pith. sign in

arxiv: 2605.31219 · v2 · pith:GHNV562Tnew · submitted 2026-05-29 · 💻 cs.CV · cs.CR· cs.LG

Latent Geometric Chords for Query-Efficient Decision-Based Adversarial Attacks

Ei Hmue Khine , Yao Li , Jiebao Sun , Shengzhu Shi , Zhichang Guo , Boying Wu This is my paper

Pith reviewed 2026-06-28 23:06 UTC · model grok-4.3

classification 💻 cs.CV cs.CRcs.LG
keywords adversarial attacksdecision-based attacksblack-boxlatent spacegeometric chordsimage fidelityquery efficiency
0
0 comments X

The pith

Latent Geometric Chords enable high-fidelity decision-based adversarial attacks by searching in semantic manifolds and overlaying perturbations directly.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper introduces Latent Geometric Chords (LGC) to address shortcomings in decision-based black-box attacks on images. Pixel-level methods create visible artifacts while existing latent methods struggle with small search spaces and poor reconstructions. LGC performs a curvature-aware search in a compressed semantic space and uses a residual mechanism to add the resulting geometric chords straight onto the original image. This approach aims to produce perturbations that are both effective against defended models and nearly invisible, with high similarity scores after limited queries.

Core claim

LGC navigates decision boundaries by executing a curvature-aware geometric search within a compressed semantic manifold. The Residual-based Adversarial Generation (RAG) mechanism isolates semantic perturbations as geometric chords and superimposes them directly onto the original source image, resolving reconstruction flaws and expanding the search space to achieve better visual fidelity and attack success.

What carries the argument

The Residual-based Adversarial Generation (RAG) mechanism, which isolates semantic perturbations as geometric chords in a latent manifold and adds them directly to the source image to bypass reconstruction issues.

If this is right

  • LGC achieves SSIM exceeding 0.99 and LPIPS below 0.01 at 5000 queries while maintaining high attack success rates.
  • The method shows robust cross-dataset transferability and outperforms prior state-of-the-art baselines.
  • It successfully compromises adversarially trained robust models under stringent perceptual constraints.
  • LGC-H variant provides an additional option for query-efficient attacks.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • If the direct superposition works as described, it suggests that semantic information can be transferred without full image reconstruction in the latent space.
  • This could extend to testing whether similar geometric chord approaches improve efficiency in other black-box attack settings like audio classification.
  • Further work might examine if the curvature-aware search reduces the number of queries needed compared to linear searches in the same manifold.

Load-bearing premise

The premise that a curvature-aware geometric search in the compressed manifold combined with direct chord superposition on the source image avoids the limited search space and reconstruction flaws of previous latent-space methods.

What would settle it

An evaluation on standard image datasets showing that LGC perturbations result in SSIM below 0.99 or LPIPS above 0.01 at 5000 queries, or fail to achieve high success rates against adversarially trained models.

Figures

Figures reproduced from arXiv: 2605.31219 by Boying Wu, Ei Hmue Khine, Jiebao Sun, Shengzhu Shi, Yao Li, Zhichang Guo.

