{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,15]],"date-time":"2025-10-15T00:40:11Z","timestamp":1760488811196,"version":"build-2065373602"},"publisher-location":"New York, NY, USA","reference-count":41,"publisher":"ACM","funder":[{"name":"Research Ireland","award":["18\/CRT\/6223"],"award-info":[{"award-number":["18\/CRT\/6223"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2025,8,27]]},"DOI":"10.1145\/3704268.3742694","type":"proceedings-article","created":{"date-parts":[[2025,8,27]],"date-time":"2025-08-27T16:44:47Z","timestamp":1756313087000},"page":"1-8","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":0,"title":["Robust Image Classifiers Fail Under Shifted Adversarial Perturbations"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-6255-4573","authenticated-orcid":false,"given":"Fatemeh","family":"Amerehi","sequence":"first","affiliation":[{"name":"University of Limerick, Ireland"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-3824-7442","authenticated-orcid":false,"given":"Patrick","family":"Healy","sequence":"additional","affiliation":[{"name":"University of Limerick, Ireland"}]}],"member":"320","published-online":{"date-parts":[[2025,8,27]]},"reference":[{"key":"e_1_3_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-58592-1_29"},{"key":"e_1_3_2_1_2_1","volume-title":"International conference on machine learning. PMLR, 274--283","author":"Athalye Anish","year":"2018","unstructured":"Anish Athalye, Nicholas Carlini, and David Wagner. 2018. Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In International conference on machine learning. PMLR, 274--283."},{"volume-title":"International Conference on Learning Representations. 
https:\/\/openreview.net\/forum?id=Sye_OgHFwH","author":"Bhattad Anand","key":"e_1_3_2_1_3_1","unstructured":"Anand Bhattad, Min Jin Chong, Kaizhao Liang, Bo Li, and D. A. Forsyth. 2020. Unrestricted Adversarial Examples via Semantic Manipulation. In International Conference on Learning Representations. https:\/\/openreview.net\/forum?id=Sye_OgHFwH"},{"key":"e_1_3_2_1_4_1","volume-title":"On evaluating adversarial robustness. arXiv preprint arXiv:1902.06705","author":"Carlini Nicholas","year":"2019","unstructured":"Nicholas Carlini, Anish Athalye, Nicolas Papernot, Wieland Brendel, Jonas Rauber, Dimitris Tsipras, Ian Goodfellow, Aleksander Madry, and Alexey Kurakin. 2019. On evaluating adversarial robustness. arXiv preprint arXiv:1902.06705 (2019)."},{"key":"e_1_3_2_1_5_1","doi-asserted-by":"crossref","unstructured":"Nicholas Carlini and David Wagner. 2017. Towards evaluating the robustness of neural networks. In 2017 ieee symposium on security and privacy (sp). Ieee 39--57.","DOI":"10.1109\/SP.2017.49"},{"key":"e_1_3_2_1_6_1","volume-title":"The Thirteenth International Conference on Learning Representations. https:\/\/openreview.net\/forum?id=JMPOqoe4tl","author":"Cin\u00e0 Antonio Emanuele","year":"2025","unstructured":"Antonio Emanuele Cin\u00e0, Francesco Villani, Maura Pintor, Lea Sch\u00f6nherr, Battista Biggio, and Marcello Pelillo. 2025. \u03c3-zero: Gradient-based Optimization of \u2113_0-norm Adversarial Examples. In The Thirteenth International Conference on Learning Representations. https:\/\/openreview.net\/forum?id=JMPOqoe4tl"},{"key":"e_1_3_2_1_7_1","volume-title":"Robustbench: a standardized adversarial robustness benchmark. arXiv preprint arXiv:2010.09670","author":"Croce Francesco","year":"2020","unstructured":"Francesco Croce, Maksym Andriushchenko, Vikash Sehwag, Edoardo Debenedetti, Nicolas Flammarion, Mung Chiang, Prateek Mittal, and Matthias Hein. 2020. Robustbench: a standardized adversarial robustness benchmark. 
