{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,14]],"date-time":"2026-02-14T09:37:19Z","timestamp":1771061839414,"version":"3.50.1"},"publisher-location":"New York, NY, USA","reference-count":95,"publisher":"ACM","license":[{"start":{"date-parts":[[2024,12,2]],"date-time":"2024-12-02T00:00:00Z","timestamp":1733097600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/501100006374","name":"National Science Foundation","doi-asserted-by":"publisher","award":["CNS-2038995, CNS-2154930, CNS-2238635, CNS-2403758"],"award-info":[{"award-number":["CNS-2038995, CNS-2154930, CNS-2238635, CNS-2403758"]}],"id":[{"id":"10.13039\/501100006374","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100006374","name":"Army Research Office","doi-asserted-by":"publisher","award":["W911NF-24-1-0155"],"award-info":[{"award-number":["W911NF-24-1-0155"]}],"id":[{"id":"10.13039\/501100006374","id-type":"DOI","asserted-by":"publisher"}]},{"name":"Intel"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2024,12,2]]},"DOI":"10.1145\/3658644.3690236","type":"proceedings-article","created":{"date-parts":[[2024,12,9]],"date-time":"2024-12-09T12:19:20Z","timestamp":1733746760000},"page":"3853-3867","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":6,"title":["PhySense: Defending Physically Realizable Attacks for Autonomous Systems via Consistency Reasoning"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-6196-7598","authenticated-orcid":false,"given":"Zhiyuan","family":"Yu","sequence":"first","affiliation":[{"name":"Washington University in St. Louis, St. 
Louis, United States"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9389-5442","authenticated-orcid":false,"given":"Ao","family":"Li","sequence":"additional","affiliation":[{"name":"Washington University in St. Louis, St. Louis, USA"}]},{"ORCID":"https:\/\/orcid.org\/0009-0000-7338-4066","authenticated-orcid":false,"given":"Ruoyao","family":"Wen","sequence":"additional","affiliation":[{"name":"Washington University in St. Louis, St. Louis, USA"}]},{"ORCID":"https:\/\/orcid.org\/0009-0003-1554-7121","authenticated-orcid":false,"given":"Yijia","family":"Chen","sequence":"additional","affiliation":[{"name":"Washington University in St. Louis, St. Louis, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0670-2161","authenticated-orcid":false,"given":"Ning","family":"Zhang","sequence":"additional","affiliation":[{"name":"Washington University in St. Louis, St. Louis, USA"}]}],"member":"320","published-online":{"date-parts":[[2024,12,9]]},"reference":[{"key":"e_1_3_2_1_1_1","volume-title":"Lin (Eds.)","volume":"33","author":"Andriushchenko Maksym","year":"2020","unstructured":"Maksym Andriushchenko and Nicolas Flammarion. 2020. Understanding and Improving Fast Adversarial Training. In Advances in Neural Information Processing Systems, H. Larochelle, M. Ranzato, R. Hadsell, M.F. Balcan, and H. Lin (Eds.), Vol. 33. Curran Associates, Inc., 16048--16059."},{"key":"e_1_3_2_1_2_1","volume-title":"International conference on machine learning. PMLR, 284--293","author":"Anish","unstructured":"Anish Athalye et al. 2018. Synthesizing robust adversarial examples. In International conference on machine learning. PMLR, 284--293."},{"key":"e_1_3_2_1_3_1","volume-title":"NeurIPS 2020 Workshop on Pre-registration in Machine Learning. PMLR, 325--342","author":"Benz Philipp","year":"2021","unstructured":"Philipp Benz, Chaoning Zhang, Adil Karjauv, and In So Kweon. 2021. Robustness may be at odds with fairness: An empirical study on class-wise accuracy. 
