{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,18]],"date-time":"2026-06-18T15:42:47Z","timestamp":1781797367313,"version":"3.54.5"},"reference-count":161,"publisher":"Association for Computing Machinery (ACM)","issue":"14s","license":[{"start":{"date-parts":[[2023,7,17]],"date-time":"2023-07-17T00:00:00Z","timestamp":1689552000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"National Key Research and Development Program of China","award":["2020AAA0107702"],"award-info":[{"award-number":["2020AAA0107702"]}]},{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"crossref","award":["62006181, 62161160337, 62132011, U21B2018, U20A20177, 62206217"],"award-info":[{"award-number":["62006181, 62161160337, 62132011, U21B2018, U20A20177, 62206217"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"crossref"}]},{"name":"Shaanxi Province Key Industry Innovation Program","award":["2023-ZDLGY-38, 2021ZD LGY01-02"],"award-info":[{"award-number":["2023-ZDLGY-38, 2021ZD LGY01-02"]}]},{"name":"Shaanxi Province Key Research and Development Program","award":["2022ZDLSF07-07"],"award-info":[{"award-number":["2022ZDLSF07-07"]}]},{"DOI":"10.13039\/501100002858","name":"China Postdoctoral Science Foundation","doi-asserted-by":"crossref","award":["2022M722530"],"award-info":[{"award-number":["2022M722530"]}],"id":[{"id":"10.13039\/501100002858","id-type":"DOI","asserted-by":"crossref"}]},{"DOI":"10.13039\/501100012226","name":"Fundamental Research Funds for the Central Universities","doi-asserted-by":"crossref","award":["xzy012022082"],"award-info":[{"award-number":["xzy012022082"]}],"id":[{"id":"10.13039\/501100012226","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Comput. Surv."],"published-print":{"date-parts":[[2023,12,31]]},"abstract":"<jats:p>Deep learning technology is increasingly being applied in safety-critical scenarios but has recently been found to be susceptible to imperceptible adversarial perturbations. This raises a serious concern regarding the adversarial robustness of deep neural network (DNN)\u2013based applications. Accordingly, various adversarial attacks and defense approaches have been proposed. However, current studies implement different types of attacks and defenses with certain assumptions. There is still a lack of full theoretical understanding and interpretation of adversarial examples. Instead of reviewing technical progress in adversarial attacks and defenses, this article presents a framework consisting of three perspectives to discuss recent works focusing on theoretically explaining adversarial examples comprehensively. In each perspective, various hypotheses are further categorized and summarized into several subcategories and introduced systematically. To the best of our knowledge, this study is the first to concentrate on surveying existing research on adversarial examples and adversarial robustness from the interpretability perspective. By drawing on the reviewed literature, this survey characterizes current problems and challenges that need to be addressed and highlights potential future research directions to further investigate adversarial examples.<\/jats:p>","DOI":"10.1145\/3594869","type":"journal-article","created":{"date-parts":[[2023,4,28]],"date-time":"2023-04-28T11:57:44Z","timestamp":1682683064000},"page":"1-38","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":86,"title":["Interpreting Adversarial Examples in Deep Learning: A Review"],"prefix":"10.1145","volume":"55","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-8459-4701","authenticated-orcid":false,"given":"Sicong","family":"Han","sequence":"first","affiliation":[{"name":"Xi\u2019an Jiaotong University, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6265-7345","authenticated-orcid":false,"given":"Chenhao","family":"Lin","sequence":"additional","affiliation":[{"name":"Xi\u2019an Jiaotong University, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6959-0569","authenticated-orcid":false,"given":"Chao","family":"Shen","sequence":"additional","affiliation":[{"name":"Xi\u2019an Jiaotong University, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8967-8525","authenticated-orcid":false,"given":"Qian","family":"Wang","sequence":"additional","affiliation":[{"name":"Wuhan University, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8826-0362","authenticated-orcid":false,"given":"Xiaohong","family":"Guan","sequence":"additional","affiliation":[{"name":"Xi\u2019an Jiaotong University, China"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"320","published-online":{"date-parts":[[2023,7,17]]},"reference":[{"key":"e_1_3_1_2_2","first-page":"7687","volume-title":"Proceedings of the IEEE\/CVF International Conference on Computer Vision","author":"Abusnaina Ahmed","year":"2021","unstructured":"Ahmed Abusnaina, Yuhang Wu, Sunpreet Arora, Yizhen Wang, Fei Wang, Hao Yang, and David Mohaisen. 2021. Adversarial example detection using latent neighborhood graph. In Proceedings of the IEEE\/CVF International Conference on Computer Vision. 7687\u20137696."},{"key":"e_1_3_1_3_2","volume-title":"2019 IEEE International Conference on Image Processing (ICIP)","author":"Agarwal Chirag","year":"2019","unstructured":"Chirag Agarwal, Anh Nguyen, and Dan Schonfeld. 2019. Improving robustness to adversarial examples by encouraging discriminative features. In 2019 IEEE International Conference on Image Processing (ICIP). IEEE, 3801\u20133505."},{"key":"e_1_3_1_4_2","first-page":"3389","volume-title":"Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition","author":"Akhtar Naveed","year":"2018","unstructured":"Naveed Akhtar, Jian Liu, and Ajmal Mian. 2018. Defense against universal adversarial perturbations. In Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition. 3389\u20133398."},{"key":"e_1_3_1_5_2","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2018.2807385"},{"key":"e_1_3_1_6_2","first-page":"274","volume-title":"International Conference on Machine Learning","author":"Athalye Anish","year":"2018","unstructured":"Anish Athalye, Nicholas Carlini, and David Wagner. 2018. Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In International Conference on Machine Learning. PMLR, 274\u2013283."},{"key":"e_1_3_1_7_2","article-title":"Calibration and consistency of adversarial surrogate losses","author":"Awasthi Pranjal","year":"2021","unstructured":"Pranjal Awasthi, Natalie Frank, Anqi Mao, Mehryar Mohri, and Yutao Zhong. 2021. Calibration and consistency of adversarial surrogate losses. arXiv preprint arXiv:2104.09658 (2021).","journal-title":"arXiv preprint arXiv:2104.09658"},{"key":"e_1_3_1_8_2","article-title":"Layer normalization","author":"Ba Jimmy Lei","year":"2016","unstructured":"Jimmy Lei Ba, Jamie Ryan Kiros, and Geoffrey E. Hinton. 2016. Layer normalization. arXiv preprint arXiv:1607.06450 (2016).","journal-title":"arXiv preprint arXiv:1607.06450"},{"key":"e_1_3_1_9_2","article-title":"Improving adversarial robustness via channel-wise activation suppressing","author":"Bai Yang","year":"2021","unstructured":"Yang Bai, Yuyuan Zeng, Yong Jiang, Shu-Tao Xia, Xingjun Ma, and Yisen Wang. 2021. Improving adversarial robustness via channel-wise activation suppressing. arXiv preprint arXiv:2103.08307 (2021).","journal-title":"arXiv preprint arXiv:2103.08307"},{"key":"e_1_3_1_10_2","article-title":"Adversarial examples in multi-layer random ReLU networks","author":"Bartlett Peter L.","year":"2021","unstructured":"Peter L. Bartlett, S\u00e9bastien Bubeck, and Yeshwanth Cherapanamjeri. 