Figure 1
Figure 1. Figure 1: The proposed LGC architecture. The source image [PITH_FULL_IMAGE:figures/full_fig_p003_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: ASR versus queries and SSIM thresholds across various classifiers on ImageNet and Places365. 0 50 100 ImageNet-ResNet50 ASR (%) Non-targeted (Queries) Targeted (Queries) Non-targeted (Threshold) Targeted (Threshold) 0 50 100 ImageNet-VGG16 ASR (%) 0 50 100 ImageNet-DenseNet121 ASR (%) 0 50 100 ImageNet-ViT ASR (%) 0 50 100 Places365-ResNet50 ASR (%) 0 5000 10000 Number of Queries 0 50 100 Places365-DenseNe… view at source ↗
Figure 5
Figure 5. Figure 5: Adversarial examples against ResNet-50 on Places365. bone, we compared VGG16 against ResNet-50 on ImageNet using a ViT classifier. Tables VII and VI show that VGG16 consistently outperforms ResNet-50, maximizing structural preservation while minimizing the perturbation magnitude [PITH_FULL_IMAGE:figures/full_fig_p011_5.png] view at source ↗
Figure 9
Figure 9. Figure 9: ASR results against ViT varying autoencoder on ImageNet. 0.90, LPIPS ≤ 0.3). This advantage is rooted in VGG16’s strictly sequential architecture, which creates a feature space strongly aligned with human visual perception [27]. As a result, geometric operations within its latent space—such as LGC’s semicircular trajectories—translate predictably into visually coherent semantic shifts. This predictable map… view at source ↗
Figure 6
Figure 6. Figure 6: Adversarial examples generated by the LGC and LGC-H methods against ResNet-18 on the CelebAMask-HQ dataset. Original Source Image Target Reference Image Adversarial Image (Ablation LGC_H) Adversarial Image (Ablation LGC) Adversarial Image (LGC_H) Adversarial Image (LGC) [PITH_FULL_IMAGE:figures/full_fig_p012_6.png] view at source ↗
Figure 7
Figure 7. Figure 7: Ablation study comparing visual quality with and without Residual [PITH_FULL_IMAGE:figures/full_fig_p012_7.png] view at source ↗
Figure 8
Figure 8. Figure 8: ASR results against Adversarially-trained ViT on ImageNet. targeted: SSIM ≥ 0.99, LPIPS ≤ 0.05; targeted: SSIM ≥ 0 5000 10000 Number of Queries 0 50 100 Autoencoder ImageNet-ViT ASR (%) Non-targeted (Varying Queries) 0 5000 10000 Number of Queries Targeted (Varying Queries) 0.8 0.9 1.0 SSIM Threshold Non-targeted (Varying Threshold) 0.70 0.85 1.00 SSIM Threshold Targeted (Varying Threshold) LGC (VGG16 AE) … view at source ↗
read the original abstract

While decision-based black-box adversarial attacks present a severe security threat, current methodologies suffer from fundamental limitations. Pixel-wise attacks frequently introduce unnatural, high-frequency visual artifacts, while latent-space frameworks are confined by the limited search space of low-dimensional manifolds and inherent reconstruction flaws. To resolve these limitations, we propose Latent Geometric Chords (LGC) for Query-Efficient Decision-Based Adversarial Attacks alongside a variant, LGC-H. At its core, LGC navigates decision boundaries by executing a curvature-aware geometric search within a compressed semantic manifold. To guarantee high visual fidelity and circumvent dimensionality bottlenecks, we introduce a Residual-based Adversarial Generation (RAG) mechanism. RAG isolates semantic perturbations as geometric chords and superimposes them directly onto the original source image. RAG substantially resolves baseline reconstruction flaws and effectively doubles the permissible search space dimensions. Experimental results demonstrate that LGC achieves robust cross-dataset transferability and substantially outperforms state-of-the-art baselines. Notably, our method, LGC, minimizes perturbation magnitudes while achieving state-of-the-art visual fidelity--with a Structural Similarity Index Measure (SSIM) exceeding 0.99 and a Learned Perceptual Image Patch Similarity (LPIPS) below 0.01 at 5000 queries--and sustaining high attack success rates under stringent perceptual constraints, successfully compromising adversarially trained robust models. The source code is available at: https://github.com/eihmuekhine/Latent-Geometric-Chords.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The manuscript proposes Latent Geometric Chords (LGC) and its variant LGC-H for query-efficient decision-based black-box adversarial attacks. It performs curvature-aware geometric search inside a compressed semantic manifold and introduces a Residual-based Adversarial Generation (RAG) mechanism that extracts semantic perturbations as geometric chords and directly superimposes them onto the source image, thereby expanding the search space and avoiding reconstruction artifacts of prior latent-space methods. The central empirical claims are robust cross-dataset transferability, substantial outperformance of state-of-the-art baselines, SSIM exceeding 0.99, LPIPS below 0.01 at 5000 queries, and high attack success rates against adversarially trained models, with source code released.

