{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,7]],"date-time":"2026-04-07T22:16:08Z","timestamp":1775600168783,"version":"3.50.1"},"reference-count":74,"publisher":"Association for Computing Machinery (ACM)","issue":"2","license":[{"start":{"date-parts":[[2025,1,9]],"date-time":"2025-01-09T00:00:00Z","timestamp":1736380800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"crossref","award":["62272020, U20B2069 and 62176253"],"award-info":[{"award-number":["62272020, U20B2069 and 62176253"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"crossref"}]},{"name":"State Key Laboratory of Complex & Critical Software Environment","award":["SKLSDE2023ZX-16"],"award-info":[{"award-number":["SKLSDE2023ZX-16"]}]},{"name":"Fundamental Research Funds for Central Universities"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Multimedia Comput. Commun. Appl."],"published-print":{"date-parts":[[2025,2,28]]},"abstract":"<jats:p>Adversarial example detection, which can be conveniently applied in many scenarios, is important in the area of adversarial defense. Unfortunately, existing detection methods suffer from poor generalization performance because their training process usually relies on the examples generated from a single known adversarial attack and there exists a large discrepancy between the training and unseen testing adversarial examples. To address this issue, we propose a novel method, named Adversarial Example Detection via Principal Adversarial Domain Adaptation (AED-PADA). Specifically, our approach identifies the Principal Adversarial Domains (PADs), i.e., a combination of features of the adversarial examples generated by different attacks, which possesses a large portion of the entire adversarial feature space. Subsequently, we pioneer to exploit Multi-source Unsupervised Domain Adaptation in adversarial example detection, with PADs as the source domains. Experimental results demonstrate the superior generalization ability of our proposed AED-PADA. Note that this superiority is particularly achieved in challenging scenarios characterized by employing the minimal magnitude constraint for the perturbations.<\/jats:p>","DOI":"10.1145\/3706061","type":"journal-article","created":{"date-parts":[[2024,12,3]],"date-time":"2024-12-03T13:36:27Z","timestamp":1733232987000},"page":"1-24","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":5,"title":["AED-PADA: Improving Generalizability of Adversarial Example Detection via Principal Adversarial Domain Adaptation"],"prefix":"10.1145","volume":"21","author":[{"ORCID":"https:\/\/orcid.org\/0009-0006-4842-1754","authenticated-orcid":false,"given":"Heqi","family":"Peng","sequence":"first","affiliation":[{"name":"School of Computer Science and Engineering, Beihang University, Beijing, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8001-2703","authenticated-orcid":false,"given":"Yunhong","family":"Wang","sequence":"additional","affiliation":[{"name":"School of Computer Science and Engineering, Beihang University, Beijing, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-2836-8005","authenticated-orcid":false,"given":"Ruijie","family":"Yang","sequence":"additional","affiliation":[{"name":"School of Computer Science and Engineering, Beihang University, Beijing, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0000-3967-7092","authenticated-orcid":false,"given":"Beichen","family":"Li","sequence":"additional","affiliation":[{"name":"School of Computer Science and Engineering, Beihang University, Beijing, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4792-1945","authenticated-orcid":false,"given":"Rui","family":"Wang","sequence":"additional","affiliation":[{"name":"State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-4592-8083","authenticated-orcid":false,"given":"Yuanfang","family":"Guo","sequence":"additional","affiliation":[{"name":"School of Computer Science and Engineering, Beihang University, Beijing, China"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2025,1,9]]},"reference":[{"key":"e_1_3_1_2_2","volume-title":"International Conference on Learning Representations","author":"Szegedy Christian","year":"2014","unstructured":"Christian Szegedy, Wojciech Zaremba, Ilya Sutskever, Joan Bruna, Dumitru Erhan, Ian J. Goodfellow, and Rob Fergus. 2014. Intriguing properties of neural networks. In International Conference on Learning Representations."},{"key":"e_1_3_1_3_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2015.7298640"},{"key":"e_1_3_1_4_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICME51207.2021.9428243"},{"key":"e_1_3_1_5_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR52688.2022.01488"},{"key":"e_1_3_1_6_2","volume-title":"International Conference on Learning Representations","author":"Yan Chiu Wai","year":"2023","unstructured":"Chiu Wai Yan, Tsz-Him Cheung, and Dit-Yan Yeung. 