{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,30]],"date-time":"2025-10-30T07:18:17Z","timestamp":1761808697841,"version":"3.44.0"},"publisher-location":"New York, NY, USA","reference-count":110,"publisher":"ACM","license":[{"start":{"date-parts":[[2024,12,2]],"date-time":"2024-12-02T00:00:00Z","timestamp":1733097600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"China NSFC Grant","award":["61925109"],"award-info":[{"award-number":["61925109"]}]},{"DOI":"10.13039\/501100006374","name":"Ant Group","doi-asserted-by":"publisher","id":[{"id":"10.13039\/501100006374","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2024,12,2]]},"DOI":"10.1145\/3658644.3670395","type":"proceedings-article","created":{"date-parts":[[2024,12,9]],"date-time":"2024-12-09T12:19:20Z","timestamp":1733746760000},"page":"3808-3822","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":1,"title":["Alchemy: Data-Free Adversarial Training"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0009-9587-3528","authenticated-orcid":false,"given":"Yijie","family":"Bai","sequence":"first","affiliation":[{"name":"Zhejiang University, Hangzhou, Zhejiang, China"}]},{"ORCID":"https:\/\/orcid.org\/0009-0002-9267-977X","authenticated-orcid":false,"given":"Zhongming","family":"Ma","sequence":"additional","affiliation":[{"name":"Zhejiang University, Hangzhou, Zhejiang, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1382-0679","authenticated-orcid":false,"given":"Yanjiao","family":"Chen","sequence":"additional","affiliation":[{"name":"Zhejiang University, Hangzhou, Zhejiang, 
China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8262-7813","authenticated-orcid":false,"given":"Jiangyi","family":"Deng","sequence":"additional","affiliation":[{"name":"Zhejiang University, Hangzhou, Zhejiang, China"}]},{"ORCID":"https:\/\/orcid.org\/0009-0002-7945-3987","authenticated-orcid":false,"given":"Shengyuan","family":"Pang","sequence":"additional","affiliation":[{"name":"Zhejiang University, Hangzhou, Zhejiang, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6021-1358","authenticated-orcid":false,"given":"Yan","family":"Liu","sequence":"additional","affiliation":[{"name":"Ant Group, Hangzhou, Zhejiang, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5043-9148","authenticated-orcid":false,"given":"Wenyuan","family":"Xu","sequence":"additional","affiliation":[{"name":"Zhejiang University, Hangzhou, Zhejiang, China"}]}],"member":"320","published-online":{"date-parts":[[2024,12,9]]},"reference":[{"key":"e_1_3_2_1_1_1","volume-title":"Robustness to adversarial examples through an ensemble of specialists. arXiv preprint arXiv:1702.06856","author":"Abbasi Mahdieh","year":"2017","unstructured":"Mahdieh Abbasi and Christian Gagn\u00e9. 2017. Robustness to adversarial examples through an ensemble of specialists. arXiv preprint arXiv:1702.06856 (2017)."},{"key":"e_1_3_2_1_2_1","volume-title":"Advances in Neural Information Processing Systems","volume":"32","author":"Alayrac Jean-Baptiste","year":"2019","unstructured":"Jean-Baptiste Alayrac, Jonathan Uesato, Po-Sen Huang, Alhussein Fawzi, Robert Stanforth, and Pushmeet Kohli. 2019. Are labels required for improving adversarial robustness? Advances in Neural Information Processing Systems, Vol. 32 (2019)."},{"key":"e_1_3_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1145\/3321707.3321749"},{"key":"e_1_3_2_1_4_1","volume-title":"On the robustness of the cvpr 2018 white-box adversarial example defenses. 