In NeurIPS 2020 Workshop on Pre-registration in Machine Learning. PMLR, 325--342."},{"key":"e_1_3_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICIP.2016.7533003"},{"key":"e_1_3_2_1_5_1","volume-title":"Recognition-by-components: a theory of human image understanding. Psychological review","author":"Biederman Irving","year":"1987","unstructured":"Irving Biederman. 1987. Recognition-by-components: a theory of human image understanding. Psychological review, Vol. 94, 2 (1987), 115."},{"key":"e_1_3_2_1_6_1","first-page":"27599","article-title":"An introduction to the kalman filter","volume":"8","author":"Bishop Gary","year":"2001","unstructured":"Gary Bishop, Greg Welch, et al. 2001. An introduction to the kalman filter. Proc of SIGGRAPH, Course, Vol. 8, 27599--23175 (2001), 41.","journal-title":"Proc of SIGGRAPH, Course"},{"key":"e_1_3_2_1_7_1","unstructured":"Richard E Boyatzis. 1998. Transforming qualitative information: Thematic analysis and code development. sage."},{"key":"e_1_3_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR42600.2020.01164"},{"key":"e_1_3_2_1_9_1","volume-title":"2021 IEEE Symposium on Security and Privacy (SP). IEEE, 176--194","author":"Yulong","unstructured":"Yulong Cao et al. 2021. Invisible for both camera and lidar: Security of multi-sensor fusion based perception in autonomous driving under physical-world attacks. In 2021 IEEE Symposium on Security and Privacy (SP). IEEE, 176--194."},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3339815"},{"key":"e_1_3_2_1_11_1","volume-title":"Dynamic adversarial attacks on autonomous driving systems. arXiv preprint arXiv:2312.06701","author":"Chahe Amirhosein","year":"2023","unstructured":"Amirhosein Chahe, Chenan Wang, Abhishek Jeyapratap, Kaidi Xu, and Lifeng Zhou. 2023. Dynamic adversarial attacks on autonomous driving systems. 
arXiv preprint arXiv:2312.06701 (2023)."},{"key":"e_1_3_2_1_12_1","unstructured":"Tianqi Chen Tong He Michael Benesty Vadim Khotilovich Yuan Tang Hyunsu Cho Kailong Chen Rory Mitchell Ignacio Cano Tianyi Zhou et al. 2015. Xgboost: extreme gradient boosting. R package version 0.4--2 Vol. 1 4 (2015) 1--4."},{"key":"e_1_3_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2020.23055"},{"key":"e_1_3_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.236"},{"key":"e_1_3_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR42600.2020.01211"},{"key":"e_1_3_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1145\/3579856.3582816"},{"key":"e_1_3_2_1_17_1","volume-title":"international conference on machine learning. PMLR, 1310--1320","author":"Jeremy","unstructured":"Jeremy Cohen et al. 2019. Certified adversarial robustness via randomized smoothing. In international conference on machine learning. PMLR, 1310--1320."},{"key":"e_1_3_2_1_18_1","unstructured":"Ben Dickson. 2021. Tesla AI chief explains why self-driving cars don't need lidar. https:\/\/bdtechtalks.com\/2021\/06\/28\/tesla-computer-vision-autonomous-driving\/."},{"key":"e_1_3_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1145\/1273442.1250760"},{"key":"e_1_3_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-01258-8_23"},{"key":"e_1_3_2_1_21_1","volume-title":"Proceedings of the IEEE\/CVF International Conference on Computer Vision (ICCV). 9710--9719","author":"Scott","unstructured":"Scott Ettinger et al. 2021. Large Scale Interactive Motion Forecasting for Autonomous Driving: The Waymo Open Motion Dataset. In Proceedings of the IEEE\/CVF International Conference on Computer Vision (ICCV). 9710--9719."},{"key":"e_1_3_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2018.00175"},{"key":"e_1_3_2_1_23_1","volume-title":"Proceedings of the IEEE international conference on computer vision. 
