arxiv: 2606.31378 · v1 · pith:DKHDEUQOnew · submitted 2026-06-30 · 💻 cs.CV

MAPE: Defending Against Transferable Adversarial Attacks Using Multi-Source Adversarial Perturbations Elimination

Pith reviewed 2026-07-01 05:41 UTC · model grok-4.3

classification 💻 cs.CV
keywords: adversarial defense · transferable attacks · black-box defense · perturbation elimination · U-Net · image classification · CIFAR-10 · Mini-ImageNet

The pith

A channel-attention U-Net trained on perturbations from multiple scheduled pre-trained models eliminates those from unknown attackers in black-box settings.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper introduces MAPE to protect image classifiers from transferable adversarial attacks that succeed across different models without access to the target. It pairs a single-source elimination step that trains the U-Net on examples from one pre-trained model with a scheduling step that picks several models to increase variety in the training perturbations. This combination aims to make the defense remove perturbations even when the attacking substitute model was never seen during training. The reported defense rates above 95 percent on CIFAR-10 and above 71 percent on Mini-ImageNet indicate that such training can produce usable robustness against stealthy cross-model attacks.

Core claim

MAPE comprises the single-source adversarial perturbation elimination mechanism that trains a channel-attention U-Net on adversarial examples generated by pre-trained models and the pre-trained models probabilistic scheduling algorithm that uses model difference quantification and negative momentum to select multiple sources, thereby training the defense model to eliminate perturbations crafted by a range of substitute models not encountered in training.

What carries the argument

Channel-attention U-Net defense model whose training is diversified by probabilistic scheduling across multiple pre-trained models.

If this is right

  • The defense operates without any queries to the target model or its outputs.
  • Average defense rates exceed 95.1 percent on CIFAR-10 and 71.5 percent on Mini-ImageNet when ResNet-34 is the target.
  • Performance holds across attacks generated by different substitute models because training maximizes source diversity.
  • The method requires no modification to the target classifier itself.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same scheduling principle could be tested on detection of adversarial examples rather than their removal.
  • If model-difference quantification proves reliable, the number of required source models during training might be reduced without loss of coverage.
  • The approach suggests that explicit diversity in training sources may be more important than volume of examples for generalization to unknown attackers.

Load-bearing premise

Training exclusively on adversarial examples from a known set of pre-trained models will enable the U-Net to remove perturbations generated by substitute models never used in training.

What would settle it

Defense success rate falls below 70 percent on CIFAR-10 when the attack is generated by a substitute model whose architecture family was withheld from the training sources.
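
The held-out check described above, written out as an added example (not code from the paper or from Pith). It splits evaluation results by whether the attacker's substitute model was a training source, shares an architecture family with one, or comes from a withheld family, then applies the 70 percent criterion to the withheld group. The family map, model names, attack labels and counts are constructed, and "defense rate" is assumed to mean the share of adversarial inputs the target classifies correctly after the defense.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed model -> architecture-family map (assumption; extend for your model zoo).
FAMILY = {
    "resnet18": "resnet", "resnet50": "resnet", "wide_resnet28": "resnet",
    "vgg16": "vgg", "densenet121": "densenet",
    "mobilenet_v2": "mobilenet", "vit_b16": "vit",
}


@dataclass(frozen=True)
class EvalRow:
    substitute: str  # model the adversarial examples were crafted on
    attack: str      # attack label, informational only
    defended: int    # adversarial inputs classified correctly after the defense
    total: int       # adversarial inputs evaluated


def bucket(substitute, train_sources):
    """Place a test substitute relative to the defense's training sources."""
    if substitute not in FAMILY:
        raise ValueError(f"no architecture family recorded for {substitute!r}")
    if substitute in train_sources:
        return "seen"
    train_families = {FAMILY[m] for m in train_sources}
    return "same_family" if FAMILY[substitute] in train_families else "held_out"


def audit(train_sources, rows, threshold=70.0):
    """Pool defense rates per bucket and judge the generalization claim."""
    train_sources = set(train_sources)
    unknown = train_sources - FAMILY.keys()
    if unknown:
        raise ValueError(f"training sources without a family: {sorted(unknown)}")
    counts = defaultdict(lambda: [0, 0])
    members = defaultdict(set)
    for r in rows:
        if r.total <= 0 or not 0 <= r.defended <= r.total:
            raise ValueError(f"bad counts for {r.substitute}/{r.attack}")
        b = bucket(r.substitute, train_sources)
        for key in (b, "overall"):
            counts[key][0] += r.defended
            counts[key][1] += r.total
        members[b].add(r.substitute)
    # Pool raw counts instead of averaging percentages, so small runs are not over-weighted.
    rates = {k: round(100.0 * d / t, 2) for k, (d, t) in counts.items()}
    if "held_out" not in rates:
        verdict = "untested"   # no substitute from a withheld family was evaluated
    elif rates["held_out"] < threshold:
        verdict = "refuted"
    else:
        verdict = "supported"
    return {
        "rates": rates,
        "members": {b: sorted(m) for b, m in members.items()},
        "verdict": verdict,
    }


# Constructed sample data, not results from the paper.
TRAIN = ["resnet18", "vgg16", "densenet121"]
ROWS = [
    EvalRow("resnet18", "MI-FGSM", 962, 1000),       # training source reused at test time
    EvalRow("resnet50", "MI-FGSM", 941, 1000),       # unseen model, seen family
    EvalRow("wide_resnet28", "PGD", 450, 500),       # unseen model, seen family
    EvalRow("mobilenet_v2", "MI-FGSM", 655, 1000),   # withheld family
    EvalRow("vit_b16", "PGD", 310, 500),             # withheld family
]

if __name__ == "__main__":
    report = audit(TRAIN, ROWS)
    for name, rate in sorted(report["rates"].items()):
        print(f"{name:12s} {rate:6.2f}%")
    print("verdict:", report["verdict"])
```

On this constructed data the pooled rate across all substitutes stays above 80 percent while the withheld-family group falls below the threshold, which is the gap a single headline average hides.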

Figures

Figures reproduced from arXiv: 2606.31378 by Jichao Xie, Peng Yi, Shumin Huo, Tao Hu, Xinlei Liu, Yuxiang Hu, Zhen Zhang.

Figure 1: Clean example and adversarial example. When the adversarial perturbations are added to a house finch, it is
Figure 2: Single-source adversarial perturbation elimination (SAPE) mechanism.
Figure 3: Deep learning defense known as multi-source adversarial perturbations elimination (MAPE).
Figure 4: Utilizing MAPE to defend against adversarial attacks.
Figure 5: Classification accuracy rates (%) of MAPEs with different defense models in defending against unknown
Figure 6: Classification accuracy rates (%) of MAPE and LDT in defending against unknown types of adversarial
Figure 7: Comparison of different defense methods in terms of (a) training cost and (b) evaluation cost. The comparison

Original abstract

Neural networks are vulnerable to meticulously crafted adversarial examples, leading to high-confidence misclassifications in image classification tasks. Due to their consistency with regular input patterns and the absence of reliance on the target model and its output information, transferable adversarial attacks exhibit a notably high stealthiness and detection difficulty, making them a significant focus of defense. In this work, we propose a deep learning defense known as multi-source adversarial perturbations elimination (MAPE) to counter diverse transferable attacks. MAPE comprises the single-source adversarial perturbation elimination (SAPE) mechanism and the pre-trained models probabilistic scheduling algorithm (PPSA). SAPE utilizes a thoughtfully designed channel-attention U-Net as the defense model and employs adversarial examples generated by a pre-trained model (e.g., ResNet) for its training, thereby enabling the elimination of known adversarial perturbations. PPSA introduces model difference quantification and negative momentum to strategically schedule multiple pre-trained models, thereby maximizing the differences among adversarial examples during the defense model's training and enhancing its robustness in eliminating adversarial perturbations. MAPE effectively eliminates adversarial perturbations in various adversarial examples, providing a robust defense against attacks from different substitute models. In a black-box attack scenario utilizing ResNet-34 as the target model, our approach achieves average defense rates of over 95.1% on CIFAR-10 and over 71.5% on Mini-ImageNet, demonstrating state-of-the-art performance.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

1 major / 2 minor

Summary. The paper proposes MAPE for defending against transferable adversarial attacks. It consists of SAPE, which trains a channel-attention U-Net on adversarial examples generated from pre-trained models (e.g., ResNet), and PPSA, which uses model difference quantification and negative momentum to schedule multiple pre-trained models during training to maximize diversity. The method claims to eliminate perturbations from diverse substitute models, achieving average defense rates over 95.1% on CIFAR-10 and 71.5% on Mini-ImageNet in black-box settings with ResNet-34 as the target model, reported as state-of-the-art.

Significance. If the generalization to unseen substitute models is demonstrated, the approach would meaningfully advance defenses against transferable attacks, which are stealthy and model-independent. The PPSA scheduling provides a concrete mechanism for multi-source training that could improve robustness beyond single-source methods.

major comments (1)
  1. [Abstract] Abstract: The central claim of >95.1% defense rates against attacks from 'unknown substitute models not seen during training' is load-bearing for the contribution, yet the training uses a closed set of pre-trained models scheduled via PPSA. No evidence is given that the substitute models used to generate test attacks are disjoint from this training ensemble, nor are ablations reported on held-out architectures. Without this, the results may reflect interpolation within the trained perturbation manifold rather than elimination of novel transferable perturbations.
minor comments (2)
  1. The abstract states high defense rates and SOTA performance but omits details on the number of attack methods, exact substitute models, clean accuracy impact, or statistical significance of the reported averages.
  2. Clarify the precise set of pre-trained models used in PPSA training versus those used as substitutes in the black-box evaluation experiments.

Simulated Author's Rebuttal

1 response · 0 unresolved

We thank the referee for the careful reading and the important observation on the generalization claim. We address the major comment below.

  1. Referee: [Abstract] Abstract: The central claim of >95.1% defense rates against attacks from 'unknown substitute models not seen during training' is load-bearing for the contribution, yet the training uses a closed set of pre-trained models scheduled via PPSA. No evidence is given that the substitute models used to generate test attacks are disjoint from this training ensemble, nor are ablations reported on held-out architectures. Without this, the results may reflect interpolation within the trained perturbation manifold rather than elimination of novel transferable perturbations.

    Authors: We agree that the abstract claim requires clarification and that explicit evidence of disjoint test models plus held-out ablations is needed to support generalization. The current experiments train on a closed ensemble scheduled by PPSA and evaluate on attacks from other architectures, but this distinction and the corresponding ablations are not stated or reported. We will revise the abstract to accurately describe the training and test model sets and add a new ablation subsection evaluating performance on held-out architectures. These changes will appear in the revised manuscript. revision: yes

Circularity Check

0 steps flagged

No significant circularity; empirical defense claims rest on measured performance rather than definitional reduction.

The paper describes an empirical training procedure (channel-attention U-Net trained on adversarial examples generated via PPSA scheduling from a set of known pre-trained models) and reports measured defense rates on CIFAR-10 and Mini-ImageNet. No equations, uniqueness theorems, or self-citations are presented that would make the reported rates equivalent to the training inputs by construction. The generalization claim to unseen substitutes is an empirical assertion whose validity depends on whether test substitutes are disjoint, but this is a question of experimental design rather than a self-referential derivation. No load-bearing step reduces to a fitted parameter renamed as prediction or an ansatz smuggled via self-citation.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

Abstract-only review provides no explicit free parameters, axioms, or invented entities; the method implicitly assumes that perturbations from known models are representative of unknown attacks and that the U-Net can learn a general elimination mapping.