Significance. If the reported performance numbers and transferability results hold under proper experimental controls, the work would constitute a meaningful incremental advance in query-efficient decision-based attacks by combining latent-space geometry with direct residual superposition, potentially improving the perceptual quality versus query budget trade-off. The public code release is a clear strength that enables direct verification.

major comments (2)
  1. [Abstract, §4] Abstract and §4 (Experiments): the manuscript states concrete performance figures (SSIM > 0.99, LPIPS < 0.01 at 5000 queries) and superiority over baselines together with success on robust models, yet supplies no description of datasets, attack budgets, baseline implementations, number of trials, variance estimates, or statistical tests. These omissions render the central empirical claims unevaluable from the text.
  2. [§3.2] §3.2 (RAG mechanism): the claim that RAG “effectively doubles the permissible search space dimensions” and resolves reconstruction flaws is presented without a quantitative derivation, ablation isolating the doubling effect, or direct comparison of reconstruction error against the cited latent-space baselines; this is load-bearing for the stated advantage over prior work.
minor comments (2)
  1. [§3] Notation for the curvature-aware search and chord extraction is introduced without an explicit algorithmic listing or pseudocode, making the geometric construction difficult to follow.
  2. [Abstract, §4] The abstract asserts “robust cross-dataset transferability” but the manuscript does not define the transfer protocol (source/target dataset pairs, query limits on target) or report per-dataset metrics.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the detailed and constructive report. We address each major comment point by point below. Where the manuscript is missing required details, we will revise accordingly to improve clarity and reproducibility.

read point-by-point responses

  1. Referee: [Abstract, §4] Abstract and §4 (Experiments): the manuscript states concrete performance figures (SSIM > 0.99, LPIPS < 0.01 at 5000 queries) and superiority over baselines together with success on robust models, yet supplies no description of datasets, attack budgets, baseline implementations, number of trials, variance estimates, or statistical tests. These omissions render the central empirical claims unevaluable from the text.

    Authors: We agree that the current manuscript lacks sufficient experimental details to allow full evaluation of the reported metrics. In the revised version we will expand both the abstract and §4 with explicit descriptions of the datasets (ImageNet, CIFAR-10, etc.), query budgets, baseline implementations (including code references), number of trials, standard deviations across runs, and any statistical tests used. This will make the central claims directly verifiable. revision: yes

  2. Referee: [§3.2] §3.2 (RAG mechanism): the claim that RAG “effectively doubles the permissible search space dimensions” and resolves reconstruction flaws is presented without a quantitative derivation, ablation isolating the doubling effect, or direct comparison of reconstruction error against the cited latent-space baselines; this is load-bearing for the stated advantage over prior work.

    Authors: The doubling claim arises because RAG superimposes latent-derived chords directly onto the full-dimensional source image, combining latent geometry with pixel-space residuals. We acknowledge that the current text provides neither a formal derivation nor supporting ablations or reconstruction-error comparisons. In the revision we will add a quantitative derivation, an ablation isolating the RAG contribution, and direct reconstruction-error metrics (e.g., MSE/PSNR) versus the cited latent-space baselines in §3.2 and the experiments section. revision: yes

Circularity Check

0 steps flagged

No significant circularity

full rationale

The paper proposes an empirical adversarial attack method (LGC with RAG) whose central claims rest on experimental metrics (SSIM > 0.99, LPIPS < 0.01, attack success rates) and code release rather than any derivation chain. No equations, fitted parameters renamed as predictions, self-definitional constructs, or load-bearing self-citations appear in the abstract or described mechanism. The approach is self-contained and falsifiable externally, with no reduction of outputs to inputs by construction.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

Only the abstract is available; no free parameters, axioms, or invented entities are specified.

pith-pipeline@v0.9.1-grok · 5812 in / 1107 out tokens · 27650 ms · 2026-06-28T23:06:07.204423+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

45 extracted references · 20 canonical work pages · 4 internal anchors

  1. [1]

    Intriguing properties of neural networks,

    C. Szegedy, W. Zaremba, I. Sutskever, J. Bruna, D. Erhan, I. Goodfellow, and R. Fergus, “Intriguing properties of neural networks,” in2nd International Conference on Learning Representations (ICLR), Banff, AB, Canada, 2014

    2014

  2. [2]

    Explaining and harnessing adversarial examples,

    I. J. Goodfellow, J. Shlens, and C. Szegedy, “Explaining and harnessing adversarial examples,” in3rd International Conference on Learning Representations (ICLR), San Diego, CA, USA, 2015

    2015

  3. [3]