3038--3046","author":"Christoph","unstructured":"Christoph Feichtenhofer et al. 2017. Detect to track and track to detect. In Proceedings of the IEEE international conference on computer vision. 3038--3046."},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.5555\/2354409.2354978"},{"key":"e_1_3_2_1_25_1","volume-title":"7th International Conference on Learning Representations, ICLR","author":"Robert","year":"2019","unstructured":"Robert Geirhos et al. 2019. ImageNet-trained CNNs are biased towards texture; increasing shape bias improves accuracy and robustness. In 7th International Conference on Learning Representations, ICLR 2019."},{"key":"e_1_3_2_1_26_1","volume-title":"Proceedings of the IEEE\/CVF International Conference on Computer Vision. 9803--9812","author":"Harshayu","unstructured":"Harshayu Girase et al. 2021. LOKI: Long Term and Key Intentions for Trajectory Prediction. In Proceedings of the IEEE\/CVF International Conference on Computer Vision. 9803--9812."},{"key":"e_1_3_2_1_27_1","volume-title":"Explaining and Harnessing Adversarial Examples. In 3rd International Conference on Learning Representations, ICLR","author":"Ian","year":"2015","unstructured":"Ian J. Goodfellow et al. 2015. Explaining and Harnessing Adversarial Examples. In 3rd International Conference on Learning Representations, ICLR 2015."},{"key":"e_1_3_2_1_28_1","unstructured":"Shahar Hoory et al. 2020. Dynamic adversarial patch for evading object detection models. arXiv preprint arXiv:2010.13070 (2020)."},{"key":"e_1_3_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.imavis.2023.104861"},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1109\/TPAMI.2022.3168781"},{"key":"e_1_3_2_1_31_1","unstructured":"Andrew Ilyas et al. 2019. Adversarial examples are not bugs they are features. Advances in neural information processing systems Vol. 
32 (2019)."},{"key":"e_1_3_2_1_32_1","volume-title":"Autonomous Vehicle Market Size & Share Analysis - Growth Trends & Forecasts (2023 -","author":"Intelligence Mordor","year":"2028","unstructured":"Mordor Intelligence. 2023. Autonomous Vehicle Market Size & Share Analysis - Growth Trends & Forecasts (2023 - 2028). https:\/\/www.mordorintelligence.com\/industry-reports\/autonomous-driverless-cars-market-potential-estimation."},{"key":"e_1_3_2_1_33_1","unstructured":"Mohamed Isse. 2020. How Mobileye and Tesla are Tackling 3D Perception. https:\/\/www.autovision-news.com\/whitepaper\/multiple-computer-vision-engines-how-mobileye-and-tesla-are-tackling-3d-perception\/."},{"key":"e_1_3_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2019.00624"},{"key":"e_1_3_2_1_35_1","unstructured":"Rachyl Jones. 2024. Mercedes becomes the first automaker to sell autonomous cars in the U.S. that don't come with a requirement that drivers watch the road. https:\/\/fortune.com\/2024\/04\/18\/mercedes-self-driving-autonomous-cars-california-nevada-level-3-drive-pilot\/."},{"key":"e_1_3_2_1_36_1","doi-asserted-by":"crossref","unstructured":"Rudolph Emil Kalman. 1960. A new approach to linear filtering and prediction problems. (1960).","DOI":"10.1115\/1.3662552"},{"key":"e_1_3_2_1_37_1","volume-title":"The Hungarian method for the assignment problem. Naval research logistics quarterly","author":"Kuhn Harold W","year":"1955","unstructured":"Harold W Kuhn. 1955. The Hungarian method for the assignment problem. Naval research logistics quarterly, Vol. 
2, 1--2 (1955), 83--97."},{"key":"e_1_3_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1145\/53990.54022"},{"key":"e_1_3_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.1977.229904"},{"key":"e_1_3_2_1_40_1","first-page":"6465","article-title":"(De) Randomized smoothing for certifiable defense against patch attacks","volume":"33","author":"Levine Alexander","year":"2020","unstructured":"Alexander Levine and Soheil Feizi. 2020. (De) Randomized smoothing for certifiable defense against patch attacks. Advances in Neural Information Processing Systems, Vol. 33 (2020), 6465--6475.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"e_1_3_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.1109\/RTSS55097.2022.00028"},{"key":"e_1_3_2_1_42_1","volume-title":"International Conference on Machine Learning. PMLR, 3896--3904","author":"Li Juncheng","year":"2019","unstructured":"Juncheng Li, Frank Schmidt, and Zico Kolter. 2019. Adversarial camera stickers: A physical camera-based attack on deep learning systems. In International Conference on Machine Learning. PMLR, 3896--3904."},{"key":"e_1_3_2_1_43_1","volume-title":"Proceedings, Part I 14","author":"Liu Wei","year":"2016","unstructured":"Wei Liu, Dragomir Anguelov, Dumitru Erhan, Christian Szegedy, Scott Reed, Cheng-Yang Fu, and Alexander C Berg. 2016. Ssd: Single shot multibox detector. In Computer Vision--ECCV 2016: 14th European Conference, Amsterdam, The Netherlands, October 11--14, 2016, Proceedings, Part I 14. Springer, 21--37."},{"key":"e_1_3_2_1_44_1","volume-title":"30th USENIX Security Symposium (USENIX Security 21). 1865","author":"Giulio","year":"1882","unstructured":"Giulio Lovisotto et al. 2021. SLAP: Improving physical adversarial examples with Short-Lived adversarial perturbations. In 30th USENIX Security Symposium (USENIX Security 21). 