arXiv preprint arXiv:1804.03286","author":"Athalye Anish","year":"2018","unstructured":"Anish Athalye and Nicholas Carlini. 2018. On the robustness of the cvpr 2018 white-box adversarial example defenses. arXiv preprint arXiv:1804.03286 (2018)."},{"key":"e_1_3_2_1_5_1","volume-title":"International conference on machine learning. PMLR.","author":"Athalye Anish","year":"2018","unstructured":"Anish Athalye, Nicholas Carlini, and David Wagner. 2018. Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In International conference on machine learning. PMLR."},{"key":"e_1_3_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV48922.2021.00845"},{"key":"e_1_3_2_1_7_1","volume-title":"Recent advances in adversarial training for adversarial robustness. arXiv preprint arXiv:2102.01356","author":"Bai Tao","year":"2021","unstructured":"Tao Bai, Jinqi Luo, Jun Zhao, Bihan Wen, and Qian Wang. 2021. Recent advances in adversarial training for adversarial robustness. arXiv preprint arXiv:2102.01356 (2021)."},{"key":"e_1_3_2_1_8_1","volume-title":"Proceedings of the 12th ACM SIGKDD international conference on Knowledge discovery and data mining.","author":"Bucilu\u0103 Cristian","year":"2006","unstructured":"Cristian Bucilu\u0103, Rich Caruana, and Alexandru Niculescu-Mizil. 2006. Model compression. In Proceedings of the 12th ACM SIGKDD international conference on Knowledge discovery and data mining."},{"key":"e_1_3_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPRW50498.2020.00337"},{"key":"e_1_3_2_1_10_1","volume-title":"(Certified!!) adversarial robustness for free! arXiv preprint arXiv:2206.10550","author":"Carlini Nicholas","year":"2022","unstructured":"Nicholas Carlini, Florian Tramer, Krishnamurthy Dj Dvijotham, Leslie Rice, Mingjie Sun, and J Zico Kolter. 2022. (Certified!!) adversarial robustness for free! 
arXiv preprint arXiv:2206.10550 (2022)."},{"key":"e_1_3_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1145\/3128572.3140444"},{"key":"e_1_3_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.49"},{"key":"e_1_3_2_1_13_1","volume-title":"Advances in Neural Information Processing Systems","volume":"32","author":"Carmon Yair","year":"2019","unstructured":"Yair Carmon, Aditi Raghunathan, Ludwig Schmidt, John C Duchi, and Percy S Liang. 2019. Unlabeled data improves adversarial robustness. Advances in Neural Information Processing Systems, Vol. 32 (2019)."},{"key":"e_1_3_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV.2019.00361"},{"key":"e_1_3_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1109\/TIV.2022.3223131"},{"key":"e_1_3_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1145\/3128572.3140448"},{"key":"e_1_3_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1145\/3460120.3485365"},{"key":"e_1_3_2_1_18_1","volume-title":"Very deep vaes generalize autoregressive models and can outperform them on images. arXiv preprint arXiv:2011.10650","author":"Child Rewon","year":"2020","unstructured":"Rewon Child. 2020. Very deep vaes generalize autoregressive models and can outperform them on images. arXiv preprint arXiv:2011.10650 (2020)."},{"key":"e_1_3_2_1_19_1","volume-title":"International Conference on Machine Learning. PMLR.","author":"Croce Francesco","year":"2020","unstructured":"Francesco Croce and Matthias Hein. 2020. Minimally distorted adversarial examples with a fast adaptive boundary attack. In International Conference on Machine Learning. PMLR."},{"key":"e_1_3_2_1_20_1","volume-title":"International conference on machine learning. PMLR.","author":"Croce Francesco","year":"2020","unstructured":"Francesco Croce and Matthias Hein. 2020. Reliable evaluation of adversarial robustness with an ensemble of diverse parameter-free attacks. In International conference on machine learning. 
PMLR."},{"key":"e_1_3_2_1_21_1","volume-title":"Cinic-10 is not imagenet or cifar-10. arXiv preprint arXiv:1810.03505","author":"Darlow Luke N","year":"2018","unstructured":"Luke N Darlow, Elliot J Crowley, Antreas Antoniou, and Amos J Storkey. 2018. Cinic-10 is not imagenet or cifar-10. arXiv preprint arXiv:1810.03505 (2018)."},{"key":"e_1_3_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1145\/3548606.3559357"},{"key":"e_1_3_2_1_23_1","volume-title":"32nd USENIX Security Symposium (USENIX Security 23)","author":"Deng Jiangyi","year":"2023","unstructured":"Jiangyi Deng, Fei Teng, Yanjiao Chen, Xiaofu Chen, Zhaohui Wang, and Wenyuan Xu. 2023. V-Cloak: Intelligibility-, naturalness- & timbre-preserving real-Time voice anonymization. In 32nd USENIX Security Symposium (USENIX Security 23)."},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2012.2211477"},{"key":"e_1_3_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1109\/PerCom45495.2020.9127389"},{"key":"e_1_3_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICCCN.2017.8038465"},{"key":"e_1_3_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1145\/3507902"},{"key":"e_1_3_2_1_28_1","volume-title":"Contrastive model inversion for data-free knowledge distillation. arXiv preprint arXiv:2105.08584","author":"Fang Gongfan","year":"2021","unstructured":"Gongfan Fang, Jie Song, Xinchao Wang, Chengchao Shen, Xingen Wang, and Mingli Song. 2021. Contrastive model inversion for data-free knowledge distillation. arXiv preprint arXiv:2105.08584 (2021)."},{"key":"e_1_3_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR52729.2023.01855"},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1145\/3534678.3539173"},{"key":"e_1_3_2_1_31_1","volume-title":"Domain-adversarial training of neural networks. 
