":"Salman Hadi","year":"2021","unstructured":"Hadi Salman, Saachi Jain, Eric Wong, and Aleksander M\u0105dry. 2021. Certified patch robustness via smoothed vision transformers. Retrieved from https:\/\/arXiv:2110.07719.","journal-title":"Retrieved from https:\/\/arXiv:2110.07719"},{"key":"e_1_3_2_69_2","article-title":"Defense-gan: Protecting classifiers against adversarial attacks using generative models","author":"Samangouei Pouya","year":"2018","unstructured":"Pouya Samangouei, Maya Kabkab, and Rama Chellappa. 2018. Defense-gan: Protecting classifiers against adversarial attacks using generative models. Retrieved from https:\/\/arXiv:1805.06605.","journal-title":"Retrieved from https:\/\/arXiv:1805.06605"},{"key":"e_1_3_2_70_2","first-page":"3309","volume-title":"Proceedings of the 30th USENIX Security Symposium (USENIX Security\u201921)","author":"Sato Takami","year":"2021","unstructured":"Takami Sato, Junjie Shen, Ningfei Wang, Yunhan Jia, Xue Lin, and Qi Alfred Chen. 2021. Dirty road can attack: Security of deep learning based automated lane centering under Physical-World attack. In Proceedings of the 30th USENIX Security Symposium (USENIX Security\u201921). 3309\u20133326."},{"key":"e_1_3_2_71_2","volume-title":"Proceedings of the 12th USENIX Workshop on Offensive Technologies (WOOT\u201918)","author":"Song Dawn","year":"2018","unstructured":"Dawn Song, Kevin Eykholt, Ivan Evtimov, Earlence Fernandes, Bo Li, Amir Rahmati, Florian Tramer, Atul Prakash, and Tadayoshi Kohno. 2018. Physical adversarial examples for object detectors. In Proceedings of the 12th USENIX Workshop on Offensive Technologies (WOOT\u201918)."},{"key":"e_1_3_2_72_2","doi-asserted-by":"publisher","DOI":"10.1109\/IJCNN.2011.6033395"},{"key":"e_1_3_2_73_2","doi-asserted-by":"publisher","DOI":"10.1145\/3377811.3380353"},{"key":"e_1_3_2_74_2","volume-title":"Proceedings of the Workshops at the 26th AAAI Conference on Artificial Intelligence","author":"Su Hao","year":"2012","unstructured":"Hao Su, Jia Deng, and Li Fei-Fei. 2012. Crowdsourcing annotations for visual object detection. In Proceedings of the Workshops at the 26th AAAI Conference on Artificial Intelligence."},{"key":"e_1_3_2_75_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.525"},{"key":"e_1_3_2_76_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2015.7298594"},{"key":"e_1_3_2_77_2","volume-title":"Proceedings of the 2nd International Conference on Learning Representations (ICLR\u201914)","author":"Szegedy Christian","year":"2014","unstructured":"Christian Szegedy, Wojciech Zaremba, Ilya Sutskever, Joan Bruna, Dumitru Erhan, Ian J. Goodfellow, and Rob Fergus. 2014. Intriguing properties of neural networks. In Proceedings of the 2nd International Conference on Learning Representations (ICLR\u201914)."},{"key":"e_1_3_2_78_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPRW.2019.00012"},{"key":"e_1_3_2_79_2","doi-asserted-by":"publisher","DOI":"10.1145\/3180155.3180220"},{"key":"e_1_3_2_80_2","volume-title":"The Nature of Statistical Learning Theory","author":"Vapnik Vladimir","year":"1999","unstructured":"Vladimir Vapnik. 1999. The Nature of Statistical Learning Theory. Springer Science & Business Media."},{"key":"e_1_3_2_81_2","doi-asserted-by":"publisher","DOI":"10.5555\/3295222.3295349"},{"key":"e_1_3_2_82_2","doi-asserted-by":"publisher","DOI":"10.1145\/3377811.3380379"},{"key":"e_1_3_2_83_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2019.00126"},{"key":"e_1_3_2_84_2","doi-asserted-by":"publisher","DOI":"10.1109\/TMM.2021.3050057"},{"key":"e_1_3_2_85_2","doi-asserted-by":"publisher","DOI":"10.1145\/3324884.3416584"},{"key":"e_1_3_2_86_2","article-title":"Enhanced object detection with deep convolutional neural networks for advanced driving assistance","author":"Wei Jian","year":"2019","unstructured":"Jian Wei, Jianhua He, Yi Zhou, Kai Chen, Zuoyin Tang, and Zhiliang Xiong. 