arXiv preprint arXiv:2010.09670 (2020)."},{"key":"e_1_3_2_1_8_1","volume-title":"International Conference on Machine Learning. PMLR, 2196--2205","author":"Croce Francesco","year":"2020","unstructured":"Francesco Croce and Matthias Hein. 2020. Minimally distorted adversarial examples with a fast adaptive boundary attack. In International Conference on Machine Learning. PMLR, 2196--2205."},{"key":"e_1_3_2_1_9_1","volume-title":"International conference on machine learning. PMLR, 2206--2216","author":"Croce Francesco","year":"2020","unstructured":"Francesco Croce and Matthias Hein. 2020. Reliable evaluation of adversarial robustness with an ensemble of diverse parameter-free attacks. In International conference on machine learning. PMLR, 2206--2216."},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1109\/WACV45572.2020.9093429"},{"key":"e_1_3_2_1_11_1","volume-title":"International conference on machine learning. PMLR","author":"Engstrom Logan","year":"2019","unstructured":"Logan Engstrom, Brandon Tran, Dimitris Tsipras, Ludwig Schmidt, and Aleksander Madry. 2019. Exploring the landscape of spatial robustness. In International conference on machine learning. PMLR, 1802--1811."},{"key":"e_1_3_2_1_12_1","volume-title":"Explaining and harnessing adversarial examples. arXiv preprint arXiv:1412.6572","author":"Goodfellow Ian J","year":"2014","unstructured":"Ian J Goodfellow, Jonathon Shlens, and Christian Szegedy. 2014. Explaining and harnessing adversarial examples. arXiv preprint arXiv:1412.6572 (2014)."},{"key":"e_1_3_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.90"},{"key":"e_1_3_2_1_14_1","volume-title":"Benchmarking neural network robustness to common corruptions and perturbations. arXiv preprint arXiv:1903.12261","author":"Hendrycks Dan","year":"2019","unstructured":"Dan Hendrycks and Thomas Dietterich. 2019. Benchmarking neural network robustness to common corruptions and perturbations. 
arXiv preprint arXiv:1903.12261 (2019)."},{"key":"e_1_3_2_1_15_1","volume-title":"Denoising diffusion probabilistic models. Advances in neural information processing systems 33","author":"Ho Jonathan","year":"2020","unstructured":"Jonathan Ho, Ajay Jain, and Pieter Abbeel. 2020. Denoising diffusion probabilistic models. Advances in neural information processing systems 33 (2020), 6840--6851."},{"key":"e_1_3_2_1_16_1","volume-title":"Perceptual Adversarial Robustness: Defense Against Unseen Threat Models. In International Conference on Learning Representations. https:\/\/openreview.net\/forum?id=dFwBosAcJkN","author":"Laidlaw Cassidy","year":"2021","unstructured":"Cassidy Laidlaw, Sahil Singla, and Soheil Feizi. 2021. Perceptual Adversarial Robustness: Defense Against Unseen Threat Models. In International Conference on Learning Representations. https:\/\/openreview.net\/forum?id=dFwBosAcJkN"},{"key":"e_1_3_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1007\/s41965-024-00142-3"},{"key":"e_1_3_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR52688.2022.01488"},{"key":"e_1_3_2_1_19_1","volume-title":"Towards deep learning models resistant to adversarial attacks. arXiv preprint arXiv:1706.06083","author":"Madry Aleksander","year":"2017","unstructured":"Aleksander Madry, Aleksandar Makelov, Ludwig Schmidt, Dimitris Tsipras, and Adrian Vladu. 2017. Towards deep learning models resistant to adversarial attacks. arXiv preprint arXiv:1706.06083 (2017)."},{"key":"e_1_3_2_1_20_1","first-page":"18599","article-title":"When adversarial training meets vision transformers: Recipes from training to architecture","volume":"35","author":"Mo Yichuan","year":"2022","unstructured":"Yichuan Mo, Dongxian Wu, Yifei Wang, Yiwen Guo, and Yisen Wang. 2022. When adversarial training meets vision transformers: Recipes from training to architecture. 