The journal of machine learning research","author":"Ganin Yaroslav","year":"2016","unstructured":"Yaroslav Ganin, Evgeniya Ustinova, Hana Ajakan, Pascal Germain, Hugo Larochelle, Fran\u00e7ois Laviolette, Mario Marchand, and Victor Lempitsky. 2016. Domain-adversarial training of neural networks. The journal of machine learning research, Vol. 17, 1 (2016), 2096--2030."},{"key":"e_1_3_2_1_32_1","volume-title":"Paraformer: Fast and accurate parallel transformer for non-autoregressive end-to-end speech recognition. arXiv preprint arXiv:2206.08317","author":"Gao Zhifu","year":"2022","unstructured":"Zhifu Gao, Shiliang Zhang, Ian McLoughlin, and Zhijie Yan. 2022. Paraformer: Fast and accurate parallel transformer for non-autoregressive end-to-end speech recognition. arXiv preprint arXiv:2206.08317 (2022)."},{"key":"e_1_3_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1145\/3422622"},{"key":"e_1_3_2_1_34_1","volume-title":"Explaining and harnessing adversarial examples. arXiv preprint arXiv:1412.6572","author":"Goodfellow Ian J","year":"2014","unstructured":"Ian J Goodfellow, Jonathon Shlens, and Christian Szegedy. 2014. Explaining and harnessing adversarial examples. arXiv preprint arXiv:1412.6572 (2014)."},{"key":"e_1_3_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1007\/s11263-021-01453-z"},{"key":"e_1_3_2_1_36_1","volume-title":"On the (statistical) detection of adversarial examples. arXiv preprint arXiv:1702.06280","author":"Grosse Kathrin","year":"2017","unstructured":"Kathrin Grosse, Praveen Manoharan, Nicolas Papernot, Michael Backes, and Patrick McDaniel. 2017. On the (statistical) detection of adversarial examples. arXiv preprint arXiv:1702.06280 (2017)."},{"key":"e_1_3_2_1_37_1","volume-title":"International Conference on Machine Learning. PMLR.","author":"Guo Chuan","year":"2019","unstructured":"Chuan Guo, Jacob Gardner, Yurong You, Andrew Gordon Wilson, and Kilian Weinberger. 2019. Simple black-box adversarial attacks. 
In International Conference on Machine Learning. PMLR."},{"key":"e_1_3_2_1_38_1","volume-title":"International Conference on Machine Learning. PMLR.","author":"G\u00fcrel Nezihe Merve","year":"2021","unstructured":"Nezihe Merve G\u00fcrel, Xiangyu Qi, Luka Rimanic, Ce Zhang, and Bo Li. 2021. Knowledge enhanced machine learning pipeline against diverse adversarial attacks. In International Conference on Machine Learning. PMLR."},{"key":"e_1_3_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.90"},{"key":"e_1_3_2_1_40_1","volume-title":"Advances in Neural Information Processing Systems","volume":"30","author":"Heusel Martin","year":"2017","unstructured":"Martin Heusel, Hubert Ramsauer, Thomas Unterthiner, Bernhard Nessler, and Sepp Hochreiter. 2017. Gans trained by a two time-scale update rule converge to a local nash equilibrium. Advances in Neural Information Processing Systems, Vol. 30 (2017)."},{"key":"e_1_3_2_1_41_1","first-page":"6840","article-title":"Denoising diffusion probabilistic models","volume":"33","author":"Ho Jonathan","year":"2020","unstructured":"Jonathan Ho, Ajay Jain, and Pieter Abbeel. 2020. Denoising diffusion probabilistic models. Advances in Neural Information Processing Systems, Vol. 33 (2020), 6840--6851.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"e_1_3_2_1_42_1","volume-title":"Learning with a strong adversary. arXiv preprint arXiv:1511.03034","author":"Huang Ruitong","year":"2015","unstructured":"Ruitong Huang, Bing Xu, Dale Schuurmans, and Csaba Szepesv\u00e1ri. 2015. Learning with a strong adversary. arXiv preprint arXiv:1511.03034 (2015)."},{"key":"e_1_3_2_1_43_1","volume-title":"SqueezeNet: AlexNet-level accuracy with 50x fewer parameters and 0.5 MB model size. arXiv preprint arXiv:1602.07360","author":"Iandola Forrest N","year":"2016","unstructured":"Forrest N Iandola, Song Han, Matthew W Moskewicz, Khalid Ashraf, William J Dally, and Kurt Keutzer. 2016. 