2021. Adversarial examples in multi-layer random ReLU networks. arXiv preprint arXiv:2106.12611 (2021).","journal-title":"arXiv preprint arXiv:2106.12611"},{"key":"e_1_3_1_11_2","first-page":"7818","volume-title":"Proceedings of the IEEE\/CVF International Conference on Computer Vision","author":"Benz Philipp","year":"2021","unstructured":"Philipp Benz, Chaoning Zhang, and In So Kweon. 2021. Batch normalization increases adversarial vulnerability and decreases adversarial transferability: A non-robust feature perspective. In Proceedings of the IEEE\/CVF International Conference on Computer Vision. 7818\u20137827."},{"key":"e_1_3_1_12_2","article-title":"Poisoning attacks against support vector machines","author":"Biggio Battista","year":"2012","unstructured":"Battista Biggio, Blaine Nelson, and Pavel Laskov. 2012. Poisoning attacks against support vector machines. arXiv preprint arXiv:1206.6389 (2012).","journal-title":"arXiv preprint arXiv:1206.6389"},{"key":"e_1_3_1_13_2","article-title":"Decision-based adversarial attacks: Reliable attacks against black-box machine learning models","author":"Brendel Wieland","year":"2017","unstructured":"Wieland Brendel, Jonas Rauber, and Matthias Bethge. 2017. Decision-based adversarial attacks: Reliable attacks against black-box machine learning models. arXiv preprint arXiv:1712.04248 (2017).","journal-title":"arXiv preprint arXiv:1712.04248"},{"key":"e_1_3_1_14_2","article-title":"Adversarial patch","author":"Brown Tom B.","year":"2017","unstructured":"Tom B. Brown, Dandelion Man\u00e9, Aurko Roy, Mart\u00edn Abadi, and Justin Gilmer. 2017. Adversarial patch. arXiv preprint arXiv:1712.09665 (2017).","journal-title":"arXiv preprint arXiv:1712.09665"},{"key":"e_1_3_1_15_2","article-title":"A single gradient step finds adversarial examples on random two-layers neural networks","author":"Bubeck S\u00e9bastien","year":"2021","unstructured":"S\u00e9bastien Bubeck, Yeshwanth Cherapanamjeri, Gauthier Gidel, and R\u00e9mi Tachet des Combes. 2021. A single gradient step finds adversarial examples on random two-layers neural networks. arXiv preprint arXiv:2104.03863 (2021).","journal-title":"arXiv preprint arXiv:2104.03863"},{"key":"e_1_3_1_16_2","doi-asserted-by":"publisher","DOI":"10.1145\/3128572.3140444"},{"key":"e_1_3_1_17_2","doi-asserted-by":"crossref","first-page":"39","DOI":"10.1109\/SP.2017.49","volume-title":"2017 IEEE Symposium on Security and Privacy (SP)","author":"Carlini Nicholas","year":"2017","unstructured":"Nicholas Carlini and David Wagner. 2017. Towards evaluating the robustness of neural networks. In 2017 IEEE Symposium on Security and Privacy (SP). IEEE, 39\u201357."},{"key":"e_1_3_1_18_2","first-page":"3405","volume-title":"Proceedings of the AAAI Conference on Artificial Intelligence","volume":"34","author":"Che Zhaohui","year":"2020","unstructured":"Zhaohui Che, Ali Borji, Guangtao Zhai, Suiyi Ling, Jing Li, and Patrick Le Callet. 2020. A new ensemble adversarial attack powered by long-term gradient memories. In Proceedings of the AAAI Conference on Artificial Intelligence, Vol. 34. 3405\u20133413."},{"key":"e_1_3_1_19_2","doi-asserted-by":"publisher","DOI":"10.1145\/3128572.3140448"},{"key":"e_1_3_1_20_2","article-title":"Query-efficient hard-label black-box attack: An optimization-based approach","author":"Cheng Minhao","year":"2018","unstructured":"Minhao Cheng, Thong Le, Pin-Yu Chen, Jinfeng Yi, Huan Zhang, and Cho-Jui Hsieh. 2018. Query-efficient hard-label black-box attack: An optimization-based approach. arXiv preprint arXiv:1807.04457 (2018).","journal-title":"arXiv preprint arXiv:1807.04457"},{"key":"e_1_3_1_21_2","first-page":"14453","volume-title":"Proceedings of the IEEE\/CVF Conference on Computer Vision and Pattern Recognition","author":"Cohen Gilad","year":"2020","unstructured":"Gilad Cohen, Guillermo Sapiro, and Raja Giryes. 2020. Detecting adversarial samples using influence functions and nearest neighbors. In Proceedings of the IEEE\/CVF Conference on Computer Vision and Pattern Recognition. 14453\u201314462."},{"key":"e_1_3_1_22_2","first-page":"1310","volume-title":"International Conference on Machine Learning","author":"Cohen Jeremy","year":"2019","unstructured":"Jeremy Cohen, Elan Rosenfeld, and Zico Kolter. 2019. Certified adversarial robustness via randomized smoothing. In International Conference on Machine Learning. PMLR, 1310\u20131320."},{"key":"e_1_3_1_23_2","first-page":"4757","volume-title":"Proceedings of the IEEE\/CVF Conference on Computer Vision and Pattern Recognition","author":"Corneanu Ciprian A.","year":"2019","unstructured":"Ciprian A. Corneanu, Meysam Madadi, Sergio Escalera, and Aleix M. Martinez. 2019. What does it mean to learn in deep networks? And, how does one detect adversarial attacks?. In Proceedings of the IEEE\/CVF Conference on Computer Vision and Pattern Recognition. 4757\u20134766."},{"key":"e_1_3_1_24_2","article-title":"Intriguing properties of adversarial examples","author":"Cubuk Ekin D.","year":"2017","unstructured":"Ekin D. Cubuk, Barret Zoph, Samuel S. Schoenholz, and Quoc V. Le. 2017. Intriguing properties of adversarial examples. arXiv preprint arXiv:1711.02846 (2017).","journal-title":"arXiv preprint arXiv:1711.02846"},{"key":"e_1_3_1_25_2","article-title":"Most ReLU networks suffer from  \\(\\ell^{2}\\)  adversarial perturbations","author":"Daniely Amit","year":"2020","unstructured":"Amit Daniely and Hadas Schacham. 2020. Most ReLU networks suffer from \\(\\ell^{2}\\) adversarial perturbations. arXiv preprint arXiv:2010.14927 (2020).","journal-title":"arXiv preprint arXiv:2010.14927"},{"key":"e_1_3_1_26_2","article-title":"Simulating a primary visual cortex at the front of CNNs improves robustness to image perturbations","author":"Dapello Joel","year":"2020","unstructured":"Joel Dapello, Tiago Marques, Martin Schrimpf, Franziska Geiger, David D. Cox, and James J. DiCarlo. 2020. Simulating a primary visual cortex at the front of CNNs improves robustness to image perturbations. BioRxiv (2020).","journal-title":"BioRxiv"},{"key":"e_1_3_1_27_2","first-page":"2522","volume-title":"International Conference on Machine Learning","author":"Palma Giacomo De","year":"2021","unstructured":"Giacomo De Palma, Bobak Kiani, and Seth Lloyd. 2021. Adversarial robustness guarantees for random deep neural networks. In International Conference on Machine Learning. PMLR, 2522\u20132534."},{"key":"e_1_3_1_28_2","doi-asserted-by":"publisher","DOI":"10.1007\/s13042-020-01097-4"},{"key":"e_1_3_1_29_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.strusafe.2008.06.020"},{"key":"e_1_3_1_30_2","article-title":"Stochastic activation pruning for robust adversarial defense","author":"Dhillon Guneet S.","year":"2018","unstructured":"Guneet S. Dhillon, Kamyar Azizzadenesheli, Zachary C. Lipton, Jeremy Bernstein, Jean Kossaifi, Aran Khanna, and Anima Anandkumar. 2018. Stochastic activation pruning for robust adversarial defense. arXiv preprint arXiv:1803.01442 (2018).","journal-title":"arXiv preprint arXiv:1803.01442"},{"key":"e_1_3_1_31_2","article-title":"Adversarial risk and robustness: General definitions and implications for the uniform distribution","author":"Diochnos Dimitrios I.","year":"2018","unstructured":"Dimitrios I. Diochnos, Saeed Mahloujifar, and Mohammad Mahmoody. 