{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,24]],"date-time":"2026-03-24T12:15:17Z","timestamp":1774354517570,"version":"3.50.1"},"reference-count":51,"publisher":"Association for Computing Machinery (ACM)","issue":"2","license":[{"start":{"date-parts":[[2026,3,24]],"date-time":"2026-03-24T00:00:00Z","timestamp":1774310400000},"content-version":"vor","delay-in-days":0,"URL":"http:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"National Science Foundation","award":["2429835, 2422241, and 2040209"],"award-info":[{"award-number":["2429835, 2422241, and 2040209"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Priv. Secur."],"published-print":{"date-parts":[[2026,5,31]]},"abstract":"<jats:p>Machine learning (ML) suffers from a persistent and critical flaw: adversarial examples. Many new forms of adversarial example attacks have been invented and many narrow defenses have been proposed. Unfortunately, no defensive approach can withstand current attacks. We hypothesize that ML model robustness can be improved with approaches that delineate the data-point-sparse latent space between data-dense regions of a model\u2019s classification space as a barrier class. We introduce one such defense, PadNet, that builds a barrier class using a combination of training samples that mix multiple classes together. It leverages this barrier class to separate decision boundaries between benign classes with regions of padding. PadNet then implements a gradient regularization strategy that penalizes gradients in the direction of the barrier class, causing the decision boundary to draw tighter around training samples increasing boundary thickness between classes. We evaluate PadNet against a sampling of the most effective state-of-the-art attacks, demonstrating that it offers significant robustness and reliability compared to current defenses. We also test it against adaptive attacks and find that PadNet remains robust against them.<\/jats:p>","DOI":"10.1145\/3799889","type":"journal-article","created":{"date-parts":[[2026,3,24]],"date-time":"2026-03-24T10:51:27Z","timestamp":1774349487000},"page":"1-26","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":0,"title":["PadNet: Defending Neural Networks Against Adversarial Examples"],"prefix":"10.1145","volume":"29","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-8227-3621","authenticated-orcid":false,"given":"Armon","family":"Barton","sequence":"first","affiliation":[{"name":"Computer Science, Naval Postgraduate School","place":["Monterey, United States"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8489-6347","authenticated-orcid":false,"given":"Matthew","family":"Wright","sequence":"additional","affiliation":[{"name":"Computer Science, Rochester Institute of Technology","place":["Rochester, United States"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5791-2794","authenticated-orcid":false,"given":"Shaikh Akib","family":"Shahriyar","sequence":"additional","affiliation":[{"name":"Computer Science, Rochester Institute of Technology","place":["Rochester, United States"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6626-2458","authenticated-orcid":false,"given":"Edgar","family":"Jatho","sequence":"additional","affiliation":[{"name":"Computer Science, US Naval Academy","place":["Annapolis, United States"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6673-171X","authenticated-orcid":false,"given":"Mohammad Saidur","family":"Rahman","sequence":"additional","affiliation":[{"name":"Computer Science, Rochester Institute of Technology","place":["Rochester, United States"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0008-0185-3220","authenticated-orcid":false,"given":"Kantha Girish","family":"Gangadhara","sequence":"additional","affiliation":[{"name":"Computer Science, Rochester Institute of Technology","place":["Rochester, United States"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-9682-0502","authenticated-orcid":false,"given":"Jiang","family":"Ming","sequence":"additional","affiliation":[{"name":"Tulane University","place":["New Orleans, United States"]}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2026,3,24]]},"reference":[{"key":"e_1_3_2_2_2","doi-asserted-by":"publisher","DOI":"10.1007\/s10462-021-10125-w"},{"key":"e_1_3_2_3_2","unstructured":"Anish Athalye Nicholas Carlini and David Wagner. 2018. Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. arXiv:1802.00420. Retrieved from https:\/\/arxiv.org\/abs\/1802.00420"},{"key":"e_1_3_2_4_2","article-title":"Adversarial training with synthesized data: A path to robust and generalizable neural networks","author":"Bayat Reza","year":"2024","unstructured":"Reza Bayat and Irina Rish. 2024. Adversarial training with synthesized data: A path to robust and generalizable neural networks. OpenReview (ICML 2024 Workshop \u2013 Next Gen AI Safety) (2024). Retrieved from https:\/\/openreview.net\/pdf?id=H6V1NW7bGS","journal-title":"OpenReview (ICML 2024 Workshop \u2013 Next Gen AI Safety)"},{"key":"e_1_3_2_5_2","unstructured":"Wieland Brendel Jonas Rauber and Matthias Bethge. 2017. Decision-based adversarial attacks: Reliable attacks against black-box machine learning models. arXiv:1712.04248. Retrieved from https:\/\/arxiv.org\/abs\/1712.04248"},{"key":"e_1_3_2_6_2","unstructured":"Xiaoyu Cao and Neil Zhenqiang Gong. 2017. Mitigating evasion attacks to deep neural networks via region-based classification. arXiv:1709.05583. Retrieved from https:\/\/arxiv.org\/abs\/1709.05583"},{"key":"e_1_3_2_7_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.49"},{"key":"e_1_3_2_8_2","unstructured":"Anirban Chakraborty Manaar Alam Vishal Dey Anupam Chattopadhyay and Debdeep Mukhopadhyay. 2018. Adversarial attacks and defences: A survey. arxiv:1810.00069 [cs.LG]. Retrieved from https:\/\/arxiv.org\/abs\/1810.00069"},{"key":"e_1_3_2_9_2","unstructured":"Terrance DeVries and Graham W. Taylor. 2017. Improved regularization of convolutional neural networks with cutout. arXiv:1708.04552. Retrieved from https:\/\/arxiv.org\/abs\/1708.04552"},{"key":"e_1_3_2_10_2","doi-asserted-by":"crossref","unstructured":"Junhao Dong Seyed-Mohsen Moosavi-Dezfooli Jianhuang Lai and Xiaohua Xie. 2022. The enemy of my enemy is my friend: Exploring inverse adversaries for improving adversarial training. arXiv:2211.00525. Retrieved from https:\/\/arxiv.org\/abs\/2211.00525","DOI":"10.1109\/CVPR52729.2023.02364"},{"key":"e_1_3_2_11_2","unstructured":"Alexey Dosovitskiy Lucas Beyer Alexander Kolesnikov Dirk Weissenborn Xiaohua Zhai Thomas Unterthiner Mostafa Dehghani Matthias Minderer Georg Heigold Sylvain Gelly et\u00a0al. 2020. An image is worth 16x16 words: Transformers for image recognition at scale. arXiv:2010.11929. Retrieved from https:\/\/arxiv.org\/abs\/2010.11929"},{"key":"e_1_3_2_12_2","doi-asserted-by":"publisher","DOI":"10.1109\/72.165600"},{"key":"e_1_3_2_13_2","unstructured":"Pierre Foret Ariel Kleiner Hossein Mobahi and Behnam Neyshabur. 2020. Sharpness-aware minimization for efficiently improving generalization. arXiv:2010.01412. Retrieved from https:\/\/arxiv.org\/abs\/2010.01412"},{"key":"e_1_3_2_14_2","unstructured":"Salah Ghamizi Jingfeng Zhang Maxime Cordy Mike Papadakis Masashi Sugiyama and Yves Le Traon. 2023. GAT: Guided adversarial training with Pareto-optimal auxiliary tasks. arXiv:2302.02907. Retrieved from https:\/\/arxiv.org\/abs\/2302.02907"},{"key":"e_1_3_2_15_2","volume-title":"Proceedings of the International Conference on Learning Representations (ICLR\u201915)","author":"Goodfellow Ian","year":"2015","unstructured":"Ian Goodfellow, Jonathon Shlens, and Christian Szegedy. 2015. Explaining and harnessing adversarial examples. In Proceedings of the International Conference on Learning Representations (ICLR\u201915)."},{"key":"e_1_3_2_16_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR42600.2020.00129"},{"key":"e_1_3_2_17_2","unstructured":"Sven Gowal Chongli Qin Jonathan Uesato Timothy Mann and Pushmeet Kohli. 2020. Uncovering the limits of adversarial training against norm-bounded adversarial examples. arXiv:2010.03593. Retrieved from https:\/\/arxiv.org\/abs\/2010.03593"},{"key":"e_1_3_2_18_2","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v33i01.33013714"},{"key":"e_1_3_2_19_2","unstructured":"Harini Kannan Alexey Kurakin and Ian Goodfellow. 2018. Adversarial logit pairing. arXiv:1803.06373. Retrieved from https:\/\/arxiv.org\/abs\/1803.06373"},{"key":"e_1_3_2_20_2","doi-asserted-by":"publisher","DOI":"10.1109\/IJCNN48605.2020.9206959"},{"key":"e_1_3_2_21_2","doi-asserted-by":"publisher","DOI":"10.5555\/3698900.3699104"},{"key":"e_1_3_2_22_2","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2019.23415"},{"key":"e_1_3_2_23_2","unstructured":"Xingjun Ma Bo Li Yisen Wang Sarah M. Erfani Sudanthi Wijewickrema Grant Schoenebeck Dawn Song Michael E. Houle and James Bailey. 