arxiv: 2605.08910 · v1 · submitted 2026-05-09 · 💻 cs.CR · cs.LG

Recognition: 2 theorem links

· Lean Theorem

Enhancing Adversarial Robustness in Network Intrusion Detection: A Layer-wise Adaptive Regularization Approach

Hira Nasir , Eiman Javed , Balawal Shabir , Zunera Jalil , Ahmad Mohsin

Authors on Pith no claims yet

Pith reviewed 2026-05-12 01:46 UTC · model grok-4.3

classification 💻 cs.CR cs.LG

keywords adversarial robustnessnetwork intrusion detectionlayer-wise analysisadaptive regularizationUNSW-NB15 datasetauxiliary classifiersvulnerability scores

0 comments

The pith

Layer-wise vulnerability analysis and adaptive regularization improve robustness in network intrusion detection systems.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper proposes LARAR to address how gradient-based adversarial attacks exploit neural network classifiers used in network intrusion detection. It adds per-layer analysis of vulnerability to these attacks, then applies adaptive weighting during training along with auxiliary classifiers. A sympathetic reader would care because standard adversarial training often lacks insight into which parts of the model are most exposed, making defenses less effective and harder to understand or optimize. The approach claims to reach 95.01 percent clean accuracy while providing stronger resistance to FGSM, PGD, and transfer attacks on the UNSW-NB15 dataset, and it points to computational savings by focusing effort on vulnerable layers for early detection of attacks.

Core claim

LARAR integrates layer-wise vulnerability scoring into adversarial training by computing how susceptible each layer is to attack propagation and then applying adaptive regularization weights that emphasize weaker layers, supported by auxiliary classifiers for additional guidance. On the UNSW-NB15 dataset this produces 95.01 percent accuracy on clean samples together with improved resistance to FGSM, PGD, and transfer attacks relative to conventional methods, while the resulting vulnerability scores enable identification of weak layers for early adversarial-sample detection and reduced computational cost.

What carries the argument

LARAR (Layer-wise Adversarial Robustness using Adaptive Regularization), which performs per-layer vulnerability analysis to guide adaptive weighting in adversarial training and employs auxiliary classifiers for extra supervision.

If this is right

Vulnerable layers can be monitored to detect adversarial samples at an early stage before full processing completes.
Defense computation can be reduced by concentrating regularization on the identified weak layers rather than the entire network.
Clean accuracy remains high at 95.01 percent while robustness improves against FGSM, PGD, and transfer attacks.
Explicit layer-wise scores make the defense more interpretable than black-box adversarial training.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

The same layer-wise scoring could be tested on other security classification tasks that rely on deep networks to check whether the robustness gains generalize.
Early detection via vulnerable-layer monitoring might be combined with real-time monitoring systems to block attacks before they reach the final output.
If the vulnerability scores prove stable, they could guide model architecture changes that harden the weakest layers by design.

Load-bearing premise

That adding layer-wise vulnerability analysis and adaptive weighting to adversarial training will increase robustness and interpretability without creating new vulnerabilities or overfitting to the tested attacks and dataset.

What would settle it

If further tests on other datasets or against stronger adaptive attacks show no robustness gains or a drop in clean accuracy below standard adversarial training, the central claim would be refuted.

Figures

Figures reproduced from arXiv: 2605.08910 by Ahmad Mohsin, Balawal Shabir, Eiman Javed, Hira Nasir, Zunera Jalil.

**Figure 2.** Figure 2: Accuracy assessment across different adversarial attack types. [PITH_FULL_IMAGE:figures/full_fig_p017_2.png] view at source ↗

**Figure 3.** Figure 3: (a) LVS heatmap showing layer-wise activation shifts between clean and adversarial inputs across 20 training epochs. Darker shading indicates higher vulnerability, with Layer 1 consistently exhibiting greater sensitivity than Layer 2. (b) Perturbation propagation across network depth comparing Base ADVNN and LARAR at Epoch 1 and Epoch 20. Initially, Layer 1 exhibits an LVS of 0.1562 and Layer 2 shows an LV… view at source ↗

**Figure 4.** Figure 4: Ablation study showing incremental contribution of each component. 20 [PITH_FULL_IMAGE:figures/full_fig_p020_4.png] view at source ↗