2018. Adversarial risk and robustness: General definitions and implications for the uniform distribution. arXiv preprint arXiv:1810.12272 (2018).","journal-title":"arXiv preprint arXiv:1810.12272"},{"key":"e_1_3_1_32_2","article-title":"Limitations of adversarial robustness: Strong no free lunch theorem","author":"Dohmatob Elvis","year":"2018","unstructured":"Elvis Dohmatob. 2018. Limitations of adversarial robustness: Strong no free lunch theorem. arXiv preprint arXiv:1810.04065 (2018).","journal-title":"arXiv preprint arXiv:1810.04065"},{"key":"e_1_3_1_33_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR42600.2020.00040"},{"key":"e_1_3_1_34_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2018.00957"},{"key":"e_1_3_1_35_2","article-title":"Towards interpretable deep neural networks by leveraging adversarial examples","author":"Dong Yinpeng","year":"2017","unstructured":"Yinpeng Dong, Hang Su, Jun Zhu, and Fan Bao. 2017. Towards interpretable deep neural networks by leveraging adversarial examples. arXiv preprint arXiv:1708.05493 (2017).","journal-title":"arXiv preprint arXiv:1708.05493"},{"key":"e_1_3_1_36_2","first-page":"7506","volume-title":"Proceedings of the IEEE\/CVF International Conference on Computer Vision","author":"Duan Ranjie","year":"2021","unstructured":"Ranjie Duan, Yuefeng Chen, Dantong Niu, Yun Yang, A. Kai Qin, and Yuan He. 2021. AdvDrop: Adversarial attack to DNNs by dropping information. In Proceedings of the IEEE\/CVF International Conference on Computer Vision. 7506\u20137515."},{"key":"e_1_3_1_37_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR42600.2020.00108"},{"key":"e_1_3_1_38_2","doi-asserted-by":"publisher","DOI":"10.1007\/11681878_14"},{"key":"e_1_3_1_39_2","article-title":"A study of the effect of JPG compression on adversarial images","author":"Dziugaite Gintare Karolina","year":"2016","unstructured":"Gintare Karolina Dziugaite, Zoubin Ghahramani, and Daniel M. Roy. 2016. A study of the effect of JPG compression on adversarial images. arXiv preprint arXiv:1608.00853 (2016).","journal-title":"arXiv preprint arXiv:1608.00853"},{"key":"e_1_3_1_40_2","article-title":"Robustness of classifiers: from adversarial to random noise","author":"Fawzi Alhussein","year":"2016","unstructured":"Alhussein Fawzi, Seyed-Mohsen Moosavi-Dezfooli, and Pascal Frossard. 2016. Robustness of classifiers: from adversarial to random noise. arXiv preprint arXiv:1608.08967 (2016).","journal-title":"arXiv preprint arXiv:1608.08967"},{"key":"e_1_3_1_41_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2018.00396"},{"key":"e_1_3_1_42_2","first-page":"1","volume-title":"2020 International Joint Conference on Neural Networks (IJCNN)","author":"Fidel Gil","year":"2020","unstructured":"Gil Fidel, Ron Bitton, and Asaf Shabtai. 2020. When explainability meets adversarial learning: Detecting adversarial examples using SHAP signatures. In 2020 International Joint Conference on Neural Networks (IJCNN). IEEE, 1\u20138."},{"key":"e_1_3_1_43_2","article-title":"Adversarial examples are a natural consequence of test error in noise","author":"Ford Nic","year":"2019","unstructured":"Nic Ford, Justin Gilmer, Nicolas Carlini, and Dogus Cubuk. 2019. Adversarial examples are a natural consequence of test error in noise. arXiv preprint arXiv:1901.10513 (2019).","journal-title":"arXiv preprint arXiv:1901.10513"},{"key":"e_1_3_1_44_2","doi-asserted-by":"publisher","DOI":"10.1214\/aos\/1016218223"},{"key":"e_1_3_1_45_2","first-page":"1050","volume-title":"International Conference on Machine Learning","author":"Gal Yarin","year":"2016","unstructured":"Yarin Gal and Zoubin Ghahramani. 2016. Dropout as a Bayesian approximation: Representing model uncertainty in deep learning. In International Conference on Machine Learning. PMLR, 1050\u20131059."},{"key":"e_1_3_1_46_2","article-title":"Batch normalization is a cause of adversarial vulnerability","author":"Galloway Angus","year":"2019","unstructured":"Angus Galloway, Anna Golubeva, Thomas Tanay, Medhat Moussa, and Graham W. Taylor. 2019. Batch normalization is a cause of adversarial vulnerability. arXiv preprint arXiv:1905.02161 (2019).","journal-title":"arXiv preprint arXiv:1905.02161"},{"key":"e_1_3_1_47_2","first-page":"3564","volume-title":"International Conference on Machine Learning","author":"Gao Ruize","year":"2021","unstructured":"Ruize Gao, Feng Liu, Jingfeng Zhang, Bo Han, Tongliang Liu, Gang Niu, and Masashi Sugiyama. 2021. Maximum mean discrepancy test is aware of adversarial attacks. In International Conference on Machine Learning. PMLR, 3564\u20133575."},{"key":"e_1_3_1_48_2","article-title":"Adversarial spheres","author":"Gilmer Justin","year":"2018","unstructured":"Justin Gilmer, Luke Metz, Fartash Faghri, Samuel S. Schoenholz, Maithra Raghu, Martin Wattenberg, and Ian Goodfellow. 2018. Adversarial spheres. arXiv preprint arXiv:1801.02774 (2018).","journal-title":"arXiv preprint arXiv:1801.02774"},{"key":"e_1_3_1_49_2","article-title":"Explaining and harnessing adversarial examples","author":"Goodfellow Ian J.","year":"2014","unstructured":"Ian J. Goodfellow, Jonathon Shlens, and Christian Szegedy. 2014. Explaining and harnessing adversarial examples. arXiv preprint arXiv:1412.6572 (2014).","journal-title":"arXiv preprint arXiv:1412.6572"},{"key":"e_1_3_1_50_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.ins.2018.07.040"},{"key":"e_1_3_1_51_2","doi-asserted-by":"publisher","DOI":"10.1007\/s001820050125"},{"key":"e_1_3_1_52_2","article-title":"On the (statistical) detection of adversarial examples","author":"Grosse Kathrin","year":"2017","unstructured":"Kathrin Grosse, Praveen Manoharan, Nicolas Papernot, Michael Backes, and Patrick McDaniel. 2017. On the (statistical) detection of adversarial examples. arXiv preprint arXiv:1702.06280 (2017).","journal-title":"arXiv preprint arXiv:1702.06280"},{"key":"e_1_3_1_53_2","article-title":"BadNets: Identifying vulnerabilities in the machine learning model supply chain","author":"Gu Tianyu","year":"2017","unstructured":"Tianyu Gu, Brendan Dolan-Gavitt, and Siddharth Garg. 2017. BadNets: Identifying vulnerabilities in the machine learning model supply chain. arXiv preprint arXiv:1708.06733 (2017).","journal-title":"arXiv preprint arXiv:1708.06733"},{"key":"e_1_3_1_54_2","article-title":"Low frequency adversarial perturbation","author":"Guo Chuan","year":"2018","unstructured":"Chuan Guo, Jared S. Frank, and Kilian Q. Weinberger. 2018. Low frequency adversarial perturbation. arXiv preprint arXiv:1809.08758 (2018).","journal-title":"arXiv preprint arXiv:1809.08758"},{"key":"e_1_3_1_55_2","article-title":"Countering adversarial images using input transformations","author":"Guo Chuan","year":"2017","unstructured":"Chuan Guo, Mayank Rana, Moustapha Cisse, and Laurens Van Der Maaten. 2017. Countering adversarial images using input transformations. arXiv preprint arXiv:1711.00117 (2017).","journal-title":"arXiv preprint arXiv:1711.00117"},{"key":"e_1_3_1_56_2","first-page":"631","volume-title":"Proceedings of the IEEE\/CVF Conference on Computer Vision and Pattern Recognition","author":"Guo Minghao","year":"2020","unstructured":"Minghao Guo, Yuzhe Yang, Rui Xu, Ziwei Liu, and Dahua Lin. 2020. When NAS meets robustness: In search of robust architectures against adversarial attacks. In Proceedings of the IEEE\/CVF Conference on Computer Vision and Pattern Recognition. 631\u2013640."