2023. ILA-DA: Improving transferability of intermediate level attack with data augmentation. In International Conference on Learning Representations."},{"key":"e_1_3_1_7_2","doi-asserted-by":"publisher","DOI":"10.1145\/3599730"},{"key":"e_1_3_1_8_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICRA46639.2022.9811574"},{"key":"e_1_3_1_9_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.patcog.2020.107332"},{"key":"e_1_3_1_10_2","volume-title":"International Conference on Learning Representations","author":"Goodfellow Ian J.","year":"2015","unstructured":"Ian J. Goodfellow, Jonathon Shlens, and Christian Szegedy. 2015. Explaining and harnessing adversarial examples. In International Conference on Learning Representations."},{"key":"e_1_3_1_11_2","doi-asserted-by":"publisher","DOI":"10.24963\/ijcai.2019\/403"},{"key":"e_1_3_1_12_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR42600.2020.00090"},{"key":"e_1_3_1_13_2","doi-asserted-by":"publisher","DOI":"10.1145\/3616375"},{"key":"e_1_3_1_14_2","volume-title":"International Conference on Learning Representations","author":"Ma Xingjun","year":"2018","unstructured":"Xingjun Ma, Bo Li, Yisen Wang, Sarah M. Erfani, Sudanthi N. R. Wijewickrema, Grant Schoenebeck, Dawn Song, Michael E. Houle, and James Bailey. 2018. Characterizing adversarial subspaces using local intrinsic dimensionality. In International Conference on Learning Representations."},{"key":"e_1_3_1_15_2","first-page":"7167","article-title":"A simple unified framework for detecting out-of-distribution samples and adversarial attacks","author":"Lee Kimin","year":"2018","unstructured":"Kimin Lee, Kibok Lee, Honglak Lee, and Jinwoo Shin. 2018. A simple unified framework for detecting out-of-distribution samples and adversarial attacks. In Advances in Neural Information Processing Systems, 7167\u20137177.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"e_1_3_1_16_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2019.00496"},{"key":"e_1_3_1_17_2","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v35i11.17187"},{"key":"e_1_3_1_18_2","doi-asserted-by":"publisher","DOI":"10.1109\/TNNLS.2023.3274538"},{"key":"e_1_3_1_19_2","volume-title":"International Conference on Learning Representations Workshop","author":"Kurakin Alexey","year":"2017","unstructured":"Alexey Kurakin, Ian J. Goodfellow, and Samy Bengio. 2017. Adversarial examples in the physical world. In International Conference on Learning Representations Workshop."},{"key":"e_1_3_1_20_2","volume-title":"International Conference on Learning Representations","author":"Madry Aleksander","year":"2018","unstructured":"Aleksander Madry, Aleksandar Makelov, Ludwig Schmidt, Dimitris Tsipras, and Adrian Vladu. 2018. Towards deep learning models resistant to adversarial attacks. In International Conference on Learning Representations."},{"key":"e_1_3_1_21_2","first-page":"3","article-title":"Adversarial examples are not easily detected: Bypassing ten detection methods","author":"Carlini Nicholas","year":"2017","unstructured":"Nicholas Carlini and David Wagner. 2017. Adversarial examples are not easily detected: Bypassing ten detection methods. In ACM Workshop on Artificial Intelligence and Security, 3\u201314.","journal-title":"ACM Workshop on Artificial Intelligence and Security"},{"key":"e_1_3_1_22_2","doi-asserted-by":"publisher","DOI":"10.1007\/s10489-023-04532-5"},{"key":"e_1_3_1_23_2","volume-title":"International Conference on Learning Representations","author":"Hendrycks Dan","year":"2017","unstructured":"Dan Hendrycks and Kevin Gimpel. 2017. A baseline for detecting misclassified and out-of-distribution examples in neural networks. In International Conference on Learning Representations."},{"key":"e_1_3_1_24_2","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134057"},{"key":"e_1_3_1_25_2","volume-title":"International Conference on Learning Representations","author":"Song Yang","year":"2018","unstructured":"Yang Song, Taesup Kim, Sebastian Nowozin, Stefano Ermon, and Nate Kushman. 2018. Pixeldefend: Leveraging generative models to understand and defend against adversarial examples. In International Conference on Learning Representations."},{"key":"e_1_3_1_26_2","volume-title":"International Conference on Learning Representations","author":"Aigrain Jonathan","year":"2019","unstructured":"Jonathan Aigrain and Marcin Detyniecki. 2019. Detecting adversarial examples and other misclassifications in neural networks by introspection. In International Conference on Learning Representations."},{"key":"e_1_3_1_27_2","first-page":"198","article-title":"DLA: Dense-layer-analysis for adversarial example detection","author":"Sperl Philip","year":"2019","unstructured":"Philip Sperl, Ching-Yu Kao, Peng Chen, and Konstantin B\u00f6ttinger. 