1865--1882."},{"key":"e_1_3_2_1_45_1","volume-title":"6th International Conference on Learning Representations, ICLR","author":"Madry Aleksander","year":"2018","unstructured":"Aleksander Madry, Aleksandar Makelov, Ludwig Schmidt, Dimitris Tsipras, and Adrian Vladu. 2018. Towards Deep Learning Models Resistant to Adversarial Attacks. In 6th International Conference on Learning Representations, ICLR 2018."},{"key":"e_1_3_2_1_46_1","doi-asserted-by":"crossref","unstructured":"Topi M\u00e4enp\u00e4\u00e4 and Matti Pietik\u00e4inen. 2005. Texture analysis with local binary patterns. In Handbook of pattern recognition and computer vision. World Scientific.","DOI":"10.1142\/9789812775320_0011"},{"key":"e_1_3_2_1_47_1","volume-title":"32nd USENIX Security Symposium (USENIX Security 23)","author":"Yanmao","unstructured":"Yanmao Man et al. 2023. That person moves like a car: Misclassification attack detection for autonomous systems using spatiotemporal consistency. In 32nd USENIX Security Symposium (USENIX Security 23). 6929--6946."},{"key":"e_1_3_2_1_48_1","volume-title":"USENIX Security Symposium Poster Session.","author":"Man Yanmao","year":"2022","unstructured":"Yanmao Man, Raymond Muller, Ming Li, Z Berkay Celik, and Ryan Gerdes. 2022. Evaluating perception attacks on prediction and planning of autonomous vehicles. In USENIX Security Symposium Poster Session."},{"key":"e_1_3_2_1_49_1","series-title":"Series B. Biological Sciences","volume-title":"Representation and recognition of the spatial organization of three-dimensional shapes. Proceedings of the Royal Society of London","author":"Marr David","year":"1978","unstructured":"David Marr and Herbert Keith Nishihara. 1978. Representation and recognition of the spatial organization of three-dimensional shapes. Proceedings of the Royal Society of London. Series B. Biological Sciences, Vol. 200, 1140 (1978), 269--294."},{"key":"e_1_3_2_1_50_1","volume-title":"ICML 2021 Workshop on Adversarial Machine Learning. 
https:\/\/openreview.net\/forum?id=sePThSlRHr","author":"Metzen Jan Hendrik","year":"2021","unstructured":"Jan Hendrik Metzen, Nicole Finnie, and Robin Hutmacher. 2021. Meta Adversarial Training against Universal Patches. In ICML 2021 Workshop on Adversarial Machine Learning. https:\/\/openreview.net\/forum?id=sePThSlRHr"},{"key":"e_1_3_2_1_51_1","volume-title":"International journal of scientific and research publications","author":"Mohanaiah P","year":"2013","unstructured":"P Mohanaiah, P Sathyanarayana, and L GuruKumar. 2013. Image texture feature extraction using GLCM approach. International journal of scientific and research publications, Vol. 3, 5 (2013), 1--5."},{"key":"e_1_3_2_1_52_1","doi-asserted-by":"publisher","DOI":"10.14722\/autosec.2022.23032"},{"key":"e_1_3_2_1_53_1","volume-title":"33rd USENIX Security Symposium (USENIX Security 24)","author":"Muller Raymond","unstructured":"Raymond Muller, Yanmao Man, Ming Li, Ryan Gerdes, Jonathan Petit, and Z. Berkay Celik. 2024. VOGUES: Validation of Object Guise using Estimated Components. In 33rd USENIX Security Symposium (USENIX Security 24). USENIX Association, Philadelphia, PA, 6327--6344. https:\/\/www.usenix.org\/conference\/usenixsecurity24\/presentation\/muller"},{"key":"e_1_3_2_1_54_1","doi-asserted-by":"publisher","DOI":"10.1109\/WACV.2019.00143"},{"key":"e_1_3_2_1_55_1","volume-title":"Diffusion Models for Adversarial Purification. In International Conference on Machine Learning (ICML).","author":"Nie Weili","year":"2022","unstructured":"Weili Nie, Brandon Guo, Yujia Huang, Chaowei Xiao, Arash Vahdat, and Anima Anandkumar. 2022. Diffusion Models for Adversarial Purification. In International Conference on Machine Learning (ICML)."},{"key":"e_1_3_2_1_56_1","unstructured":"Byeongjoon Noh and Hwasoo Yeo. 2022. A novel method of predictive collision risk area estimation for proactive pedestrian accident prevention system in urban surveillance infrastructure. 
