Zhe Zhao,Guangke Chen,Jingyi Wang,Yiwei Yang,Fu Song,Jun Sun

DOI: https://doi.org/10.1145/3460319.3464822

2021-01-01

Abstract:As a new programming paradigm, deep learning has expanded its application to many real-world problems. At the same time, deep learning based software are found to be vulnerable to adversarial attacks. Though various defense mechanisms have been proposed to improve robustness of deep learning software, many of them are ineffective against adaptive attacks. In this work, we propose a novel characterization to distinguish adversarial examples from benign ones based on the observation that adversarial examples are significantly less robust than benign ones. As existing robustness measurement does not scale to large networks, we propose a novel defense framework, named attack as defense (A2D), to detect adversarial examples by effectively evaluating an example’s robustness. A2D uses the cost of attacking an input for robustness evaluation and identifies those less robust examples as adversarial since less robust examples are easier to attack. Extensive experiment results on MNIST, CIFAR10 and ImageNet show that A2D is more effective than recent promising approaches. We also evaluate our defense against potential adaptive attacks and show that A2D is effective in defending carefully designed adaptive attacks, e.g., the attack success rate drops to 0% on CIFAR10.

Xiaoyu Lin,Chunjie Cao,Longjuan Wang,Zhiyuan Liu,Mengqian Li,Haiying Ma

DOI: https://doi.org/10.1007/978-3-031-06788-4_4

2022-01-01

Abstract:In recent years, deep learning has shown excellent performance in the field of computer vision. Nevertheless, researchers have found that the deep learning system does not have good robustness. Adding a insignificant amount of undetectable interference to the input of the deep learning system can lead to deep learning models fail, and these examples that make the model fail are called adversarial examples by researchers. The existence of adversarial examples will hinder the application and popularization of artificial intelligence-based deep learning systems. Therefore, we propose a denoising convolutional autoencoder incorporated with label knowledge (DCAL), a new method for defending against adversarial examples. The principle of which is DCAL as a pre-processing module before image classification, the image to be classified is denoised and reconstructed to obtain a innovative image, which is then sent to the classifier for classification. If we let the innovative image obtained by the adversarial examples through DCAL can make the classifier classify correctly, we will achieve the role of defending against the adversarial examples. The experimental results on two benchmark datasets including MNIST, CIFAR-10. Our experimental principally resisting the white-box attacks. The experimental results show that the proposed DCAL is superior to state-of-the-art defense methods in a white-box setting.

Mengqian Li,Chunjie Cao

DOI: https://doi.org/10.1109/icbda55095.2022.9760353

2022-01-01

Abstract:The Deep Neural Networks models have been extensively applied to many real-world areas due to their outstanding performance, especially to safety-critical applications such as autonomous vehicles, healthcare and face recognition. However, many types of research showed that they are easily disturbed by some carefully crafted tiny perturbations, which are called adversarial examples. Therefore, in this paper, a novel method is proposed as image preprocessing. When preprocessing, without discriminating the input images clean images or adversarial examples, the adaptive parameters adjust the images of label loss and pixel-level loss to jointly guide the model to generate reconstructed images and eliminate adversarial perturbation without affecting the images quality and classification result. Moreover, the model uses an architecture of a sparsity constraint that ensures that a neuron fires only for meaningful patterns, limiting the influence of adversarial perturbation on clean images. The defense proposed against attacks of FGSM, MI-FGSM, C&W, PGD, RAND+FGSM under the MNIST and CIFAR-10 datasets. The experimental results show that the target model can reach the average accuracy of 98% and 92% separately when the MNIST and CIFAR-10 datasets are attacked through the defense proposed, demonstrating the effectiveness of the proposed method.