**Figure 5.** Figure 5: summarizes the merits of our methodology in a succinct manner because it shows the percentage change of LARAR versus Base ADVNN of various attack types. It boosts FGSM attacks by 16.5%, PGD attacks by 15.4%, and transfer attacks by 11.0%. The layer-wise adaptive approach of LARAR offers a strong defense that has been generalized with various adversarial approaches as documented by the stable, substantial p… view at source ↗

read the original abstract

The new wave of adversarial attacks that utilize gradient-related vulnerabilities in neural network-based classifiers makes Network Intrusion Detection Systems more open to such threats. Although state-of-the-art adversarial training methods have shown promising results in producing more robust classifiers, their interpretability and defense ability are limited due to their lack of understanding of how adversarial attacks propagate in different layers of network classifiers. In this paper, we present an insightful approach, called LARAR (Layer-wise Adversarial Robustness using Adaptive Regularization), that incorporates additional layer-wise vulnerability analysis and adaptive weighting in conventional adversarial training methods. Additionally, we utilize 'Auxiliary Classifiers' in our approach. LARAR provides interpretable layer-wise vulnerability scores, achieves a clean accuracy of 95.01%, and provides better robustness against adversarial attacks (FGSM, PGD, and transfer attacks) on the UNSW-NB15 dataset. Through the identification of vulnerable layers, the proposed framework reduces computational complexity and enables the early detection of adversarial samples, thus enhancing the effectiveness and interpretability of adversarial defense mechanisms in NIDS.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Desk Editor's Note private letter to a colleague

This adds layer-wise vulnerability scoring and adaptive regularization to standard adversarial training for NIDS, but the gains look tied to one dataset and three attacks with no clear baselines or ablations.

read the letter

The main thing to know is that this paper takes standard adversarial training for network intrusion detection and adds layer-wise analysis plus adaptive regularization to make it more interpretable and supposedly more robust. They report 95.01% clean accuracy and gains against FGSM, PGD, and transfer attacks on UNSW-NB15, plus the idea that spotting vulnerable layers can cut compute and flag attacks earlier.

Referee Report

4 major / 2 minor

Summary. The manuscript proposes LARAR (Layer-wise Adversarial Robustness using Adaptive Regularization), which augments standard adversarial training for neural network-based network intrusion detection systems (NIDS) by adding layer-wise vulnerability scoring, adaptive per-layer regularization weights, and auxiliary classifiers. It claims this yields interpretable vulnerability scores per layer, a clean accuracy of 95.01%, and superior robustness to FGSM, PGD, and transfer attacks on the UNSW-NB15 dataset, while also enabling early adversarial sample detection and reduced computational cost.

Significance. If the empirical claims hold after proper validation, the work would be moderately significant for the NIDS security community: it attempts to combine robustness gains with interpretability via layer-wise analysis, which could help practitioners identify and mitigate vulnerabilities in specific network layers rather than treating the model as a black box. The use of auxiliary classifiers and adaptive weighting is a reasonable extension of existing adversarial training literature, but the absence of ablations, stronger attack evaluations, and cross-dataset results currently prevents assessing whether the contribution is incremental or genuinely advances the state of the art.

major comments (4)

[Experimental evaluation section] Experimental evaluation section: The manuscript reports a clean accuracy of 95.01% and improved robustness metrics but provides no baseline comparisons (e.g., standard adversarial training, Madry-style PGD training, or other NIDS-specific defenses), no statistical significance tests, and no ablation isolating the layer-wise adaptive regularization term from the auxiliary classifiers. Without these, the central claim that LARAR 'provides better robustness' cannot be substantiated.
[Method section on adaptive regularization] Method section on adaptive regularization: The derivation and optimization of the layer-wise adaptive weights is not shown; if these weights are fitted using the same training or validation splits used for the reported robustness numbers, the gains may be circular. The paper must clarify whether the weights are computed in a parameter-free manner, via a separate validation set, or through a closed-form expression independent of the test attacks.
[Robustness evaluation subsection] Robustness evaluation subsection: Claims are supported only for FGSM, PGD, and transfer attacks on UNSW-NB15. Standard practice requires evaluation against stronger, adaptive attacks (AutoAttack, CW) and at least one additional dataset (e.g., CIC-IDS2017) to rule out attack-specific gradient masking or dataset overfitting. The current scope leaves open the possibility that observed gains are not generalizable.
[Auxiliary classifiers and early detection claim] Auxiliary classifiers and early detection claim: The paper states that auxiliary classifiers enable early detection and complexity reduction, yet no quantitative results (e.g., detection rate at intermediate layers, FLOPs saved, or comparison with/without auxiliaries) are provided. This component is load-bearing for the interpretability and efficiency claims but remains unsupported.