    Towards Evaluating the Robustness of Neural Networks

    N. Carlini and D. Wagner, “Towards Evaluating the Robustness of Neural Networks,” in2017 IEEE Symposium on Security and Privacy (SP), 2017, pp. 39–57, doi: 10.1109/SP.2017.49

    work page doi:10.1109/sp.2017.49 2017

  4. [4]

    Prior Convictions: Black-Box Adversarial Attacks with Bandits and Priors,

    A. Ilyas, L. Engstrom, and A. Madry, “Prior Convictions: Black-Box Adversarial Attacks with Bandits and Priors,” inProceedings of the 7th International Conference on Learning Representations (ICLR), New Orleans, LA, USA, 2019

    2019

  5. [5]

    Transferability in Machine Learning: from Phenomena to Black-Box Attacks using Adversarial Samples

    N. Papernot, P. McDaniel, and I. J. Goodfellow, “Transferability in Machine Learning: from Phenomena to Black-Box Attacks using Ad- versarial Samples,”arXiv preprint arXiv:1605.07277, 2016

    work page internal anchor Pith review Pith/arXiv arXiv 2016

  6. [6]

    Learning the PE Header, Malware Detection with Minimal Domain Knowledge,

    P.-Y . Chen, H. Zhang, Y . Sharma, J. Yi, and C.-J. Hsieh, “ZOO: Zeroth Order Optimization Based Black-box Attacks to Deep Neural Networks without Training Substitute Models,” inProceedings of the 10th ACM Workshop on Artificial Intelligence and Security (AISec), Dallas, TX, USA, 2017, pp. 15–26, doi: 10.1145/3128572.3140448

    work page doi:10.1145/3128572.3140448 2017

  7. [7]

    Skip Connections Matter: On the Transferability of Adversarial Examples Generated with ResNets,

    D. Wu, Y . Wang, S.-T. Xia, J. Bailey, and X. Ma, “Skip Connections Matter: On the Transferability of Adversarial Examples Generated with ResNets,” inProceedings of the 8th International Conference on Learning Representations (ICLR), Addis Ababa, Ethiopia, 2020

    2020

  8. [8]

    Decision-Based Adversarial At- tacks: Reliable Attacks Against Black-Box Machine Learning Models,

    W. Brendel, J. Rauber, and M. Bethge, “Decision-Based Adversarial At- tacks: Reliable Attacks Against Black-Box Machine Learning Models,” inInt. Conf. Learn. Represent. (ICLR), 2018

    2018

  9. [9]

    HopSkipJumpAttack: A Query-Efficient Decision-Based Attack,

    J. Chen, M. Jordan, and M. Wainwright, “HopSkipJumpAttack: A Query-Efficient Decision-Based Attack,” in2020 IEEE Sympo- sium on Security and Privacy (SP), 2020, pp. 1277–1294, doi: 10.1109/SP40000.2020.00045

    work page doi:10.1109/sp40000.2020.00045 2020

  10. [10]

    Center -based 3D Object Detection and Tracking,

    T. Maho, T. Furon, and E. Le Merrer, “SurFree: a fast surrogate-free black-box attack,” in2021 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), Nashville, TN, USA, 2021, pp. 10425– 10434, doi: 10.1109/CVPR46437.2021.01029

    work page doi:10.1109/cvpr46437.2021.01029 2021

  11. [11]

    Triangle Attack: A Query-Efficient Decision-Based Adversarial Attack,

    X. Wanget al., “Triangle Attack: A Query-Efficient Decision-Based Adversarial Attack,” inComputer Vision – ECCV 2022,Lecture Notes in Computer Science, vol. 13665, S. Avidan, G. Brostow, M. Ciss ´e, G. M. Farinella, and T. Hassner, Eds. Cham: Springer, 2022, doi: 10.1007/978-3-031-20065-6 10

    work page doi:10.1007/978-3-031-20065-6 2022

  12. [12]

    InProceedings of the SIGGRAPH Asia 2025 Conference Papers (SA Conference Papers ’25)

    M. F. Reza, A. Rahmati, T. Wu, and H. Dai, “CGBA: Curvature- aware Geometric Black-box Attack,” in2023 IEEE/CVF International Conference on Computer Vision (ICCV), Paris, France, 2023, pp. 124– 133, doi: 10.1109/ICCV51070.2023.00018

    work page doi:10.1109/iccv51070.2023.00018 2023

  13. [13]

    arXiv:1910.12933 [cs]