Advances in Neural Information Processing Systems 35 (2022), 18599--18611.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"e_1_3_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2019.00930"},{"key":"e_1_3_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.282"},{"key":"e_1_3_2_1_23_1","volume-title":"International conference on machine learning. PMLR.","author":"Nie Weili","year":"2022","unstructured":"Weili Nie, Brandon Guo, Yujia Huang, Chaowei Xiao, Arash Vahdat, and Anima Anandkumar. 2022. Diffusion models for adversarial purification. In International conference on machine learning. PMLR."},{"key":"e_1_3_2_1_24_1","unstructured":"OpenAI. 2021. Guided Diffusion Library. https:\/\/github.com\/openai\/guided-diffusion."},{"key":"e_1_3_2_1_25_1","volume-title":"Transferability in machine learning: from phenomena to black-box attacks using adversarial samples. arXiv preprint arXiv:1605.07277","author":"Papernot Nicolas","year":"2016","unstructured":"Nicolas Papernot, Patrick McDaniel, and Ian Goodfellow. 2016. Transferability in machine learning: from phenomena to black-box attacks using adversarial samples. arXiv preprint arXiv:1605.07277 (2016)."},{"key":"e_1_3_2_1_26_1","unstructured":"Adam Paszke Sam Gross Soumith Chintala Gregory Chanan Edward Yang Zachary DeVito Zeming Lin Alban Desmaison Luca Antiga and Adam Lerer. 2017. Automatic differentiation in PyTorch. (2017). https:\/\/pytorch.org\/vision\/main\/generated\/torchvision.transforms.v2.functional.autocontrast.html"},{"key":"e_1_3_2_1_27_1","first-page":"3533","article-title":"Do adversarially robust imagenet models transfer better","volume":"33","author":"Salman Hadi","year":"2020","unstructured":"Hadi Salman, Andrew Ilyas, Logan Engstrom, Ashish Kapoor, and Aleksander Madry. 2020. Do adversarially robust imagenet models transfer better? 
Advances in Neural Information Processing Systems 33 (2020), 3533--3545.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"e_1_3_2_1_28_1","volume-title":"Defense-GAN: Protecting Classifiers Against Adversarial Attacks Using Generative Models. In International Conference on Learning Representations. https:\/\/openreview.net\/forum?id=BkJ3ibb0-","author":"Samangouei Pouya","year":"2018","unstructured":"Pouya Samangouei, Maya Kabkab, and Rama Chellappa. 2018. Defense-GAN: Protecting Classifiers Against Adversarial Attacks Using Generative Models. In International Conference on Learning Representations. https:\/\/openreview.net\/forum?id=BkJ3ibb0-"},{"key":"e_1_3_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR42600.2020.00123"},{"key":"e_1_3_2_1_30_1","volume-title":"International Conference on Learning Representations. https:\/\/openreview.net\/forum?id=rJUYGxbCW","author":"Song Yang","year":"2018","unstructured":"Yang Song, Taesup Kim, Sebastian Nowozin, Stefano Ermon, and Nate Kushman. 2018. PixelDefend: Leveraging Generative Models to Understand and Defend against Adversarial Examples. In International Conference on Learning Representations. https:\/\/openreview.net\/forum?id=rJUYGxbCW"},{"key":"e_1_3_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2019.00714"},{"key":"e_1_3_2_1_32_1","volume-title":"International conference on machine learning. PMLR, 9155--9166","author":"Stutz David","year":"2020","unstructured":"David Stutz, Matthias Hein, and Bernt Schiele. 2020. Confidence-calibrated adversarial training: Generalizing to unseen attacks. In International conference on machine learning. PMLR, 9155--9166."},{"key":"e_1_3_2_1_33_1","first-page":"18583","article-title":"Measuring robustness to natural distribution shifts in image classification","volume":"33","author":"Taori Rohan","year":"2020","unstructured":"Rohan Taori, Achal Dave, Vaishaal Shankar, Nicholas Carlini, Benjamin Recht, and Ludwig Schmidt. 
