{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,8,23]],"date-time":"2025-08-23T02:40:03Z","timestamp":1755916803483,"version":"3.44.0"},"publisher-location":"New York, NY, USA","reference-count":60,"publisher":"ACM","license":[{"start":{"date-parts":[[2024,11,6]],"date-time":"2024-11-06T00:00:00Z","timestamp":1730851200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"Ministry of Innovation, Science & Technology, Israel","award":["0603870071"],"award-info":[{"award-number":["0603870071"]}]},{"name":"Maof prize for outstanding young scientists"},{"name":"Len Blavatnik and the Blavatnik Family foundation"},{"DOI":"10.13039\/501100006374","name":"Tel Aviv University Center for AI and Data Science (TAD)","doi-asserted-by":"publisher","id":[{"id":"10.13039\/501100006374","id-type":"DOI","asserted-by":"publisher"}]},{"name":"Blavatnik Interdisciplinary Cyber Research Center (ICRC)"},{"DOI":"10.13039\/501100006374","name":"Intel Corporation","doi-asserted-by":"publisher","id":[{"id":"10.13039\/501100006374","id-type":"DOI","asserted-by":"publisher"}]},{"name":"Nvidia"},{"DOI":"10.13039\/501100006374","name":"Israel Science Foundation","doi-asserted-by":"publisher","award":["1807\/23"],"award-info":[{"award-number":["1807\/23"]}],"id":[{"id":"10.13039\/501100006374","id-type":"DOI","asserted-by":"publisher"}]},{"name":"KDDI Research Inc."},{"name":"United States-Israel Binational Science Foundation","award":["2023641"],"award-info":[{"award-number":["2023641"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2024,11,6]]},"DOI":"10.1145\/3689932.3694769","type":"proceedings-article","created":{"date-parts":[[2024,11,22]],"date-time":"2024-11-22T06:24:01Z","timestamp":1732256641000},"page":"113-124","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":0,"title":["The Ultimate Combo: Boosting Adversarial Example Transferability by Composing Data Augmentations"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0005-7554-9529","authenticated-orcid":false,"given":"Zebin","family":"Yun","sequence":"first","affiliation":[{"name":"Tel Aviv University, Tel Aviv, Israel"}]},{"ORCID":"https:\/\/orcid.org\/0009-0003-1883-2403","authenticated-orcid":false,"given":"Achi-Or","family":"Weingarten","sequence":"additional","affiliation":[{"name":"Weizmann Institute of Science, Rehovot, Israel"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6013-7426","authenticated-orcid":false,"given":"Eyal","family":"Ronen","sequence":"additional","affiliation":[{"name":"Tel Aviv University, Tel Aviv, Israel"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7661-2220","authenticated-orcid":false,"given":"Mahmood","family":"Sharif","sequence":"additional","affiliation":[{"name":"Tel Aviv University, Tel Aviv, Israel"}]}],"member":"320","published-online":{"date-parts":[[2024,11,22]]},"reference":[{"key":"e_1_3_2_1_1_1","doi-asserted-by":"crossref","unstructured":"Battista Biggio Igino Corona Davide Maiorca Blaine Nelson Nedim \u0160rndi\u0107 Pavel Laskov Giorgio Giacinto and Fabio Roli. 2013. Evasion attacks against machine learning at test time. In ECML.","DOI":"10.1007\/978-3-642-40994-3_25"},{"key":"e_1_3_2_1_2_1","unstructured":"Wieland Brendel Jonas Rauber and Matthias Bethge. 2018. Decision-based adversarial attacks: Reliable attacks against black-box machine learning models. In ICLR."},{"volume-title":"Towards evaluating the robustness of neural networks","author":"Carlini Nicholas","key":"e_1_3_2_1_3_1","unstructured":"Nicholas Carlini and David Wagner. 2017. Towards evaluating the robustness of neural networks. In IEEE S&P."