MAPE: Defending Against Transferable Adversarial Attacks Using Multi-Source Adversarial Perturbations Elimination
Pith reviewed 2026-07-01 05:41 UTC · model grok-4.3
The pith
A channel-attention U-Net trained on perturbations from multiple scheduled pre-trained models eliminates those from unknown attackers in black-box settings.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
MAPE comprises two parts: the single-source adversarial perturbation elimination mechanism, which trains a channel-attention U-Net on adversarial examples generated by pre-trained models, and the pre-trained models probabilistic scheduling algorithm, which uses model difference quantification and negative momentum to select multiple source models. Together they train the defense model to eliminate perturbations crafted by a range of substitute models not encountered in training.
What carries the argument
Channel-attention U-Net defense model whose training is diversified by probabilistic scheduling across multiple pre-trained models.
If this is right
- The defense operates without any queries to the target model or its outputs.
- Average defense rates exceed 95.1 percent on CIFAR-10 and 71.5 percent on Mini-ImageNet when ResNet-34 is the target.
- Performance holds across attacks generated by different substitute models because training maximizes source diversity.
- The method requires no modification to the target classifier itself.
Where Pith is reading between the lines
- The same scheduling principle could be tested on detection of adversarial examples rather than their removal.
- If model-difference quantification proves reliable, the number of required source models during training might be reduced without loss of coverage.
- The approach suggests that explicit diversity in training sources may be more important than volume of examples for generalization to unknown attackers.
Load-bearing premise
Training exclusively on adversarial examples from a known set of pre-trained models will enable the U-Net to remove perturbations generated by substitute models never used in training.
What would settle it
Defense success rate falls below 70 percent on CIFAR-10 when the attack is generated by a substitute model whose architecture family was withheld from the training sources.
Original abstract
Neural networks are vulnerable to meticulously crafted adversarial examples, leading to high-confidence misclassifications in image classification tasks. Due to their consistency with regular input patterns and the absence of reliance on the target model and its output information, transferable adversarial attacks exhibit a notably high stealthiness and detection difficulty, making them a significant focus of defense. In this work, we propose a deep learning defense known as multi-source adversarial perturbations elimination (MAPE) to counter diverse transferable attacks. MAPE comprises the single-source adversarial perturbation elimination (SAPE) mechanism and the pre-trained models probabilistic scheduling algorithm (PPSA). SAPE utilizes a thoughtfully designed channel-attention U-Net as the defense model and employs adversarial examples generated by a pre-trained model (e.g., ResNet) for its training, thereby enabling the elimination of known adversarial perturbations. PPSA introduces model difference quantification and negative momentum to strategically schedule multiple pre-trained models, thereby maximizing the differences among adversarial examples during the defense model's training and enhancing its robustness in eliminating adversarial perturbations. MAPE effectively eliminates adversarial perturbations in various adversarial examples, providing a robust defense against attacks from different substitute models. In a black-box attack scenario utilizing ResNet-34 as the target model, our approach achieves average defense rates of over 95.1% on CIFAR-10 and over 71.5% on Mini-ImageNet, demonstrating state-of-the-art performance.
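The scheduling idea behind PPSA, as an added illustration that is not the paper's code: the page names model difference quantification and negative momentum but gives no formulas, so the difference measure (1 minus the cosine similarity of the perturbations two source models produce on the same batch), the momentum update (a decaying penalty on recently drawn models) and the random perturbation vectors standing in for real source models are all assumptions made here.

```python
"""Added illustration of a PPSA-style source-model scheduler (assumed forms,
not the paper's own algorithm).

Assumptions, because the page does not state the paper's formulas:
  * difference(i, j) = 1 - cosine similarity between the perturbations that
    source models i and j produce on one clean batch (constructed below as
    random direction vectors);
  * negative momentum = a decaying count of recent draws that is subtracted
    from a model's score, so a model used recently is less likely to be drawn
    again, which spreads training across diverse perturbation sources.
"""
import numpy as np


def pairwise_difference(perturbations: np.ndarray) -> np.ndarray:
    """Assumed difference measure: 1 - cosine similarity of flattened perturbations."""
    unit = perturbations / np.linalg.norm(perturbations, axis=1, keepdims=True)
    return 1.0 - unit @ unit.T


class NegativeMomentumScheduler:
    """Draws one source model per training step: models that differ most from the
    previously drawn model score high, models drawn recently are penalised."""

    def __init__(self, diff: np.ndarray, momentum: float = 0.7,
                 temperature: float = 0.5, seed: int = 0):
        self.diff = diff
        self.k = diff.shape[0]
        self.momentum = momentum
        self.temperature = temperature
        self.velocity = np.zeros(self.k)  # decaying record of recent selections
        self.last = None                  # index of the previously drawn model
        self.rng = np.random.default_rng(seed)

    def probabilities(self) -> np.ndarray:
        # Diversity pull: difference from the last model (zeros before the first draw).
        diversity = self.diff[self.last] if self.last is not None else np.zeros(self.k)
        # Negative momentum push: subtract the decayed count of recent draws.
        score = diversity - self.velocity
        logits = score / self.temperature
        p = np.exp(logits - logits.max())  # numerically stable softmax
        return p / p.sum()

    def step(self) -> int:
        choice = int(self.rng.choice(self.k, p=self.probabilities()))
        self.velocity = self.momentum * self.velocity  # decay older draws
        self.velocity[choice] += 1.0                   # penalise the model just drawn
        self.last = choice
        return choice

    def schedule(self, steps: int) -> list[int]:
        return [self.step() for _ in range(steps)]


def coverage(schedule: list[int], k: int) -> float:
    """Fraction of the k source models that appear at least once in the schedule."""
    return len(set(schedule)) / k


def make_constructed_perturbations(k: int, dim: int, seed: int = 1) -> np.ndarray:
    """Constructed stand-in for the perturbation each source model produces on a batch."""
    rng = np.random.default_rng(seed)
    return rng.standard_normal((k, dim))


if __name__ == "__main__":
    diff = pairwise_difference(make_constructed_perturbations(6, 512))
    sched = NegativeMomentumScheduler(diff).schedule(40)
    print("schedule:", sched)
    print("coverage of source models:", coverage(sched, 6))
```

Swapping the constructed vectors for the perturbations real pre-trained models produce on a fixed batch turns the same loop into a diversity-driven training schedule, which is what the referee's held-out ablation would then exercise.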
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper proposes MAPE for defending against transferable adversarial attacks. It consists of SAPE, which trains a channel-attention U-Net on adversarial examples generated from pre-trained models (e.g., ResNet), and PPSA, which uses model difference quantification and negative momentum to schedule multiple pre-trained models during training to maximize diversity. The method claims to eliminate perturbations from diverse substitute models, achieving average defense rates over 95.1% on CIFAR-10 and 71.5% on Mini-ImageNet in black-box settings with ResNet-34 as the target model, reported as state-of-the-art.
Significance. If the generalization to unseen substitute models is demonstrated, the approach would meaningfully advance defenses against transferable attacks, which are stealthy and model-independent. The PPSA scheduling provides a concrete mechanism for multi-source training that could improve robustness beyond single-source methods.
Major comments (1)
- [Abstract] Abstract: The central claim of >95.1% defense rates against attacks from 'unknown substitute models not seen during training' is load-bearing for the contribution, yet the training uses a closed set of pre-trained models scheduled via PPSA. No evidence is given that the substitute models used to generate test attacks are disjoint from this training ensemble, nor are ablations reported on held-out architectures. Without this, the results may reflect interpolation within the trained perturbation manifold rather than elimination of novel transferable perturbations.
Minor comments (2)
- The abstract states high defense rates and SOTA performance but omits details on the number of attack methods, exact substitute models, clean accuracy impact, or statistical significance of the reported averages.
- Clarify the precise set of pre-trained models used in PPSA training versus those used as substitutes in the black-box evaluation experiments.
Simulated Author's Rebuttal
We thank the referee for the careful reading and the important observation on the generalization claim. We address the major comment below.
Point-by-point responses
- Referee: [Abstract] Abstract: The central claim of >95.1% defense rates against attacks from 'unknown substitute models not seen during training' is load-bearing for the contribution, yet the training uses a closed set of pre-trained models scheduled via PPSA. No evidence is given that the substitute models used to generate test attacks are disjoint from this training ensemble, nor are ablations reported on held-out architectures. Without this, the results may reflect interpolation within the trained perturbation manifold rather than elimination of novel transferable perturbations.
  Authors: We agree that the abstract claim requires clarification and that explicit evidence of disjoint test models plus held-out ablations is needed to support generalization. The current experiments train on a closed ensemble scheduled by PPSA and evaluate on attacks from other architectures, but this distinction and the corresponding ablations are not stated or reported. We will revise the abstract to accurately describe the training and test model sets and add a new ablation subsection evaluating performance on held-out architectures. These changes will appear in the revised manuscript.
  Revision: yes
Circularity Check
No significant circularity; empirical defense claims rest on measured performance rather than definitional reduction.
Full rationale
The paper describes an empirical training procedure (channel-attention U-Net trained on adversarial examples generated via PPSA scheduling from a set of known pre-trained models) and reports measured defense rates on CIFAR-10 and Mini-ImageNet. No equations, uniqueness theorems, or self-citations are presented that would make the reported rates equivalent to the training inputs by construction. The generalization claim to unseen substitutes is an empirical assertion whose validity depends on whether test substitutes are disjoint, but this is a question of experimental design rather than a self-referential derivation. No load-bearing step reduces to a fitted parameter renamed as prediction or an ansatz smuggled via self-citation.