Anouar Kherchouche,Sid Ahmed Fezza,Wassim Hamidouche

DOI: https://doi.org/10.1007/s00521-021-06330-x

2021-07-21

Neural Computing and Applications

Abstract:Despite the enormous performance of deep neural networks (DNNs), recent studies have shown their vulnerability to adversarial examples (AEs), i.e., carefully perturbed inputs designed to fool the targeted DNN. Currently, the literature is rich with many effective attacks to craft such AEs. Meanwhile, many defense strategies have been developed to mitigate this vulnerability. However, these latter showed their effectiveness against specific attacks and does not generalize well to different attacks. In this paper, we propose a framework for defending DNN classifier against adversarial samples. The proposed method is based on a two-stage framework involving a separate detector and a denoising block. The detector aims to detect AEs by characterizing them through the use of natural scene statistic (NSS), where we demonstrate that these statistical features are altered by the presence of adversarial perturbations. The denoiser is based on block matching 3D (BM3D) filter fed by an optimum threshold value estimated by a convolutional neural network (CNN) to project back the samples detected as AEs into their data manifold. We conducted a complete evaluation on three standard datasets, namely MNIST, CIFAR-10 and Tiny-ImageNet. The experimental results show that the proposed defense method outperforms the state-of-the-art defense techniques by improving the robustness against a set of attacks under black-box, gray-box and white-box settings. The source code is available at: https://github.com/kherchouche-anouar/2DAE.

computer science, artificial intelligence

Chai Xiuli,Wei Tongtong,Chen Zhen,He Xin,Gan Zhihua,Wu Xiangjun

DOI: https://doi.org/10.1007/s10489-022-03847-z

IF: 5.3

2022-01-01

Applied Intelligence

Abstract:Deep neural networks (DNNs) are prone to produce incorrect prediction results under the attack of adversarial samples. To cope with this problem, some defense methods are presented. However, most of them are based on adversarial training, which has great computational consumption and does not start from strengthening the architecture of the network model itself to resist the adversarial attack. Recent studies have shown that feature denoising can remove the adversarial perturbations in the adversarial samples. In this paper, we propose a lightweight denoising network with residual connection (LDN-RC), on which the internal denoising block and the intermediate denoising block are introduced for feature denoising and sample denoising, respectively; the two denoising blocks are combined in the network model, which can withstand the interference of the adversarial perturbations in the adversarial samples to a large extent and also save computational resources. In the training strategy, a two-stage denoising approach and fine-tuning are presented to train the RESNET network model on MNIST, CIFAR-10, and SVHN datasets, and the accuracy of the enhanced network model exceeds 60% on all three datasets under the $${L}_{\infty }$$ -PGD white-box attack, which demonstrate that LDN-RC can effectively improve the adversarial robustness of the network model.

Jinhui Li,Dahao Xu,Yining Qin,Xinyang Deng

DOI: https://doi.org/10.1109/ICUS55513.2022.9986817

2022-01-01

Abstract:As neural networks are playing a more and more significant role in many fields, they are also under the risk of being attacked by adversarial examples, which becomes a great challenge to the whole community. Due to this problem, networks cannot provide the guaranteed security when they are used in some security-sensitive scenarios. In this paper, a feature guided denoising network for adversarial defense is studied. Specifically, a denoising network is designed to remove possible adversarial perturbations on the input image. And a novel training method of the denoising network is proposed to improve the performance, in which deep features extracted from clean examples by the pretrained classifier is used as supervision information in the training process. Experimental results reveal that the proposed method shows satisfactory performance on defending against several white-box adversarial attacks. Besides, combination of the proposed method and adversarial training is studied, which achieves very good results compared to the other experiments reported in this paper.

Sandhya Aneja,Nagender Aneja,Pg Emeroylariffion Abas,Abdul Ghani Naim

DOI: https://doi.org/10.11591/ijai.v11.i3.pp961-968

2022-06-26

Abstract:Despite substantial advances in network architecture performance, the susceptibility of adversarial attacks makes deep learning challenging to implement in safety-critical applications. This paper proposes a data-centric approach to addressing this problem. A nonlocal denoising method with different luminance values has been used to generate adversarial examples from the Modified National Institute of Standards and Technology database (MNIST) and Canadian Institute for Advanced Research (CIFAR-10) data sets. Under perturbation, the method provided absolute accuracy improvements of up to 9.3% in the MNIST data set and 13% in the CIFAR-10 data set. Training using transformed images with higher luminance values increases the robustness of the classifier. We have shown that transfer learning is disadvantageous for adversarial machine learning. The results indicate that simple adversarial examples can improve resilience and make deep learning easier to apply in various applications.