},{"key":"e_1_3_2_1_4_1","unstructured":"Jeremy Cohen Elan Rosenfeld and Zico Kolter. 2019. Certified adversarial robustness via randomized smoothing. In ICML."},{"key":"e_1_3_2_1_5_1","doi-asserted-by":"crossref","unstructured":"Ekin D Cubuk Barret Zoph Dandelion Mane Vijay Vasudevan and Quoc V Le. 2019. AutoAugment: Learning augmentation policies from data. In CVPR.","DOI":"10.1109\/CVPR.2019.00020"},{"key":"e_1_3_2_1_6_1","volume-title":"Improved regularization of convolutional neural networks with Cutout. arXiv","author":"DeVries Terrance","year":"2017","unstructured":"Terrance DeVries and Graham W Taylor. 2017. Improved regularization of convolutional neural networks with Cutout. arXiv (2017)."},{"key":"e_1_3_2_1_7_1","doi-asserted-by":"crossref","unstructured":"Yinpeng Dong Fangzhou Liao Tianyu Pang Hang Su Jun Zhu Xiaolin Hu and Jianguo Li. 2018. Boosting adversarial attacks with momentum. In CVPR.","DOI":"10.1109\/CVPR.2018.00957"},{"key":"e_1_3_2_1_8_1","doi-asserted-by":"crossref","unstructured":"Yinpeng Dong Tianyu Pang Hang Su and Jun Zhu. 2019. Evading defenses to transferable adversarial examples by translation-invariant attacks. In CVPR.","DOI":"10.1109\/CVPR.2019.00444"},{"key":"e_1_3_2_1_9_1","volume-title":"Words: Transformers for Image Recognition at Scale. In ICLR.","author":"Dosovitskiy Alexey","year":"2021","unstructured":"Alexey Dosovitskiy, Lucas Beyer, Alexander Kolesnikov, Dirk Weissenborn, Xiaohua Zhai, Thomas Unterthiner, Mostafa Dehghani, Matthias Minderer, Georg Heigold, Sylvain Gelly, et al. 2021. An Image is Worth 16x16 Words: Transformers for Image Recognition at Scale. In ICLR."},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"crossref","unstructured":"Kevin Eykholt Ivan Evtimov Earlence Fernandes Bo Li Amir Rahmati Chaowei Xiao Atul Prakash Tadayoshi Kohno and Dawn Song. 2018. Robust physical-world attacks on deep learning visual classification. In CVPR.","DOI":"10.1109\/CVPR.2018.00175"},{"key":"e_1_3_2_1_11_1","volume-title":"A neural algorithm of artistic style. arXiv","author":"Gatys Leon A","year":"2015","unstructured":"Leon A Gatys, Alexander S Ecker, and Matthias Bethge. 2015. A neural algorithm of artistic style. arXiv (2015)."},{"key":"e_1_3_2_1_12_1","unstructured":"Ian J Goodfellow Jonathon Shlens and Christian Szegedy. 2015. Explaining and harnessing adversarial examples. In ICLR."},{"key":"e_1_3_2_1_13_1","unstructured":"Google Brain. 2017. NeurIPS 2017: Adversarial Learning Development Set. https:\/\/bit.ly\/3fq4pN6."},{"key":"e_1_3_2_1_14_1","unstructured":"Chuan Guo Mayank Rana Moustapha Cisse and Laurens Van Der Maaten. 2018. Countering adversarial images using input transformations. In ICLR."},{"key":"e_1_3_2_1_15_1","unstructured":"Kaiming He Xiangyu Zhang Shaoqing Ren and Jian Sun. 2016. Identity mappings in deep residual networks. In ECCV."},{"key":"e_1_3_2_1_16_1","first-page":"5149","article-title":"Meta-learning in neural networks: A survey","volume":"44","author":"Hospedales Timothy","year":"2021","unstructured":"Timothy Hospedales, Antreas Antoniou, Paul Micaelli, and Amos Storkey. 2021. Meta-learning in neural networks: A survey. IEEE PAMI, Vol. 44, 9 (2021), 5149--5169.","journal-title":"IEEE PAMI"},{"key":"e_1_3_2_1_17_1","volume-title":"Laurens Van Der Maaten, and Kilian Q Weinberger","author":"Huang Gao","year":"2017","unstructured":"Gao Huang, Zhuang Liu, Laurens Van Der Maaten, and Kilian Q Weinberger. 2017. Densely connected convolutional networks. In CVPR."