},{"key":"e_1_3_1_57_2","first-page":"73","volume-title":"Information and Communications Security: 23rd International Conference, ICICS 2021, Chongqing, China, November 19-21, 2021, Proceedings, Part II 23","author":"Han Sicong","year":"2021","unstructured":"Sicong Han, Chenhao Lin, Chao Shen, and Qian Wang. 2021. Rethinking adversarial examples exploiting frequency-based analysis. In Information and Communications Security: 23rd International Conference, ICICS 2021, Chongqing, China, November 19-21, 2021, Proceedings, Part II 23. Springer, 73\u201389."},{"key":"e_1_3_1_58_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPRW.2018.00210"},{"key":"e_1_3_1_59_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.90"},{"key":"e_1_3_1_60_2","article-title":"Benchmarking neural network robustness to common corruptions and surface variations","author":"Hendrycks Dan","year":"2018","unstructured":"Dan Hendrycks and Thomas G. Dietterich. 2018. Benchmarking neural network robustness to common corruptions and surface variations. arXiv preprint arXiv:1807.01697 (2018).","journal-title":"arXiv preprint arXiv:1807.01697"},{"key":"e_1_3_1_61_2","volume-title":"35th Conference on Neural Information Processing Systems","author":"Huang Hanxun","year":"2021","unstructured":"Hanxun Huang, Yisen Wang, Sarah Monazam Erfani, Quanquan Gu, James Bailey, and Xingjun Ma. 2021. Exploring architectural ingredients of adversarially robust deep neural networks. In 35th Conference on Neural Information Processing Systems."},{"key":"e_1_3_1_62_2","first-page":"15883","article-title":"On relating explanations and adversarial examples","volume":"32","author":"Ignatiev Alexey","year":"2019","unstructured":"Alexey Ignatiev, Nina Narodytska, and Joao Marques-Silva. 2019. On relating explanations and adversarial examples. Advances in Neural Information Processing Systems 32 (2019), 15883\u201315893.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"e_1_3_1_63_2","article-title":"Adversarial examples are not bugs, they are features","author":"Ilyas Andrew","year":"2019","unstructured":"Andrew Ilyas, Shibani Santurkar, Dimitris Tsipras, Logan Engstrom, Brandon Tran, and Aleksander Madry. 2019. Adversarial examples are not bugs, they are features. arXiv preprint arXiv:1905.02175 (2019).","journal-title":"arXiv preprint arXiv:1905.02175"},{"key":"e_1_3_1_64_2","first-page":"448","volume-title":"International Conference on Machine Learning","author":"Ioffe Sergey","year":"2015","unstructured":"Sergey Ioffe and Christian Szegedy. 2015. Batch normalization: Accelerating deep network training by reducing internal covariate shift. In International Conference on Machine Learning. PMLR, 448\u2013456."},{"key":"e_1_3_1_65_2","article-title":"Can we mitigate backdoor attack using adversarial detection methods?","author":"Jin Kaidi","year":"2022","unstructured":"Kaidi Jin, Tianwei Zhang, Chao Shen, Yufei Chen, Ming Fan, Chenhao Lin, and Ting Liu. 2022. Can we mitigate backdoor attack using adversarial detection methods? IEEE Transactions on Dependable and Secure Computing (2022).","journal-title":"IEEE Transactions on Dependable and Secure Computing"},{"key":"e_1_3_1_66_2","article-title":"Can we have it all? On the trade-off between spatial and adversarial robustness of neural networks","volume":"34","author":"Kamath Sandesh","year":"2021","unstructured":"Sandesh Kamath, Amit Deshpande, Subrahmanyam Kambhampati Venkata, and Vineeth N. Balasubramanian. 2021. Can we have it all? On the trade-off between spatial and adversarial robustness of neural networks. Advances in Neural Information Processing Systems 34 (2021).","journal-title":"Advances in Neural Information Processing Systems"},{"key":"e_1_3_1_67_2","article-title":"Nonlinear systems, 1996","author":"Khalil Hassan K.","year":"1996","unstructured":"Hassan K. Khalil. 1996. Nonlinear systems, 1996. Department of Electrical and Computer Engineering, Michigan State University, New Jersey (1996).","journal-title":"Department of Electrical and Computer Engineering, Michigan State University, New Jersey"},{"key":"e_1_3_1_68_2","article-title":"Distilling robust and non-robust features in adversarial examples by information bottleneck","volume":"34","author":"Kim Junho","year":"2021","unstructured":"Junho Kim, Byung-Kwan Lee, and Yong Man Ro. 2021. Distilling robust and non-robust features in adversarial examples by information bottleneck. Advances in Neural Information Processing Systems 34 (2021).","journal-title":"Advances in Neural Information Processing Systems"},{"key":"e_1_3_1_69_2","unstructured":"Alexey Kurakin Ian Goodfellow and Samy Bengio. 2016. Adversarial examples in the physical world. arXiv preprint arXiv:1607.02533 (2016)."},{"key":"e_1_3_1_70_2","doi-asserted-by":"publisher","DOI":"10.1038\/nature14539"},{"key":"e_1_3_1_71_2","doi-asserted-by":"crossref","first-page":"656","DOI":"10.1109\/SP.2019.00044","volume-title":"2019 IEEE Symposium on Security and Privacy (SP)","author":"Lecuyer Mathias","year":"2019","unstructured":"Mathias Lecuyer, Vaggelis Atlidakis, Roxana Geambasu, Daniel Hsu, and Suman Jana. 2019. Certified robustness to adversarial examples with differential privacy. In 2019 IEEE Symposium on Security and Privacy (SP). IEEE, 656\u2013672."},{"key":"e_1_3_1_72_2","first-page":"6465","article-title":"(De) randomized smoothing for certifiable defense against patch attacks","volume":"33","author":"Levine Alexander","year":"2020","unstructured":"Alexander Levine and Soheil Feizi. 2020. (De) randomized smoothing for certifiable defense against patch attacks. Advances in Neural Information Processing Systems 33 (2020), 6465\u20136475.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"e_1_3_1_73_2","doi-asserted-by":"publisher","DOI":"10.1109\/INFOCOM42981.2021.9488754"},{"key":"e_1_3_1_74_2","first-page":"6750","volume-title":"2020 25th International Conference on Pattern Recognition (ICPR)","author":"Li Honglin","year":"2021","unstructured":"Honglin Li, Yifei Fan, Frieder Ganz, Anthony Yezzi, and Payam Barnaghi. 2021. Verifying the causes of adversarial examples. In 2020 25th International Conference on Pattern Recognition (ICPR). IEEE, 6750\u20136757."},{"key":"e_1_3_1_75_2","article-title":"Understanding neural networks through representation erasure","author":"Li Jiwei","year":"2016","unstructured":"Jiwei Li, Will Monroe, and Dan Jurafsky. 2016. Understanding neural networks through representation erasure. arXiv preprint arXiv:1612.08220 (2016).","journal-title":"arXiv preprint arXiv:1612.08220"},{"key":"e_1_3_1_76_2","first-page":"753","volume-title":"European Conference on Computer Vision","author":"Li Yueru","year":"2020","unstructured":"Yueru Li, Shuyu Cheng, Hang Su, and Jun Zhu. 2020. Defense against adversarial attacks via controlling gradient leaking on embedded manifolds. In European Conference on Computer Vision. Springer, 753\u2013769."},{"key":"e_1_3_1_77_2","first-page":"3866","volume-title":"International Conference on Machine Learning","author":"Li Yandong","year":"2019","unstructured":"Yandong Li, Lijun Li, Liqiang Wang, Tong Zhang, and Boqing Gong. 2019. Nattack: Learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In International Conference on Machine Learning. PMLR, 3866\u20133876."},{"key":"e_1_3_1_78_2","volume-title":"35th Conference on Neural Information Processing Systems","author":"Li Yanxi","year":"2021","unstructured":"Yanxi Li, Zhaohui Yang, Yunhe Wang, and Chang Xu. 2021. Neural architecture dilation for adversarial robustness. In 35th Conference on Neural Information Processing Systems."