2018. Characterizing adversarial subspaces using local intrinsic dimensionality. arXiv:1801.02613. Retrieved from https:\/\/arxiv.org\/abs\/1801.02613"},{"key":"e_1_3_2_24_2","unstructured":"Aleksander Madry Aleksandar Makelov Ludwig Schmidt Dimitris Tsipras and Adrian Vladu. 2017. Towards deep learning models resistant to adversarial attacks. arXiv:1706.06083. Retrieved from https:\/\/arxiv.org\/abs\/1706.06083"},{"key":"e_1_3_2_25_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR46437.2021.01029"},{"key":"e_1_3_2_26_2","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134057"},{"key":"e_1_3_2_27_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.282"},{"key":"e_1_3_2_28_2","unstructured":"Maria-Irina Nicolae Mathieu Sinn Minh Ngoc Tran Beat Buesser Ambrish Rawat Martin Wistuba Valentina Zantedeschi Nathalie Baracaldo Bryant Chen Heiko Ludwig et\u00a0al. 2018. Adversarial robustness toolbox v1. 0.0. arXiv:1807.01069. Retrieved from https:\/\/arxiv.org\/abs\/1807.01069"},{"key":"e_1_3_2_29_2","unstructured":"Tianyu Pang Kun Xu and Jun Zhu. 2019. Mixup inference: Better exploiting mixup to defend adversarial attacks. arXiv:1909.11515. Retrieved from https:\/\/arxiv.org\/abs\/1909.11515"},{"key":"e_1_3_2_30_2","unstructured":"Nicolas Papernot Patrick McDaniel Arunesh Sinha and Michael Wellman. 2016. Towards the science of security and privacy in machine learning. arXiv:1611.03814. Retrieved from https:\/\/arxiv.org\/abs\/1611.03814"},{"key":"e_1_3_2_31_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2016.41"},{"key":"e_1_3_2_32_2","doi-asserted-by":"publisher","DOI":"10.1109\/WACV57701.2024.00394"},{"key":"e_1_3_2_33_2","doi-asserted-by":"publisher","DOI":"10.1145\/3689932.3694765"},{"key":"e_1_3_2_34_2","unstructured":"Jie Qin Jiemin Fang Qian Zhang Wenyu Liu Xingang Wang and Xinggang Wang. 2020. Resizemix: Mixing data with preserved object information and true labels. arXiv:2012.11101. Retrieved from https:\/\/arxiv.org\/abs\/2012.11101"},{"key":"e_1_3_2_35_2","unstructured":"Han Qiu Yi Zeng Tianwei Zhang Yong Jiang and Meikang Qiu. 2020. Fencebox: A platform for defeating adversarial examples with data augmentation techniques. arXiv:2012.01701. Retrieved from https:\/\/arxiv.org\/abs\/2012.01701"},{"key":"e_1_3_2_36_2","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v32i1.11504"},{"key":"e_1_3_2_37_2","volume-title":"Proceedings of the International Conference on Learning Representations","author":"Shafahi Ali","year":"2019","unstructured":"Ali Shafahi, W. Ronny Huang, Christoph Studer, Soheil Feizi, and Tom Goldstein. 2019. Are adversarial examples inevitable?. In Proceedings of the International Conference on Learning Representations. Retrieved from https:\/\/openreview.net\/forum?id=r1lWUoA9FQ"},{"key":"e_1_3_2_38_2","unstructured":"Christian Szegedy Wojciech Zaremba Ilya Sutskever Joan Bruna Dumitru Erhan Ian Goodfellow and Rob Fergus. 2013. Intriguing properties of neural networks. arXiv:1312.6199. Retrieved from https:\/\/arxiv.org\/abs\/1312.6199"},{"key":"e_1_3_2_39_2","volume-title":"Proceedings of the International Conference on Learning Representations (ICLR\u201913)","author":"Szegedy Christian","year":"2013","unstructured":"Christian Szegedy, Wojciech Zaremba, Ilya Sutskever, Joan Bruna, Dumitru Erhan, Ian Goodfellow, and Rob Fergus. 2013. Intriguing properties of neural networks. In Proceedings of the International Conference on Learning Representations (ICLR\u201913)."},{"key":"e_1_3_2_40_2","unstructured":"Rohan Taori Achal Dave Vaishaal Shankar Nicholas Carlini Benjamin Recht and Ludwig Schmidt. 2020. Measuring robustness to natural distribution shifts in image classification. arXiv:2007.00644. Retrieved from https:\/\/arxiv.org\/abs\/2007.00644"},{"key":"e_1_3_2_41_2","article-title":"Adversarial training and robustness for multiple perturbations","volume":"32","author":"Tramer Florian","year":"2019","unstructured":"Florian Tramer and Dan Boneh. 2019. Adversarial training and robustness for multiple perturbations. Advances in Neural Information Processing Systems 32 (2019).","journal-title":"Advances in Neural Information Processing Systems"},{"key":"e_1_3_2_42_2","unstructured":"Florian Tram\u00e8r Nicholas Carlini Wieland Brendel and Aleksander Madry. 