2019. DLA: Dense-layer-analysis for adversarial example detection. In IEEE European Symposium on Security and Privacy, 198\u2013215.","journal-title":"IEEE European Symposium on Security and Privacy"},{"key":"e_1_3_1_28_2","doi-asserted-by":"publisher","DOI":"10.1145\/3433210.3437529"},{"key":"e_1_3_1_29_2","unstructured":"Kathrin Grosse Praveen Manoharan Nicolas Papernot Michael Backes and Patrick McDaniel. 2017. On the (statistical) detection of adversarial examples. arXiv:1702.06280. Retrieved from http:\/\/arxiv.org\/abs\/1702.06280"},{"key":"e_1_3_1_30_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV.2017.615"},{"key":"e_1_3_1_31_2","unstructured":"Reuben Feinman Ryan R. Curtin Saurabh Shintre and Andrew B. Gardner. 2017. Detecting adversarial samples from artifacts. arXiv:1703.00410. Retrieved from http:\/\/arxiv.org\/abs\/1703.00410"},{"key":"e_1_3_1_32_2","doi-asserted-by":"publisher","DOI":"10.1145\/3241055"},{"key":"e_1_3_1_33_2","doi-asserted-by":"publisher","DOI":"10.1145\/2457450.2457456"},{"key":"e_1_3_1_34_2","first-page":"17","volume-title":"International Conference on Machine Learning","volume":"27","author":"Bengio Yoshua","year":"2012","unstructured":"Yoshua Bengio. 2012. Deep learning of representations for unsupervised and transfer learning. In International Conference on Machine Learning, Vol. 27, 17\u201336."},{"key":"e_1_3_1_35_2","doi-asserted-by":"publisher","DOI":"10.1109\/TNNLS.2020.2973293"},{"key":"e_1_3_1_36_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2019.00970"},{"key":"e_1_3_1_37_2","doi-asserted-by":"publisher","DOI":"10.1109\/TPAMI.2018.2814042"},{"key":"e_1_3_1_38_2","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v34i04.5757"},{"key":"e_1_3_1_39_2","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v33i01.33015989"},{"key":"e_1_3_1_40_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV.2019.00149"},{"key":"e_1_3_1_41_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2018.00417"},{"key":"e_1_3_1_42_2","first-page":"10214","volume-title":"International Conference on Machine Learning","author":"Wen Junfeng","year":"2020","unstructured":"Junfeng Wen, Russell Greiner, and Dale Schuurmans. 2020. Domain aggregation networks for multi-source domain adaptation. In International Conference on Machine Learning, 10214\u201310224."},{"key":"e_1_3_1_43_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV48922.2021.00908"},{"key":"e_1_3_1_44_2","first-page":"6799","article-title":"Extracting relationships by multi-domain matching","author":"Li Yitong","year":"2018","unstructured":"Yitong Li, Michael Murias, Geraldine Dawson, and David E. Carlson. 2018. Extracting relationships by multi-domain matching. In Advances in Neural Information Processing Systems, 6799\u20136810.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"e_1_3_1_45_2","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v34i07.6997"},{"key":"e_1_3_1_46_2","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v33i01.33015613"},{"key":"e_1_3_1_47_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-58598-3_43"},{"key":"e_1_3_1_48_2","first-page":"18661","article-title":"Supervised contrastive learning","author":"Wang Chen","year":"2020","unstructured":"Chen Wang, Aaron Sarna, Yonglong Tian, Phillip Isola, Aaron Maschinot, Ce Liu, and Dilip Krishnan. 2020. Supervised contrastive learning. In Advances in Neural Information Processing Systems, 18661\u201318673.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"e_1_3_1_49_2","volume-title":"International Conference on Learning Representations","author":"Guo Chuan","year":"2018","unstructured":"Chuan Guo, Mayank Rana, Moustapha Ciss\u00e9, and Laurens van der Maaten. 2018. Countering adversarial images using input transformations. In International Conference on Learning Representations."},{"key":"e_1_3_1_50_2","volume-title":"International Conference on Learning Representations","author":"Xie Cihang","year":"2018","unstructured":"Cihang Xie, Jianyu Wang, Zhishuai Zhang, Zhou Ren, and Alan L. Yuille. 2018. Mitigating adversarial effects through randomization. In International Conference on Learning Representations."},{"key":"e_1_3_1_51_2","first-page":"281","volume-title":"Proceedings of the 5th Berkeley Symposium on Mathematical Statistics and Probability","author":"James MacQueen and","year":"1967","unstructured":"MacQueen and James. 1967. Some methods for classification and analysis of multivariate observations. In Proceedings of the 5th Berkeley Symposium on Mathematical Statistics and Probability, 281\u2013297."},{"key":"e_1_3_1_52_2","first-page":"849","article-title":"On spectral clustering: Analysis and an algorithm","author":"Ng Andrew Y.","year":"2001","unstructured":"Andrew Y. Ng, Michael I. Jordan, and Yair Weiss. 2001. On spectral clustering: Analysis and an algorithm. In Advances in Neural Information Processing Systems, 849\u2013856.