周志阳 等: 谛听: 面向鲁棒分布外样本检测的半监督对抗训练方法                                                2949


                     86523-8_26]
                 [17]  Szegedy  C,  Zaremba  W,  Sutskever  I,  Bruna  J,  Erhan  D,  Goodfellow  I,  Fergus  R.  Intriguing  properties  of  neural  networks.  arXiv:
                     1312.6199, 2014.
                 [18]  Goodfellow IJ, Shlens J, Szegedy C. Explaining and harnessing adversarial examples. arXiv:1412.6572, 2015.
                 [19]  Xu H, Ma Y, Liu HC, Deb D, Liu H, Tang JL, Jain AK. Adversarial attacks and defenses in images, graphs and text: A review. Int’l
                     Journal of Automation and Computing, 2020, 17(2): 151–178. [doi: 10.1007/s11633-019-1211-x]
                 [20]  Madry A, Makelov A, Schmidt L, Tsipras D, Vladu A. Towards deep learning models resistant to adversarial attacks. arXiv:1706.06083,
                     2019.
                 [21]  Zhang HY, Yu YD, Jiao JT, Xing E, El Ghaoui L, Jordan MI. Theoretically principled trade-off between robustness and accuracy. In:
                     Proc. of the 36th Int’l Conf. on Machine Learning. Long Beach: PMLR, 2019. 7472–7482.
                 [22]  Tsipras D, Santurkar S, Engstrom L, Turner A, Madry A. Robustness may be at odds with accuracy. arXiv:1805.12152, 2019.
                 [23]  Bai Y, Feng Y, Wang YS, Dai T, Xia ST, Jiang Y. Hilbert-based generative defense for adversarial examples. In: Proc. of the 2019
                     IEEE/CVF Int’l Conf. on Computer Vision (ICCV). Seoul: IEEE, 2019. 4783–4792. [doi: 10.1109/ICCV.2019.00488]
                 [24]  Ma XJ, Li B, Wang YS, Erfani SM, Wijewickrema S, Schoenebeck G, Song D, Houle ME, Bailey J. Characterizing adversarial subspaces
                     using local intrinsic dimensionality. arXiv:1801.02613, 2018.

                 [25]  Xu WL, Evans D, Qi YJ. Feature squeezing: Detecting adversarial examples in deep neural networks. arXiv:1704.01155, 2017.
                 [26]  Grosse K, Manoharan P, Papernot N, Backes M, McDaniel P. On the (statistical) detection of adversarial examples. arXiv:1702.06280,
                     2017.
                 [27]  Carlini  N,  Wagner  D.  Adversarial  examples  are  not  easily  detected:  Bypassing  ten  detection  methods.  In:  Proc.  of  the  10th  ACM
                     Workshop on Artificial Intelligence and Security. Dallas: ACM, 2017. 3–14. [doi: 10.1145/3128572.3140444]
                 [28]  Croce F, Hein M. Reliable evaluation of adversarial robustness with an ensemble of diverse parameter-free attacks. In: Proc. of the 37th
                     Int’l Conf. on Machine Learning. Virtual Event: JMLR.org, 2020. 2206–2216.
                 [29]  Tramèr  F,  Kurakin  A,  Papernot  N,  Goodfellow  I,  Boneh  D,  McDaniel  P.  Ensemble  adversarial  training:  Attacks  and  defenses.
                     arXiv:1705.07204, 2020.
                 [30]  Moosavi-Dezfooli SM, Fawzi A, Fawzi O, Frossard P. Universal adversarial perturbations. In: Proc. of the 2017 IEEE Conf. on Computer
                     Vision and Pattern Recognition. Honolulu: IEEE, 2017. 86–94. [doi: 10.1109/CVPR.2017.17]
                 [31]  Moosavi-Dezfooli SM, Fawzi A, Frossard P. DeepFool: A simple and accurate method to fool deep neural networks. In: Proc. of the 2016
                     IEEE Conf. on Computer Vision and Pattern Recognition (CVPR). Las Vegas: IEEE, 2016. 2574–2582. [doi: 10.1109/CVPR.2016.282]
                 [32]  Kurakin A, Goodfellow I, Bengio S. Adversarial examples in the physical world. arXiv:1607.02533, 2017.
                 [33]  Papernot N, McDaniel P, Goodfellow I, Jha S, Celik ZB, Swami A. Practical black-box attacks against machine learning. In: Proc. of the
                     2017  ACM  on  Asia  Conf.  on  Computer  and  Communications  Security.  Abu  Dhabi:  ACM,  2017.  506 –519.  [doi:  10.1145/3052973.
                     3053009]
                 [34]  Papernot N, McDaniel P, Jha S, Fredrikson M, Celik ZB, Swami A. The limitations of deep learning in adversarial settings. In: Proc. of
                     the 2016 IEEE European Symp. on Security and Privacy (EuroS&P). Saarbruecken: IEEE, 2016. 372–387. [doi: 10.1109/EuroSP.2016.
                     36]
                 [35]  Pan WW, Wang XY, Song ML, Chen C. Survey on generating adversarial examples. Ruan Jian Xue Bao/Journal of Software, 2020,
                     31(1): 67–81 (in Chinese with English abstract). http://www.jos.org.cn/1000-9825/5884.htm [doi: 10.13328/j.cnki.jos.005884]
                 [36]  Tramèr F, Carlini N, Brendel W, Madry A. On adaptive attacks to adversarial example defenses. In: Proc. of the 34th Int’l Conf. on
                     Neural Information Processing Systems. Vancouver: Curran Associates Inc., 2020. 1633–1645.
                 [37]  Kurakin A, Goodfellow I, Bengio S. Adversarial machine learning at scale. arXiv:1611.01236, 2017.
                 [38]  Athalye A, Carlini N, Wagner D. Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In:
                     Proc. of the 35th Int’l Conf. on Machine Learning. Stockholm: PMLR, 2018. 274–283.
                 [39]  Papernot N, McDaniel P, Wu X, Jha S, Swami A. Distillation as a defense to adversarial perturbations against deep neural networks. In:
                     Proc. of the 2016 IEEE Symp. on Security and Privacy (SP). San Jose: IEEE, 2016. 582–597. [doi: 10.1109/SP.2016.41]
                 [40]  Carlini N, Wagner D. Towards evaluating the robustness of neural networks. In: Proc. of the 2017 IEEE Symp. on Security and Privacy
                     (SP). San Jose: IEEE, 2017. 39–57. [doi: 10.1109/SP.2017.49]
                 [41]  Gowal  S,  Uesato  J,  Qin  CL,  Huang  PS,  Mann  T,  Kohli  P.  An  alternative  surrogate  loss  for  PGD-based  adversarial  testing.
                     arXiv:1910.09338, 2019.
                 [42]  Gowal S, Qin CL, Uesato J, Mann T, Kohli P. Uncovering the limits of adversarial training against norm-bounded adversarial examples.
                     arXiv:2010.03593, 2021.