    H. Li, X. Xu, X. Zhang, S. Yang, and B. Li, “QEBA: Query-Efficient Boundary-Based Blackbox Attack,” in2020 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), Seattle, W A, USA, 2020, pp. 1218–1227, doi: 10.1109/CVPR42600.2020.00130

    work page doi:10.1109/cvpr42600.2020.00130 2020

  14. [14]

    Diffusion Models for Imperceptible and Transferable Adversarial Attack,

    J. Chen, H. Chen, K. Chen, Y . Zhang, Z. Zou, and Z. Shi, “Diffusion Models for Imperceptible and Transferable Adversarial Attack,”IEEE Transactions on Pattern Analysis and Machine Intelligence, vol. 47, no. 2, pp. 961–977, Feb. 2025, doi: 10.1109/TPAMI.2024.3480519

    work page doi:10.1109/tpami.2024.3480519 2025

  15. [15]

    InProceedings of the SIGGRAPH Asia 2025 Conference Papers (SA Conference Papers ’25)

    X. Chen, X. Gao, J. Zhao, K. Ye, and C.-Z. Xu, “AdvDiffuser: Nat- ural Adversarial Example Synthesis with Diffusion Models,” in2023 IEEE/CVF International Conference on Computer Vision (ICCV), Paris, France, 2023, pp. 4539–4549, doi: 10.1109/ICCV51070.2023.00421

    work page doi:10.1109/iccv51070.2023.00421 2023

  16. [16]

    Diffusion-based adversarial sample generation for improved stealthiness and controllability,

    H. Xue, A. Araujo, B. Hu, and Y . Chen, “Diffusion-based adversarial sample generation for improved stealthiness and controllability,” in Advances in Neural Information Processing Systems, vol. 36, 2023, pp. 2894–2921

    2023

  17. [17]

    In: 2021 IEEE/CVF International Conference on Computer Vision (ICCV)

    J. Liet al., “Aha! Adaptive History-driven Attack for Decision-based Black-box Models,” in2021 IEEE/CVF International Conference on Computer Vision (ICCV), Montreal, QC, Canada, 2021, pp. 16148– 16157, doi: 10.1109/ICCV48922.2021.01586

    work page doi:10.1109/iccv48922.2021.01586 2021

  18. [18]

    RayS: A ray searching method for hard-label adver- sarial attack,

    J. Chen and Q. Gu, “RayS: A ray searching method for hard-label adver- sarial attack,” inProceedings of the 26th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining, 2020, pp. 1739– 1747

    2020

  19. [19]

    A Geometry-Inspired Decision-Based Attack,

    Y . Liu, S. -M. Moosavi-Dezfooli, and P. Frossard, “A Geometry-Inspired Decision-Based Attack,” inProceedings of the IEEE/CVF International Conference on Computer Vision (ICCV), Seoul, Korea (South), 2019, pp. 4889–4897

    2019

  20. [20]

    GeoDA: A geometric framework for black-box adversarial attacks,

    A. Rahmati, S.-M. Moosavi-Dezfooli, P. Frossard, and H. Dai, “GeoDA: A geometric framework for black-box adversarial attacks,” inProceed- ings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), 2020, pp. 8446–8455

    2020

  21. [21]

    Constructing unrestricted adversarial examples with generative models,

    Y . Song, R. Shu, N. Kushman, and S. Ermon, “Constructing unrestricted adversarial examples with generative models,” inAdvances in Neural Information Processing Systems (NeurIPS), vol. 31, 2018

    2018

  22. [22]

    RobustBench: a standardized adversarial robustness benchmark,

    F. Croce, M. Andriushchenko, V . Sehwag, N. Flammarion, M. Chiang, P. Mittal, and M. Hein, “RobustBench: a standardized adversarial robustness benchmark,” inThirty-fifth Conference on Neural Information Processing Systems (NeurIPS) Datasets and Benchmarks Track, 2021

    2021

  23. [23]