},{"key":"e_1_3_2_1_18_1","doi-asserted-by":"crossref","unstructured":"Qian Huang Isay Katsman Horace He Zeqi Gu Serge Belongie and Ser-Nam Lim. 2019. Enhancing adversarial example transferability with an intermediate level attack. In ICCV.","DOI":"10.1109\/ICCV.2019.00483"},{"key":"e_1_3_2_1_19_1","unstructured":"Andrew Ilyas Logan Engstrom and Aleksander Madry. 2019. Prior convictions: Black-box adversarial attacks with bandits and priors. In ICLR."},{"key":"e_1_3_2_1_20_1","unstructured":"Alexander Jung and Vicram Rajagopalan. 2020. imgaug. https:\/\/imgaug.readthedocs.io. Accessed on 2024-04-19."},{"key":"e_1_3_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1007\/s11042-020-10139-6"},{"key":"e_1_3_2_1_22_1","unstructured":"Alex Krizhevsky. 2009. Learning multiple layers of features from tiny images. Technical Report. University of Toronto."},{"key":"e_1_3_2_1_23_1","unstructured":"Alexey Kurakin Ian Goodfellow and Samy Bengio. 2017. Adversarial machine learning at scale. In ICLR."},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"crossref","unstructured":"Alexey Kurakin Ian J Goodfellow and Samy Bengio. 2017. Adversarial examples in the physical world. In ICLRW.","DOI":"10.1201\/9781351251389-8"},{"key":"e_1_3_2_1_25_1","unstructured":"Qizhang Li Yiwen Guo Wangmeng Zuo and Hao Chen. 2023. Towards Evaluating Transfer-based Attacks Systematically Practically and Fairly. In NeurIPS."},{"key":"e_1_3_2_1_26_1","unstructured":"Jiadong Lin Chuanbiao Song Kun He Liwei Wang and John E Hopcroft. 2020. Nesterov accelerated gradient and scale invariance for adversarial attacks. In ICLR."},{"key":"e_1_3_2_1_27_1","unstructured":"Yanpei Liu Xinyun Chen Chang Liu and Dawn Song. 2017. Delving into transferable adversarial examples and black-box attacks. In ICLR."},{"volume-title":"Transfer attacks revisited: A large-scale empirical study in real computer vision settings","author":"Mao Yuhao","key":"e_1_3_2_1_28_1","unstructured":"Yuhao Mao, Chong Fu, Saizhuo Wang, Shouling Ji, Xuhong Zhang, Zhenguang Liu, Jun Zhou, Alex X Liu, Raheem Beyah, and Ting Wang. 2022. Transfer attacks revisited: A large-scale empirical study in real computer vision settings. In IEEE S&P."},{"key":"e_1_3_2_1_29_1","volume-title":"Fahad Shahbaz Khan, and Fatih Porikli","author":"Naseer Muzammal","year":"2020","unstructured":"Muzammal Naseer, Salman Khan, Munawar Hayat, Fahad Shahbaz Khan, and Fatih Porikli. 2020. A self-supervised approach for adversarial robustness. In CVPR."},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"crossref","unstructured":"Nicolas Papernot Patrick McDaniel Somesh Jha Matt Fredrikson Z Berkay Celik and Ananthram Swami. 2016. The limitations of deep learning in adversarial settings. In Euro S&P.","DOI":"10.1109\/EuroSP.2016.36"},{"volume-title":"PyTorch models trained on CIFAR-10. https:\/\/github.com\/huyvnphan\/PyTorch_CIFAR10","author":"Phan Huy","key":"e_1_3_2_1_31_1","unstructured":"Huy Phan, David Widmann, Zafar, and Heon Song. [n.,d.]. PyTorch models trained on CIFAR-10. https:\/\/github.com\/huyvnphan\/PyTorch_CIFAR10."},{"key":"e_1_3_2_1_32_1","unstructured":"PyTorch Core Team. [n. d.]. Torchvision. https:\/\/pytorch.org\/vision."},{"key":"e_1_3_2_1_33_1","unstructured":"Hadi Salman Jerry Li Ilya Razenshteyn Pengchuan Zhang Huan Zhang Sebastien Bubeck and Greg Yang. 2019. Provably robust deep learning via adversarially trained smoothed classifiers. In NeurIPS."},{"key":"e_1_3_2_1_34_1","doi-asserted-by":"crossref","unstructured":"Mark Sandler Andrew Howard Menglong Zhu Andrey Zhmoginov and Liang-Chieh Chen. 2018. MobileNetV2: Inverted residuals and linear bottlenecks. In CVPR.","DOI":"10.1109\/CVPR.2018.00474"},{"key":"e_1_3_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1186\/s40537-019-0197-0"},{"key":"e_1_3_2_1_36_1","unstructured":"K. Simonyan and A. Zisserman. 