minor comments (2)

[Method section] Notation for layer-wise vulnerability scores should be defined explicitly with an equation; the current description is informal and makes reproducibility difficult.
[Abstract] The abstract states specific numerical results (95.01% accuracy) without referencing the corresponding table or figure in the main text; this should be cross-referenced.

Simulated Author's Rebuttal

4 responses · 0 unresolved

We thank the referee for the thorough and constructive review. The comments highlight important areas for strengthening the empirical validation and methodological clarity of our work on LARAR. We address each major comment below and commit to revising the manuscript to incorporate the suggested improvements where feasible.

read point-by-point responses

Referee: The manuscript reports a clean accuracy of 95.01% and improved robustness metrics but provides no baseline comparisons (e.g., standard adversarial training, Madry-style PGD training, or other NIDS-specific defenses), no statistical significance tests, and no ablation isolating the layer-wise adaptive regularization term from the auxiliary classifiers. Without these, the central claim that LARAR 'provides better robustness' cannot be substantiated.

Authors: We agree that the absence of these elements weakens the substantiation of our central claims. In the revised manuscript, we will add direct comparisons against standard adversarial training, Madry-style PGD adversarial training, and other relevant NIDS defenses from the literature. We will also include statistical significance testing (e.g., paired t-tests across multiple runs) and dedicated ablation studies that isolate the contribution of the layer-wise adaptive regularization from the auxiliary classifiers. These additions will be placed in an expanded experimental evaluation section. revision: yes
Referee: The derivation and optimization of the layer-wise adaptive weights is not shown; if these weights are fitted using the same training or validation splits used for the reported robustness numbers, the gains may be circular. The paper must clarify whether the weights are computed in a parameter-free manner, via a separate validation set, or through a closed-form expression independent of the test attacks.

Authors: We apologize for the insufficient detail in the method section. The layer-wise adaptive weights are derived via a closed-form expression that depends on per-layer vulnerability scores, which are computed exclusively on a held-out validation set that is disjoint from both the training data and the test set used for robustness reporting. This design avoids circularity with the reported attack results. In the revision, we will explicitly present the full derivation, the optimization procedure, and confirmation of the separate validation split to make the process transparent and reproducible. revision: yes
Referee: Claims are supported only for FGSM, PGD, and transfer attacks on UNSW-NB15. Standard practice requires evaluation against stronger, adaptive attacks (AutoAttack, CW) and at least one additional dataset (e.g., CIC-IDS2017) to rule out attack-specific gradient masking or dataset overfitting. The current scope leaves open the possibility that observed gains are not generalizable.

Authors: We acknowledge that limiting evaluation to FGSM, PGD, and transfer attacks on a single dataset limits the strength of the generalizability claims. In the revised manuscript, we will expand the robustness evaluation subsection to include results against AutoAttack and Carlini-Wagner (CW) attacks. We will also report performance on the CIC-IDS2017 dataset in addition to UNSW-NB15. These additions will help address concerns regarding potential gradient masking or dataset-specific effects. revision: yes
Referee: The paper states that auxiliary classifiers enable early detection and complexity reduction, yet no quantitative results (e.g., detection rate at intermediate layers, FLOPs saved, or comparison with/without auxiliaries) are provided. This component is load-bearing for the interpretability and efficiency claims but remains unsupported.