},{"key":"e_1_3_1_79_2","first-page":"6577","volume-title":"International Conference on Machine Learning","author":"Liang Kaizhao","year":"2021","unstructured":"Kaizhao Liang, Jacky Y. Zhang, Boxin Wang, Zhuolin Yang, Sanmi Koyejo, and Bo Li. 2021. Uncovering the connections between adversarial transferability and knowledge transferability. In International Conference on Machine Learning. PMLR, 6577\u20136587."},{"key":"e_1_3_1_80_2","article-title":"Large norms of CNN layers do not hurt adversarial robustness","author":"Liang Youwei","year":"2020","unstructured":"Youwei Liang and Dong Huang. 2020. Large norms of CNN layers do not hurt adversarial robustness. arXiv preprint arXiv:2009.08435 (2020).","journal-title":"arXiv preprint arXiv:2009.08435"},{"key":"e_1_3_1_81_2","article-title":"Feature prioritization and regularization improve standard accuracy and adversarial robustness","author":"Liu Chihuang","year":"2018","unstructured":"Chihuang Liu and Joseph JaJa. 2018. Feature prioritization and regularization improve standard accuracy and adversarial robustness. arXiv preprint arXiv:1810.02424 (2018).","journal-title":"arXiv preprint arXiv:1810.02424"},{"key":"e_1_3_1_82_2","first-page":"834","volume-title":"2021 IEEE International Conference on Big Data (Big Data)","author":"Liu Guanxiong","year":"2021","unstructured":"Guanxiong Liu, Issa Khalil, Abdallah Khreishah, and NhatHai Phan. 2021. A synergetic attack against neural network classifiers combining backdoor and adversarial examples. In 2021 IEEE International Conference on Big Data (Big Data). IEEE, 834\u2013846."},{"key":"e_1_3_1_83_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV.2019.00303"},{"key":"e_1_3_1_84_2","article-title":"On the limitation of local intrinsic dimensionality for characterizing the subspaces of adversarial examples","author":"Lu Pei-Hsuan","year":"2018","unstructured":"Pei-Hsuan Lu, Pin-Yu Chen, and Chia-Mu Yu. 2018. On the limitation of local intrinsic dimensionality for characterizing the subspaces of adversarial examples. arXiv preprint arXiv:1803.09638 (2018).","journal-title":"arXiv preprint arXiv:1803.09638"},{"key":"e_1_3_1_85_2","article-title":"A unified approach to interpreting model predictions","volume":"30","author":"Lundberg Scott M.","year":"2017","unstructured":"Scott M. Lundberg and Su-In Lee. 2017. A unified approach to interpreting model predictions. Advances in Neural Information Processing Systems 30 (2017).","journal-title":"Advances in Neural Information Processing Systems"},{"key":"e_1_3_1_86_2","article-title":"Foveation-based mechanisms alleviate adversarial examples","author":"Luo Yan","year":"2015","unstructured":"Yan Luo, Xavier Boix, Gemma Roig, Tomaso Poggio, and Qi Zhao. 2015. Foveation-based mechanisms alleviate adversarial examples. arXiv preprint arXiv:1511.06292 (2015).","journal-title":"arXiv preprint arXiv:1511.06292"},{"key":"e_1_3_1_87_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICDM.2015.84"},{"key":"e_1_3_1_88_2","article-title":"Characterizing adversarial subspaces using local intrinsic dimensionality","author":"Ma Xingjun","year":"2018","unstructured":"Xingjun Ma, Bo Li, Yisen Wang, Sarah M. Erfani, Sudanthi Wijewickrema, Grant Schoenebeck, Dawn Song, Michael E. Houle, and James Bailey. 2018. Characterizing adversarial subspaces using local intrinsic dimensionality. arXiv preprint arXiv:1801.02613 (2018).","journal-title":"arXiv preprint arXiv:1801.02613"},{"key":"e_1_3_1_89_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.patcog.2020.107332"},{"key":"e_1_3_1_90_2","article-title":"Towards deep learning models resistant to adversarial attacks","author":"Madry Aleksander","year":"2017","unstructured":"Aleksander Madry, Aleksandar Makelov, Ludwig Schmidt, Dimitris Tsipras, and Adrian Vladu. 2017. Towards deep learning models resistant to adversarial attacks. arXiv preprint arXiv:1706.06083 (2017).","journal-title":"arXiv preprint arXiv:1706.06083"},{"key":"e_1_3_1_91_2","article-title":"Empirically measuring concentration: Fundamental limits on intrinsic robustness","author":"Mahloujifar Saeed","year":"2019","unstructured":"Saeed Mahloujifar, Xiao Zhang, Mohammad Mahmoody, and David Evans. 2019. Empirically measuring concentration: Fundamental limits on intrinsic robustness. arXiv preprint arXiv:1905.12202 (2019).","journal-title":"arXiv preprint arXiv:1905.12202"},{"key":"e_1_3_1_92_2","article-title":"Metric learning for adversarial robustness","author":"Mao Chengzhi","year":"2019","unstructured":"Chengzhi Mao, Ziyuan Zhong, Junfeng Yang, Carl Vondrick, and Baishakhi Ray. 2019. Metric learning for adversarial robustness. arXiv preprint arXiv:1909.00900 (2019).","journal-title":"arXiv preprint arXiv:1909.00900"},{"key":"e_1_3_1_93_2","first-page":"12322","volume-title":"Proceedings of the IEEE\/CVF International Conference on Computer Vision","author":"Mok Jisoo","year":"2021","unstructured":"Jisoo Mok, Byunggook Na, Hyeokjun Choe, and Sungroh Yoon. 2021. AdvRush: Searching for adversarially robust neural architectures. In Proceedings of the IEEE\/CVF International Conference on Computer Vision. 12322\u201312332."},{"key":"e_1_3_1_94_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2017.17"},{"key":"e_1_3_1_95_2","first-page":"arXiv\u20131705","article-title":"Analysis of universal adversarial perturbations","author":"Moosavi-Dezfooli Seyed-Mohsen","year":"2017","unstructured":"Seyed-Mohsen Moosavi-Dezfooli, Alhussein Fawzi, Omar Fawzi, Pascal Frossard, and Stefano Soatto. 2017. Analysis of universal adversarial perturbations. ArXiv E-prints (2017), arXiv\u20131705.","journal-title":"ArXiv E-prints"},{"key":"e_1_3_1_96_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.282"},{"key":"e_1_3_1_97_2","volume-title":"ICML 2021 Workshop on Uncertainty and Robustness in Deep Learning","author":"Mu Norman","year":"2021","unstructured":"Norman Mu and David Wagner. 2021. Defending against adversarial patches with robust self-attention. In ICML 2021 Workshop on Uncertainty and Robustness in Deep Learning."},{"key":"e_1_3_1_98_2","first-page":"3385","volume-title":"Proceedings of the IEEE\/CVF International Conference on Computer Vision","author":"Mustafa Aamir","year":"2019","unstructured":"Aamir Mustafa, Salman Khan, Munawar Hayat, Roland Goecke, Jianbing Shen, and Ling Shao. 2019. Adversarial defense by restricting the hidden space of deep neural networks. In Proceedings of the IEEE\/CVF International Conference on Computer Vision. 3385\u20133394."},{"key":"e_1_3_1_99_2","article-title":"Cross-entropy loss and low-rank features have responsibility for adversarial examples","author":"Nar Kamil","year":"2019","unstructured":"Kamil Nar, Orhan Ocal, S. Shankar Sastry, and Kannan Ramchandran. 2019. Cross-entropy loss and low-rank features have responsibility for adversarial examples. arXiv preprint arXiv:1901.08360 (2019).","journal-title":"arXiv preprint arXiv:1901.08360"},{"key":"e_1_3_1_100_2","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3417253"},{"key":"e_1_3_1_101_2","doi-asserted-by":"publisher","DOI":"10.1145\/3052973.3053009"},{"key":"e_1_3_1_102_2","first-page":"14358","volume":"34","year":"2021","unstructured":"Yao Qin, Xuezhi Wang, Alex Beutel, et al. 2021. Improving calibration through the relationship with adversarial robustness. Advances in Neural Information Processing Systems 34 (2021), 14358-14369.