Transportation research part C: emerging technologies."},{"key":"e_1_3_2_1_57_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-69905-7_27"},{"key":"e_1_3_2_1_58_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-68238-5_32"},{"key":"e_1_3_2_1_59_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.91"},{"key":"e_1_3_2_1_60_1","volume-title":"Yolov3: An incremental improvement. arXiv preprint arXiv:1804.02767","author":"Redmon Joseph","year":"2018","unstructured":"Joseph Redmon and Ali Farhadi. 2018. Yolov3: An incremental improvement. arXiv preprint arXiv:1804.02767 (2018)."},{"key":"e_1_3_2_1_61_1","volume-title":"Faster r-cnn: Towards real-time object detection with region proposal networks. Advances in neural information processing systems","author":"Ren Shaoqing","year":"2015","unstructured":"Shaoqing Ren, Kaiming He, Ross Girshick, and Jian Sun. 2015. Faster r-cnn: Towards real-time object detection with region proposal networks. Advances in neural information processing systems, Vol. 28 (2015)."},{"key":"e_1_3_2_1_62_1","doi-asserted-by":"publisher","DOI":"10.1007\/s11831-019-09321-3"},{"key":"e_1_3_2_1_63_1","volume-title":"Defense-GAN: Protecting Classifiers Against Adversarial Attacks Using Generative Models. In International Conference on Learning Representations.","author":"Samangouei Pouya","year":"2018","unstructured":"Pouya Samangouei, Maya Kabkab, and Rama Chellappa. 2018. Defense-GAN: Protecting Classifiers Against Adversarial Attacks Using Generative Models. In International Conference on Learning Representations."},{"key":"e_1_3_2_1_64_1","doi-asserted-by":"publisher","DOI":"10.1109\/78.650093"},{"key":"e_1_3_2_1_65_1","doi-asserted-by":"publisher","DOI":"10.1109\/BigData47090.2019.9005997"},{"key":"e_1_3_2_1_66_1","volume-title":"12th USENIX workshop on offensive technologies (WOOT 18)","author":"Dawn","unstructured":"Dawn Song et al. 2018. Physical adversarial examples for object detectors. 
In 12th USENIX workshop on offensive technologies (WOOT 18)."},{"key":"e_1_3_2_1_67_1","doi-asserted-by":"crossref","unstructured":"Lynn KA S\u00f6rensen et al. 2023. Mechanisms of human dynamic object recognition revealed by sequential deep neural networks. PLOS Computational Biology (2023).","DOI":"10.1101\/2022.04.06.487259"},{"key":"e_1_3_2_1_68_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV51070.2023.02086"},{"key":"e_1_3_2_1_69_1","unstructured":"Trisha Thadani. 2024. Waymo robotaxis can hit California highways after state approval. https:\/\/www.washingtonpost.com\/technology\/2024\/03\/01\/waymo-expands-california-los-angeles-highways\/."},{"key":"e_1_3_2_1_70_1","doi-asserted-by":"crossref","unstructured":"Kalibinuer Tiliwalidi. 2023. Adversarial Camera Patch: An Effective and Robust Physical-World Attack on Object Detectors. arXiv preprint arXiv:2312.06163.","DOI":"10.34190\/iccws.19.1.2044"},{"key":"e_1_3_2_1_71_1","volume-title":"International Conference on Learning Representations.","author":"Tsipras Dimitris","year":"2019","unstructured":"Dimitris Tsipras, Shibani Santurkar, Logan Engstrom, Alexander Turner, and Aleksander Madry. 2019. Robustness May Be at Odds with Accuracy. In International Conference on Learning Representations."},{"key":"e_1_3_2_1_72_1","volume-title":"Sebastian Jochen Denzler, and Walter Roland Gruber","author":"Van Dyck Leonard Elia","year":"2021","unstructured":"Leonard Elia Van Dyck, Roland Kwitt, Sebastian Jochen Denzler, and Walter Roland Gruber. 2021. Comparing object recognition in humans and deep convolutional neural networks\u2014an eye tracking study. Frontiers in Neuroscience (2021)."},{"key":"e_1_3_2_1_73_1","volume-title":"Attention is all you need. Advances in neural information processing systems","author":"Vaswani Ashish","year":"2017","unstructured":"Ashish Vaswani, Noam Shazeer, Niki Parmar, Jakob Uszkoreit, Llion Jones, Aidan N Gomez, \u0141ukasz Kaiser, and Illia Polosukhin. 2017. Attention is all you need. 