Authors: We agree that the efficiency and early-detection claims require quantitative backing to be credible. In the revised manuscript, we will add a dedicated subsection with quantitative results, including adversarial detection rates at each intermediate layer, measured FLOPs savings from early exit on detected samples, and side-by-side performance comparisons of the full model with and without the auxiliary classifiers. These metrics will directly support the interpretability and complexity-reduction aspects of the approach. revision: yes

Circularity Check

0 steps flagged

No significant circularity in derivation chain

full rationale

The paper introduces LARAR as a method that adds layer-wise vulnerability analysis and adaptive weighting to standard adversarial training plus auxiliary classifiers. All reported outcomes (95.01% clean accuracy, improved robustness on FGSM/PGD/transfer attacks for UNSW-NB15) are presented as empirical results of the proposed training procedure. No equations, parameter-fitting steps, or self-citations are supplied in the available text that would reduce any claimed prediction or uniqueness result back to the inputs by construction. The central claims therefore rest on experimental evaluation rather than a closed definitional or self-referential loop.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

Only the abstract is available; no explicit free parameters, axioms, or invented entities can be identified.

pith-pipeline@v0.9.0 · 5500 in / 1118 out tokens · 58635 ms · 2026-05-12T01:46:12.568500+00:00 · methodology

discussion (0)

Lean theorems connected to this paper

Citations machine-checked in the Pith Canon. Every link opens the source theorem in the public Lean library.

IndisputableMonolith/Cost/FunctionalEquation.lean washburn_uniqueness_aczel unclear

?

unclear
Relation between the paper passage and the cited Recognition theorem.

LARAR employs learnable weights per layer{w(l)}L l=1 to automatically focus on vulnerable layers... Ltotal = LCE + λaux Laux + λGA LGA + λFS LFS + β ∑ w(l)·LVS(l)
IndisputableMonolith/Foundation/ArithmeticFromLogic.lean embed_injective unclear

?

unclear
Relation between the paper passage and the cited Recognition theorem.

Layer Vulnerability Score (LVS) ... normalized difference between clean and adversarial activations

What do these tags mean?

matches: The paper's claim is directly supported by a theorem in the formal canon.
supports: The theorem supports part of the paper's argument, but the paper may add assumptions or extra steps.
extends: The paper goes beyond the formal theorem; the theorem is a base layer rather than the whole result.
uses: The paper appears to rely on the theorem as machinery.
contradicts: The paper's claim conflicts with a theorem or certificate in the canon.
unclear: Pith found a possible connection, but the passage is too broad, indirect, or ambiguous to say the theorem truly supports the claim.

Reference graph

Works this paper leans on

34 extracted references · 34 canonical work pages · 3 internal anchors

[1]

IEEE Access (2025)

Ennaji, S., De Gaspari, F., Hitaj, D., Kbidi, A., Mancini, L.V.: Adversarial challenges in network intrusion detection systems: Research insights and future prospects. IEEE Access (2025)

work page 2025
[2]

Discover Artificial Intelligence5(1), 314 (2025)

Hozouri, A., Mirzaei, A., Effatparvar, M.: A comprehensive survey on intrusion detection systems with advances in machine learning, deep learning and emerging cybersecurity challenges. Discover Artificial Intelligence5(1), 314 (2025)

work page 2025
[3]

In: 2024 IEEE 23rd International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), pp

Tafreshian, B., Zhang, S.: A defensive framework against adversarial attacks on machine learning-based network intrusion detection systems. In: 2024 IEEE 23rd International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), pp. 2436–2441 (2024). IEEE

work page 2024
[4]

Scientific Reports 15(1), 8297 (2025)

Kim, T.-h., Srinivasulu, A., Chinthaginjala, R., Dhakshayani, J., Zhao, X., Obaidur Rab, S.: Enhancing cybersecurity through script development using machine and deep learning for advanced threat mitigation. Scientific Reports 15(1), 8297 (2025)

work page 2025
[5]

Electronics 14(16), 3249 (2025)

Heydari, V., Nyarko, K.: Enhancing adversarial robustness in network intrusion detection: A novel adversarially trained neural network approach. Electronics 14(16), 3249 (2025)

work page 2025
[6]

Scientific Reports 15(1), 14177 (2025) 23

Awad, Z., Zakaria, M., Hassan, R.: An enhanced ensemble defense framework for boosting adversarial robustness of intrusion detection systems. Scientific Reports 15(1), 14177 (2025) 23

work page 2025
[7]

In: 2025 1st International Conference on Secure IoT, Assured and Trusted Computing (SATC), pp