    Sign-OPT: A Query-Efficient Hard-label Adversarial Attack,

    P.-Y . Chen, S. Liu, P. Chen, M. Cheng, C.-J. Hsieh, and S. Singh, “Sign-OPT: A Query-Efficient Hard-label Adversarial Attack,” in8th International Conference on Learning Representations (ICLR), 2020. [Online]. Available: https://hdl.handle.net/1783.1/114686

    2020

  24. [24]

    Feature Space Perturba- tions Yield More Transferable Adversarial Examples,

    N. Inkawhich, W. Wen, H. H. Li, and Y . Chen, “Feature Space Perturba- tions Yield More Transferable Adversarial Examples,” inProceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), 2019, pp. 7066–7074

    2019

  25. [25]

    Adversarial Examples Are Not Bugs, They Are Features,

    A. Ilyas, S. Santurkar, D. Tsipras, L. Engstrom, B. Tran, and A. Madry, “Adversarial Examples Are Not Bugs, They Are Features,” inAdvances in Neural Information Processing Systems, vol. 32, 2019

    2019

  26. [26]

    GAN Inversion: A Survey,

    W. Xia, Y . Zhang, Y . Yang, J.-H. Xue, B. Zhou, and M.-H. Yang, “GAN Inversion: A Survey,”IEEE Transactions on Pattern Analysis and Machine Intelligence, vol. 45, no. 3, pp. 3121–3138, March 2023, doi: 10.1109/TPAMI.2022.3181070

    work page doi:10.1109/tpami.2022.3181070 2023

  27. [27]

    The Unreasonable Effectiveness of Deep Features as a Perceptual Metric,

    R. Zhang, P. Isola, A. A. Efros, E. Shechtman, and O. Wang, “The Unreasonable Effectiveness of Deep Features as a Perceptual Metric,” in2018 IEEE/CVF Conference on Computer Vision and Pattern Recog- nition (CVPR), pp. 586–595, 2018

    2018

  28. [28]

    Unrestricted Black-Box Adversarial Attack Using GAN with Limited Queries,

    D. Na, S. Ji, and J. Kim, “Unrestricted Black-Box Adversarial Attack Using GAN with Limited Queries,” inComputer Vision – ECCV 2022 Workshops, 2022, pp. 467–482

    2022

  29. [29]

    Towards Deep Learning Models Resistant to Adversarial Attacks,

    A. Madry, A. Makelov, L. Schmidt, D. Tsipras, and A. Vladu, “Towards Deep Learning Models Resistant to Adversarial Attacks,” inProceedings of the 6th International Conference on Learning Representations (ICLR), Vancouver, BC, Canada, 2018

    2018

  30. [30]

    Fine-grained synthesis of unrestricted adversarial examples,

    O. Poursaeed, T. Jiang, Y . Goshu, H. Yang, S. Belongie, and S. N. Lim, “Fine-grained synthesis of unrestricted adversarial examples,”arXiv preprint arXiv:1911.09058, 2019

    work page arXiv 1911

  31. [31]

    Adversarial image translation: Unre- stricted adversarial examples in face recognition systems,

    K. Kakizaki and K. Yoshida, “Adversarial image translation: Unre- stricted adversarial examples in face recognition systems,” inProceed- ings of the Workshop on Artificial Intelligence Safety, co-located with 34th AAAI 2020, 2020

    2020

  32. [32]

    Analyzing and Improving the Image Quality of StyleGAN,

    T. Karras, S. Laine, M. Aittala, J. Hellsten, J. Lehtinen, and T. Aila, “Analyzing and Improving the Image Quality of StyleGAN,” in2020 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), pp. 8107–8116, 2020

    2020

  33. [33]

    Imagenet: A large- scale hierarchical image database

    J. Denget al., “ImageNet: A Large-Scale Hierarchical Image Database,” inProceedings of the IEEE Conference on Computer Vision and Pattern Recognition (CVPR), 2009, pp. 248–255, doi: 10.1109/CVPR.2009.5206848

    work page doi:10.1109/cvpr.2009.5206848 2009

  34. [34]

    Places: A 10 Million Image Database for Scene Recognition,

    B. Zhou, A. Lapedriza, A. Khosla, A. Oliva, and A. Torralba, “Places: A 10 Million Image Database for Scene Recognition,”IEEE Transactions on Pattern Analysis and Machine Intelligence, vol. 40, no. 6, pp. 1452– 1464, June 2018, doi: 10.1109/TPAMI.2017.2723009

    work page doi:10.1109/tpami.2017.2723009 2018

  35. [35]