2015. Very Deep Convolutional Networks for Large-Scale Image Recognition. In ICLR."},{"key":"e_1_3_2_1_37_1","doi-asserted-by":"crossref","unstructured":"Christian Szegedy Sergey Ioffe Vincent Vanhoucke and Alexander A Alemi. 2017. Inception-v4 Inception-ResNet and the impact of residual connections on learning. In AAAI.","DOI":"10.1609\/aaai.v31i1.11231"},{"key":"e_1_3_2_1_38_1","doi-asserted-by":"crossref","unstructured":"Christian Szegedy Wei Liu Yangqing Jia Pierre Sermanet Scott Reed Dragomir Anguelov Dumitru Erhan Vincent Vanhoucke and Andrew Rabinovich. 2015. Going deeper with convolutions. In CVPR.","DOI":"10.1109\/CVPR.2015.7298594"},{"key":"e_1_3_2_1_39_1","doi-asserted-by":"crossref","unstructured":"Christian Szegedy Vincent Vanhoucke Sergey Ioffe Jon Shlens and Zbigniew Wojna. 2016. Rethinking the inception architecture for computer vision. In CVPR.","DOI":"10.1109\/CVPR.2016.308"},{"key":"e_1_3_2_1_40_1","unstructured":"Christian Szegedy Wojciech Zaremba Ilya Sutskever Joan Bruna Dumitru Erhan Ian Goodfellow and Rob Fergus. 2014. Intriguing properties of neural networks. In ICLR."},{"key":"e_1_3_2_1_41_1","volume-title":"Le","author":"Tan Mingxing","year":"2019","unstructured":"Mingxing Tan, Bo Chen, Ruoming Pang, Vijay Vasudevan, Mark Sandler, Andrew Howard, and Quoc V. Le. 2019. MnasNet: Platform-Aware Neural Architecture Search for Mobile. In CVPR."},{"key":"e_1_3_2_1_42_1","unstructured":"Florian Tramer. 2022. Detecting adversarial examples is (nearly) as hard as classifying them. In ICML."},{"key":"e_1_3_2_1_43_1","unstructured":"Florian Tram\u00e8r Alexey Kurakin Nicolas Papernot Ian Goodfellow Dan Boneh and Patrick McDaniel. 2018. Ensemble adversarial training: Attacks and defenses. In ICLR."},{"key":"e_1_3_2_1_44_1","unstructured":"Aladin Virmaux and Kevin Scaman. 2018. Lipschitz regularity of deep neural networks: Analysis and efficient estimation. In NeurIPS."},{"key":"e_1_3_2_1_45_1","doi-asserted-by":"crossref","unstructured":"Xiaosen Wang and Kun He. 2021. Enhancing the transferability of adversarial attacks through variance tuning. In CVPR.","DOI":"10.1109\/ICCV48922.2021.01585"},{"key":"e_1_3_2_1_46_1","volume-title":"Admix: Enhancing the transferability of adversarial attacks. In ICCV.","author":"Wang Xiaosen","year":"2021","unstructured":"Xiaosen Wang, Xuanran He, Jingdong Wang, and Kun He. 2021. Admix: Enhancing the transferability of adversarial attacks. In ICCV."},{"key":"e_1_3_2_1_47_1","doi-asserted-by":"crossref","unstructured":"Xiaosen Wang Jiadong Lin Han Hu Jingdong Wang and Kun He. 2021. Boosting adversarial transferability through enhanced momentum. In BMVC.","DOI":"10.5244\/C.35.186"},{"key":"e_1_3_2_1_48_1","unstructured":"Xin Wang Jie Ren Shuyun Lin Xiangming Zhu Yisen Wang and Quanshi Zhang. 2020. A Unified Approach to Interpreting and Boosting Adversarial Transferability. In ICLR."},{"key":"e_1_3_2_1_49_1","volume-title":"Deep image: Scaling up image recognition. arXiv","author":"Wu Ren","year":"2015","unstructured":"Ren Wu, Shengen Yan, Yi Shan, Qingqing Dang, and Gang Sun. 2015. Deep image: Scaling up image recognition. arXiv (2015)."},{"key":"e_1_3_2_1_50_1","unstructured":"Weibin Wu Yuxin Su Michael R Lyu and Irwin King. 2021. Improving the transferability of adversarial samples with adversarial transformations. In CVPR."},{"key":"e_1_3_2_1_51_1","unstructured":"Cihang Xie Zhishuai Zhang Yuyin Zhou Song Bai Jianyu Wang Zhou Ren and Alan L Yuille. 