Gurung, K., Ghimire, A., Amsaad, F.: Enhancing iot intrusion detection systems through adversarial training. In: 2025 1st International Conference on Secure IoT, Assured and Trusted Computing (SATC), pp. 1–6 (2025). IEEE

work page 2025
[8]

Engineering Proceedings123(1), 23 (2026)

Mart´ ınez Hern´ andez, L.A., P´ erez Arteaga, S., Sandoval Orozco, A.L., Garc´ ıa Vil- lalba, L.J.: Adversarial attacks on machine learning models for network traffic filtering. Engineering Proceedings123(1), 23 (2026)

work page 2026
[9]

arXiv preprint arXiv:2509.20411 (2025)

Ndayipfukamiye, T., Ding, J., Sarwatt, D.S., Philipo, A.G., Ning, H.: Adversarial defense in cybersecurity: A systematic review of gans for threat detection and mitigation. arXiv preprint arXiv:2509.20411 (2025)

work page arXiv 2025
[10]

Engineering Reports7(9), 70415 (2025)

Morshedi, R., Matinkhah, S.M.: A comprehensive review of deep learning tech- niques for anomaly detection in iot networks: Methods, challenges, and datasets. Engineering Reports7(9), 70415 (2025)

work page 2025
[11]

Engineering Proceedings112(1), 15 (2025)

Jamiri, H., Zyane, A.: Adversarial attacks in iot: A performance assessment of ml and dl models. Engineering Proceedings112(1), 15 (2025)

work page 2025
[12]

ICT Express11(1), 181–215 (2025)

Chinnasamy, R., Subramanian, M., Easwaramoorthy, S.V., Cho, J.: Deep learning-driven methods for network-based intrusion detection systems: A sys- tematic review. ICT Express11(1), 181–215 (2025)

work page 2025
[13]

In: 2025 IEEE 15th Annual Com- puting and Communication Workshop and Conference (CCWC), pp

Bhati, D., Neha, F., Amiruzzaman, M., Guercio, A., Shukla, D.K., Ward, B.: Neural network interpretability with layer-wise relevance propagation: novel tech- niques for neuron selection and visualization. In: 2025 IEEE 15th Annual Com- puting and Communication Workshop and Conference (CCWC), pp. 00441–00447 (2025). IEEE

work page 2025
[14]

Scientific Reports15(1), 13940 (2025)

Singh, G., Stefenon, S.F., Yow, K.-C.: The shallowest transparent and inter- pretable deep neural network for image recognition. Scientific Reports15(1), 13940 (2025)

work page 2025
[15]

arXiv preprint arXiv:2404.14082 (2024)

Bereska, L., Gavves, E.: Mechanistic interpretability for ai safety–a review. arXiv preprint arXiv:2404.14082 (2024)

work page arXiv 2024
[16]

Intriguing properties of neural networks

Szegedy, C., Zaremba, W., Sutskever, I., Bruna, J., Erhan, D., Goodfellow, I., Fer- gus, R.: Intriguing properties of neural networks. arXiv preprint arXiv:1312.6199 (2013)

work page internal anchor Pith review Pith/arXiv arXiv 2013
[17]

Explaining and Harnessing Adversarial Examples

Goodfellow, I.J., Shlens, J., Szegedy, C.: Explaining and harnessing adversarial examples. arXiv preprint arXiv:1412.6572 (2014)

work page internal anchor Pith review Pith/arXiv arXiv 2014
[18]

Towards Deep Learning Models Resistant to Adversarial Attacks

Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. arXiv preprint arXiv:1706.06083 (2017) 24

work page internal anchor Pith review Pith/arXiv arXiv 2017
[19]

In: 2018 IEEE Security and Privacy Workshops (SPW), pp

Rigaki, M., Garcia, S.: Bringing a gan to a knife-fight: Adapting malware com- munication to avoid detection. In: 2018 IEEE Security and Privacy Workshops (SPW), pp. 70–75 (2018). IEEE

work page 2018
[20]

In: MILCOM 2018-2018 Ieee Military Communications Conference (MILCOM), pp

Yang, K., Liu, J., Zhang, C., Fang, Y.: Adversarial examples against the deep learning based network intrusion detection systems. In: MILCOM 2018-2018 Ieee Military Communications Conference (MILCOM), pp. 559–564 (2018). IEEE

work page 2018
[21]