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"e_1_3_1_103_2","first-page":"4777","volume-title":"Proceedings of the IEEE\/CVF Conference on Computer Vision and Pattern Recognition","author":"Qiu Yuxian","year":"2019","unstructured":"Yuxian Qiu, Jingwen Leng, Cong Guo, Quan Chen, Chao Li, Minyi Guo, and Yuhao Zhu. 2019. Adversarial defense through network profiling based path extraction. In Proceedings of the IEEE\/CVF Conference on Computer Vision and Pattern Recognition. 4777\u20134786."},{"key":"e_1_3_1_104_2","article-title":"Certified defenses against adversarial examples","author":"Raghunathan Aditi","year":"2018","unstructured":"Aditi Raghunathan, Jacob Steinhardt, and Percy Liang. 2018. Certified defenses against adversarial examples. arXiv preprint arXiv:1801.09344 (2018).","journal-title":"arXiv preprint arXiv:1801.09344"},{"key":"e_1_3_1_105_2","first-page":"8178","volume-title":"Proceedings of the IEEE\/CVF Conference on Computer Vision and Pattern Recognition","author":"Rahnama Arash","year":"2020","unstructured":"Arash Rahnama, Andre T. Nguyen, and Edward Raff. 2020. Robust design of deep neural networks against adversarial attacks based on Lyapunov theory. In Proceedings of the IEEE\/CVF Conference on Computer Vision and Pattern Recognition. 8178\u20138187."},{"key":"e_1_3_1_106_2","article-title":"Biologically inspired mechanisms for adversarial robustness","author":"Reddy Manish V.","year":"2020","unstructured":"Manish V. Reddy, Andrzej Banburski, Nishka Pant, and Tomaso Poggio. 2020. Biologically inspired mechanisms for adversarial robustness. arXiv preprint arXiv:2006.16427 (2020).","journal-title":"arXiv preprint arXiv:2006.16427"},{"key":"e_1_3_1_107_2","doi-asserted-by":"publisher","DOI":"10.1016\/0004-3702(87)90062-2"},{"key":"e_1_3_1_108_2","doi-asserted-by":"publisher","DOI":"10.1145\/2939672.2939778"},{"key":"e_1_3_1_109_2","volume-title":"32nd AAAI Conference on Artificial Intelligence","author":"Ross Andrew Slavin","year":"2018","unstructured":"Andrew Slavin Ross and Finale Doshi-Velez. 2018. Improving the adversarial robustness and interpretability of deep neural networks by regularizing their input gradients. In 32nd AAAI Conference on Artificial Intelligence."},{"key":"e_1_3_1_110_2","doi-asserted-by":"crossref","first-page":"227","DOI":"10.1109\/ICMLA.2016.0045","volume-title":"2016 15th IEEE International Conference on Machine Learning and Applications (ICMLA)","author":"Rozsa Andras","year":"2016","unstructured":"Andras Rozsa, Manuel G\u00fcnther, and Terrance E. Boult. 2016. Are accuracy and robustness correlated. In 2016 15th IEEE International Conference on Machine Learning and Applications (ICMLA). IEEE, 227\u2013232."},{"key":"e_1_3_1_111_2","article-title":"Towards robust deep neural networks with BANG","author":"Rozsa Andras","year":"2016","unstructured":"Andras Rozsa, Manuel Gunther, and Terrance E. Boult. 2016. Towards robust deep neural networks with BANG. arXiv preprint arXiv:1612.00138 (2016).","journal-title":"arXiv preprint arXiv:1612.00138"},{"key":"e_1_3_1_112_2","doi-asserted-by":"publisher","DOI":"10.1007\/BF01530750"},{"key":"e_1_3_1_113_2","first-page":"14666","volume-title":"Proceedings of the IEEE\/CVF Conference on Computer Vision and Pattern Recognition","author":"Sayles Athena","year":"2021","unstructured":"Athena Sayles, Ashish Hooda, Mohit Gupta, Rahul Chatterjee, and Earlence Fernandes. 2021. Invisible perturbations: Physical adversarial examples exploiting the rolling shutter effect. In Proceedings of the IEEE\/CVF Conference on Computer Vision and Pattern Recognition. 14666\u201314675."},{"key":"e_1_3_1_114_2","article-title":"Adversarially robust generalization requires more data","author":"Schmidt Ludwig","year":"2018","unstructured":"Ludwig Schmidt, Shibani Santurkar, Dimitris Tsipras, Kunal Talwar, and Aleksander Madry. 2018. Adversarially robust generalization requires more data. arXiv preprint arXiv:1804.11285 (2018).","journal-title":"arXiv preprint arXiv:1804.11285"},{"key":"e_1_3_1_115_2","article-title":"Are adversarial examples inevitable?","author":"Shafahi Ali","year":"2018","unstructured":"Ali Shafahi, W. Ronny Huang, Christoph Studer, Soheil Feizi, and Tom Goldstein. 2018. Are adversarial examples inevitable? arXiv preprint arXiv:1809.02104 (2018).","journal-title":"arXiv preprint arXiv:1809.02104"},{"key":"e_1_3_1_116_2","article-title":"Adversarial training for free!","author":"Shafahi Ali","year":"2019","unstructured":"Ali Shafahi, Mahyar Najibi, Amin Ghiasi, Zheng Xu, John Dickerson, Christoph Studer, Larry S. Davis, Gavin Taylor, and Tom Goldstein. 2019. Adversarial training for free! arXiv preprint arXiv:1904.12843 (2019).","journal-title":"arXiv preprint arXiv:1904.12843"},{"key":"e_1_3_1_117_2","article-title":"A simple explanation for the existence of adversarial examples with small hamming distance","author":"Shamir Adi","year":"2019","unstructured":"Adi Shamir, Itay Safran, Eyal Ronen, and Orr Dunkelman. 2019. A simple explanation for the existence of adversarial examples with small hamming distance. arXiv preprint arXiv:1901.10861 (2019).","journal-title":"arXiv preprint arXiv:1901.10861"},{"key":"e_1_3_1_118_2","first-page":"5809","volume-title":"International Conference on Machine Learning","author":"Simon-Gabriel Carl-Johann","year":"2019","unstructured":"Carl-Johann Simon-Gabriel, Yann Ollivier, Leon Bottou, Bernhard Sch\u00f6lkopf, and David Lopez-Paz. 2019. First-order adversarial vulnerability of neural networks and input dimension. In International Conference on Machine Learning. PMLR, 5809\u20135817."},{"key":"e_1_3_1_119_2","first-page":"16423","volume-title":"Proceedings of the IEEE\/CVF International Conference on Computer Vision","author":"Singla Vasu","year":"2021","unstructured":"Vasu Singla, Sahil Singla, Soheil Feizi, and David Jacobs. 2021. Low curvature activations reduce overfitting in adversarial training. In Proceedings of the IEEE\/CVF International Conference on Computer Vision. 16423\u201316433."},{"key":"e_1_3_1_120_2","article-title":"Robust local features for improving the generalization of adversarial training","author":"Song Chuanbiao","year":"2019","unstructured":"Chuanbiao Song, Kun He, Jiadong Lin, Liwei Wang, and John E. Hopcroft. 2019. Robust local features for improving the generalization of adversarial training. arXiv preprint arXiv:1909.10147 (2019).","journal-title":"arXiv preprint arXiv:1909.10147"},{"key":"e_1_3_1_121_2","article-title":"PixelDefend: Leveraging generative models to understand and defend against adversarial examples","author":"Song Yang","year":"2017","unstructured":"Yang Song, Taesup Kim, Sebastian Nowozin, Stefano Ermon, and Nate Kushman. 2017. PixelDefend: Leveraging generative models to understand and defend against adversarial examples. arXiv preprint arXiv:1710.10766 (2017).","journal-title":"arXiv preprint arXiv:1710.10766"},{"key":"e_1_3_1_122_2","first-page":"6976","volume-title":"Proceedings of the IEEE\/CVF Conference on Computer Vision and Pattern Recognition","author":"Stutz David","year":"2019","unstructured":"David Stutz, Matthias Hein, and Bernt Schiele. 2019. Disentangling adversarial robustness and generalization. In Proceedings of the IEEE\/CVF Conference on Computer Vision and Pattern Recognition. 6976\u20136987."