3528                                Journal of Software  软件学报 Vol.32, No.11, November 2021

                [11]     Szegedy C, Zaremba W, Sutskever I, Bruna J, Erhan D, Goodfellow I, Fergus R. Intriguing properties of neural networks. In: Proc.
                     of the Int’l Conf. on Learning Representations. 2014. 1−10.
                [12]     Esteva A, Kuprel B, Novoa RA, et al. Dermatologist-level classification of skin cancer with deep neural networks. Nature, 2017,
                     542(7639):115−118.
                [13]     Ma YK, Wu LF, Jian M, Liu FH, Yang Z. Algorithm to generate adversarial examples for face-spoofing detection. Ruan Jian Xue
                     Bao/Journal of Software, 2019,30(2):469−480 (in Chinese with English abstract). http://www.jos.org.cn/1000-9825/5568.htm [doi:
                     10.13328/j.cnki.jos.005568]
                [14]    Wang WQ, Wang R, Wang LN, Tang BX. Adversarial examples generation approach for tendency classification on Chinese texts.
                     Ruan Jian  Xue  Bao/Journal of Software, 2019,30(8):2415−2427  (in  Chinese with English abstract).  http://www.jos.org.cn/1000-
                     9825/5765.htm [doi: 10.13328/j.cnki.jos.005765]
                [15]     Sharif M, Bhagavatula S, Bauer L, et al. Accessorize to a crime: Real and stealthy attacks on state-of-the-art face recognition. In:
                     Proc. of the ACM SIGSAC Conf. on Computer and Communications Security. ACM, 2016. 1528−1540.
                [16]     Athalye A, Engstrom L, Ilyas A, et al. Synthesizing robust adversarial examples. In: Proc. of the Int’l Conf. on Machine Learning.
                     2018. 284−293.
                [17]    Eykholt K, Evtimov I, Fernandes E, et al. Robust physical-world attacks on deep learning visual classification. In: Proc. of the Conf.
                     on Computer Vision and Pattern Recognition. IEEE, 2018. 1625−1634.
                [18]    Thys S, Van Ranst W, Goedeme T. Fooling automated surveillance cameras: Adversarial patches to attack person detection. In:
                     Proc. of the Conf. on Computer Vision and Pattern Recognition Workshops (CVPRW). IEEE, 2019. 1−7.
                [19]     Goodfellow  IJ, Shlens J, Szegedy S. Explaining  and harnessing  adversarial  examples. In:  Proc. of the  Computer Science. 2014.
                     1−11.
                [20]     Kurakin A, Goodfellow IJ, Bengio S. Adversarial examples in the physical world. In: Proc. of the Artificial Intelligence Safety and
                     Security. Chapman and Hall/CRC, 2018. 99−112.
                [21]     Papernot N, McDaniel P, Jha S, Fredrikson M, Celik Z, Swami A. The limitations of deep learning in adversarial settings. In: Proc.
                     of the IEEE European Symp. on Security and Privacy. IEEE, 2016. 372−387.
                [22]     Carlini N, Wagner D. Towards evaluating the robustness of neural networks. In: Proc. of the IEEE Symp. on Security and Privacy.
                     IEEE, 2017. 39−57.
                [23]     Papernot N, McDaniel P, Goodfellow I, Jha S, Celik Z, Swami A. Practical black-box attacks against machine learning. In: Proc. of
                     the ACM Asia Conf. on Computer and Communications Security. ACM, 2017. 506−519.
                [24]     Dong Y, Pang T, Su H, et al. Evading defenses to transferable adversarial examples by translation-invariant attacks. In: Proc. of the
                     Conf. on Computer Vision and Pattern Recognition. IEEE, 2019. 4312−4321.
                [25]    Zhou  W, Hou X, Chen Y,  et  al. Transferable adversarial  perturbations. In:  Proc.  of  the European Conf.  on Computer Vision
                     (ECCV). 2018. 452−467.
                [26]     Bhagoji AN, He W, Li B, et al. Practical black-box attacks on deep neural networks using efficient query mechanisms. In: Proc. of
                     the European Conf. on Computer Vision. Cham: Springer-Verlag, 2018. 158−174.
                [27]    Chen  PY, Zhang H,  Sharma Y,  et  al.  Zoo:  Zeroth order optimization based black-box  attacks to deep neural networks without
                     training substitute models. In: Proc. of the 10th ACM Workshop on Artificial Intelligence and Security. ACM, 2017. 15−26.
                [28]    Tu CC, Ting P, Chen PY, et al. AutoZOOM: Autoencoder-based zeroth order optimization method for attacking black-box neural
                     networks. In: Proc. of the AAAI Conf. on Artificial Intelligence, Vol.33. 2019. 742−749.
                [29]     Ilyas A, Engstrom L, Athalye A, Lin J. Black-box adversarial attacks with limited queries and information. In Proc. of the 35th Int’l
                     Conf. on Machine Learning. 2018. 2137−2146.
                [30]     Su J, Vargas DV, Sakurai K. One pixel attack for fooling deep neural networks. IEEE Trans. on Evolutionary Computation, 2019,
                     23(5):828−841.
                [31]    Moosavi-Dezfooli SM, Fawzi A, Frossard P. Deepfool: A simple and accurate method to fool deep neural networks. In: Proc. of the
                     Conf. on Computer Vision and Pattern Recognition. IEEE, 2016. 2574−2582.
                [32]     Moosavi-Dezfooli SM, Fawzi A, Fawzi O, et al. Universal adversarial perturbations. In: Proc. of the Conf. on Computer Vision and
                     Pattern Recognition. 2017. 1765−1773.