2020. Measuring robustness to natural distribution shifts in image classification. Advances in Neural Information Processing Systems 33 (2020), 18583--18599.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"e_1_3_2_1_34_1","volume-title":"Adversarial training and robustness for multiple perturbations. Advances in neural information processing systems 32","author":"Tramer Florian","year":"2019","unstructured":"Florian Tramer and Dan Boneh. 2019. Adversarial training and robustness for multiple perturbations. Advances in neural information processing systems 32 (2019)."},{"key":"e_1_3_2_1_35_1","volume-title":"The space of transferable adversarial examples. arXiv preprint arXiv:1704.03453","author":"Tram\u00e8r Florian","year":"2017","unstructured":"Florian Tram\u00e8r, Nicolas Papernot, Ian Goodfellow, Dan Boneh, and Patrick McDaniel. 2017. The space of transferable adversarial examples. arXiv preprint arXiv:1704.03453 (2017)."},{"key":"e_1_3_2_1_36_1","volume-title":"International conference on learning representations.","author":"Wang Yisen","year":"2019","unstructured":"Yisen Wang, Difan Zou, Jinfeng Yi, James Bailey, Xingjun Ma, and Quanquan Gu. 2019. Improving adversarial robustness requires revisiting misclassified examples. In International conference on learning representations."},{"key":"e_1_3_2_1_37_1","volume-title":"Spatially Transformed Adversarial Examples. In International Conference on Learning Representations. https:\/\/openreview.net\/forum?id=HyydRMZC-","author":"Xiao Chaowei","year":"2018","unstructured":"Chaowei Xiao, Jun-Yan Zhu, Bo Li, Warren He, Mingyan Liu, and Dawn Song. 2018. Spatially Transformed Adversarial Examples. In International Conference on Learning Representations. https:\/\/openreview.net\/forum?id=HyydRMZC-"},{"key":"e_1_3_2_1_38_1","volume-title":"International Conference on Machine Learning. 
PMLR, 12062--12072","author":"Yoon Jongmin","year":"2021","unstructured":"Jongmin Yoon, Sung Ju Hwang, and Juho Lee. 2021. Adversarial purification with score-based generative models. In International Conference on Machine Learning. PMLR, 12062--12072."},{"key":"e_1_3_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR52688.2022.00713"},{"key":"e_1_3_2_1_40_1","volume-title":"International conference on machine learning. PMLR, 7472--7482","author":"Zhang Hongyang","year":"2019","unstructured":"Hongyang Zhang, Yaodong Yu, Jiantao Jiao, Eric Xing, Laurent El Ghaoui, and Michael Jordan. 2019. Theoretically principled trade-off between robustness and accuracy. In International conference on machine learning. PMLR, 7472--7482."},{"key":"e_1_3_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR42600.2020.00112"}],"event":{"name":"DocEng '25: ACM Symposium on Document Engineering 2025","sponsor":["SIGWEB ACM Special Interest Group on Hypertext, Hypermedia, and Web"],"location":"Nottingham United Kingdom","acronym":"DocEng '25"},"container-title":["Proceedings of the 2025 ACM Symposium on Document Engineering"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3704268.3742694","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,14]],"date-time":"2025-10-14T18:26:44Z","timestamp":1760466404000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3704268.3742694"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,8,27]]},"references-count":41,"alternative-id":["10.1145\/3704268.3742694","10.1145\/3704268"],"URL":"https:\/\/doi.org\/10.1145\/3704268.3742694","relation":{},"subject":[],"published":{"date-parts":[[2025,8,27]]},"assertion":[{"value":"2025-08-27","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}