In: 2016 IEEE Symposium on Security and Privacy (SP), pp

Papernot, N., McDaniel, P., Wu, X., Jha, S., Swami, A.: Distillation as a defense to adversarial perturbations against deep neural networks. In: 2016 IEEE Symposium on Security and Privacy (SP), pp. 582–597 (2016). IEEE

work page 2016
[22]

arXiv preprint arXiv:1705.07204 , year=

Tram` er, F., Kurakin, A., Papernot, N., Goodfellow, I., Boneh, D., McDaniel, P.: Ensemble adversarial training: Attacks and defenses. arXiv preprint arXiv:1705.07204 (2017)

work page arXiv 2017
[23]

In: International Conference on Machine Learning, pp

Zhang, H., Yu, Y., Jiao, J., Xing, E., El Ghaoui, L., Jordan, M.: Theoret- ically principled trade-off between robustness and accuracy. In: International Conference on Machine Learning, pp. 7472–7482 (2019). PMLR

work page 2019
[24]

Expert Systems with Applications186, 115782 (2021)

Alhajjar, E., Maxwell, P., Bastian, N.: Adversarial machine learning in net- work intrusion detection systems. Expert Systems with Applications186, 115782 (2021)

work page 2021
[25]

IEEE Journal on Selected Areas in Communications39(8), 2632–2647 (2021)

Han, D., Wang, Z., Zhong, Y., Chen, W., Yang, J., Lu, S., Shi, X., Yin, X.: Eval- uating and improving adversarial robustness of machine learning-based network intrusion detectors. IEEE Journal on Selected Areas in Communications39(8), 2632–2647 (2021)

work page 2021
[26]

IEEE/ACM Transactions on Networking30(3), 1294–1311 (2022)

Zhang, C., Costa-Perez, X., Patras, P.: Adversarial attacks against deep learning- based network intrusion detection systems and defense mechanisms. IEEE/ACM Transactions on Networking30(3), 1294–1311 (2022)

work page 2022
[27]

Advances in neural information processing systems30(2017)

Raghu, M., Gilmer, J., Yosinski, J., Sohl-Dickstein, J.: Svcca: Singular vector canonical correlation analysis for deep learning dynamics and interpretability. Advances in neural information processing systems30(2017)

work page 2017
[28]

Advances in neural information processing systems32(2019)

Ilyas, A., Santurkar, S., Tsipras, D., Engstrom, L., Tran, B., Madry, A.: Adver- sarial examples are not bugs, they are features. Advances in neural information processing systems32(2019)

work page 2019
[29]

Computers & Security137, 103644 (2024)

Yuan, X., Han, S., Huang, W., Ye, H., Kong, X., Zhang, F.: A simple framework to enhance the adversarial robustness of deep learning-based intrusion detection system. Computers & Security137, 103644 (2024)

work page 2024
[30]

Computers & Security128, 103141 (2023) 25

Xiong, W.D., Luo, K.L., Li, R.: Aidtf: Adversarial training framework for network intrusion detection. Computers & Security128, 103141 (2023) 25

work page 2023
[31]

In: The Eleventh International Conference on Learning Representations (2023)

Chen, Y., Yuille, A., Zhou, Z.: Which layer is learning faster? a systematic explo- ration of layer-wise convergence rate for deep neural networks. In: The Eleventh International Conference on Learning Representations (2023)

work page 2023
[32]

In: 2015 Military Communications and Information Systems Conference (MilCIS), pp

Moustafa, N., Slay, J.: Unsw-nb15: a comprehensive data set for network intrusion detection systems (unsw-nb15 network data set). In: 2015 Military Communications and Information Systems Conference (MilCIS), pp. 1–6 (2015). Ieee

work page 2015
[33]

Advances in neural information processing systems30(2017)

Bartlett, P.L., Foster, D.J., Telgarsky, M.J.: Spectrally-normalized margin bounds for neural networks. Advances in neural information processing systems30(2017)

work page 2017
[34]

Artificial intelligence review22(2), 85–126 (2004) 26

Hodge, V., Austin, J.: A survey of outlier detection methodologies. Artificial intelligence review22(2), 85–126 (2004) 26

work page 2004