2019. Enhanced object detection with deep convolutional neural networks for advanced driving assistance. IEEE Trans. Intell. Transport. Syst. (2019).","journal-title":"IEEE Trans. Intell. Transport. Syst."},{"key":"e_1_3_2_87_2","doi-asserted-by":"publisher","DOI":"10.5281\/zenodo.4414861"},{"key":"e_1_3_2_88_2","first-page":"5286","volume-title":"Proceedings of the International Conference on Machine Learning","author":"Wong Eric","year":"2018","unstructured":"Eric Wong and Zico Kolter. 2018. Provable defenses against adversarial examples via the convex outer adversarial polytope. In Proceedings of the International Conference on Machine Learning. PMLR, 5286\u20135295."},{"key":"e_1_3_2_89_2","volume-title":"Proceedings of the 30th USENIX Security Symposium (USENIX Security 21)","author":"Xiang Chong","year":"2021","unstructured":"Chong Xiang, Arjun Nitin Bhagoji, Vikash Sehwag, and Prateek Mittal. 2021. PatchGuard: A provably robust defense against adversarial patches via small receptive fields and masking. In Proceedings of the 30th USENIX Security Symposium (USENIX Security 21). USENIX Association. Retrieved from https:\/\/www.usenix.org\/conference\/usenixsecurity21\/presentation\/xiang."},{"key":"e_1_3_2_90_2","article-title":"PatchGuard++: Efficient provable attack detection against adversarial patches","author":"Xiang Chong","year":"2021","unstructured":"Chong Xiang and Prateek Mittal. 2021. PatchGuard++: Efficient provable attack detection against adversarial patches. Retrieved from https:\/\/arXiv:2104.12609.","journal-title":"Retrieved from https:\/\/arXiv:2104.12609"},{"key":"e_1_3_2_91_2","doi-asserted-by":"publisher","DOI":"10.1145\/3293882.3330579"},{"key":"e_1_3_2_92_2","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23198"},{"key":"e_1_3_2_93_2","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v34i04.6140"},{"key":"e_1_3_2_94_2","unstructured":"Hao Zhang Feng Li Shilong Liu Lei Zhang Hang Su Jun Zhu Lionel M. Ni and Heung-Yeung Shum. 2022. DINO: DETR with Improved DeNoising Anchor Boxes for End-to-End Object Detection. Retrieved from https:\/\/arXiv:2203.03605."},{"key":"e_1_3_2_95_2","doi-asserted-by":"publisher","DOI":"10.1145\/3238147.3238187"},{"key":"e_1_3_2_96_2","doi-asserted-by":"publisher","DOI":"10.1145\/3377812.3382160"},{"key":"e_1_3_2_97_2","doi-asserted-by":"publisher","DOI":"10.1145\/3377811.3380368"},{"key":"e_1_3_2_98_2","doi-asserted-by":"publisher","DOI":"10.1145\/3368089.3409676"},{"key":"e_1_3_2_99_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2018.00149"},{"key":"e_1_3_2_100_2","doi-asserted-by":"publisher","DOI":"10.1109\/SPW50608.2020.00026"},{"key":"e_1_3_2_101_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV48922.2021.01595"},{"key":"e_1_3_2_102_2","doi-asserted-by":"publisher","DOI":"10.1145\/3460319.3464822"},{"key":"e_1_3_2_103_2","doi-asserted-by":"publisher","DOI":"10.1145\/3377811.3380422"}],"container-title":["ACM Transactions on Software Engineering and Methodology"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3591870","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3591870","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T16:37:45Z","timestamp":1750178265000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3591870"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,9,30]]},"references-count":102,"journal-issue":{"issue":"6","published-print":{"date-parts":[[2023,11,30]]}},"alternative-id":["10.1145\/3591870"],"URL":"https:\/\/doi.org\/10.1145\/3591870","relation":{},"ISSN":["1049-331X","1557-7392"],"issn-type":[{"value":"1049-331X","type":"print"},{"value":"1557-7392","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,9,30]]},"assertion":[{"value":"2022-09-13","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2023-02-15","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2023-09-30","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}