SqueezeNet: AlexNet-level accuracy with 50x fewer parameters and 0.5 MB model size. arXiv preprint arXiv:1602.07360 (2016)."},{"key":"e_1_3_2_1_44_1","volume-title":"International conference on machine learning. PMLR.","author":"Ilyas Andrew","year":"2018","unstructured":"Andrew Ilyas, Logan Engstrom, Anish Athalye, and Jessy Lin. 2018. Black-box adversarial attacks with limited queries and information. In International conference on machine learning. PMLR."},{"key":"e_1_3_2_1_45_1","volume-title":"Advances in Neural Information Processing Systems","volume":"32","author":"Ilyas Andrew","year":"2019","unstructured":"Andrew Ilyas, Shibani Santurkar, Dimitris Tsipras, Logan Engstrom, Brandon Tran, and Aleksander Madry. 2019. Adversarial examples are not bugs, they are features. Advances in Neural Information Processing Systems, Vol. 32 (2019)."},{"key":"e_1_3_2_1_46_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR52688.2022.01304"},{"key":"e_1_3_2_1_47_1","volume-title":"An empirical study of pre-trained model reuse in the hugging face deep learning model registry. arXiv preprint arXiv:2303.02552","author":"Jiang Wenxin","year":"2023","unstructured":"Wenxin Jiang, Nicholas Synovic, Matt Hyatt, Taylor R Schorlemmer, Rohan Sethi, Yung-Hsiang Lu, George K Thiruvathukal, and James C Davis. 2023. An empirical study of pre-trained model reuse in the hugging face deep learning model registry. arXiv preprint arXiv:2303.02552 (2023)."},{"key":"e_1_3_2_1_48_1","doi-asserted-by":"crossref","unstructured":"Enkelejda Kasneci, Kathrin Se\u00dfler, Stefan K\u00fcchemann, Maria Bannert, Daryna Dementieva, Frank Fischer, Urs Gasser, Georg Groh, Stephan G\u00fcnnemann, Eyke H\u00fcllermeier, et al. 2023. ChatGPT for good? On opportunities and challenges of large language models for education. Learning and individual differences, Vol. 
103 (2023), 102274.","DOI":"10.1016\/j.lindif.2023.102274"},{"key":"e_1_3_2_1_49_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR42600.2020.01426"},{"key":"e_1_3_2_1_50_1","unstructured":"Alex Krizhevsky, Geoffrey Hinton, et al. 2009. Learning multiple layers of features from tiny images. (2009)."},{"key":"e_1_3_2_1_51_1","volume-title":"Adversarial examples in the physical world. arXiv preprint arXiv:1607.02533","author":"Kurakin Alexey","year":"2016","unstructured":"Alexey Kurakin, Ian Goodfellow, and Samy Bengio. 2016. Adversarial examples in the physical world. arXiv preprint arXiv:1607.02533 (2016)."},{"key":"e_1_3_2_1_52_1","volume-title":"Adversarial machine learning at scale. arXiv preprint arXiv:1611.01236","author":"Kurakin Alexey","year":"2016","unstructured":"Alexey Kurakin, Ian Goodfellow, and Samy Bengio. 2016. Adversarial machine learning at scale. arXiv preprint arXiv:1611.01236 (2016)."},{"key":"e_1_3_2_1_53_1","volume-title":"Modelscope-agent: Building your customizable agent system with open-source large language models. arXiv preprint arXiv:2309.00986","author":"Li Chenliang","year":"2023","unstructured":"Chenliang Li, Hehong Chen, Ming Yan, Weizhou Shen, Haiyang Xu, Zhikai Wu, Zhicheng Zhang, Wenmeng Zhou, Yingda Chen, Chen Cheng, et al. 2023. Modelscope-agent: Building your customizable agent system with open-source large language models. arXiv preprint arXiv:2309.00986 (2023)."},{"key":"e_1_3_2_1_54_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.engappai.2022.104669"},{"key":"e_1_3_2_1_55_1","doi-asserted-by":"publisher","DOI":"10.1155\/2023\/8691095"},{"key":"e_1_3_2_1_56_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2019.00095"},{"key":"e_1_3_2_1_57_1","volume-title":"Data-free knowledge distillation for deep neural networks. arXiv preprint arXiv:1710.07535","author":"Lopes Raphael Gontijo","year":"2017","unstructured":"Raphael Gontijo Lopes, Stefano Fenu, and Thad Starner. 2017. 