2020. On adaptive attacks to adversarial example defenses. arXiv:2002.08347. Retrieved from https:\/\/arxiv.org\/abs\/2002.08347"},{"key":"e_1_3_2_43_2","volume-title":"Proceedings of the International Conference on Learning Representations (ICLR\u201918)","author":"Tram\u00e8r Florian","year":"2018","unstructured":"Florian Tram\u00e8r, Alexey Kurakin, Nicolas Papernot, Ian Goodfellow, Dan Boneh, and Patrick McDaniel. 2018. Ensemble adversarial training: Attacks and defenses. In Proceedings of the International Conference on Learning Representations (ICLR\u201918)."},{"key":"e_1_3_2_44_2","volume-title":"Proceedings of the International Conference on Learning Representations","author":"Uddin A. .F M. Shahab","year":"2021","unstructured":"A. .F M. Shahab Uddin, Mst. Sirazam Monira, Wheemyung Shin, TaeChoong Chung, and Sung-Ho Bae. 2021. SaliencyMix: A saliency guided data augmentation strategy for better regularization. In Proceedings of the International Conference on Learning Representations. Retrieved from https:\/\/openreview.net\/forum?id=-M0QkvBGTTq"},{"issue":"11","key":"e_1_3_2_45_2","article-title":"Visualizing data using t-SNE.","volume":"9","author":"Maaten Laurens Van der","year":"2008","unstructured":"Laurens Van der Maaten and Geoffrey Hinton. 2008. Visualizing data using t-SNE. Journal of Machine Learning Research 9, 11 (2008).","journal-title":"Journal of Machine Learning Research"},{"key":"e_1_3_2_46_2","volume-title":"Proceedings of the 12th International Conference on Learning Representations (ICLR)","author":"Vo Viet Quoc","year":"2024","unstructured":"Viet Quoc Vo, Ehsan Abbasnejad, and Damith C. Ranasinghe. 2024. BruSLeAttack: A query-efficient score-based black-box sparse adversarial attack. In Proceedings of the 12th International Conference on Learning Representations (ICLR). Retrieved from https:\/\/arxiv.org\/abs\/2404.05311"},{"key":"e_1_3_2_47_2","doi-asserted-by":"publisher","DOI":"10.5555\/3618408.3619915"},{"key":"e_1_3_2_48_2","first-page":"6223","article-title":"Boundary thickness and robustness in learning models","volume":"33","author":"Yang Yaoqing","year":"2020","unstructured":"Yaoqing Yang, Rajiv Khanna, Yaodong Yu, Amir Gholami, Kurt Keutzer, Joseph E. Gonzalez, Kannan Ramchandran, and Michael W. Mahoney. 2020. Boundary thickness and robustness in learning models. Advances in Neural Information Processing Systems 33 (2020), 6223\u20136234.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"e_1_3_2_49_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV.2019.00612"},{"key":"e_1_3_2_50_2","unstructured":"Sergey Zagoruyko and Nikos Komodakis. 2016. Wide residual networks. arXiv:1605.07146. Retrieved from https:\/\/arxiv.org\/abs\/1605.07146"},{"key":"e_1_3_2_51_2","unstructured":"Hongyi Zhang Moustapha Cisse Yann N. Dauphin and David Lopez-Paz. 2017. mixup: Beyond empirical risk minimization. arXiv:1710.09412. Retrieved from https:\/\/arxiv.org\/abs\/1710.09412"},{"key":"e_1_3_2_52_2","first-page":"7472","volume-title":"Proceedings of the International Conference on Machine Learning","author":"Zhang Hongyang","year":"2019","unstructured":"Hongyang Zhang, Yaodong Yu, Jiantao Jiao, Eric Xing, Laurent El Ghaoui, and Michael Jordan. 2019. Theoretically principled trade-off between robustness and accuracy. In Proceedings of the International Conference on Machine Learning. PMLR, 7472\u20137482."}],"container-title":["ACM Transactions on Privacy and Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3799889","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3799889","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,3,24]],"date-time":"2026-03-24T10:51:45Z","timestamp":1774349505000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3799889"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,3,24]]},"references-count":51,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2026,5,31]]}},"alternative-id":["10.1145\/3799889"],"URL":"https:\/\/doi.org\/10.1145\/3799889","relation":{},"ISSN":["2471-2566","2471-2574"],"issn-type":[{"value":"2471-2566","type":"print"},{"value":"2471-2574","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,3,24]]},"assertion":[{"value":"2025-02-12","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-11-05","order":2,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2026-03-24","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}