},{"key":"e_1_3_1_123_2","doi-asserted-by":"publisher","DOI":"10.1109\/TEVC.2019.2890858"},{"key":"e_1_3_1_124_2","first-page":"11447","volume-title":"Proceedings of the IEEE\/CVF Conference on Computer Vision and Pattern Recognition","author":"Sun Bo","year":"2019","unstructured":"Bo Sun, Nian-hsuan Tsai, Fangchen Liu, Ronald Yu, and Hao Su. 2019. Adversarial defense by stratified convolutional sparse coding. In Proceedings of the IEEE\/CVF Conference on Computer Vision and Pattern Recognition. 11447\u201311456."},{"key":"e_1_3_1_125_2","first-page":"7526","volume-title":"Proceedings of the IEEE\/CVF International Conference on Computer Vision","author":"Sun Mingjie","year":"2021","unstructured":"Mingjie Sun, Zichao Li, Chaowei Xiao, Haonan Qiu, Bhavya Kailkhura, Mingyan Liu, and Bo Li. 2021. Can shape structure features improve model robustness under diverse adversarial settings?. In Proceedings of the IEEE\/CVF International Conference on Computer Vision. 7526\u20137535."},{"key":"e_1_3_1_126_2","article-title":"Intriguing properties of neural networks","author":"Szegedy Christian","year":"2013","unstructured":"Christian Szegedy, Wojciech Zaremba, Ilya Sutskever, Joan Bruna, Dumitru Erhan, Ian Goodfellow, and Rob Fergus. 2013. Intriguing properties of neural networks. arXiv preprint arXiv:1312.6199 (2013).","journal-title":"arXiv preprint arXiv:1312.6199"},{"key":"e_1_3_1_127_2","first-page":"11340","volume-title":"Proceedings of the IEEE\/CVF Conference on Computer Vision and Pattern Recognition","author":"Taghanaki Saeid Asgari","year":"2019","unstructured":"Saeid Asgari Taghanaki, Kumar Abhishek, Shekoofeh Azizi, and Ghassan Hamarneh. 2019. A kernelized manifold mapping to diminish the effect of adversarial perturbations. In Proceedings of the IEEE\/CVF Conference on Computer Vision and Pattern Recognition. 11340\u201311349."},{"key":"e_1_3_1_128_2","article-title":"A boundary tilting perspective on the phenomenon of adversarial examples","author":"Tanay Thomas","year":"2016","unstructured":"Thomas Tanay and Lewis Griffin. 2016. A boundary tilting perspective on the phenomenon of adversarial examples. arXiv preprint arXiv:1608.07690 (2016).","journal-title":"arXiv preprint arXiv:1608.07690"},{"key":"e_1_3_1_129_2","article-title":"Attacks meet interpretability: Attribute-steered detection of adversarial samples","author":"Tao Guanhong","year":"2018","unstructured":"Guanhong Tao, Shiqing Ma, Yingqi Liu, and Xiangyu Zhang. 2018. Attacks meet interpretability: Attribute-steered detection of adversarial samples. arXiv preprint arXiv:1810.11580 (2018).","journal-title":"arXiv preprint arXiv:1810.11580"},{"key":"e_1_3_1_130_2","article-title":"Detecting adversarial examples from sensitivity inconsistency of spatial-transform domain","author":"Tian Jinyu","year":"2021","unstructured":"Jinyu Tian, Jiantao Zhou, Yuanman Li, and Jia Duan. 2021. Detecting adversarial examples from sensitivity inconsistency of spatial-transform domain. arXiv preprint arXiv:2103.04302 (2021).","journal-title":"arXiv preprint arXiv:2103.04302"},{"key":"e_1_3_1_131_2","article-title":"The space of transferable adversarial examples","author":"Tram\u00e8r Florian","year":"2017","unstructured":"Florian Tram\u00e8r, Nicolas Papernot, Ian Goodfellow, Dan Boneh, and Patrick McDaniel. 2017. The space of transferable adversarial examples. arXiv preprint arXiv:1704.03453 (2017).","journal-title":"arXiv preprint arXiv:1704.03453"},{"key":"e_1_3_1_132_2","first-page":"954","volume-title":"Proceedings of the AAAI Conference on Artificial Intelligence","volume":"34","author":"Tsai Tzungyu","year":"2020","unstructured":"Tzungyu Tsai, Kaichen Yang, Tsung-Yi Ho, and Yier Jin. 2020. Robust adversarial objects against deep learning models. In Proceedings of the AAAI Conference on Artificial Intelligence, Vol. 34. 954\u2013962."},{"key":"e_1_3_1_133_2","article-title":"Robustness may be at odds with accuracy","author":"Tsipras Dimitris","year":"2018","unstructured":"Dimitris Tsipras, Shibani Santurkar, Logan Engstrom, Alexander Turner, and Aleksander Madry. 2018. Robustness may be at odds with accuracy. arXiv preprint arXiv:1805.12152 (2018).","journal-title":"arXiv preprint arXiv:1805.12152"},{"key":"e_1_3_1_134_2","first-page":"1","volume-title":"2020 International Joint Conference on Neural Networks (IJCNN)","author":"Tyukin Ivan Y.","year":"2020","unstructured":"Ivan Y. Tyukin, Desmond J. Higham, and Alexander N. Gorban. 2020. On adversarial examples and stealth attacks in artificial intelligence systems. In 2020 International Joint Conference on Neural Networks (IJCNN). IEEE, 1\u20136."},{"issue":"11","key":"e_1_3_1_135_2","article-title":"Visualizing data using t-SNE.","volume":"9","author":"Maaten Laurens Van der","year":"2008","unstructured":"Laurens Van der Maaten and Geoffrey Hinton. 2008. Visualizing data using t-SNE. Journal of Machine Learning Research 9, 11 (2008).","journal-title":"Journal of Machine Learning Research"},{"key":"e_1_3_1_136_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR42600.2020.00871"},{"key":"e_1_3_1_137_2","first-page":"1095","volume-title":"Proceedings of the IEEE\/CVF International Conference on Computer Vision","author":"Wang Xin","year":"2021","unstructured":"Xin Wang, Shuyun Lin, Hao Zhang, Yufei Zhu, and Quanshi Zhang. 2021. Interpreting attributions and interactions of adversarial attacks. In Proceedings of the IEEE\/CVF International Conference on Computer Vision. 1095\u20131104."},{"key":"e_1_3_1_138_2","article-title":"A unified approach to interpreting and boosting adversarial transferability","author":"Wang Xin","year":"2020","unstructured":"Xin Wang, Jie Ren, Shuyun Lin, Xiangming Zhu, Yisen Wang, and Quanshi Zhang. 2020. A unified approach to interpreting and boosting adversarial transferability. arXiv preprint arXiv:2010.04055 (2020).","journal-title":"arXiv preprint arXiv:2010.04055"},{"key":"e_1_3_1_139_2","first-page":"5133","volume-title":"International Conference on Machine Learning","author":"Wang Yizhen","year":"2018","unstructured":"Yizhen Wang, Somesh Jha, and Kamalika Chaudhuri. 2018. Analyzing the robustness of nearest neighbors to adversarial examples. In International Conference on Machine Learning. PMLR, 5133\u20135142."},{"key":"e_1_3_1_140_2","article-title":"Towards frequency-based explanation for robust CNN","author":"Wang Zifan","year":"2020","unstructured":"Zifan Wang, Yilin Yang, Ankit Shrivastava, Varun Rawal, and Zihao Ding. 2020. Towards frequency-based explanation for robust CNN. arXiv preprint arXiv:2005.03141 (2020).","journal-title":"arXiv preprint arXiv:2005.03141"},{"key":"e_1_3_1_141_2","first-page":"11973","article-title":"On the trade-off between adversarial and backdoor robustness","volume":"33","author":"Weng Cheng-Hsin","year":"2020","unstructured":"Cheng-Hsin Weng, Yan-Ting Lee, and Shan-Hung Brandon Wu. 2020. On the trade-off between adversarial and backdoor robustness. Advances in Neural Information Processing Systems 33 (2020), 11973\u201311983.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"e_1_3_1_142_2","article-title":"Evaluating the robustness of neural networks: An extreme value theory approach","author":"Weng Tsui-Wei","year":"2018","unstructured":"Tsui-Wei Weng, Huan Zhang, Pin-Yu Chen, Jinfeng Yi, Dong Su, Yupeng Gao, Cho-Jui Hsieh, and Luca Daniel. 