Data-free knowledge distillation for deep neural networks. arXiv preprint arXiv:1710.07535 (2017)."},{"key":"e_1_3_2_1_58_1","volume-title":"Towards deep learning models resistant to adversarial attacks. arXiv preprint arXiv:1706.06083","author":"Madry Aleksander","year":"2017","unstructured":"Aleksander Madry, Aleksandar Makelov, Ludwig Schmidt, Dimitris Tsipras, and Adrian Vladu. 2017. Towards deep learning models resistant to adversarial attacks. arXiv preprint arXiv:1706.06083 (2017)."},{"key":"e_1_3_2_1_59_1","unstructured":"EGOR MALYKH. 2016. Tiny ResNet with keras. https:\/\/www.kaggle.com\/code\/meownoid\/tiny-resnet-with-keras-99--314."},{"key":"e_1_3_2_1_60_1","first-page":"33428","article-title":"Toward a realistic model of speech processing in the brain with self-supervised learning","volume":"35","author":"Millet Juliette","year":"2022","unstructured":"Juliette Millet, Charlotte Caucheteux, Yves Boubenec, Alexandre Gramfort, Ewan Dunbar, Christophe Pallier, Jean-Remi King, et al. 2022. Toward a realistic model of speech processing in the brain with self-supervised learning. Advances in Neural Information Processing Systems, Vol. 35 (2022), 33428--33443.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"e_1_3_2_1_61_1","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v34i04.5963"},{"key":"e_1_3_2_1_62_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.282"},{"key":"e_1_3_2_1_63_1","volume-title":"NIPS Workshop on Deep Learning and Unsupervised Feature Learning 2011","author":"Netzer Yuval","year":"2011","unstructured":"Yuval Netzer, Tao Wang, Adam Coates, Alessandro Bissacco, Bo Wu, and Andrew Y. Ng. 2011. Reading digits in natural images with unsupervised feature learning. In NIPS Workshop on Deep Learning and Unsupervised Feature Learning 2011. http:\/\/ufldl.stanford.edu\/housenumbers\/nips2011_housenumbers.pdf"},{"key":"e_1_3_2_1_64_1","volume-title":"International Conference on Machine Learning. 
PMLR.","author":"Ouyang Yidong","year":"2023","unstructured":"Yidong Ouyang, Liyan Xie, and Guang Cheng. 2023. Improving adversarial robustness through the contrastive-guided diffusion process. In International Conference on Machine Learning. PMLR."},{"key":"e_1_3_2_1_65_1","volume-title":"ADI: Adversarial dominating inputs in vertical federated learning systems. arXiv preprint arXiv:2201.02775","author":"Pang Qi","year":"2022","unstructured":"Qi Pang, Yuanyuan Yuan, Shuai Wang, and Wenting Zheng. 2022. ADI: Adversarial dominating inputs in vertical federated learning systems. arXiv preprint arXiv:2201.02775 (2022)."},{"key":"e_1_3_2_1_66_1","doi-asserted-by":"publisher","DOI":"10.1145\/3052973.3053009"},{"key":"e_1_3_2_1_67_1","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP.2018.00035"},{"key":"e_1_3_2_1_68_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2018.00894"},{"key":"e_1_3_2_1_69_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.patcog.2022.108889"},{"key":"e_1_3_2_1_70_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.neucom.2022.04.020"},{"key":"e_1_3_2_1_71_1","first-page":"4902","article-title":"Discovering and overcoming limitations of noise-engineered data-free knowledge distillation","volume":"35","author":"Raikwar Piyush","year":"2022","unstructured":"Piyush Raikwar and Deepak Mishra. 2022. Discovering and overcoming limitations of noise-engineered data-free knowledge distillation. Advances in Neural Information Processing Systems, Vol. 35 (2022), 4902--4912.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"e_1_3_2_1_72_1","volume-title":"Fixing data augmentation to improve adversarial robustness. arXiv preprint arXiv:2103.01946","author":"Rebuffi Sylvestre-Alvise","year":"2021","unstructured":"Sylvestre-Alvise Rebuffi, Sven Gowal, Dan A Calian, Florian Stimberg, Olivia Wiles, and Timothy Mann. 2021. Fixing data augmentation to improve adversarial robustness. 