Computer Vision and Pattern Recognition,Cryptography and Security,Machine Learning

Xuehu Liu,Zhixi Feng,Yue Ma,Shuyuan Yang,Zhihao Chang,Licheng Jiao

DOI: https://doi.org/10.1109/tgrs.2024.3412790

IF: 8.2

2024-06-21

IEEE Transactions on Geoscience and Remote Sensing

Abstract:Deep learning models (algorithms) have demonstrated their superior performance in interpreting Earth science and remote sensing data. However, adversarial examples generated with perturbations imperceptible to humans could render deep learning algorithms ineffective. This significant vulnerability of deep learning models, thus, inspires the exploration of defense methods resistible to adversarial examples. Although numerous countermeasures against adversarial examples have been proposed, the design of a universally applicable defense method across multiple scenarios still remains to be explored. In this study, we propose an effective denoising diffusion-based defense restore network (D3R-Net) based on the denoising diffusion model from the perspective of adversarial restoration, which transforms the adversarial examples into clean samples. Utilizing a highly effective denoising diffusion probabilistic model (DDPM), our D3R-Net transforms input adversarial examples into a state of noise, where diverse forms of adversarial noise transition into Gaussian noise. Subsequently, it captures semantic information through a series of iterative denoising steps. The pixel distribution of adversarial examples is restored in the proposed network to match the original distribution, enabling the classifier to identify adversarial examples correctly. Furthermore, we introduce a combined filtering module to preserve the semantic information of the original image, thereby further enhancing the defensive performance. Instead of modifying the model structure or excluding suspected samples, the proposed method restores the adversarial examples, making it simple yet effective and applicable to a broader range of scenarios. Extensive experiments are conducted on four benchmark datasets, and the results demonstrate that D3R-Net has significant defense capabilities against known and unknown attacks. Our source code is available at https://github.com/SIM-xidian/D3R-Net.

imaging science & photographic technology,remote sensing,engineering, electrical & electronic,geochemistry & geophysics

Chengxuan Li,Zhou Yang,Yang Xiao,Haozhao Liu,Yuning Zhang,Qingqi Pei

DOI: https://doi.org/10.1109/NaNA60121.2023.00092

2023-01-01

Abstract:Deep learning-based image recognition technology has significantly advanced the development of modern industrial intelligence. However, the issue of image adversarial examples that follows has gradually garnered the attention of researchers. By injecting adversarial disturbances that are difficult for humans to detect into the image, the deep learning model generates incorrect results, severely impacting the security of deep learning applications. To address this problem and improve the accuracy and robustness of deep learning image recognition models, a combined adversarial examples detection method based on residual learning and difference assessment has been proposed. To start, an image denoising module, based on residual learning and named ANDNet, is designed. This method incorporates a depth separable convolution structure and conducts step processing on the channel number of the hidden layer in ANDNet, which significantly reduces the model's memory consumption and improves its computational efficiency. In addition, the difference assessment involves computing the l <inf xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">1</inf> norm distance between the original image and the denoised image softmax output of the classification model, to measure the disparity between the input image before and after denoising. The obtained detection threshold from the training dataset is integrated with this difference evaluation to accomplish the task of testing the input image for adversarial detection. Both theoretical analysis and experimental results confirm the effectiveness of the ANDNet noise reduction network, as well as the efficacy of the adversarial examples detection scheme in identifying adversarial examples. The model exhibits exceptional performance in terms of detection accuracy and F1 value.

Jiawei Zhao,Lizhe Xie,Yuning Zhang,Siqi Gu,Zheng Wang,Yining Hu

DOI: https://doi.org/10.2139/ssrn.4850545

2024-01-01

Abstract:Deep Neural Networks (DNNs) have been shown to be vulnerable to adversarial examples. The existence of adversarial examples significantly hinders the development of deep learning technologies in domains with high-security requirements. However, current defense methods often lack universality, being effective only against specific adversarial attacks. This study focuses on analyzing adversarial examples through changes in model attention, classifying attack algorithms into attention-shifting and attention-attenuation categories. To counter attention-shifting attacks, a defense module named Feature Pyramid-based Attention Space-guided (FPAS) is proposed, which spatially retracts the shifting attention in adversarial examples, thereby enhancing the model's overall defense capability. Attention-based Non-Local (ANL) is a proposed defense module to counter attention-attenuation attacks. This module enhances the model's focus on critical features, efficiently constructing a robust defense model with low implementation cost and minimal intrusion into the original model. By integrating FPAS and ANL into the Wide-ResNet model within a boosting framework, the study demonstrates their synergistic defense capability. Even with eight adversarial samples embedded with adversarial patches, our FPAS_at and ANL_at models demonstrated significant improvements over the baseline, enhancing the average defense rate by 5.47% and 7.74%, respectively. Extensive experiments confirm that this universal defense strategy offers comprehensive protection against adversarial attacks at a lower implementation cost compared to current mainstream defense methods, while also being adaptable for integration with existing defense strategies to further enhance adversarial robustness.