2018. Evaluating the robustness of neural networks: An extreme value theory approach. arXiv preprint arXiv:1801.10578 (2018).","journal-title":"arXiv preprint arXiv:1801.10578"},{"key":"e_1_3_1_143_2","article-title":"Skip connections matter: On the transferability of adversarial examples generated with ResNets","author":"Wu Dongxian","year":"2020","unstructured":"Dongxian Wu, Yisen Wang, Shu-Tao Xia, James Bailey, and Xingjun Ma. 2020. Skip connections matter: On the transferability of adversarial examples generated with ResNets. arXiv preprint arXiv:2002.05990 (2020).","journal-title":"arXiv preprint arXiv:2002.05990"},{"key":"e_1_3_1_144_2","article-title":"Defending against physically realizable attacks on image classification","author":"Wu Tong","year":"2019","unstructured":"Tong Wu, Liang Tong, and Yevgeniy Vorobeychik. 2019. Defending against physically realizable attacks on image classification. arXiv preprint arXiv:1909.09552 (2019).","journal-title":"arXiv preprint arXiv:1909.09552"},{"key":"e_1_3_1_145_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-01261-8_1"},{"key":"e_1_3_1_146_2","article-title":"Mitigating adversarial effects through randomization","author":"Xie Cihang","year":"2017","unstructured":"Cihang Xie, Jianyu Wang, Zhishuai Zhang, Zhou Ren, and Alan Yuille. 2017. Mitigating adversarial effects through randomization. arXiv preprint arXiv:1711.01991 (2017).","journal-title":"arXiv preprint arXiv:1711.01991"},{"key":"e_1_3_1_147_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2019.00059"},{"key":"e_1_3_1_148_2","article-title":"Feature squeezing: Detecting adversarial examples in deep neural networks","author":"Xu Weilin","year":"2017","unstructured":"Weilin Xu, David Evans, and Yanjun Qi. 2017. Feature squeezing: Detecting adversarial examples in deep neural networks. arXiv preprint arXiv:1704.01155 (2017).","journal-title":"arXiv preprint arXiv:1704.01155"},{"key":"e_1_3_1_149_2","article-title":"CIFS: Improving adversarial robustness of CNNs via channel-wise importance-based feature selection","author":"Yan Hanshu","year":"2021","unstructured":"Hanshu Yan, Jingfeng Zhang, Gang Niu, Jiashi Feng, Vincent Y. F. Tan, and Masashi Sugiyama. 2021. CIFS: Improving adversarial robustness of CNNs via channel-wise importance-based feature selection. arXiv preprint arXiv:2102.05311 (2021).","journal-title":"arXiv preprint arXiv:2102.05311"},{"key":"e_1_3_1_150_2","article-title":"Subspace attack: Exploiting promising subspaces for query-efficient black-box attacks","author":"Yan Ziang","year":"2019","unstructured":"Ziang Yan, Yiwen Guo, and Changshui Zhang. 2019. Subspace attack: Exploiting promising subspaces for query-efficient black-box attacks. arXiv preprint arXiv:1906.04392 (2019).","journal-title":"arXiv preprint arXiv:1906.04392"},{"key":"e_1_3_1_151_2","first-page":"6639","volume-title":"Proceedings of the AAAI Conference on Artificial Intelligence","volume":"34","author":"Yang Puyudi","year":"2020","unstructured":"Puyudi Yang, Jianbo Chen, Cho-Jui Hsieh, Jane-Ling Wang, and Michael Jordan. 2020. ML-LOO: Detecting adversarial examples with feature attribution. In Proceedings of the AAAI Conference on Artificial Intelligence, Vol. 34. 6639\u20136647."},{"key":"e_1_3_1_152_2","article-title":"Interpreting and evaluating neural network robustness","author":"Yu Fuxun","year":"2019","unstructured":"Fuxun Yu, Zhuwei Qin, Chenchen Liu, Liang Zhao, Yanzhi Wang, and Xiang Chen. 2019. Interpreting and evaluating neural network robustness. arXiv preprint arXiv:1905.04270 (2019).","journal-title":"arXiv preprint arXiv:1905.04270"},{"key":"e_1_3_1_153_2","first-page":"14521","volume-title":"Proceedings of the IEEE\/CVF Conference on Computer Vision and Pattern Recognition","author":"Zhang Chaoning","year":"2020","unstructured":"Chaoning Zhang, Philipp Benz, Tooba Imtiaz, and In So Kweon. 2020. Understanding adversarial examples from the mutual influence of images and perturbations. In Proceedings of the IEEE\/CVF Conference on Computer Vision and Pattern Recognition. 14521\u201314530."},{"key":"e_1_3_1_154_2","first-page":"7868","volume-title":"Proceedings of the IEEE\/CVF International Conference on Computer Vision","author":"Zhang Chaoning","year":"2021","unstructured":"Chaoning Zhang, Philipp Benz, Adil Karjauv, and In So Kweon. 2021. Data-free universal adversarial perturbation and black-box attack. In Proceedings of the IEEE\/CVF International Conference on Computer Vision. 7868\u20137877."},{"key":"e_1_3_1_155_2","article-title":"Universal adversarial perturbations through the lens of deep steganography: Towards a Fourier perspective","author":"Zhang Chaoning","year":"2021","unstructured":"Chaoning Zhang, Philipp Benz, Adil Karjauv, and In So Kweon. 2021. Universal adversarial perturbations through the lens of deep steganography: Towards a Fourier perspective. arXiv preprint arXiv:2102.06479 (2021).","journal-title":"arXiv preprint arXiv:2102.06479"},{"key":"e_1_3_1_156_2","article-title":"You only propagate once: Accelerating adversarial training via maximal principle","author":"Zhang Dinghuai","year":"2019","unstructured":"Dinghuai Zhang, Tianyuan Zhang, Yiping Lu, Zhanxing Zhu, and Bin Dong. 2019. You only propagate once: Accelerating adversarial training via maximal principle. arXiv preprint arXiv:1905.00877 (2019).","journal-title":"arXiv preprint arXiv:1905.00877"},{"key":"e_1_3_1_157_2","first-page":"7472","volume-title":"International Conference on Machine Learning","author":"Zhang Hongyang","year":"2019","unstructured":"Hongyang Zhang, Yaodong Yu, Jiantao Jiao, Eric Xing, Laurent El Ghaoui, and Michael Jordan. 2019. Theoretically principled trade-off between robustness and accuracy. In International Conference on Machine Learning. PMLR, 7472\u20137482."},{"key":"e_1_3_1_158_2","first-page":"7502","volume-title":"International Conference on Machine Learning","author":"Zhang Tianyuan","year":"2019","unstructured":"Tianyuan Zhang and Zhanxing Zhu. 2019. Interpreting adversarially trained convolutional neural networks. In International Conference on Machine Learning. PMLR, 7502\u20137511."},{"key":"e_1_3_1_159_2","doi-asserted-by":"publisher","DOI":"10.1109\/TIP.2020.2975918"},{"key":"e_1_3_1_160_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-10599-4_7"},{"key":"e_1_3_1_161_2","first-page":"5869","volume-title":"Proceedings of the AAAI Conference on Artificial Intelligence","volume":"33","author":"Zhao Chenxiao","year":"2019","unstructured":"Chenxiao Zhao, P. Thomas Fletcher, Mixue Yu, Yaxin Peng, Guixu Zhang, and Chaomin Shen. 2019. The adversarial attack and detection under the Fisher information metric. In Proceedings of the AAAI Conference on Artificial Intelligence, Vol. 33. 5869\u20135876."},{"key":"e_1_3_1_162_2","doi-asserted-by":"publisher","DOI":"10.5555\/3327757.3327888"}],"container-title":["ACM Computing Surveys"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3594869","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3594869","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T17:49:08Z","timestamp":1750182548000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3594869"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,7,17]]},"references-count":161,"journal-issue":{"issue":"14s","published-print":{"date-parts":[[2023,12,31]]}},"alternative-id":["10.1145\/3594869"],"URL":"https:\/\/doi.org\/10.1145\/3594869","relation":{},"ISSN":["0360-0300","1557-7341"],"issn-type":[{"value":"0360-0300","type":"print"},{"value":"1557-7341","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,7,17]]},"assertion":[{"value":"2022-06-23","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2023-04-13","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2023-07-17","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}