arXiv preprint arXiv:2103.01946 (2021)."},{"key":"e_1_3_2_1_73_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR52688.2022.01042"},{"key":"e_1_3_2_1_74_1","volume-title":"Proceedings of the 36th International Conference on Machine Learning. PMLR.","author":"Roth Kevin","year":"2019","unstructured":"Kevin Roth, Yannic Kilcher, and Thomas Hofmann. 2019. The odds are odd: A statistical test for detecting adversarial examples. In Proceedings of the 36th International Conference on Machine Learning. PMLR."},{"key":"e_1_3_2_1_75_1","first-page":"21945","article-title":"Denoised smoothing: A provable defense for pretrained classifiers","volume":"33","author":"Salman Hadi","year":"2020","unstructured":"Hadi Salman, Mingjie Sun, Greg Yang, Ashish Kapoor, and J Zico Kolter. 2020. Denoised smoothing: A provable defense for pretrained classifiers. Advances in Neural Information Processing Systems, Vol. 33 (2020), 21945--21957.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"e_1_3_2_1_76_1","volume-title":"Advances in Neural Information Processing Systems","author":"Shafahi Ali","year":"2019","unstructured":"Ali Shafahi, Mahyar Najibi, Mohammad Amin Ghiasi, Zheng Xu, John Dickerson, Christoph Studer, Larry S Davis, Gavin Taylor, and Tom Goldstein. 2019. Adversarial training for free! Advances in Neural Information Processing Systems, Vol. 32 (2019)."},{"key":"e_1_3_2_1_77_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.neucom.2018.04.027"},{"key":"e_1_3_2_1_78_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV48922.2021.01611"},{"key":"e_1_3_2_1_79_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV48922.2021.00924"},{"key":"e_1_3_2_1_80_1","volume-title":"32nd USENIX Security Symposium (USENIX Security 23)","author":"Song Ruoyu","year":"2023","unstructured":"Ruoyu Song, Muslum Ozgur Ozmen, Hyungsub Kim, Raymond Muller, Z Berkay Celik, and Antonio Bianchi. 2023. 
Discovering adversarial driving maneuvers against autonomous vehicles. In 32nd USENIX Security Symposium (USENIX Security 23)."},{"key":"e_1_3_2_1_81_1","volume-title":"Intriguing properties of neural networks. arXiv preprint arXiv:1312.6199","author":"Szegedy Christian","year":"2013","unstructured":"Christian Szegedy, Wojciech Zaremba, Ilya Sutskever, Joan Bruna, Dumitru Erhan, Ian Goodfellow, and Rob Fergus. 2013. Intriguing properties of neural networks. arXiv preprint arXiv:1312.6199 (2013)."},{"key":"e_1_3_2_1_82_1","doi-asserted-by":"publisher","DOI":"10.3390\/computers12050091"},{"key":"e_1_3_2_1_83_1","volume-title":"Proceedings of the 39th International Conference on Machine Learning. PMLR.","author":"Tramer Florian","year":"2022","unstructured":"Florian Tramer. 2022. Detecting adversarial examples Is (nearly) as hard as Classifying Them. In Proceedings of the 39th International Conference on Machine Learning. PMLR."},{"key":"e_1_3_2_1_84_1","first-page":"1633","article-title":"On adaptive attacks to adversarial example defenses","volume":"33","author":"Tramer Florian","year":"2020","unstructured":"Florian Tramer, Nicholas Carlini, Wieland Brendel, and Aleksander Madry. 2020. On adaptive attacks to adversarial example defenses. Advances in Neural Information Processing Systems, Vol. 33 (2020), 1633--1645.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"e_1_3_2_1_85_1","volume-title":"Ensemble adversarial training: Attacks and defenses. arXiv preprint arXiv:1705.07204","author":"Tram\u00e8r Florian","year":"2017","unstructured":"Florian Tram\u00e8r, Alexey Kurakin, Nicolas Papernot, Ian Goodfellow, Dan Boneh, and Patrick McDaniel. 2017. Ensemble adversarial training: Attacks and defenses. arXiv preprint arXiv:1705.07204 (2017)."},{"volume-title":"Proceedings of the 35th International Conference on Machine Learning. 