Bin Liang,Hongcheng Li,Miaoqiang Su,Xirong Li,Wenchang Shi,Xiaofeng Wang

DOI: https://doi.org/10.1109/tdsc.2018.2874243

2018-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Recently, many studies have demonstrated deep neural network (DNN) classifiers can be fooled by the adversarial example, which is crafted via introducing some perturbations into an original sample. Accordingly, some powerful defense techniques were proposed. However, existing defense techniques often require modifying the target model or depend on the prior knowledge of attacks. In this paper, we propose a straightforward method for detecting adversarial image examples, which can be directly deployed into unmodified off-the-shelf DNN models. We consider the perturbation to images as a kind of noise and introduce two classic image processing techniques, scalar quantization and smoothing spatial filter, to reduce its effect. The image entropy is employed as a metric to implement an adaptive noise reduction for different kinds of images. Consequently, the adversarial example can be effectively detected by comparing the classification results of a given sample and its denoised version, without referring to any prior knowledge of attacks. More than 20,000 adversarial examples against some state-of-the-art DNN models are used to evaluate the proposed method, which are crafted with different attack techniques. The experiments show that our detection method can achieve a high overall F1 score of 96.39 percent and certainly raises the bar for defense-aware attacks.

Lu, Fang,Wang, Bin,Zhou, Boyang

DOI: https://doi.org/10.1007/s10489-023-05253-5

IF: 5.3

2024-01-14

Applied Intelligence

Abstract:Recent studies have shown that deep neural networks (DNNs) are vulnerable to adversarial examples (AEs). Denoising based on the input pre-processing is one of the defenses against adversarial attacks. However, it is hard to remove multiple adversarial perturbations, especially in the presence of evolving attacks. To address this challenge, we attempt to extract the commonality of adversarial perturbations. Due to the imperceptibility of adversarial perturbations in the input space, we conduct the extraction in the deep feature space where the perturbations become more apparent. Through the obtained common characteristics, we craft common adversarial examples (CAEs) to train the denoiser. Furthermore, to prevent image distortion while removing as much of the adversarial perturbation as possible, we propose a hybrid loss function that guides the training process at both the pixel level and the deep feature space. Our experiments show that our defense method can eliminate multiple adversarial perturbations, significantly enhancing adversarial robustness compared to previous state-of-the-art methods. Moreover, it can be plug-and-play for various classification models, which demonstrates the generalizability of our defense method.

computer science, artificial intelligence

Dhairya Vyas,Viral V. Kapadia

DOI: https://doi.org/10.7717/peerj-cs.1868

2024-03-09

PeerJ Computer Science

Abstract:Adversarial attacks pose a significant challenge to deep neural networks used in image classification systems. Although deep learning has achieved impressive success in various tasks, it can easily be deceived by adversarial patches created by adding subtle yet deliberate distortions to natural images. These attacks are designed to remain hidden from both human and computer-based classifiers. Considering this, we propose novel model designs that enhance adversarial strength with incorporating feature denoising blocks. Exclusively, proposed model utilizes Gaussian data augmentation (GDA) and spatial smoothing (SS) to denoise the features. These techniques are reasonable and can be mixed in a joint finding context to accomplish superior recognition levels versus adversarial assaults while also balancing other defenses. We tested the proposed approach on the ImageNet and CIFAR-10 datasets using 10-iteration projected gradient descent (PGD), fast gradient sign method (FGSM), and DeepFool attacks. The proposed method achieved an accuracy of 95.62% in under four minutes, which is highly competitive compared to existing approaches. We also conducted a comparative analysis with existing methods.