2019. Improving transferability of adversarial examples with input diversity. In CVPR."},{"key":"e_1_3_2_1_52_1","volume-title":"Feature Squeezing: Detecting Adversarial Examples in Deep Neural Networks. In NDSS.","author":"Xu Weilin","year":"2018","unstructured":"Weilin Xu, David Evans, and Yanjun Qi. 2018. Feature Squeezing: Detecting Adversarial Examples in Deep Neural Networks. In NDSS."},{"key":"e_1_3_2_1_53_1","volume-title":"TRS: Transferability reduced ensemble via promoting gradient diversity and model smoothness. In NeurIPS.","author":"Yang Zhuolin","year":"2021","unstructured":"Zhuolin Yang, Linyi Li, Xiaojun Xu, Shiliang Zuo, Qian Chen, Pan Zhou, Benjamin Rubinstein, Ce Zhang, and Bo Li. 2021. TRS: Transferability reduced ensemble via promoting gradient diversity and model smoothness. In NeurIPS."},{"key":"e_1_3_2_1_54_1","unstructured":"Shengming Yuan and Qilong Zhang. [n. d.]. TF to PyTorch Model. https:\/\/github.com\/ylhz\/tf_to_pytorch_model."},{"key":"e_1_3_2_1_55_1","volume-title":"Sanghyuk Chun, Junsuk Choe, and Youngjoon Yoo.","author":"Yun Sangdoo","year":"2019","unstructured":"Sangdoo Yun, Dongyoon Han, Seong Joon Oh, Sanghyuk Chun, Junsuk Choe, and Youngjoon Yoo. 2019. CutMix: Regularization strategy to train strong classifiers with localizable features. In ICCV."},{"key":"e_1_3_2_1_56_1","unstructured":"Zebin Yun Achi-Or Weingarten Eyal Ronen and Mahmood Sharif. 2024. Implementation of UltComb. https:\/\/github.com\/yundaqwe\/Ultimate-Combo."},{"key":"e_1_3_2_1_57_1","unstructured":"Hongyi Zhang Moustapha Cisse Yann N Dauphin and David Lopez-Paz. 2018. mixup: Beyond empirical risk minimization. In ICLR."},{"key":"e_1_3_2_1_58_1","doi-asserted-by":"crossref","unstructured":"Jianping Zhang Jen-tse Huang Wenxuan Wang Yichen Li Weibin Wu Xiaosen Wang Yuxin Su and Michael R Lyu. 2023. Improving the Transferability of Adversarial Samples by Path-Augmented Method. In CVPR.","DOI":"10.1109\/CVPR52729.2023.00790"},{"key":"e_1_3_2_1_59_1","volume-title":"Junyu Shi, Minghui Li, Xiaogeng Liu, Wei Wan, and Hai Jin.","author":"Zhang Yechao","year":"2024","unstructured":"Yechao Zhang, Shengshan Hu, Leo Yu Zhang, Junyu Shi, Minghui Li, Xiaogeng Liu, Wei Wan, and Hai Jin. 2024. Why Does Little Robustness Help? Understanding and Improving Adversarial Transferability from Surrogate Training. In S&P."},{"key":"e_1_3_2_1_60_1","doi-asserted-by":"crossref","unstructured":"Zhun Zhong Liang Zheng Guoliang Kang Shaozi Li and Yi Yang. 2020. Random erasing data augmentation. In AAAI.","DOI":"10.1609\/aaai.v34i07.7000"}],"event":{"name":"CCS '24: ACM SIGSAC Conference on Computer and Communications Security","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"],"location":"Salt Lake City UT USA","acronym":"CCS '24"},"container-title":["Proceedings of the 2024 Workshop on Artificial Intelligence and Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3689932.3694769","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3689932.3694769","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,8,23]],"date-time":"2025-08-23T02:07:47Z","timestamp":1755914867000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3689932.3694769"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,11,6]]},"references-count":60,"alternative-id":["10.1145\/3689932.3694769","10.1145\/3689932"],"URL":"https:\/\/doi.org\/10.1145\/3689932.3694769","relation":{},"subject":[],"published":{"date-parts":[[2024,11,6]]},"assertion":[{"value":"2024-11-22","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}