    The Robust Manifold Defense: Adversarial Training using Generative Models

    A. Jalal, A. Ilyas, C. Daskalakis, and A. G. Dimakis, “The Robust Manifold Defense: Adversarial Training using Generative Models,” arXiv preprint arXiv:1712.09196, 2017

    work page internal anchor Pith review Pith/arXiv arXiv 2017

  36. [36]

    Defense-GAN: Protect- ing Classifiers Against Adversarial Attacks Using Generative Models,

    P. Samangouei, M. Kabkab, and R. Chellappa, “Defense-GAN: Protect- ing Classifiers Against Adversarial Attacks Using Generative Models,” in6th International Conference on Learning Representations (ICLR), Vancouver, BC, Canada, 2018

    2018

  37. [37]

    On the Need for Topology-Aware Gener- ative Models for Manifold-Based Defenses,

    U. Jang, S. Jha, and S. Jha, “On the Need for Topology-Aware Gener- ative Models for Manifold-Based Defenses,” in8th International Con- ference on Learning Representations (ICLR), Addis Ababa, Ethiopia, 2020

    2020

  38. [38]

    Towards Principled Methods for Training Generative Adversarial Networks,

    M. Arjovsky and L. Bottou, “Towards Principled Methods for Training Generative Adversarial Networks,” in5th International Conference on Learning Representations (ICLR), Toulon, France, 2017

    2017

  39. [39]

    Falconer,Fractal Geometry: Mathematical Foundations and Appli- cations, 3rd ed

    K. Falconer,Fractal Geometry: Mathematical Foundations and Appli- cations, 3rd ed. John Wiley & Sons, 2014. LATENT GEOMETRIC CHORDS FOR QUERY-EFFICIENT DECISION-BASED ADVERSARIAL ATTACKS 14

    2014

  40. [40]

    MaskGAN: Towards diverse and interactive facial image manipulation,

    C. H. Lee, Z. Liu, L. Wu, and P. Luo, “MaskGAN: Towards diverse and interactive facial image manipulation,” inProceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), 2020

    2020

  41. [41]

    2016, in 2016 IEEE Conference on Computer Vision and Pattern Recognition (CVPR), 770--778, 10.1109/CVPR.2016.90

    K. He, X. Zhang, S. Ren, and J. Sun, “Deep Residual Learning for Image Recognition,” in2016 IEEE Conference on Computer Vision and Pattern Recognition (CVPR), Las Vegas, NV , USA, 2016, pp. 770–778, doi: 10.1109/CVPR.2016.90

    work page doi:10.1109/cvpr.2016.90 2016

  42. [42]

    Very Deep Convolutional Networks for Large-Scale Image Recognition

    K. Simonyan and A. Zisserman, “Very deep convolutional networks for large-scale image recognition,”arXiv preprint arXiv:1409.1556, 2014

    work page internal anchor Pith review Pith/arXiv arXiv 2014

  43. [43]

    An Image is Worth 16x16 Words: Transformers for Image Recognition at Scale

    A. Dosovitskiyet al., “An image is worth 16x16 words: Transformers for image recognition at scale,”arXiv preprint arXiv:2010.11929, 2020

    work page internal anchor Pith review Pith/arXiv arXiv 2010

  44. [44]

    In: Proc

    G. Huang, Z. Liu, L. Van Der Maaten, and K. Q. Weinberger, “Densely Connected Convolutional Networks,” in2017 IEEE Conference on Computer Vision and Pattern Recognition (CVPR), Honolulu, HI, USA, 2017, pp. 2261–2269, doi: 10.1109/CVPR.2017.243

    work page doi:10.1109/cvpr.2017.243 2017

  45. [45]

    imagenet-autoencoder: AutoEncoder trained on Ima- geNet,

    Horizon2333, “imagenet-autoencoder: AutoEncoder trained on Ima- geNet,”GitHub repository, 2022. [Online]. Available: https://github. com/Horizon2333/imagenet-autoencoder. Accessed on: May 2, 2026

    2022