Advances in neural information processing systems, Vol. 30 (2017)."},{"key":"e_1_3_2_1_74_1","doi-asserted-by":"publisher","DOI":"10.1109\/RTSS59052.2023.00016"},{"key":"e_1_3_2_1_75_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-58621-8_7"},{"key":"e_1_3_2_1_76_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICASSP49357.2023.10095895"},{"key":"e_1_3_2_1_77_1","volume-title":"International Conference on Learning Representations.","author":"Wong Eric","unstructured":"Eric Wong, Leslie Rice, and J. Zico Kolter. 2020. Fast is better than free: Revisiting adversarial training. In International Conference on Learning Representations."},{"key":"e_1_3_2_1_78_1","volume-title":"Defending Against Physically Realizable Attacks on Image Classification. In International Conference on Learning Representations.","author":"Wu Tong","year":"2020","unstructured":"Tong Wu, Liang Tong, and Yevgeniy Vorobeychik. 2020. Defending Against Physically Realizable Attacks on Image Classification. In International Conference on Learning Representations."},{"key":"e_1_3_2_1_79_1","volume-title":"31st USENIX Security Symposium (USENIX Security 22)","author":"Xiang Chong","year":"2022","unstructured":"Chong Xiang, Saeed Mahloujifar, and Prateek Mittal. 2022. PatchCleanser: Certifiably robust defense against adversarial patches for any image classifier. In 31st USENIX Security Symposium (USENIX Security 22). 2065--2082."},{"key":"e_1_3_2_1_80_1","volume-title":"DensePure: Understanding Diffusion Models for Adversarial Robustness. In The Eleventh International Conference on Learning Representations.","author":"Xiao Chaowei","year":"2023","unstructured":"Chaowei Xiao, Zhongzhu Chen, Kun Jin, Jiongxiao Wang, Weili Nie, Mingyan Liu, Anima Anandkumar, Bo Li, and Dawn Song. 2023. DensePure: Understanding Diffusion Models for Adversarial Robustness. 
In The Eleventh International Conference on Learning Representations."},{"key":"e_1_3_2_1_81_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00026"},{"key":"e_1_3_2_1_82_1","volume-title":"International Conference on Machine Learning. PMLR, 12062--12072","author":"Yoon Jongmin","year":"2021","unstructured":"Jongmin Yoon, Sung Ju Hwang, and Juho Lee. 2021. Adversarial purification with score-based generative models. In International Conference on Machine Learning. PMLR, 12062--12072."},{"key":"e_1_3_2_1_83_1","volume-title":"SMACK: Semantically Meaningful Adversarial Audio Attack. In 32nd USENIX Security Symposium (USENIX Security 23)","author":"Yu Zhiyuan","year":"2023","unstructured":"Zhiyuan Yu, Yuanhaur Chang, Ning Zhang, and Chaowei Xiao. 2023. SMACK: Semantically Meaningful Adversarial Audio Attack. In 32nd USENIX Security Symposium (USENIX Security 23). 3799--3816."},{"key":"e_1_3_2_1_84_1","doi-asserted-by":"publisher","DOI":"10.1109\/COMST.2021.3081450"},{"key":"e_1_3_2_1_85_1","doi-asserted-by":"publisher","DOI":"10.1145\/3576915.3623209"},{"key":"e_1_3_2_1_86_1","volume-title":"Light can be Dangerous: Stealthy and Effective Physical-world Adversarial Attack by Spot Light. Computers & Security","author":"Yufeng LI","year":"2023","unstructured":"LI Yufeng, YANG Fengyu, LIU Qi, LI Jiangtao, and CAO Chenhong. 2023. Light can be Dangerous: Stealthy and Effective Physical-world Adversarial Attack by Spot Light. Computers & Security (2023), 103345."},{"key":"e_1_3_2_1_87_1","unstructured":"Wei Zhan et al. 2019. INTERACTION Dataset: An INTERnational Adversarial and Cooperative moTION Dataset in Interactive Driving Scenarios with Semantic Maps. arXiv:1910.03088 [cs eess] (Sept. 2019)."},{"key":"e_1_3_2_1_88_1","doi-asserted-by":"publisher","DOI":"10.1109\/IROS40897.2019.8967724"},{"key":"e_1_3_2_1_89_1","volume-title":"Advances in Neural Information Processing Systems, H. Wallach, H. Larochelle, A. Beygelzimer, F. 