computer science, information systems, artificial intelligence, theory & methods

Wenqing Liu,Miaojing Shi,Teddy Furon,Li Li

DOI: https://doi.org/10.1145/3394171.3413604

2020-01-01

Abstract:This paper presents a DNN bottleneck reinforcement scheme to alleviate the vulnerability of Deep Neural Networks (DNN) against adversarial attacks. Typical DNN classifiers encode the input image into a compressed latent representation more suitable for inference. This information bottleneck makes a trade-off between the image-specific structure and class-specific information in an image. By reinforcing the former while maintaining the latter, any redundant information, be it adversarial or not, should be removed from the latent representation. Hence, this paper proposes to jointly train an auto-encoder (AE) sharing the same encoding weights with the visual classifier. In order to reinforce the information bottleneck, we introduce the multi-scale low-pass objective and multi-scale high-frequency communication for better frequency steering in the network. Unlike existing approaches, our scheme is the first reforming defense per se which keeps the classifier structure untouched without appending any pre-processing head and is trained with clean images only. Extensive experiments on MNIST, CIFAR-10 and ImageNet demonstrate the strong defense of our method against various adversarial attacks.

Fangzhou Liao,Ming Liang,Yinpeng Dong,Tianyu Pang,Xiaolin Hu,Jun Zhu

DOI: https://doi.org/10.1109/cvpr.2018.00191

2018-01-01

Abstract:Neural networks are vulnerable to adversarial examples, which poses a threat to their application in security sensitive systems. We propose high-level representation guided denoiser (HGD) as a defense for image classification. Standard denoiser suffers from the error amplification effect, in which small residual adversarial noise is progressively amplified and leads to wrong classifications. HGD overcomes this problem by using a loss function defined as the difference between the target model's outputs activated by the clean image and denoised image. Compared with ensemble adversarial training which is the state-of-the-art defending method on large images, HGD has three advantages. First, with HGD as a defense, the target model is more robust to either white-box or black-box adversarial attacks. Second, HGD can be trained on a small subset of the images and generalizes well to other images and unseen classes. Third, HGD can be transferred to defend models other than the one guiding it. In NIPS competition on defense against adversarial attacks, our HGD solution won the first place and outperformed other models by a large margin.

Qingan Da,Guoyin Zhang,Wenshan Wang,Yingnan Zhao,Dan Lu,Sizhao Li,Dapeng Lang

DOI: https://doi.org/10.3390/e25091306

IF: 2.738

2023-01-01

Entropy

Abstract:Deep neural networks have made great achievements in remote sensing image analyses; however, previous studies have shown that deep neural networks exhibit incredible vulnerability to adversarial examples, which raises concerns about regional safety and production safety. In this paper, we propose an adversarial denoising method based on latent representation guidance for remote sensing image scene classification. In the training phase, we train a variational autoencoder to reconstruct the data using only the clean dataset. At test time, we first calculate the normalized mutual information between the reconstructed image using the variational autoencoder and the reference image as denoised by a discrete cosine transform. The reconstructed image is selectively utilized according to the result of the image quality assessment. Then, the latent representation of the current image is iteratively updated according to the reconstruction loss so as to gradually eliminate the influence of adversarial noise. Because the training of the denoiser only involves clean data, the proposed method is more robust against unknown adversarial noise. Experimental results on the scene classification dataset show the effectiveness of the proposed method. Furthermore, the method achieves better robust accuracy compared with state-of-the-art adversarial defense methods in image classification tasks.

Wang Weidong,Li Zhi,Liu Shuaiwei,Zhang Li,Yang Jin,Wang Yi

DOI: https://doi.org/10.1016/j.imavis.2024.104931

IF: 3.86

2024-02-20

Image and Vision Computing

Abstract:Recently, it was found that deep neural networks (DNNs) are susceptible to adversarial input perturbations. Most defense strategies adopt the denoising method based on preprocessing, which mitigates the impacts of adversarial perturbations on DNNs by learning the distributions of nonadversarial datasets and projecting adversarial inputs into the learned nonadversarial manifolds. However, existing defense strategies commonly focus on reconstructing clean images while ignoring the role of adversarial perturbations, which results in the reconstructed images failing to achieve the visual quality and classification accuracy of the original clean images, and the induced adversarial robustness improvement is limited. This paper proposes a feature decoupling-interaction network (FDIN), which introduces the concepts of clean features and adversarial features to separate the two kinds of features from the input adversarial examples (AEs) in a feature decoupling-interaction manner. The clean features are used to reconstruct the input image so that it is infinitely close to the original clean image, and the adversarial features are used to reconstruct the adversarial perturbations. Adversarial perturbations are removed from the adversarial examples across multiple cross cycles to improve further the reconstructed image's visual quality and classification accuracy. The features of the original clean image are used as prior knowledge to guide the network to learn the clean features of the adversarial examples and improve the classification accuracy of the model on the clean examples. In addition, a classification loss function based on the Carlini & Wagner (CW) attack algorithm is used instead of the conventional cross-entropy loss function to improve the adversarial robustness of the FDIN. The experimental results show that the proposed method achieves better defense performance than the current state-of-the-art methods on both standard tests and various attack tests and even exceeds the test accuracy of the target classifier on the original test set.