PMLR.","author":"Uesato Jonathan","key":"e_1_3_2_1_86_1","unstructured":"Jonathan Uesato, Brendan O'Donoghue, Pushmeet Kohli, and Aaron van den Oord. 2018. Adversarial risk and the dangers of evaluating against weak attacks. In Proceedings of the 35th International Conference on Machine Learning. PMLR."},{"key":"e_1_3_2_1_87_1","volume-title":"31st USENIX Security Symposium (USENIX Security 22)","author":"Vaishnavi Pratik","year":"2022","unstructured":"Pratik Vaishnavi, Kevin Eykholt, and Amir Rahmati. 2022. Transferring adversarial robustness through robust representation matching. In 31st USENIX Security Symposium (USENIX Security 22)."},{"key":"e_1_3_2_1_88_1","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2021.3092646"},{"key":"e_1_3_2_1_89_1","volume-title":"Knowledge distillation and student-teacher learning for visual intelligence: A review and new outlooks","author":"Wang Lin","year":"2021","unstructured":"Lin Wang and Kuk-Jin Yoon. 2021. Knowledge distillation and student-teacher learning for visual intelligence: A review and new outlooks. IEEE transactions on pattern analysis and machine intelligence, Vol. 44, 6 (2021), 3048--3068."},{"key":"e_1_3_2_1_90_1","volume-title":"On the convergence and robustness of adversarial training. arXiv preprint arXiv:2112.08304","author":"Wang Yisen","year":"2021","unstructured":"Yisen Wang, Xingjun Ma, James Bailey, Jinfeng Yi, Bowen Zhou, and Quanquan Gu. 2021. On the convergence and robustness of adversarial training. arXiv preprint arXiv:2112.08304 (2021)."},{"key":"e_1_3_2_1_91_1","volume-title":"International Conference on Learning Representations.","author":"Wang Yisen","year":"2020","unstructured":"Yisen Wang, Difan Zou, Jinfeng Yi, James Bailey, Xingjun Ma, and Quanquan Gu. 2020. Improving adversarial robustness requires revisiting misclassified examples. 
In International Conference on Learning Representations."},{"key":"e_1_3_2_1_92_1","volume-title":"Better diffusion models further improve adversarial training. arXiv preprint arXiv:2302.04638","author":"Wang Zekai","year":"2023","unstructured":"Zekai Wang, Tianyu Pang, Chao Du, Min Lin, Weiwei Liu, and Shuicheng Yan. 2023. Better diffusion models further improve adversarial training. arXiv preprint arXiv:2302.04638 (2023)."},{"key":"e_1_3_2_1_93_1","first-page":"2958","article-title":"Adversarial weight perturbation helps robust generalization","volume":"33","author":"Wu Dongxian","year":"2020","unstructured":"Dongxian Wu, Shu-Tao Xia, and Yisen Wang. 2020. Adversarial weight perturbation helps robust generalization. Advances in Neural Information Processing Systems, Vol. 33 (2020), 2958--2969.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"e_1_3_2_1_94_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR42600.2020.00874"},{"key":"e_1_3_2_1_95_1","volume-title":"VLAttack: Multimodal adversarial attacks on vision-language tasks via pre-trained models. arXiv preprint arXiv:2310.04655","author":"Yin Ziyi","year":"2023","unstructured":"Ziyi Yin, Muchao Ye, Tianrong Zhang, Tianyu Du, Jinguo Zhu, Han Liu, Jinghui Chen, Ting Wang, and Fenglong Ma. 2023. VLAttack: Multimodal adversarial attacks on vision-language tasks via pre-trained models. arXiv preprint arXiv:2310.04655 (2023)."},{"key":"e_1_3_2_1_96_1","volume-title":"International Conference on Machine Learning. PMLR.","author":"Yu Chaojian","year":"2022","unstructured":"Chaojian Yu, Bo Han, Li Shen, Jun Yu, Chen Gong, Mingming Gong, and Tongliang Liu. 2022. Understanding robust overfitting of adversarial training and beyond. In International Conference on Machine Learning. PMLR."},{"key":"e_1_3_2_1_97_1","volume-title":"Proceedings of the 39th International Conference on Machine Learning. 