d'Alch\u00e9-Buc","author":"Zhang Dinghuai","unstructured":"Dinghuai Zhang, Tianyuan Zhang, Yiping Lu, Zhanxing Zhu, and Bin Dong. 2019. You Only Propagate Once: Accelerating Adversarial Training via Maximal Principle. In Advances in Neural Information Processing Systems, H. Wallach, H. Larochelle, A. Beygelzimer, F. d'Alch\u00e9-Buc, E. Fox, and R. Garnett (Eds.), Vol. 32. Curran Associates, Inc."},{"key":"e_1_3_2_1_90_1","volume-title":"Syed Afaq Ali Shah, and Mohammed Bennamoun","author":"Zhang Liang","year":"2018","unstructured":"Liang Zhang, Guangming Zhu, Lin Mei, Peiyi Shen, Syed Afaq Ali Shah, and Mohammed Bennamoun. 2018. Attention in convolutional LSTM for gesture recognition. Advances in neural information processing systems, Vol. 31 (2018)."},{"key":"e_1_3_2_1_91_1","volume-title":"32nd USENIX Security Symposium (USENIX Security 23)","author":"Zhang Shibo","year":"2023","unstructured":"Shibo Zhang, Yushi Cheng, Wenjun Zhu, Xiaoyu Ji, and Wenyuan Xu. 2023. CAPatch: Physical Adversarial Patch against Image Captioning Systems. In 32nd USENIX Security Symposium (USENIX Security 23). 679--696."},{"key":"e_1_3_2_1_92_1","volume-title":"Humans can decipher adversarial images. Nature communications","author":"Zhou Zhenglong","year":"2019","unstructured":"Zhenglong Zhou and Chaz Firestone. 2019. Humans can decipher adversarial images. Nature communications, Vol. 10, 1 (2019), 1334."},{"key":"e_1_3_2_1_93_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP46215.2023.10179473"},{"key":"e_1_3_2_1_94_1","volume-title":"TPatch: A Triggered Physical Adversarial Patch. In 32nd USENIX Security Symposium (USENIX Security 23)","author":"Zhu Wenjun","year":"2023","unstructured":"Wenjun Zhu, Xiaoyu Ji, Yushi Cheng, Shibo Zhang, and Wenyuan Xu. 2023. TPatch: A Triggered Physical Adversarial Patch. In 32nd USENIX Security Symposium (USENIX Security 23). 
USENIX Association, Anaheim, CA, 661--678."},{"key":"e_1_3_2_1_95_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR46437.2021.01498"}],"event":{"name":"CCS '24: ACM SIGSAC Conference on Computer and Communications Security","location":"Salt Lake City UT USA","acronym":"CCS '24","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3658644.3690236","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3658644.3690236","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,8,22]],"date-time":"2025-08-22T06:07:17Z","timestamp":1755842837000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3658644.3690236"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,12,2]]},"references-count":95,"alternative-id":["10.1145\/3658644.3690236","10.1145\/3658644"],"URL":"https:\/\/doi.org\/10.1145\/3658644.3690236","relation":{},"subject":[],"published":{"date-parts":[[2024,12,2]]},"assertion":[{"value":"2024-12-09","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}