computer science, artificial intelligence, theory & methods,engineering, electrical & electronic, software engineering,optics

Sheng-lin Yin,Xing-lan Zhang,Li-yu Zuo

DOI: https://doi.org/10.1016/j.neucom.2021.12.080

IF: 6

2022-03-01

Neurocomputing

Abstract:Although deep neural networks achieve outstanding performance in many tasks, adding very imperceptible perturbations to clean images can easily fool the deep neural network. In this paper, we propose a new defence model: Adversarial Memory Variational AutoEncoder(AdMVAE), that can be used to transform adversarial images into clean images. At inference time, it finds an output that is similar to a given image in a high probability region of the manifold space. And the memory module uses normal features to reconstruct the image in the process of reconstruction. It can effectively prevent the reconstruction of malicious perturbations and avoid defense failure. Our approach is a pre-processing module that does not change the results of the classifier. Therefore, it can be combined with other defence models to jointly improve the performance robustness of the classifier. The experimental results on three benchmark datasets including Fashion-MNIST, CIFAR10 and Imagenet show that the proposed method outperforms the state-of-the-art defense methods.

computer science, artificial intelligence

Han Zhang,Xin Zhang,Yuan Sun,Lixia Ji

DOI: https://doi.org/10.1016/j.imavis.2024.105238

IF: 3.86

2024-08-26

Image and Vision Computing

Abstract:Deep learning models are highly vulnerable to adversarial examples, leading to significant attention on techniques for detecting them. However, current methods primarily rely on detecting image features for identifying adversarial examples, often failing to address the diverse types and intensities of such examples. We propose a novel adversarial example detection method based on perturbation estimation and denoising to overcome this limitation. We develop an autoencoder to predict the latent adversarial perturbations of samples and select appropriately sized noise based on these predictions to cover the perturbations. Subsequently, we employ a non-blind denoising autoencoder to remove noise and residual perturbations effectively. This approach allows us to eliminate adversarial perturbations while preserving the original information, thus altering the prediction results of adversarial examples without affecting predictions on benign samples. Inconsistencies in predictions before and after processing by the model identify adversarial examples. Our experiments on datasets such as MNIST, CIFAR-10, and ImageNet demonstrate that our method surpasses other advanced detection methods in accuracy.

computer science, artificial intelligence, theory & methods,engineering, electrical & electronic, software engineering,optics

Cihang Xie,Yuxin Wu,Laurens van der Maaten,Alan Yuille,Kaiming He

2019-03-26

Abstract:Adversarial attacks to image classification systems present challenges to convolutional networks and opportunities for understanding them. This study suggests that adversarial perturbations on images lead to noise in the features constructed by these networks. Motivated by this observation, we develop new network architectures that increase adversarial robustness by performing feature denoising. Specifically, our networks contain blocks that denoise the features using non-local means or other filters; the entire networks are trained end-to-end. When combined with adversarial training, our feature denoising networks substantially improve the state-of-the-art in adversarial robustness in both white-box and black-box attack settings. On ImageNet, under 10-iteration PGD white-box attacks where prior art has 27.9% accuracy, our method achieves 55.7%; even under extreme 2000-iteration PGD white-box attacks, our method secures 42.6% accuracy. Our method was ranked first in Competition on Adversarial Attacks and Defenses (CAAD) 2018 --- it achieved 50.6% classification accuracy on a secret, ImageNet-like test dataset against 48 unknown attackers, surpassing the runner-up approach by ~10%. Code is available at <a class="link-external link-https" href="https://github.com/facebookresearch/ImageNet-Adversarial-Training" rel="external noopener nofollow">this https URL</a>.

Computer Vision and Pattern Recognition