PMLR.","author":"Yu Chaojian","year":"2022","unstructured":"Chaojian Yu, Bo Han, Li Shen, Jun Yu, Chen Gong, Mingming Gong, and Tongliang Liu. 2022. Understanding robust overfitting of adversarial training and beyond. In Proceedings of the 39th International Conference on Machine Learning. PMLR."},{"key":"e_1_3_2_1_98_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR52729.2023.02324"},{"key":"e_1_3_2_1_99_1","volume-title":"Adversarial examples: Attacks and defenses for deep learning","author":"Yuan Xiaoyong","year":"2019","unstructured":"Xiaoyong Yuan, Pan He, Qile Zhu, and Xiaolin Li. 2019. Adversarial examples: Attacks and defenses for deep learning. IEEE transactions on neural networks and learning systems, Vol. 30, 9 (2019), 2805--2824."},{"key":"e_1_3_2_1_100_1","volume-title":"Wide residual networks. arXiv preprint arXiv:1605.07146","author":"Zagoruyko Sergey","year":"2016","unstructured":"Sergey Zagoruyko and Nikos Komodakis. 2016. Wide residual networks. arXiv preprint arXiv:1605.07146 (2016)."},{"key":"e_1_3_2_1_101_1","volume-title":"International conference on machine learning. PMLR.","author":"Zhang Hongyang","year":"2019","unstructured":"Hongyang Zhang, Yaodong Yu, Jiantao Jiao, Eric Xing, Laurent El Ghaoui, and Michael Jordan. 2019. Theoretically principled trade-off between robustness and accuracy. In International conference on machine learning. PMLR."},{"key":"e_1_3_2_1_102_1","volume-title":"Paddlespeech: An easy-to-use all-in-one speech toolkit. arXiv preprint arXiv:2205.12007","author":"Zhang Hui","year":"2022","unstructured":"Hui Zhang, Tian Yuan, Junkun Chen, Xintong Li, Renjie Zheng, Yuxin Huang, Xiaojie Chen, Enlei Gong, Zeyu Chen, Xiaoguang Hu, et al. 2022. Paddlespeech: An easy-to-use all-in-one speech toolkit. 
arXiv preprint arXiv:2205.12007 (2022)."},{"key":"e_1_3_2_1_103_1","doi-asserted-by":"publisher","DOI":"10.1109\/SaTML54575.2023.00043"},{"key":"e_1_3_2_1_104_1","doi-asserted-by":"publisher","DOI":"10.1109\/TIP.2021.3092582"},{"key":"e_1_3_2_1_105_1","unstructured":"Wayne Xin Zhao, Kun Zhou, Junyi Li, Tianyi Tang, Xiaolei Wang, Yupeng Hou, Yingqian Min, Beichen Zhang, Junjie Zhang, Zican Dong, et al. 2023. A survey of large language models. arXiv preprint arXiv:2303.18223 (2023)."},{"key":"e_1_3_2_1_106_1","volume-title":"Generating natural adversarial examples. arXiv preprint arXiv:1710.11342","author":"Zhao Zhengli","year":"2017","unstructured":"Zhengli Zhao, Dheeru Dua, and Sameer Singh. 2017. Generating natural adversarial examples. arXiv preprint arXiv:1710.11342 (2017)."},{"key":"e_1_3_2_1_107_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR46437.2021.00581"},{"key":"e_1_3_2_1_108_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP46215.2023.10179473"},{"key":"e_1_3_2_1_109_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPRW59228.2023.00236"},{"key":"e_1_3_2_1_110_1","volume-title":"Adversarial mask: Real-world adversarial attack against face recognition models. arXiv preprint arXiv:2111.10759","author":"Zolfi Alon","year":"2021","unstructured":"Alon Zolfi, Shai Avidan, Yuval Elovici, and Asaf Shabtai. 2021. Adversarial mask: Real-world adversarial attack against face recognition models. 
arXiv preprint arXiv:2111.10759 (2021)."}],"event":{"name":"CCS '24: ACM SIGSAC Conference on Computer and Communications Security","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"],"location":"Salt Lake City UT USA","acronym":"CCS '24"},"container-title":["Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3658644.3670395","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3658644.3670395","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,8,22]],"date-time":"2025-08-22T06:01:54Z","timestamp":1755842514000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3658644.3670395"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,12,2]]},"references-count":110,"alternative-id":["10.1145\/3658644.3670395","10.1145\/3658644"],"URL":"https:\/\/doi.org\/10.1145\/3658644.3670395","relation":{},"subject":[],"published":{"date-parts":[[2024,12,2]]},"assertion":[{"value":"2024-12-09","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}