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"e_1_3_1_53_2","doi-asserted-by":"publisher","DOI":"10.1109\/TIT.2014.2320500"},{"key":"e_1_3_1_54_2","doi-asserted-by":"publisher","DOI":"10.1007\/s41870-022-01113-6"},{"key":"e_1_3_1_55_2","doi-asserted-by":"publisher","DOI":"10.1214\/aoms\/1177729694"},{"key":"e_1_3_1_56_2","doi-asserted-by":"publisher","DOI":"10.5555\/2188385.2188410"},{"key":"e_1_3_1_57_2","volume-title":"International Conference on Learning Representations","author":"Geirhos Robert","year":"2019","unstructured":"Robert Geirhos, Patricia Rubisch, Claudio Michaelis, Matthias Bethge, Felix A. Wichmann, and Wieland Brendel. 2019. ImageNet-trained CNNs are biased towards texture; Increasing shape Bias improves accuracy and robustness. In International Conference on Learning Representations."},{"key":"e_1_3_1_58_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR42600.2020.00871"},{"key":"e_1_3_1_59_2","first-page":"21480","article-title":"When does contrastive learning preserve adversarial robustness from pretraining to finetuning?","author":"Fan Lijie","year":"2021","unstructured":"Lijie Fan, Sijia Liu, Pin-Yu Chen, Gaoyuan Zhang, and Chuang Gan. 2021. When does contrastive learning preserve adversarial robustness from pretraining to finetuning? In Advances in Neural Information Processing Systems, 21480\u201321492.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"e_1_3_1_60_2","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2012.2190402"},{"key":"e_1_3_1_61_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2018.00116"},{"key":"e_1_3_1_62_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.90"},{"key":"e_1_3_1_63_2","volume-title":"International Conference on Learning Representations","author":"Simonyan Karen","year":"2015","unstructured":"Karen Simonyan and Andrew Zisserman. 2015. Very deep convolutional networks for large-scale image recognition. In International Conference on Learning Representations."},{"key":"e_1_3_1_64_2","volume-title":"Learning Multiple Layers of Features from Tiny Images","author":"Krizhevsky Alex","year":"2009","unstructured":"Alex Krizhevsky and Geoffrey Hinton. 2009. Learning Multiple Layers of Features from Tiny Images. Technical Report. Citeseer."},{"key":"e_1_3_1_65_2","first-page":"1","volume-title":"NIPS Workshop on Deep Learning and Unsupervised Feature Learning","author":"Netzer Yuval","year":"2011","unstructured":"Yuval Netzer, Tao Wang, Adam Coates, Alessandro Bissacco, Bo Wu, and Andrew Y. Ng. 2011. Reading digits in natural images with unsupervised feature learning. In NIPS Workshop on Deep Learning and Unsupervised Feature Learning, 1\u20139."},{"key":"e_1_3_1_66_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2009.5206848"},{"key":"e_1_3_1_67_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.282"},{"key":"e_1_3_1_68_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2018.00957"},{"key":"e_1_3_1_69_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2019.00284"},{"key":"e_1_3_1_70_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV.2019.00483"},{"key":"e_1_3_1_71_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-58517-4_15"},{"key":"e_1_3_1_72_2","volume-title":"International Conference on Learning Representations","author":"Lin Jiadong","year":"2020","unstructured":"Jiadong Lin, Chuanbiao Song, Kun He, Liwei Wang, and John E. Hopcroft. 2020. Nesterov accelerated gradient and scale invariance for adversarial attacks. In International Conference on Learning Representations."},{"key":"e_1_3_1_73_2","first-page":"2206","volume-title":"International Conference on Machine Learning","author":"Croce Francesco","year":"2020","unstructured":"Francesco Croce and Matthias Hein. 2020. Reliable evaluation of adversarial robustness with an ensemble of diverse parameter-free attacks. In International Conference on Machine Learning, 2206\u20132216."},{"key":"e_1_3_1_74_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2019.00444"},{"key":"e_1_3_1_75_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR46437.2021.00196"}],"container-title":["ACM Transactions on Multimedia Computing, Communications, and Applications"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3706061","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3706061","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T01:18:13Z","timestamp":1750295893000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3706061"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,1,9]]},"references-count":74,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2025,2,28]]}},"alternative-id":["10.1145\/3706061"],"URL":"https:\/\/doi.org\/10.1145\/3706061","relation":{},"ISSN":["1551-6857","1551-6865"],"issn-type":[{"value":"1551-6857","type":"print"},{"value":"1551-6865","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,1,9]]},"assertion":[{"value":"2024-06-05","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2024-11-08","order":2,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-01-09","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}