├── 2024
│   ├── ICML
│   │   └── Readme.md
│   └── CVPR
│       └── Readme.md
├── GenerativeModel-based
│   ├── Generating-Natural-Adversarial-Examples.md
│   ├── Towards-Feature-Space-Adversarial-Attack.md
│   ├── AAAI2018.md
│   ├── CVPR2018.md
│   ├── Constructing-Unrestricted-Adversarial-Examples-with-Generative-Models.md
│   ├── Rob-GAN.md
│   ├── AdvGAN++.md
│   ├── ICCV2023.md
│   ├── IJCAI2018.md
│   ├── AdvDiffuser.md
│   ├── AdvDiff.md
│   └── Diff-PGD.md
├── Gradient-based
│   ├── Intriguing-properties-of-neural-networks.md
│   └── FGSM.md
├── Semantic-Methods
│   ├── Cont_UAA.md
│   ├── SAE.md
│   ├── AMT_GAN.md
│   ├── SemanticAdv.md
│   ├── semantic_adv_via_dm.md
│   ├── Color_Texture_Attack.md
│   └── SAA.md
├── Video_attack
│   └── SVA.md
├── LargeScaleModel
│   ├── SAM_Meets_UAP.md
│   ├── Black-box_Attack_SAM.md
│   └── Attack-SAM.md
└── README.md
/GenerativeModel-based/Generating-Natural-Adversarial-Examples.md:
--------------------------------------------------------------------------------
# [Generating Natural Adversarial Examples](https://arxiv.org/abs/1710.11342)

--------------------------------------------------------------------------------
/GenerativeModel-based/Towards-Feature-Space-Adversarial-Attack.md:
--------------------------------------------------------------------------------
# [Towards Feature Space Adversarial Attack](https://arxiv.org/abs/2004.12385)

--------------------------------------------------------------------------------
/GenerativeModel-based/AAAI2018.md:
--------------------------------------------------------------------------------
# [Learning to Attack: Adversarial Transformation Networks](https://ojs.aaai.org/index.php/AAAI/article/view/11672)

--------------------------------------------------------------------------------
/GenerativeModel-based/CVPR2018.md:
--------------------------------------------------------------------------------
# [NAG: Network for adversary generation](https://arxiv.org/abs/1712.03390)

Summary: as in ATN, a generative network is trained on a dataset to produce a single universal adversarial perturbation, rather than a perturbation specific to each image.

--------------------------------------------------------------------------------
/Gradient-based/Intriguing-properties-of-neural-networks.md:
--------------------------------------------------------------------------------
# [Intriguing Properties of Neural Networks](https://arxiv.org/abs/1312.6199)

Summary: the seminal paper on adversarial examples. It found that adding an imperceptible perturbation to a target sample can drastically change a neural network's output.

--------------------------------------------------------------------------------
/Semantic-Methods/Cont_UAA.md:
--------------------------------------------------------------------------------
# [Content-based Unrestricted Adversarial Attack](https://arxiv.org/abs/2305.10665)

## Summary
**Semantic-attack / White-and-black-box / StableDiffusion**


--------------------------------------------------------------------------------
/GenerativeModel-based/Constructing-Unrestricted-Adversarial-Examples-with-Generative-Models.md:
--------------------------------------------------------------------------------
# [Constructing Unrestricted Adversarial Examples with Generative Models](https://arxiv.org/abs/1805.07894)


--------------------------------------------------------------------------------
/GenerativeModel-based/Rob-GAN.md:
--------------------------------------------------------------------------------
# [Rob-GAN: Generator, Discriminator, and Adversarial Attacker](https://openaccess.thecvf.com/content_CVPR_2019/html/Liu_Rob-GAN_Generator_Discriminator_and_Adversarial_Attacker_CVPR_2019_paper.html)

--------------------------------------------------------------------------------
/GenerativeModel-based/AdvGAN++.md:
--------------------------------------------------------------------------------
# [AdvGAN++: Harnessing Latent Layers for Adversary Generation](https://openaccess.thecvf.com/content_ICCVW_2019/html/NeurArch/Jandial_AdvGAN_Harnessing_Latent_Layers_for_Adversary_Generation_ICCVW_2019_paper.html)

--------------------------------------------------------------------------------
/Gradient-based/FGSM.md:
--------------------------------------------------------------------------------
# FGSM: [Explaining and Harnessing Adversarial Examples](https://arxiv.org/abs/1412.6572)

Summary: proposes the linear explanation of adversarial examples and a classic attack built on it: backpropagate the loss to the input to obtain each pixel's contribution to the loss, then move every pixel by a fixed step $\epsilon$ in the direction of the sign of its gradient so that the loss increases (the opposite of the usual training objective). This is the Fast Gradient Sign Method (FGSM).

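As an added illustration, not code from the paper or from this repository, the following pure-Python example runs FGSM on a logistic-regression classifier with hand-written gradients, so it needs no ML framework. The weights, the input and $\epsilon$ are all constructed here. It also checks the linear explanation the paper gives: for a linear model the perturbation $\epsilon \cdot \mathrm{sign}(w)$ shifts the logit by exactly $\epsilon \|w\|_1$, which grows with the input dimension, so the same $\epsilon$ that fails at 16 dimensions flips the prediction at 64.

```python
import math


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def sign(v):
    return (v > 0) - (v < 0)


def logit(w, b, x):
    return sum(wi * xi for wi, xi in zip(w, x)) + b


def loss_and_grad(w, b, x, y):
    """Binary cross-entropy l(f(x), y) and its gradient with respect to the
    input x.  For a logistic model dl/dz = p - y, hence dl/dx_i = (p - y) * w_i."""
    p = sigmoid(logit(w, b, x))
    loss = -(y * math.log(p) + (1 - y) * math.log(1 - p))
    grad = [(p - y) * wi for wi in w]
    return loss, grad


def fgsm(w, b, x, y, eps):
    """x_adv = clip(x + eps * sign(grad_x l(f(x), y)), 0, 1): a single step of
    size eps per pixel in the direction that increases the loss."""
    _, grad = loss_and_grad(w, b, x, y)
    return [min(1.0, max(0.0, xi + eps * sign(g))) for xi, g in zip(x, grad)]


def demo(n, eps=0.05):
    """Constructed toy model of input dimension n: alternating weights +-0.3,
    a uniform grey input and a bias chosen so the clean logit is +0.5 (y = 1)."""
    w = [0.3 * (-1) ** i for i in range(n)]
    x = [0.5] * n
    b = 0.5 - logit(w, 0.0, x)          # clean logit = 0.5 regardless of n
    y = 1
    x_adv = fgsm(w, b, x, y, eps)
    loss_clean, _ = loss_and_grad(w, b, x, y)
    loss_adv, _ = loss_and_grad(w, b, x_adv, y)
    return {
        "n": n,
        "p_clean": sigmoid(logit(w, b, x)),
        "p_adv": sigmoid(logit(w, b, x_adv)),
        "loss_increase": loss_adv - loss_clean,
        "logit_shift": logit(w, b, x_adv) - logit(w, b, x),
        # linear explanation: the sign step moves the logit by -eps * ||w||_1
        "predicted_shift": -eps * sum(abs(wi) for wi in w),
        "linf": max(abs(a - c) for a, c in zip(x_adv, x)),
    }


if __name__ == "__main__":
    for n in (16, 64, 256):
        r = demo(n)
        print(f"n={r['n']:4d}  p(y=1) clean={r['p_clean']:.3f}  adv={r['p_adv']:.3f}  "
              f"logit shift={r['logit_shift']:+.3f}  (linear prediction {r['predicted_shift']:+.3f})")
```

Per-pixel change never exceeds $\epsilon = 0.05$, yet the logit shift scales with $n$; this is the dimensionality argument of the paper in miniature.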
--------------------------------------------------------------------------------
/Semantic-Methods/SAE.md:
--------------------------------------------------------------------------------
# [Semantic Adversarial Examples](https://openaccess.thecvf.com/content_cvpr_2018_workshops/w32/html/Hosseini_Semantic_Adversarial_Examples_CVPR_2018_paper.html)

## Summary
Attacks through a colour-space transformation: the image is converted from RGB to HSV and its hue and saturation are shifted until the target model misclassifies. An early semantic-level attack; the method is very simple and the visual change to the image is large.

--------------------------------------------------------------------------------
/Video_attack/SVA.md:
--------------------------------------------------------------------------------
# Sparse Black-Box Video Attack with Reinforcement Learning

## Abstract
Earlier video attacks either treat every frame equally or select key frames with a strategy that is independent of the attack itself. The authors argue that key-frame selection should be tightly coupled to the attack, so they embed the black-box video attack in an RL framework: the video recognition model is the environment and the RL agent selects the frames. Tests on two video classification models (C3D and LRCN) show that the method is effective.


--------------------------------------------------------------------------------
/Semantic-Methods/AMT_GAN.md:
--------------------------------------------------------------------------------
# [Protecting Facial Privacy: Generating Adversarial Identity Masks via Style-robust Makeup Transfer](https://openaccess.thecvf.com/content/CVPR2022/html/Hu_Protecting_Facial_Privacy_Generating_Adversarial_Identity_Masks_via_Style-Robust_Makeup_CVPR_2022_paper.html)

## [Github repository](https://github.com/CGCL-codes/AMT-GAN)

--------------------------------------------------------------------------------
/GenerativeModel-based/ICCV2023.md:
--------------------------------------------------------------------------------
# Downstream-agnostic Adversarial Examples

## Abstract
Targeting the "pre-train, then fine-tune" paradigm, the paper asks whether one can attack the pre-trained encoder directly and obtain a universal adversarial perturbation (UAP) while both the downstream task and the downstream data are unknown. It further assumes that the encoder may be fine-tuned on the downstream task and defended with adversarial training, which makes the setting harder still.

## Method
Train a generator $\mathcal{G}$ that takes a fixed noise distribution $z$ as input and outputs a universal adversarial perturbation; adding it to a clean image gives an adversarial example. In essence a surrogate dataset is chosen and a generator is optimised on it to produce one UAP, rather than a perturbation specific to each input image. Training is supervised by three losses:

1) Quality loss: is the perturbation small enough to be imperceptible?
2) HFC loss: does the perturbation destroy the high-frequency components of the original image? (The authors argue that high-frequency features such as texture are critical for correct recognition.)
3) Adv loss: do the features extracted by the pre-trained encoder differ from those of the clean image?

--------------------------------------------------------------------------------
/Semantic-Methods/SemanticAdv.md:
--------------------------------------------------------------------------------
# [SemanticAdv: Generating Adversarial Examples via Attribute-conditioned Image Editing](https://www.ecva.net/papers/eccv_2020/papers_ECCV/papers/123590018.pdf)

## [Github repository](https://github.com/AI-secure/SemanticAdv)

## Summary
Achieves the attack by editing the original image at the semantic level.

## Method
Given an original image, an attribute-conditioned image editing model (StarGAN in the paper) first performs a semantic edit, producing a synthetic image that is very close to the original and differs in a single semantic dimension. Interpolating between the feature maps of the original and the edited image in feature space then yields an adversarial example lying between the two.

## Experiments
Classification attacks on a face recognition dataset and segmentation attacks on Cityscapes. The method is fairly limited; StarGAN seems to work well mainly on faces. The classification attack works well, the segmentation attack is less convincing, and only a few examples are shown.

--------------------------------------------------------------------------------
/Semantic-Methods/semantic_adv_via_dm.md:
--------------------------------------------------------------------------------
# [Semantic Adversarial Attacks via Diffusion Models](https://arxiv.org/abs/2309.07398)

## [Github repository](https://github.com/steven202/semantic_adv_via_dm)

## Summary
**Semantic-attack / White-and-black-box / Diffusion**

Semantic attacks currently follow two directions: 1) transforming colour and texture features; 2) operating in a latent space to perform semantic edits. The authors see two problems with earlier methods: 1) GAN-based methods are not realistic enough; 2) generation is slow, which rules out large-scale attacks. Building on diffusion models, the paper therefore proposes the ST (Semantic Transformation) and LM (Latent Masking) methods.

## Method
ST is built on DiffusionCLIP: given an original image $x_{0}$ and an attribute prompt $t$, DiffusionCLIP generates the edited image; the loss between the classifier output and the true label is then backpropagated to update $x_{T}$ in the latent space. This is very similar to the earlier attribute-conditioned GAN approaches, with the GAN simply replaced by a diffusion model.

LM follows the idea of image composition: Grad-CAM or saliency maps locate the regions of the original image that contribute most to the target classifier, and those regions are replaced (fully or partially) by the corresponding regions of a similar image so as to mislead the classifier. **Its drawbacks are that it still needs gradients from the attacked model, and that the attacked image and the donor image must be quite similar.**

--------------------------------------------------------------------------------
/GenerativeModel-based/IJCAI2018.md:
--------------------------------------------------------------------------------
# AdvGAN: [Generating adversarial examples with adversarial networks](https://arxiv.org/abs/1801.02610)

GAN / Black-box / One-shot attack
### Abstract
Proposes AdvGAN, which uses a generative network to learn and approximate the distribution of the original data so as to produce high-quality adversarial examples efficiently. Attack performance is tested in the semi-white-box and black-box settings.
Main contributions:
1. Unlike earlier optimisation-based methods, a conditional adversarial network is trained to generate adversarial examples;
2. A black-box attack based on a distilled model;
3. Against SOTA defences, AdvGAN achieves the highest attack success rate;
4. Placed first in the MNIST Challenge (2017).

### Method
At heart it is a plain GAN: the original input passes through a generator $\mathcal{G}$ to give a perturbation $\mathcal{G}(x)$, which is added to the image to form the adversarial example $x + \mathcal{G}(x)$. This is fed both to a discriminator $\mathcal{D}$, giving a loss $\mathcal{L}_{GAN}$ that measures similarity to the original input, and to the target model $f$, giving a loss $\mathcal{L}_{adv}$ that measures the deviation from the true label. A further hinge loss $\mathcal{L}_{hinge}$ bounds the magnitude of the perturbation. The overall objective is a weighted sum of the three.

### Experiments
Semi-white-box and black-box attacks on MNIST and CIFAR-10, plus a semi-white-box attack on ImageNet.

--------------------------------------------------------------------------------
/LargeScaleModel/SAM_Meets_UAP.md:
--------------------------------------------------------------------------------
# [Segment Anything Meets Universal Adversarial Perturbation](https://arxiv.org/abs/2310.12431)

## Abstract
Unlike conventional image-centric attacks, the paper proposes a perturbation-centric universal attack (Universal Adversarial Perturbation, UAP).

## Method
Conventional gradient-based attacks generate a perturbation for each specific image, whereas image-agnostic methods look for one perturbation that works on most input images. Some methods swap the base image at each PGD iteration to keep the perturbation from overfitting to a single image and thereby improve its generalisation; such perturbations attack poorly, however, and the paper conjectures that changing the image at every iteration changes the optimisation objective, which hinders optimisation. The paper abandons the earlier perspective that focuses on the masks generated from $x_{clean}$ and $x_{adv}$, treats the UAP as an independent input, and proposes to optimise it with self-supervised contrastive learning.

The method description in the paper is far from clear, though. Figure 1(b) shows the perturbation being optimised as the anchor sample, its augmented version as the positive sample, and the feature maps of natural images after the image encoder as negative samples; the objective minimises the anchor-positive distance and maximises the anchor-negative distance. But the figure does not explain what the model is here (SAM?) or in what form the perturbation is fed to it. If it is the bare noise image, why feed a noise image directly to SAM, and how does that guarantee an attack effect once it is added to a natural image? If it is added to an image, why minimise the distance between the predictions for an adversarial example and for its augmented version?

--------------------------------------------------------------------------------
/Semantic-Methods/Color_Texture_Attack.md:
--------------------------------------------------------------------------------
# [Unrestricted Adversarial Examples via Semantic Manipulation](https://arxiv.org/abs/1904.06347)

## [Github repository](https://github.com/AI-secure/Big-but-Invisible-Adversarial-Attack)

## Summary
**Semantic-attack / White-box**

Attacks through semantic manipulation, i.e. changing the colour and texture of the input image. (Why white-box?)

## Method
### Colorization attack
Uses an existing real-time colorization model (Real-Time User-Guided Image Colorization with Learned Deep Priors), changing the grey regions of the original image through user-click hints.
### Texture attack
Texture transfer can be regarded as a task similar to style transfer. As the authors explain, their method minimises the distance between the cross-layer Gram matrices of the two images. The optimisation loss has two parts:

$$ L^{\mathcal{A}}_{tAdv} = \alpha L_{t}^{\mathcal{A}} (I_{v}, I_{t}) + \beta J_{adv}(\mathcal{F}(I_{v}), t) $$

where $L_{t}^{\mathcal{A}}$ is the texture transfer loss and $J_{adv}$ is a cross-entropy loss; the $t$ in that loss appears to be the class of the texture source image, and the authors state that the term helps the optimisation.

## Experiments
Classification attacks on images from 10 randomly chosen, clearly different ImageNet classes, and image captioning attacks on randomly chosen MSCOCO images.

--------------------------------------------------------------------------------
/GenerativeModel-based/AdvDiffuser.md:
--------------------------------------------------------------------------------
# [AdvDiffuser: Natural Adversarial Example Synthesis with Diffusion Models](https://openaccess.thecvf.com/content/ICCV2023/html/Chen_AdvDiffuser_Natural_Adversarial_Example_Synthesis_with_Diffusion_Models_ICCV_2023_paper.html)

Summary: the first work to synthesise natural adversarial examples with a diffusion model.

## 3. Method
The method has two parts: adversarial guidance and adversarial inpainting. Given an original image $\mathbf{x}$, first compute its Grad-CAM with respect to the target classifier $f$ to obtain a mask $m$, then invert it to obtain the inverse mask $(1-m)$; the two control which region receives the bulk of the perturbation and which does not. In the reverse diffusion process, the noisy sample $x_t$ at step $t$ is passed through the denoising network $p_{\theta}$ to give $\widetilde{x}_{t-1}$, which is fed to the target classifier $f$ and perturbed with PGD. The mask and its inverse control the perturbation strength on the object and on the background respectively:

$$ x_{t-1} = m \odot x^{obj}_{t-1} + (1-m) \odot \hat{x}_{t-1} $$

where

$$ x^{obj}_{t-1} \sim \mathcal{N} \left( \sqrt{\overline{\alpha}_{t}} \, \mathbf{x}_{0}, (1 - \overline{\alpha}_{t} ) \mathbf{I} \right), $$

$$ \hat{x}_{t-1} = \mathrm{PGD}( \widetilde{x}_{t-1}, f, \sigma \beta_{t-1}, I ), $$

$$ \widetilde{x}_{t-1} \sim p_{\theta}( \mathbf{x}_{t-1} \mid \mathbf{x}_t ) $$

--------------------------------------------------------------------------------
/Semantic-Methods/SAA.md:
--------------------------------------------------------------------------------
# [Semantic Adversarial Attacks: Parametric Transformations That Fool Deep Classifiers](https://arxiv.org/abs/1904.08489)

## Summary
**Semantic-attack / White-box / GAN**

Proposes a semantic attack for a particular kind of input. For images that have salient, invariant features as well as variable attributes (faces, for instance: skin tone, proportions and facial features are salient and invariant, while hair colour or wearing glasses are variable attributes whose change does not affect how the image as a whole is recognised), changing some of the attributes can also produce adversarial examples. These examples differ greatly from the original, yet to a human eye they clearly show the same person, while still misleading the classifier. This form of attack is more practically meaningful, since we need face recognition systems to be unaffected by hair colour, glasses or masks, and autonomous driving systems to be unaffected by weather, road surface and lighting. The experiments are very limited, however: only attacks on a binary gender classifier for faces are reported (the authors state that their framework "transparently extends to multi-class models"). The attack is called a "parametric transformation", or an attack in "parametric space", because the visual features to be edited must first be parameterised into an input vector, so the editing space is a parameter space.

## Method
Given an input image $x_{0}$ and an attribute vector $a_{0}$, an off-the-shelf attribute encoder $E(\cdot)$ first encodes it into parameter space as $\overline{a}_{0}$; an off-the-shelf parametric generator $G(\cdot, \cdot)$ then produces the edited sample $x_{i}$, which is fed to the attacked classifier $f(\cdot)$ to obtain the current prediction $h_{i}$. If $h_{i} = y$, compute the loss $l_{adv}$ against the true class $y$, backpropagate it to update the attribute vector to $\overline{a}_{i}$, and repeat until the prediction differs from the true class, $h_{i} \neq y$.

The concrete models used are Fader Networks and Attribute GANs.

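The loop just described, as an added pure-Python example that is not the paper's code: a two-parameter linear "editor" stands in for $E(\cdot)$ and $G(\cdot,\cdot)$, a logistic classifier for $f(\cdot)$, and the weights, the attribute directions and the image are all constructed. Only the attribute vector is optimised, so the pixel change is confined to the generator's range; it is far larger than a conventional 8/255 $\ell_\infty$ budget yet described by just two numbers.

```python
import math

N_PIX, K = 12, 2                       # 12 "pixels", 2 editable attributes

# Toy attribute-conditioned generator G(x0, a) = clip(x0 + A a): attribute 0
# brightens the left half, attribute 1 brightens the whole image.  Fader Networks
# and AttGAN are nonlinear; the attack only needs dG/da, which here is A.
A = [[1.0 if i < N_PIX // 2 else 0.0, 1.0] for i in range(N_PIX)]   # N_PIX x K

# Logistic classifier f under attack; weights and bias are constructed so that the
# unedited image below has logit +1.0 for its true class y = 1.
W = [2.0 * (-1) ** i + 0.5 for i in range(N_PIX)]
B = -2.0


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def generate(x0, a):
    # the clip never binds for the attribute values reached in this example
    return [min(1.0, max(0.0, x0[i] + sum(A[i][k] * a[k] for k in range(K))))
            for i in range(N_PIX)]


def logit(x):
    return sum(wi * xi for wi, xi in zip(W, x)) + B


def parametric_attack(x0, y, lr=0.05, max_iter=50):
    """Gradient ascent on the adversarial loss in attribute space.  Each round
    generates x_i = G(x0, a_i), reads the prediction h_i = f(x_i) and, while
    h_i == y, updates a with dl/da = A^T dl/dx (chain rule through G)."""
    a = [0.0] * K                      # a_0: the unedited attribute vector
    x = list(x0)
    for it in range(max_iter + 1):
        x = generate(x0, a)
        p = sigmoid(logit(x))
        h = int(p > 0.5)
        if h != y:                     # stop at the first misclassified edit
            return {"success": True, "iterations": it, "a": a, "x_adv": x,
                    "linf_pixel": max(abs(xi - x0i) for xi, x0i in zip(x, x0))}
        g_x = [(p - y) * wi for wi in W]                                  # dl/dx, cross-entropy
        g_a = [sum(A[i][k] * g_x[i] for i in range(N_PIX)) for k in range(K)]
        a = [ak + lr * gk for ak, gk in zip(a, g_a)]                      # ascend: push h away from y
    return {"success": False, "iterations": max_iter, "a": a, "x_adv": x, "linf_pixel": 0.0}


X0 = [0.5] * N_PIX   # constructed "image"; its true label is y = 1

if __name__ == "__main__":
    r = parametric_attack(X0, 1)
    print(r["success"], r["iterations"], [round(v, 3) for v in r["a"]], round(r["linf_pixel"], 3))
```

The attack succeeds after two attribute updates; the resulting per-pixel change (about 0.3) would be rejected by any pixel-space budget, which is exactly the point of attacking in parameter space.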
--------------------------------------------------------------------------------
/GenerativeModel-based/AdvDiff.md:
--------------------------------------------------------------------------------
# [AdvDiff: Generating Unrestricted Adversarial Examples using Diffusion Models](https://arxiv.org/abs/2307.12499)

## Abstract
The paper argues that earlier GAN-based adversarial example generators are poorly explained in theory and produce unrealistic results that differ markedly from natural data, and that the existing Attack Success Rate (ASR) based evaluation does not reflect generation quality. Diffusion models generate higher-quality samples and are more interpretable, so the paper proposes a diffusion-based method for unrestricted adversarial examples that preserves the quality of the result by gradually adding imperceptible perturbations to the sample at every step of the diffusion process. The method outperforms GAN-based methods on MNIST and ImageNet.

## Method: Adversarial Diffusion Sampling
### Adversarial Guidance
In classifier-guided diffusion, class-conditional generation is achieved by adding a classifier's gradient as guidance to the diffusion model. Analogously, the paper injects an adversarial gradient into the diffusion process, so that while the model conditions on the given label $y$ it also moves toward the attack target $y_{adv}$. The aim is to use a conditional diffusion model to generate a sample $x_{0}$ that matches the ground truth $y$ while fooling the target classifier, $p_{f}(x_{0}) \neq y$. The key is to replace, at every step of the reverse process, the classifier gradient of the generated sample with the adversarial gradient toward the attack target and inject it into that step. The authors find that specifying an attack label $y_a$ helps:

$$ x_{t-1} = \mu(x_{t}, y) + \sigma_{t} \varepsilon, $$

$$ x_{t-1}^{*} = x_{t-1} + \sigma_{t}^{2} \, s \, \nabla_{x_{t-1}} \log p_{f} (y_{a} \mid x_{t-1}) $$

Through this process, an initial sample $x$ of class $y$ (say a dog image) and the false class $y_a$ (cat) are fed in together; misled by the classifier, the diffusion model links the visual features of the dog to the classifier's output "cat", and can thus generate many dog images that the classifier recognises as "cat".

## Experiments
Tested on MNIST and ImageNet.

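The guidance step above, as an added example (not the paper's code): the only part that mirrors AdvDiff's equations is the update $x_{t-1}^{*} = x_{t-1} + \sigma_t^2 s \nabla \log p_f(y_a \mid x_{t-1})$. The conditional denoiser mean $\mu(x_t, y)$ is a constructed stand-in (a contraction toward a class mean in 2-D), the classifier $f$ is a constructed logistic model, and $\sigma_t$ is held constant. The example measures ASR over many sampling runs and, as a crude quality proxy, whether the samples still sit nearer the source-class mean than the target-class mean, i.e. whether they remain "dogs".

```python
import math
import random

# Binary classifier f under attack (logistic in 2-D).  Label 0 is the source
# class y ("dog"), label 1 the attack label y_a ("cat").  Weights are constructed
# so that the dog mean has logit -3 and the cat mean logit +1.
W_F, B_F = (1.0, 3.0), -1.0
MEAN = {0: (-2.0, 0.0), 1: (2.0, 0.0)}      # class-conditional means of the toy data
KAPPA, SIGMA, T = 0.15, 0.2, 60             # denoiser contraction, noise level, reverse steps


def p_f(x):
    """p_f(y_a = 1 | x)."""
    z = W_F[0] * x[0] + W_F[1] * x[1] + B_F
    return 1.0 / (1.0 + math.exp(-z))


def grad_log_p_f(x, y_adv):
    """grad_x log p_f(y_adv | x): (1 - p) w for y_adv = 1, -p w for y_adv = 0."""
    p = p_f(x)
    c = (1.0 - p) if y_adv == 1 else -p
    return (c * W_F[0], c * W_F[1])


def reverse_mean(x, y):
    """Stand-in for the conditional denoiser mean mu(x_t, y): a contraction
    toward the mean of class y.  A trained DDPM predicts this from (x_t, t, y)."""
    mx, my = MEAN[y]
    return (x[0] + KAPPA * (mx - x[0]), x[1] + KAPPA * (my - x[1]))


def adversarial_sample(y, y_adv, s, rng):
    """AdvDiff-style sampling.  Each step: x_{t-1} = mu(x_t, y) + sigma * eps,
    then x_{t-1}^* = x_{t-1} + sigma^2 * s * grad log p_f(y_adv | x_{t-1}).
    s = 0 gives ordinary conditional sampling of class y."""
    x = (rng.gauss(0, 1), rng.gauss(0, 1))
    for _ in range(T):
        mx, my = reverse_mean(x, y)
        x = (mx + SIGMA * rng.gauss(0, 1), my + SIGMA * rng.gauss(0, 1))
        if s:
            gx, gy = grad_log_p_f(x, y_adv)
            x = (x[0] + SIGMA ** 2 * s * gx, x[1] + SIGMA ** 2 * s * gy)
    return x


def dist(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])


def evaluate(s, n_runs=200, seed=0):
    """Returns (attack success rate, fraction of samples still closer to the
    source-class mean than to the target-class mean) for guidance scale s."""
    rng = random.Random(seed)
    fooled = natural = 0
    for _ in range(n_runs):
        x = adversarial_sample(0, 1, s, rng)
        fooled += p_f(x) > 0.5
        natural += dist(x, MEAN[0]) < dist(x, MEAN[1])
    return fooled / n_runs, natural / n_runs


if __name__ == "__main__":
    for s in (0.0, 25.0):
        asr, nat = evaluate(s)
        print(f"s={s:5.1f}  classified as y_a: {asr:.2f}   closer to class-y mean: {nat:.2f}")
```

With $s = 0$ the samples are ordinary "dogs" and the classifier is almost never fooled; with $s = 25$ nearly every sample is classified "cat" while still lying much closer to the dog mean, because the guidance term shrinks as $p_f(y_a \mid x)$ approaches 1 and the denoiser keeps pulling the sample back toward class $y$. The scale $s$ is the knob that trades attack success against naturalness.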
--------------------------------------------------------------------------------
/LargeScaleModel/Black-box_Attack_SAM.md:
--------------------------------------------------------------------------------
# [Black-Box Targeted Adversarial Attack on Segment Anything](https://arxiv.org/abs/2310.10010)

## Main content
A targeted adversarial attack in the black-box setting: produce an adversarial example on which SAM's prediction resembles the mask of another, reference natural image.

## Boosting Cross-prompt Transferability
### Cross-prompt Attack-SAM
As shown in the earlier Attack-SAM work, the most direct way to reduce the adversarial example's dependence on the prompt position is to increase the number of prompts used while generating it; in the experiments the number of prompt points at training time ranges from 1 to 100. To make SAM's prediction approach the given mask, that mask is used directly as the optimisation target:

$$ \delta^{*} = \min_{ \delta \in \mathbb{S} } \sum_{k} \left\| SAM(prompt^{(k)}, x_{clean} + \delta) - Thres\left( SAM( prompt^{(k)}, x_{target} ) \right) \right\|^{2} $$

I could not follow the figure here: why does the training loss fall but the test loss rise as the number of training prompt points increases?

### Our Proposed Method
In any case, improving the generalisation of the adversarial example by adding more training prompt points has its limits. Given SAM's architecture, attacking the image encoder directly, so that it produces feature maps close to those of the reference image, makes the prompt position irrelevant, i.e. the example generalises to any prompt:

$$ \delta^{*} = \min_{\delta \in \mathbb{S}} \mathcal{L}\left( SAM_{embedding}(prompt, x_{clean} + \delta), \; SAM_{embedding}(prompt, x_{target}) \right) $$

The paper also examines the black-box setting, i.e. attack performance when the model's internal parameters and gradients are unavailable. Introducing the notion of Relative Feature Strength, it finds that the feature dominance of the adversarial example decreases as the number of iterations grows, i.e. generalisation weakens. It therefore appends a regularisation loss to the original MSE loss term, but does not give its concrete form. The black-box setting here means that adversarial examples are generated with SAM-B and then evaluated on SAM-L and SAM-H.

--------------------------------------------------------------------------------
/GenerativeModel-based/Diff-PGD.md:
--------------------------------------------------------------------------------
# [Diffusion-Based Adversarial Sample Generation for Improved Stealthiness and Controllability](https://arxiv.org/abs/2305.16494)

## Method: Diffusion-based PGD
### 1. SDEdit
The basic idea of Stochastic Differential Editing: given a sample outside the real-image distribution (a stroke painting $Stroke$, say), we want to turn it into a realistic image $Image$. The forward noising process enlarges the supports of the two distributions until they intersect; starting from a point in the intersection, a diffusion model pre-trained on real images denoises in reverse, returning to the real distribution.


### 2. Conventional PGD
Projected Gradient Descent iteratively optimises the initial input by backpropagating gradients. Given a clean image $x$ with true label $y$, the goal is an adversarial example $x_{adv}$ that fools the target classifier $f_{\theta}$. The adversarial gradient of the loss is $g = \nabla_{x} l ( f_{\theta}(x), y )$. With step size $\eta$ and $n$ iterations, the $t$-th PGD update is:

$$ x^{t+1} = \mathcal{P}_{B_{\infty} (x,\epsilon) } \left[ x^{t} + \eta \, \mathrm{sign} \, \nabla_{x^{t}} l (f_{\theta}(x^{t}),y) \right] $$

The paper argues that this pushes the sample away from the decision boundary and hence off the real-data distribution $p(x_{0})$. It therefore proposes that at the $t$-th PGD iteration, SDEdit is first used to obtain a purified sample $x_{0}^{t}$ that follows the real-image distribution, and the adversarial loss gradient is then computed on this purified sample $x_{0}^{t}$ and the original label $y$:

$$ x_{0}^{t} = \mathrm{SDEdit} (x^{t},K) \quad \text{and} \quad x^{t+1} = \mathcal{P}_{B_{\infty} (x,\epsilon) } \left[ x^{t} + \eta \, \mathrm{sign} \, \nabla_{x^{t}} l (f_{\theta}(x^{t}_{0}),y) \right] $$

After $n$ iterations, Diff-PGD yields two slightly different outputs $(x_{0}^{n}, x^{n})$: $x^{n}$ is the adversarial example obtained by PGD alone, which deviates from the real-sample distribution; $x_{0}^{n}$ is the sample purified iteratively by SDEdit, which lies in the intersection of the supports of the adversarial and real distributions and is therefore both realistic and adversarial.

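Both update rules above, as an added pure-Python example that is not the paper's code: the classifier $f_{\theta}$ is a constructed logistic model on an 8-sample signal whose weights have a large high-frequency component, and SDEdit is replaced by a constructed linear purifier (a moving average), so that "backpropagating through SDEdit" becomes a multiplication by the purifier's transpose. The contrast it shows: plain PGD finds a jagged perturbation that the purifier removes, whereas the Diff-PGD update, which takes the gradient at $x_{0}^{t}$, finds a perturbation that survives purification, so $x_{0}^{n}$ is smooth and still adversarial.

```python
import math

N = 8                                            # "pixels" in the toy signal
# Classifier f_theta: logistic regression whose weights have a large alternating
# (high-frequency) part and a smaller constant part; B makes the clean logit +0.8.
W = [2.0 * (-1) ** i + 1.5 for i in range(N)]
B = -5.2
X_CLEAN = [0.5] * N
Y = 1                                            # true label of X_CLEAN


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def sign(v):
    return (v > 0) - (v < 0)


def logit(u):
    return sum(wi * ui for wi, ui in zip(W, u)) + B


def predicted_label(u):
    return int(logit(u) > 0)


def loss_grad_wrt_input(u, y):
    """d l(f(u), y) / d u for cross-entropy: (sigmoid(logit) - y) * W."""
    p = sigmoid(logit(u))
    return [(p - y) * wi for wi in W]


# Stand-in for SDEdit: a fixed 3-tap moving average (2 taps at the borders).
# Like the real purifier it strips high-frequency content; unlike it, it is linear,
# so back-propagating through it is a multiplication by the transposed matrix.
P = [[0.0] * N for _ in range(N)]
for i in range(N):
    taps = [j for j in (i - 1, i, i + 1) if 0 <= j < N]
    for j in taps:
        P[i][j] = 1.0 / len(taps)


def purify(x):
    return [sum(P[i][j] * x[j] for j in range(N)) for i in range(N)]


def purify_transpose(g):
    return [sum(P[i][j] * g[i] for i in range(N)) for j in range(N)]


def project(x, x_clean, eps):
    """Projection P_{B_inf(x_clean, eps)} onto the L_inf ball."""
    return [min(max(xi, xc - eps), xc + eps) for xi, xc in zip(x, x_clean)]


def pgd(x_clean, y, eps=0.1, eta=0.025, steps=8, through_purifier=False):
    """Plain PGD ascends l(f(x^t), y); Diff-PGD ascends l(f(SDEdit(x^t)), y),
    i.e. the gradient is taken at the purified sample and applied to x^t."""
    x = list(x_clean)
    for _ in range(steps):
        if through_purifier:
            x0 = purify(x)                                   # x_0^t = SDEdit(x^t)
            g = purify_transpose(loss_grad_wrt_input(x0, y))
        else:
            g = loss_grad_wrt_input(x, y)
        x = project([xi + eta * sign(gi) for xi, gi in zip(x, g)], x_clean, eps)
    return x


def roughness(x):
    """Total variation: a crude stand-in for 'distance from the natural manifold'."""
    return sum(abs(a - b) for a, b in zip(x[1:], x[:-1]))


def compare():
    x_plain = pgd(X_CLEAN, Y)
    x_diff = pgd(X_CLEAN, Y, through_purifier=True)
    return {
        "clean": predicted_label(X_CLEAN),
        "plain_pgd": predicted_label(x_plain),
        "plain_pgd_purified": predicted_label(purify(x_plain)),   # purification undoes plain PGD
        "diff_pgd_xn": predicted_label(x_diff),
        "diff_pgd_x0n": predicted_label(purify(x_diff)),          # purified output stays adversarial
        "roughness_plain": roughness(x_plain),
        "roughness_diff": roughness(x_diff),
    }


if __name__ == "__main__":
    for k, v in compare().items():
        print(f"{k:22s} {v}")
```

Passing the plain-PGD example through the purifier restores the correct label, which is the purification defence working as intended; only the gradient taken through the purifier produces an $x_{0}^{n}$ that stays misclassified.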
--------------------------------------------------------------------------------
/LargeScaleModel/Attack-SAM.md:
--------------------------------------------------------------------------------
# [Attack-SAM: Towards Attacking Segment Anything Model with Adversarial Examples](https://arxiv.org/abs/2305.00866)

## Abstract
Studies the robustness of vision foundation models, represented by SAM, against adversarial examples: with the basic FGSM and PGD attacks it achieves removal of the segmentation masks and generation of specified masks. Its limitations: little methodological novelty (the existing FGSM and PGD are simply run on SAM with a different loss function), rather thin experiments, almost entirely white-box (only the cross-task part can loosely be counted as black-box), and no physical-world attack.

## Method
### Task definition
Because the masks SAM produces carry no semantic labels, no loss can be computed between its output and a class label. A simpler goal is to make it remove all masks, i.e. recognise nothing. For an input image $x$, the pixel at position $x_{ij}$ is assigned to the mask when its predicted value $y_{ij} > 0$ and to the background otherwise. The goal is to make SAM predict $y_{ij} < 0$ at every pixel.

### Loss design
The loss should therefore: 1) drive SAM's predicted value $y$ negative; 2) penalise originally large positive $y_{ij}$ more heavily than small positive or non-positive ones; 3) to reduce randomness, push the predictions to a specific negative value rather than merely slightly below 0. An MSE loss with a specific negative threshold meets all three:

$$ \delta^{*} = \min_{\delta \in \mathbb{S}} \left\| SAM(prompt, x_{clean} + \delta) - Neg_{th} \right\|^{2} $$

This loss, however, also drags predictions that are already below $Neg_{th}$ back toward $Neg_{th}$ during the updates, which serves no purpose. The paper therefore clips the predictions already below $Neg_{th}$ so that their gradient is zero; this is the ClipMSE loss:

$$ \delta^{*} = \min_{\delta \in \mathbb{S}} \left\| Clip\left(SAM(prompt, x_{clean} + \delta), \min = Neg_{th}\right) - Neg_{th} \right\|^{2} $$

### Attack details
The two basic attacks FGSM and PGD are used, with perturbation budget 8/255 and step sizes 8/255 and 2/255 respectively. PGD runs 10 iterations; the threshold $Neg_{th}$ is set to -10.

## Experiment
The experiments mainly show how SAM is affected by adversarial examples under point prompts. The quantitative results are thin: there is no rigorous quantitative evaluation on a specific dataset, and it reads as if a handful of images were simply tried. The results show that with ClipMSE as the loss, PGD-10 attacks markedly better than with MSE, while FGSM is barely affected.

## Transfer-based attacks
Two transfer scenarios are explored: 1) cross-prompt transfer: an attack that succeeds with $(prompt_{i}, x_{adv})$ is evaluated with the input replaced by $(prompt_{j}, x_{adv})$; 2) cross-task transfer: adversarial examples crafted against a classifier are fed to SAM to see whether they disrupt its segmentation.

Under cross-prompt transfer, the attack weakens sharply once the point prompt is moved; the authors conclude that the attack is only clearly effective around $prompt_{source}$. Increasing the number $K$ of source prompts improves the attack noticeably over the whole image.

Under cross-task transfer, adversarial examples crafted against a classifier also disturb SAM's segmentation to some extent, though the effect is very limited. The classifier used here is a ViT.

## Beyond mask removal
The experiments above only consider mask removal. This part asks whether specified masks can be produced: mask enlargement, mask manipulation (shifting, flipping, etc.) and generation of a specified mask.

Mask enlargement follows the same idea as mask removal, simply replacing the negative threshold $Neg_{th}$ in the loss with a positive one:

$$ \delta^{*} = \min_{\delta \in \mathbb{S}} \left\| Clip\left(SAM(prompt, x_{clean} + \delta), \max = Pos_{th}\right) - Pos_{th} \right\|^{2} $$

The paper finds that merely changing the threshold converts mask to background and background to mask.

The more interesting results are mask shifting, flipping and generation of masks of a specified shape; unfortunately neither the main text nor the appendix explains the method or the loss design. Presumably the specified mask is simply used as the PGD optimisation target.

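The loss designs of this paper (MSE with a threshold, ClipMSE for removal, the positive-threshold variant for enlargement) and the targeted objective of "Black-Box Targeted Adversarial Attack on Segment Anything" (drive the logits toward $Thres(SAM(prompt, x_{target}))$), as one added pure-Python example that is not either paper's code. SAM itself is replaced by a constructed stand-in that gives every pixel a logit linear in its intensity, with a gain chosen so the paper's 8/255 budget can move a logit by roughly 25; the toy image, the thresholds and the reference image are constructed. The gradient of the clipped loss is exactly what makes ClipMSE work: it is zero wherever the clip is active, so PGD stops touching pixels that are already below $Neg_{th}$ instead of oscillating around it.

```python
GAIN = 800.0   # d(logit)/d(pixel) of the toy model; 8/255 * GAIN ~ 25

NEG_TH, POS_TH = -10.0, 10.0
EPS, ALPHA, STEPS = 8 / 255, 2 / 255, 10        # budget, step size and iterations from the paper


def toy_mask_logits(x):
    """Stand-in for SAM(prompt, x): one mask logit per pixel, linear in the pixel.
    (The real decoder is prompt-conditioned and non-local; only the loss logic
    below is the point of the example.)"""
    return [GAIN * (xi - 0.5) for xi in x]


def sign(v):
    return (v > 0) - (v < 0)


def mask_loss_and_grad(logits, target, clip_min=None, clip_max=None):
    """Squared error between (optionally clipped) logits and a target, which is a
    scalar threshold (Neg_th / Pos_th) or a per-pixel target map.  Returns the
    loss and d(loss)/d(logits).  With clip_min=target this is ClipMSE: a logit
    already below the threshold is clipped onto it, so it contributes zero loss
    and, because the clip has zero slope, zero gradient."""
    if not isinstance(target, list):
        target = [float(target)] * len(logits)
    loss, grad = 0.0, []
    for y, tgt in zip(logits, target):
        v, slope = y, 1.0
        if clip_min is not None and y < clip_min:
            v, slope = clip_min, 0.0
        if clip_max is not None and y > clip_max:
            v, slope = clip_max, 0.0
        loss += (v - tgt) ** 2
        grad.append(2.0 * (v - tgt) * slope)
    return loss, grad


def pgd_mask_attack(x_clean, target, eps=EPS, alpha=ALPHA, steps=STEPS,
                    clip_min=None, clip_max=None):
    """L_inf PGD minimising mask_loss_and_grad through the toy model.
    steps=1, alpha=eps is the paper's single-step FGSM setting."""
    x = list(x_clean)
    for _ in range(steps):
        _, g_logits = mask_loss_and_grad(toy_mask_logits(x), target, clip_min, clip_max)
        g_x = [GAIN * g for g in g_logits]                         # chain rule through the model
        x = [xi - alpha * sign(gi) for xi, gi in zip(x, g_x)]      # descend on the loss
        x = [min(max(xi, xc - eps, 0.0), xc + eps, 1.0)            # project onto the eps-ball and [0, 1]
             for xi, xc in zip(x, x_clean)]
    return x


# Constructed toy image: clean logits [8, -8, 20, 0, 4, -16] (positive = mask).
X_CLEAN = [0.51, 0.49, 0.525, 0.5, 0.505, 0.48]


def mask_removal(clip=True):
    """Attack-SAM mask removal with ClipMSE (clip=True) or plain MSE."""
    x_adv = pgd_mask_attack(X_CLEAN, NEG_TH, clip_min=NEG_TH if clip else None)
    return toy_mask_logits(x_adv)


def mask_enlargement():
    """Same loss with a positive threshold and the clip on the other side."""
    x_adv = pgd_mask_attack(X_CLEAN, POS_TH, clip_max=POS_TH)
    return toy_mask_logits(x_adv)


def targeted_to_reference(x_target):
    """Targeted variant: drive the logits toward Thres(SAM(x_target)), here the
    reference mask binarised to +-POS_TH (a constructed choice of Thres)."""
    target = [POS_TH if y > 0 else NEG_TH for y in toy_mask_logits(x_target)]
    x_adv = pgd_mask_attack(X_CLEAN, target)
    return toy_mask_logits(x_adv), target


if __name__ == "__main__":
    print("ClipMSE :", [round(v, 2) for v in mask_removal(True)])
    print("MSE     :", [round(v, 2) for v in mask_removal(False)])
    print("enlarge :", [round(v, 2) for v in mask_enlargement()])
    adv, tgt = targeted_to_reference([0.48, 0.52, 0.5, 0.5, 0.49, 0.51])
    print("targeted:", [round(v, 2) for v in adv], "target:", tgt)
```

With plain MSE, a logit that crosses $Neg_{th}$ is pulled back on the next step and bounces around the threshold for the rest of the 10 iterations, so only two of the six pixels end below $-10$; with ClipMSE the gradient vanishes once a pixel is below the threshold and five of the six finish there (the sixth starts at 20 and the 8/255 budget cannot move it that far, although it still ends negative). In the targeted run every pixel ends on the same side of zero as the reference mask.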
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Adversarial-Attack-Methods-Summary

## News
🔥[2024-07-24] Papers of ICML 2024 have been updated [here](2024/ICML/Readme.md)!

🔥[2024-07-04] Papers of CVPR 2024 have been updated [here](2024/CVPR/Readme.md)!

## 2023
| **Title** | **Publish** | **Repo** | **Paper** | **Summary** |
|-----------|:-----------:|:--------:|:---------:|:-----------:|
| Content-based Unrestricted Adversarial Attack | *NeurIPS* | - | [](https://arxiv.org/abs/2305.10665) | [summary](Semantic-Methods/Cont_UAA.md) |
| Diff-PGD: Diffusion-Based Adversarial Sample Generation for Improved Stealthiness and Controllability | *NeurIPS* | [](https://github.com/xavihart/Diff-PGD) | [](https://arxiv.org/abs/2305.16494) | [summary](GenerativeModel-based/Diff-PGD.md) |
| Downstream-agnostic Adversarial Examples | *ICCV* | [](https://github.com/CGCL-codes/AdvEncoder) | [](https://arxiv.org/abs/2307.12280) [](https://openaccess.thecvf.com/content/ICCV2023/html/Zhou_Downstream-agnostic_Adversarial_Examples_ICCV_2023_paper.html) | [summary](GenerativeModel-based/ICCV2023.md) |
| AdvDiffuser: Natural Adversarial Example Synthesis with Diffusion Models | *ICCV* | [](https://github.com/lafeat/advdiffuser) | [](https://openaccess.thecvf.com/content/ICCV2023/html/Chen_AdvDiffuser_Natural_Adversarial_Example_Synthesis_with_Diffusion_Models_ICCV_2023_paper.html) | [summary](GenerativeModel-based/AdvDiffuser.md) |
| Frequency-aware GAN for Adversarial Manipulation Generation | *ICCV* | - | [](https://openaccess.thecvf.com/content/ICCV2023/html/Zhu_Frequency-aware_GAN_for_Adversarial_Manipulation_Generation_ICCV_2023_paper.html) | - |
| AdvDiff: Generating Unrestricted Adversarial Examples using Diffusion Models | - | [](https://github.com/EricDai0/advdiff) | [](https://arxiv.org/abs/2307.12499) | [summary](GenerativeModel-based/AdvDiff.md) |
| Diffusion Models for Imperceptible and Transferable Adversarial Attack | - | [](https://github.com/WindVChen/DiffAttack) | [](https://arxiv.org/abs/2305.08192) | - |
| Improving Adversarial Transferability by Stable Diffusion | - | - | [](https://arxiv.org/abs/2311.11017) | - |
| Semantic Adversarial Attacks via Diffusion Models | *BMVC* | [](https://github.com/steven202/semantic_adv_via_dm) | [](https://arxiv.org/abs/2309.07398) | [summary](Semantic-Methods/semantic_adv_via_dm.md) |
| Attack-SAM: Towards Attacking Segment Anything Model with Adversarial Examples | - | - | [](https://arxiv.org/abs/2305.00866) | [summary](LargeScaleModel/Attack-SAM.md) |
| Segment Anything Meets Universal Adversarial Perturbation | - | - | [](https://arxiv.org/abs/2310.12431) | [summary](LargeScaleModel/SAM_Meets_UAP.md) |
| Black-Box Targeted Adversarial Attack on Segment Anything | - | - | [](https://arxiv.org/abs/2310.10010) | [summary](LargeScaleModel/Black-box_Attack_SAM.md) |

## 2022
| **Title** | **Publish** | **Repo** | **Paper** | **Summary** |
|-----------|:-----------:|:--------:|:---------:|:-----------:|
| SegPGD: An Effective and Efficient Adversarial Attack for Evaluating and Boosting Segmentation Robustness | *ECCV* | - | [](https://arxiv.org/abs/2207.12391) | - |
| Natural color fool: Towards boosting black-box unrestricted attacks | *NeurIPS* | - | - | - |
| Sparse Black-Box Video Attack with Reinforcement Learning | *IJCV* | - | [](https://link.springer.com/article/10.1007/s11263-022-01604-w) | [summary](Video_attack/SVA.md) |
| Attacking Video Recognition Models with Bullet-Screen Comments | *AAAI* | - | [](https://arxiv.org/abs/2110.15629) [](https://ojs.aaai.org/index.php/AAAI/article/view/19907) | - |
| Protecting Facial Privacy: Generating Adversarial Identity Masks via Style-robust Makeup Transfer | *CVPR* | [](https://github.com/CGCL-codes/AMT-GAN) | [](https://openaccess.thecvf.com/content/CVPR2022/html/Hu_Protecting_Facial_Privacy_Generating_Adversarial_Identity_Masks_via_Style-Robust_Makeup_CVPR_2022_paper.html) | [summary](Semantic-Methods/AMT_GAN.md) |

## 2021
| **Title** | **Publish** | **Repo** | **Paper** | **Summary** |
|-----------|:-----------:|:--------:|:---------:|:-----------:|
| Towards Feature Space Adversarial Attack | - | - | [](https://arxiv.org/abs/2004.12385) | [summary](GenerativeModel-based/Towards-Feature-Space-Adversarial-Attack.md) |

## 2020
| **Title** | **Publish** | **Repo** | **Paper** | **Summary** |
|-----------|:-----------:|:--------:|:---------:|:-----------:|
| Unrestricted Adversarial Examples via Semantic Manipulation | *ICLR* | [](https://github.com/AI-secure/Big-but-Invisible-Adversarial-Attack) | [](https://arxiv.org/abs/1904.06347) | [summary](Semantic-Methods/Color_Texture_Attack.md) |
| SemanticAdv: Generating Adversarial Examples via Attribute-conditioned Image Editing | *ECCV* | [](https://github.com/AI-secure/SemanticAdv) | [](https://www.ecva.net/papers/eccv_2020/papers_ECCV/papers/123590018.pdf) | [summary](Semantic-Methods/SemanticAdv.md) |
| Colorfool: Semantic adversarial colorization | *CVPR* | - | - | - |

## 2019
| **Title** | **Publish** | **Repo** | **Paper** | **Summary** |
|-----------|:-----------:|:--------:|:---------:|:-----------:|
| Semantic Adversarial Attacks: Parametric Transformations That Fool Deep Classifiers | *ICCV* | - | [](https://arxiv.org/abs/1904.08489) | [summary](Semantic-Methods/SAA.md) |
| Rob-GAN: Generator, Discriminator, and Adversarial Attacker | *CVPR* | - | [](https://openaccess.thecvf.com/content_CVPR_2019/html/Liu_Rob-GAN_Generator_Discriminator_and_Adversarial_Attacker_CVPR_2019_paper.html) | [summary](GenerativeModel-based/Rob-GAN.md) |
| ADef: an Iterative Algorithm to Construct Adversarial Deformations | *ICLR* | - | - | - |
| AdvGAN++: Harnessing Latent Layers for Adversary Generation | *ICCVW* | - | [](https://openaccess.thecvf.com/content_ICCVW_2019/html/NeurArch/Jandial_AdvGAN_Harnessing_Latent_Layers_for_Adversary_Generation_ICCVW_2019_paper.html) | [summary](GenerativeModel-based/AdvGAN++.md) |
| One pixel attack for fooling deep neural networks | *IEEE TEVC* | - | - | - |

## ~2018

| **Title** | **Publish** | **Repo** | **Paper** | **Summary** |
|-----------|:-----------:|:--------:|:---------:|:-----------:|
| Intriguing Properties of Neural Networks | *ICLR 2014* | - | [](https://arxiv.org/abs/1312.6199) [](https://openreview.net/forum?id=kklr_MTHMRQjG) | [summary](Gradient-based/Intriguing-properties-of-neural-networks.md) |
| FGSM: Explaining and Harnessing Adversarial Examples | *ICLR 2015* | - | [](https://arxiv.org/abs/1412.6572) | [summary](Gradient-based/FGSM.md) |
| DeepFool: a simple and accurate method to fool deep neural networks | *CVPR 2016* | - | [](https://openaccess.thecvf.com/content_cvpr_2016/html/Moosavi-Dezfooli_DeepFool_A_Simple_CVPR_2016_paper.html) | - |
| Universal adversarial perturbations | *CVPR 2017* | - | [](https://openaccess.thecvf.com/content_cvpr_2017/html/Moosavi-Dezfooli_Universal_Adversarial_Perturbations_CVPR_2017_paper.html) | - |
| Towards evaluating the robustness of neural networks | *IEEE S&P 2017* | - | - | - |
| Ensemble Adversarial Training: Attacks and Defenses | *ICLR 2018* | - | [](https://arxiv.org/abs/1705.07204) | - |
| PGD: Towards Deep Learning Models Resistant to Adversarial Attacks | *ICLR 2018* | - | [](https://arxiv.org/abs/1706.06083) | - |
| Generating Natural Adversarial Examples | *ICLR 2018* | - | [](https://arxiv.org/abs/1710.11342) | [summary](GenerativeModel-based/Generating-Natural-Adversarial-Examples.md) |
| Constructing Unrestricted Adversarial Examples with Generative Models | *NeurIPS 2018* | - | [](https://arxiv.org/abs/1805.07894) | [summary](GenerativeModel-based/Constructing-Unrestricted-Adversarial-Examples-with-Generative-Models.md) |
| NAG: Network for Adversary Generation | *CVPR 2018* | [](https://github.com/val-iisc/nag) | [](https://arxiv.org/abs/1712.03390) [](https://openaccess.thecvf.com/content_cvpr_2018/html/Mopuri_NAG_Network_for_CVPR_2018_paper.html) | [summary](GenerativeModel-based/CVPR2018.md) |
| Semantic Adversarial Examples | *CVPRW 2018* | - | [](https://openaccess.thecvf.com/content_cvpr_2018_workshops/w32/html/Hosseini_Semantic_Adversarial_Examples_CVPR_2018_paper.html) | [summary](Semantic-Methods/SAE.md) |
| AdvGAN: Generating adversarial examples with adversarial networks | *IJCAI 2018* | [](https://github.com/mathcbc/advGAN_pytorch) | [](https://arxiv.org/abs/1801.02610) [](https://www.ijcai.org/proceedings/2018/0543) | [summary](GenerativeModel-based/IJCAI2018.md) |
| ATN: Learning to Attack: Adversarial Transformation Networks | *AAAI 2018* | [](https://github.com/RanTaimu/Adversarial-Transformation-Network) | [](https://arxiv.org/abs/1703.09387) [](https://ojs.aaai.org/index.php/AAAI/article/view/11672) | [summary](GenerativeModel-based/AAAI2018.md) |

--------------------------------------------------------------------------------
/2024/ICML/Readme.md:
--------------------------------------------------------------------------------
1 | | **Title** | **Category** | **Repo** | **Paper** | **Key words** |
2 | |-----------|:-----------:|:--------:|:---------:|:-----------:|
3 | | Online Matching with Stochastic Rewards: Provable Better Bound via Adversarial Reinforcement Learning | **Oral** | - | [](https://proceedings.mlr.press/v235/zhang24bf.html) | - |
4 | | Robust CLIP: Unsupervised Adversarial Fine-Tuning of Vision Embeddings for Robust Large Vision-Language Models | **Oral** | [](https://github.com/chs20/RobustVLM) | [](https://proceedings.mlr.press/v235/schlarmann24a.html) | - |
5 | | Towards Optimal Adversarial Robust Q-learning with Bellman Infinity-error | **Oral** | - | [](https://proceedings.mlr.press/v235/li24cl.html) | - |
6 | | Low-Cost High-Power Membership Inference Attacks | **Oral** | - | [](https://proceedings.mlr.press/v235/zarifzadeh24a.html) | - |
7 | | The Stronger the Diffusion Model, the Easier the Backdoor: Data Poisoning to Induce Copyright BreachesWithout Adjusting Finetuning Pipeline | **Oral** | - | [](https://proceedings.mlr.press/v235/wang24bm.html) | - |
8 | | Private Truly-Everlasting Robust-Prediction | **Oral** | - | [](https://proceedings.mlr.press/v235/stemmer24a.html) | - |
9 | | Position: On the Societal Impact of Open Foundation Models | **Oral** | - | [](https://proceedings.mlr.press/v235/kapoor24a.html) | - |
10 | | Trained Random Forests Completely Reveal your Dataset | **Oral** | - | [](https://proceedings.mlr.press/v235/ferry24a.html) | - |
11 | | Stealing part of a production language model | **Oral** | - | [](https://proceedings.mlr.press/v235/carlini24a.html) | - |
12 | | AI Control: Improving Safety Despite Intentional Subversion | **Oral** | - | [](https://proceedings.mlr.press/v235/greenblatt24a.html) | - |
13 | | Bridging Data Gaps in Diffusion Models with Adversarial Noise-Based Transfer Learning | **Spotlight** | - | [](https://proceedings.mlr.press/v235/wang24ap.html) | - |
14 | | A Theoretical Analysis of Backdoor Poisoning Attacks in Convolutional Neural Networks | **Spotlight** | - | [](https://proceedings.mlr.press/v235/li24at.html) | - |
15 | | Improving Interpretation Faithfulness for Vision Transformers | **Spotlight** | - | [](https://proceedings.mlr.press/v235/hu24k.html) | - |
16 | | Fool Your (Vision and) Language Model with Embarrassingly Simple Permutations | Poster | [](https://github.com/ys-zong/FoolyourVLLMs) | [](https://proceedings.mlr.press/v235/zong24b.html) | - |
17 | | Safety Fine-Tuning at (Almost) No Cost: A Baseline for Vision Large Language Models | Poster | [](https://github.com/ys-zong/VLGuard) | [](https://proceedings.mlr.press/v235/zong24a.html) | - |
18 | | RAUCA: A Novel Physical Adversarial Attack on Vehicle Detectors via Robust and Accurate Camouflage Generation | Poster | - | [](https://proceedings.mlr.press/v235/zhou24n.html) | - |
19 | | Attack-free Evaluating and Enhancing Adversarial Robustness on Categorical Data | Poster | [](https://github.com/YujunZhou/IGSG) | [](https://proceedings.mlr.press/v235/zhou24i.html) | - |
20 | | Towards Efficient Training and Evaluation of Robust Models against $l_0$ Bounded Adversarial Perturbation | Poster | [](https://github.com/CityU-MLO/sPGD) | [](https://proceedings.mlr.press/v235/zhong24c.html) | - |
21 | | Rethinking Adversarial Robustness in the Context of the Right to be Forgotten | Poster | - | [](https://proceedings.mlr.press/v235/zhao24k.html) | - |
22 | | On the Duality Between Sharpness-Aware Minimization and Adversarial Training | Poster | [](https://github.com/weizeming/SAM_AT) | [](https://proceedings.mlr.press/v235/zhang24w.html) | - |
23 | | Transferable Facial Privacy Protection against Blind Face Restoration via Domain-Consistent Adversarial Obfuscation | Poster | - | [](https://proceedings.mlr.press/v235/zhang24co.html) | - |
24 | | Improving Accuracy-robustness Trade-off via Pixel Reweighted Adversarial Training | Poster | - | [](https://proceedings.mlr.press/v235/zhang24am.html) | - |
25 | | Manifold Integrated Gradients: Riemannian Geometry for Feature Attribution | Poster | - | [](https://proceedings.mlr.press/v235/zaher24a.html) | - |
26 | | RigorLLM: Resilient Guardrails for Large Language Models against Undesired Content | Poster | - | [](https://proceedings.mlr.press/v235/yuan24f.html) | - |
27 | | Improving Sharpness-Aware Minimization by Lookahead | Poster | - | [](https://proceedings.mlr.press/v235/yu24q.html) | - |
28 | | Purify Unlearnable Examples via Rate-Constrained Variational Autoencoders | Poster | [](https://github.com/yuyi-sd/D-VAE) | [](https://proceedings.mlr.press/v235/yu24m.html) | - |
29 | | Generalization Bound and New Algorithm for Clean-Label Backdoor Attack | Poster | - | [](https://proceedings.mlr.press/v235/yu24i.html) | - |
30 | | Towards Robust Model-Based Reinforcement Learning Against Adversarial Corruption | Poster | - | [](https://proceedings.mlr.press/v235/ye24a.html) | - |
31 | | Robust Universal Adversarial Perturbations | Poster | - | [](https://proceedings.mlr.press/v235/xu24v.html) | - |
32 | | Uniformly Stable Algorithms for Adversarial Training and Beyond | Poster | - | [](https://proceedings.mlr.press/v235/xiao24e.html) | - |
33 | | Delving into the Convergence of Generalized Smooth Minimax Optimization | Poster | - | [](https://proceedings.mlr.press/v235/xian24a.html) | - |
34 | | Adversarially Robust Hypothesis Transfer Learning | Poster | - | [](https://proceedings.mlr.press/v235/wang24d.html) | - |
35 | | Benign Overfitting in Adversarial Training of Neural Networks | Poster | - | [](https://proceedings.mlr.press/v235/wang24cn.html) | - |
36 | | Collapse-Aware Triplet Decoupling for Adversarially Robust Image Retrieval | Poster | - | [](https://proceedings.mlr.press/v235/tian24a.html) | - |
37 | | IOI: Invisible One-Iteration Adversarial Attack on No-Reference Image- and Video-Quality Metrics | Poster | - | [](https://proceedings.mlr.press/v235/shumitskaya24a.html) | - |
38 | | Fast Adversarial Attacks on Language Models In One GPU Minute | Poster | - | [](https://proceedings.mlr.press/v235/sadasivan24a.html) | - |
39 | | SignSGD with Federated Defense: Harnessing Adversarial Attacks through Gradient Sign Decoding | Poster | - | [](https://proceedings.mlr.press/v235/park24h.html) | - |
40 | | Two Heads are Actually Better than One: Towards Better Adversarial Robustness via Transduction and Rejection | Poster | - | [](https://proceedings.mlr.press/v235/palumbo24a.html) | - |
41 | | Can Implicit Bias Imply Adversarial Robustness? | Poster | - | [](https://proceedings.mlr.press/v235/min24a.html) | - |
42 | | The Pitfalls and Promise of Conformal Inference Under Adversarial Attacks | Poster | - | [](https://proceedings.mlr.press/v235/liu24m.html) | - |
43 | | Enhancing Adversarial Robustness in SNNs with Sparse Gradients | Poster | - | [](https://proceedings.mlr.press/v235/liu24f.html) | - |
44 | | OODRobustBench: a Benchmark and Large-Scale Analysis of Adversarial Robustness under Distribution Shift | Poster | [](https://github.com/OODRobustBench/OODRobustBench) | [](https://proceedings.mlr.press/v235/li24bp.html) | - |
45 | | DataFreeShield: Defending Adversarial Attacks without Training Data | Poster | - | [](https://proceedings.mlr.press/v235/lee24f.html) | - |
46 | | Adversarially Robust Deep Multi-View Clustering: A Novel Attack and Defense Framework | Poster | - | [](https://proceedings.mlr.press/v235/huang24ai.html) | - |
47 | | Be Your Own Neighborhood: Detecting Adversarial Examples by the Neighborhood Relations Built on Self-Supervised Learning | Poster | - | [](https://proceedings.mlr.press/v235/he24l.html) | - |
48 | | Consistent Adversarially Robust Linear Classification: Non-Parametric Setting | Poster | - | [](https://proceedings.mlr.press/v235/dohmatob24a.html) | - |
49 | | Et Tu Certifications: Robustness Certificates Yield Better Adversarial Examples | Poster | - | [](https://proceedings.mlr.press/v235/cullen24a.html) | - |
50 | | Efficient Black-box Adversarial Attacks via Bayesian Optimization Guided by a Function Prior | Poster | [](https://github.com/yibo-miao/PBO-Attack) | [](https://proceedings.mlr.press/v235/cheng24h.html) | - |
51 | | BadPart: Unified Black-box Adversarial Patch Attacks against Pixel-wise Regression Tasks | Poster | - | [](https://proceedings.mlr.press/v235/cheng24e.html) | - |
52 | | Robust Classification via a Single Diffusion Model | Poster | - | [](https://proceedings.mlr.press/v235/chen24k.html) | - |
53 | | Adversarial Robustness Limits via Scaling-Law and Human-Alignment Studies | Poster | - | [](https://proceedings.mlr.press/v235/bartoldson24a.html) | - |
54 | | Adversarial Attacks on Combinatorial Multi-Armed Bandits | Poster | - | [](https://proceedings.mlr.press/v235/balasubramanian24a.html) | - |
55 | | Image Hijacks: Adversarial Images can Control Generative Models at Runtime | Poster | - | [](https://proceedings.mlr.press/v235/bailey24a.html) | - |
56 | | Diffusion Models Demand Contrastive Guidance for Adversarial Purification to Advance | Poster | - | [](https://proceedings.mlr.press/v235/bai24b.html) | - |
57 | | CosPGD: an efficient white-box adversarial attack for pixel-wise prediction tasks | Poster | [](https://github.com/shashankskagnihotri/cospgd) | [](https://proceedings.mlr.press/v235/agnihotri24b.html) | - |
58 | | Revisiting Character-level Adversarial Attacks for Language Models | Poster | [](https://github.com/LIONS-EPFL/Charmer) | [](https://proceedings.mlr.press/v235/abad-rocamora24a.html) | - |
59 |
--------------------------------------------------------------------------------
/2024/CVPR/Readme.md:
--------------------------------------------------------------------------------
1 | | **Title** | **Publisher** | **Repo** | **Paper** | **Key words** |
2 | |-----------|:-----------:|:--------:|:---------:|:-----------:|
3 | | Towards Transferable Targeted 3D Adversarial Attack in the Physical World | *CVPR* | - | [paper](https://openaccess.thecvf.com/content/CVPR2024/html/Huang_Towards_Transferable_Targeted_3D_Adversarial_Attack_in_the_Physical_World_CVPR_2024_paper.html) | 3D, physical attack |
4 | | VA3: Virtually Assured Amplification Attack on Probabilistic Copyright Protection for Text-to-Image Generative Models | *CVPR* | - | [paper](https://openaccess.thecvf.com/content/CVPR2024/html/Li_VA3_Virtually_Assured_Amplification_Attack_on_Probabilistic_Copyright_Protection_for_CVPR_2024_paper.html) | - |
5 | | Attack To Defend: Exploiting Adversarial Attacks for Detecting Poisoned Models | *CVPR* | - | [paper](https://openaccess.thecvf.com/content/CVPR2024/html/Fares_Attack_To_Defend_Exploiting_Adversarial_Attacks_for_Detecting_Poisoned_Models_CVPR_2024_paper.html) | Poisoning/Trojan/Backdoor attack defense |
6 | | On the Robustness of Large Multimodal Models Against Image Adversarial Attacks | *CVPR* | - | [paper](https://openaccess.thecvf.com/content/CVPR2024/html/Cui_On_the_Robustness_of_Large_Multimodal_Models_Against_Image_Adversarial_CVPR_2024_paper.html) | - |
7 | | PAD: Patch-Agnostic Defense against Adversarial Patch Attacks | *CVPR* | [code](https://github.com/Lihua-Jing/PAD) | [paper](https://openaccess.thecvf.com/content/CVPR2024/html/Jing_PAD_Patch-Agnostic_Defense_against_Adversarial_Patch_Attacks_CVPR_2024_paper.html) | - |
8 | | LOTUS: Evasive and Resilient Backdoor Attacks through Sub-Partitioning | *CVPR* | [code](https://github.com/Megum1/LOTUS) | [paper](https://openaccess.thecvf.com/content/CVPR2024/html/Cheng_LOTUS_Evasive_and_Resilient_Backdoor_Attacks_through_Sub-Partitioning_CVPR_2024_paper.html) | - |
9 | | A Stealthy Wrongdoer: Feature-Oriented Reconstruction Attack against Split Learning | *CVPR* | - | [paper](https://openaccess.thecvf.com/content/CVPR2024/html/Xu_A_Stealthy_Wrongdoer_Feature-Oriented_Reconstruction_Attack_against_Split_Learning_CVPR_2024_paper.html) | - |
10 | | BadCLIP: Trigger-Aware Prompt Learning for Backdoor Attacks on CLIP | *CVPR* | - | [paper](https://openaccess.thecvf.com/content/CVPR2024/html/Bai_BadCLIP_Trigger-Aware_Prompt_Learning_for_Backdoor_Attacks_on_CLIP_CVPR_2024_paper.html) | - |
11 | | Deep-TROJ: An Inference Stage Trojan Insertion Algorithm through Efficient Weight Replacement Attack | *CVPR* | [code](https://github.com/ML-Security-Research-LAB/Deep-TROJ) | [paper](https://openaccess.thecvf.com/content/CVPR2024/html/Ahmed_Deep-TROJ_An_Inference_Stage_Trojan_Insertion_Algorithm_through_Efficient_Weight_CVPR_2024_paper.html) | - |
12 | | MMCert: Provable Defense against Adversarial Attacks to Multi-modal Models | *CVPR* | - | [paper](https://openaccess.thecvf.com/content/CVPR2024/html/Wang_MMCert_Provable_Defense_against_Adversarial_Attacks_to_Multi-modal_Models_CVPR_2024_paper.html) | - |
13 | | Physical Backdoor: Towards Temperature-based Backdoor Attacks in the Physical World | *CVPR* | - | [paper](https://openaccess.thecvf.com/content/CVPR2024/html/Yin_Physical_Backdoor_Towards_Temperature-based_Backdoor_Attacks_in_the_Physical_World_CVPR_2024_paper.html) | - |
14 | | Physical 3D Adversarial Attacks against Monocular Depth Estimation in Autonomous Driving | *CVPR* | - | [paper](https://openaccess.thecvf.com/content/CVPR2024/html/Zheng_Physical_3D_Adversarial_Attacks_against_Monocular_Depth_Estimation_in_Autonomous_CVPR_2024_paper.html) | - |
15 | | Re-thinking Data Availability Attacks Against Deep Neural Networks | *CVPR* | [code](https://github.com/EuterpeK/Rethinking-Data-Availability-Attacks) | [paper](https://openaccess.thecvf.com/content/CVPR2024/html/Fang_Re-thinking_Data_Availability_Attacks_Against_Deep_Neural_Networks_CVPR_2024_paper.html) | - |
16 | | Leak and Learn: An Attacker's Cookbook to Train Using Leaked Data from Federated Learning | *CVPR* | - | [paper](https://openaccess.thecvf.com/content/CVPR2024/html/Zhao_Leak_and_Learn_An_Attackers_Cookbook_to_Train_Using_Leaked_CVPR_2024_paper.html) | - |
17 | | Defense Against Adversarial Attacks on No-Reference Image Quality Models with Gradient Norm Regularization | *CVPR* | - | [paper](https://openaccess.thecvf.com/content/CVPR2024/html/Liu_Defense_Against_Adversarial_Attacks_on_No-Reference_Image_Quality_Models_with_CVPR_2024_paper.html) | - |
18 | | Semantic-Aware Multi-Label Adversarial Attacks | *CVPR* | [code](https://github.com/hassan-mahmood/SemanticMLLAttacks) | [paper](https://openaccess.thecvf.com/content/CVPR2024/html/Mahmood_Semantic-Aware_Multi-Label_Adversarial_Attacks_CVPR_2024_paper.html) | - |
19 | | Nearest is Not Dearest: Towards Practical Defense against Quantization-conditioned Backdoor Attacks | *CVPR* | - | [paper](https://openaccess.thecvf.com/content/CVPR2024/html/Li_Nearest_is_Not_Dearest_Towards_Practical_Defense_against_Quantization-conditioned_Backdoor_CVPR_2024_paper.html) | - |
20 | | Overload: Latency Attacks on Object Detection for Edge Devices | *CVPR* | - | [paper](https://openaccess.thecvf.com/content/CVPR2024/html/Chen_Overload_Latency_Attacks_on_Object_Detection_for_Edge_Devices_CVPR_2024_paper.html) | - |
21 | | Data Poisoning based Backdoor Attacks to Contrastive Learning | *CVPR* | - | [paper](https://openaccess.thecvf.com/content/CVPR2024/html/Zhang_Data_Poisoning_based_Backdoor_Attacks_to_Contrastive_Learning_CVPR_2024_paper.html) | - |
22 | | Intriguing Properties of Diffusion Models: An Empirical Study of the Natural Attack Capability in Text-to-Image Generative Models | *CVPR* | - | [paper](https://openaccess.thecvf.com/content/CVPR2024/html/Sato_Intriguing_Properties_of_Diffusion_Models_An_Empirical_Study_of_the_CVPR_2024_paper.html) | - |
23 | | MMA-Diffusion: MultiModal Attack on Diffusion Models | *CVPR* | [code](https://github.com/cure-lab/MMA-Diffusion) | [paper](https://openaccess.thecvf.com/content/CVPR2024/html/Yang_MMA-Diffusion_MultiModal_Attack_on_Diffusion_Models_CVPR_2024_paper.html) | - |
24 | | Strong Transferable Adversarial Attacks via Ensembled Asymptotically Normal Distribution Learning | *CVPR* | [code](https://github.com/CLIAgroup/ANDA) | [paper](https://openaccess.thecvf.com/content/CVPR2024/html/Fang_Strong_Transferable_Adversarial_Attacks_via_Ensembled_Asymptotically_Normal_Distribution_Learning_CVPR_2024_paper.html) | Perturbation attack, Optimization, Transferability Enhancement |
25 | | Transferable Structural Sparse Adversarial Attack Via Exact Group Sparsity Training | *CVPR* | [code](https://github.com/MisterRpeng/EGS-TSSA) | [paper](https://openaccess.thecvf.com/content/CVPR2024/html/Ming_Transferable_Structural_Sparse_Adversarial_Attack_Via_Exact_Group_Sparsity_Training_CVPR_2024_paper.html) | - |
26 | | Adversarial Backdoor Attack by Naturalistic Data Poisoning on Trajectory Prediction in Autonomous Driving | *CVPR* | - | [paper](https://openaccess.thecvf.com/content/CVPR2024/html/Pourkeshavarz_Adversarial_Backdoor_Attack_by_Naturalistic_Data_Poisoning_on_Trajectory_Prediction_CVPR_2024_paper.html) | - |
27 | | SlowFormer: Adversarial Attack on Compute and Energy Consumption of Efficient Vision Transformers | *CVPR* | [code](https://github.com/UCDvision/SlowFormer) | [paper](https://openaccess.thecvf.com/content/CVPR2024/html/Navaneet_SlowFormer_Adversarial_Attack_on_Compute_and_Energy_Consumption_of_Efficient_CVPR_2024_paper.html) | - |
28 | | Not All Prompts Are Secure: A Switchable Backdoor Attack Against Pre-trained Vision Transformers | *CVPR* | - | - | - |
29 | | GLOW: Global Layout Aware Attacks on Object Detection | *CVPR* | - | [paper](https://openaccess.thecvf.com/content/CVPR2024/html/Bao_GLOW_Global_Layout_Aware_Attacks_on_Object_Detection_CVPR_2024_paper.html) | - |
30 | | Improving Transferable Targeted Adversarial Attacks with Model Self-Enhancement | *CVPR* | [code](https://github.com/g4alllf/SASD) | [paper](https://openaccess.thecvf.com/content/CVPR2024/html/Wu_Improving_Transferable_Targeted_Adversarial_Attacks_with_Model_Self-Enhancement_CVPR_2024_paper.html) | - |
31 | | BrainWash: A Poisoning Attack to Forget in Continual Learning | *CVPR* | [code](https://github.com/mint-vu/Brainwash) | [paper](https://openaccess.thecvf.com/content/CVPR2024/html/Abbasi_BrainWash_A_Poisoning_Attack_to_Forget_in_Continual_Learning_CVPR_2024_paper.html) | - |
32 | | BadCLIP: Dual-Embedding Guided Backdoor Attack on Multimodal Contrastive Learning | *CVPR* | [code](https://github.com/LiangSiyuan21/BadCLIP) | [paper](https://openaccess.thecvf.com/content/CVPR2024/html/Liang_BadCLIP_Dual-Embedding_Guided_Backdoor_Attack_on_Multimodal_Contrastive_Learning_CVPR_2024_paper.html) | - |
33 | | Towards Fairness-Aware Adversarial Learning | *CVPR* | - | [paper](https://openaccess.thecvf.com/content/CVPR2024/html/Zhang_Towards_Fairness-Aware_Adversarial_Learning_CVPR_2024_paper.html) | - |
34 | | Hide in Thicket: Generating Imperceptible and Rational Adversarial Perturbations on 3D Point Clouds | *CVPR* | - | [paper](https://openaccess.thecvf.com/content/CVPR2024/html/Lou_Hide_in_Thicket_Generating_Imperceptible_and_Rational_Adversarial_Perturbations_on_CVPR_2024_paper.html) | - |
35 | | Soften to Defend: Towards Adversarial Robustness via Self-Guided Label Refinement | *CVPR* | - | [paper](https://openaccess.thecvf.com/content/CVPR2024/html/Li_Soften_to_Defend_Towards_Adversarial_Robustness_via_Self-Guided_Label_Refinement_CVPR_2024_paper.html) | - |
36 | | Structured Gradient-based Interpretations via Norm-Regularized Adversarial Training | *CVPR* | - | [paper](https://openaccess.thecvf.com/content/CVPR2024/html/Gong_Structured_Gradient-based_Interpretations_via_Norm-Regularized_Adversarial_Training_CVPR_2024_paper.html) | - |
37 | | Dispel Darkness for Better Fusion: A Controllable Visual Enhancer based on Cross-modal Conditional Adversarial Learning | *CVPR* | [code](https://github.com/HaoZhang1018/DDBF) | [paper](https://openaccess.thecvf.com/content/CVPR2024/html/Zhang_Dispel_Darkness_for_Better_Fusion_A_Controllable_Visual_Enhancer_based_CVPR_2024_paper.html) | - |
38 | | ASAM: Boosting Segment Anything Model with Adversarial Tuning | *CVPR* | [code](https://github.com/luckybird1994/ASAM) | [paper](https://openaccess.thecvf.com/content/CVPR2024/html/Li_ASAM_Boosting_Segment_Anything_Model_with_Adversarial_Tuning_CVPR_2024_paper.html) | - |
39 | | NAPGuard: Towards Detecting Naturalistic Adversarial Patches | *CVPR* | - | [paper](https://openaccess.thecvf.com/content/CVPR2024/html/Wu_NAPGuard_Towards_Detecting_Naturalistic_Adversarial_Patches_CVPR_2024_paper.html) | - |
40 | | Towards Understanding and Improving Adversarial Robustness of Vision Transformers | *CVPR* | - | [paper](https://openaccess.thecvf.com/content/CVPR2024/html/Jain_Towards_Understanding_and_Improving_Adversarial_Robustness_of_Vision_Transformers_CVPR_2024_paper.html) | - |
41 | | Infrared Adversarial Car Stickers | *CVPR* | - | [paper](https://openaccess.thecvf.com/content/CVPR2024/html/Zhu_Infrared_Adversarial_Car_Stickers_CVPR_2024_paper.html) | - |
42 | | Boosting Adversarial Transferability by Block Shuffle and Rotation | *CVPR* | - | [paper](https://openaccess.thecvf.com/content/CVPR2024/html/Wang_Boosting_Adversarial_Transferability_by_Block_Shuffle_and_Rotation_CVPR_2024_paper.html) | - |
43 | | One Prompt Word is Enough to Boost Adversarial Robustness for Pre-trained Vision-Language Models | *CVPR* | [code](https://github.com/TreeLLi/APT) | [paper](https://openaccess.thecvf.com/content/CVPR2024/html/Li_One_Prompt_Word_is_Enough_to_Boost_Adversarial_Robustness_for_CVPR_2024_paper.html) | - |
44 | | Adversarial Score Distillation: When score distillation meets GAN | *CVPR* | [code](https://github.com/2y7c3/ASD) | [paper](https://openaccess.thecvf.com/content/CVPR2024/html/Wei_Adversarial_Score_Distillation_When_score_distillation_meets_GAN_CVPR_2024_paper.html) | - |
45 | | Focus on Hiders: Exploring Hidden Threats for Enhancing Adversarial Training | *CVPR* | - | [paper](https://openaccess.thecvf.com/content/CVPR2024/html/Li_Focus_on_Hiders_Exploring_Hidden_Threats_for_Enhancing_Adversarial_Training_CVPR_2024_paper.html) | - |
46 | | Robust Image Denoising through Adversarial Frequency Mixup | *CVPR* | [code](https://github.com/dhryougit/AFM) | [paper](https://openaccess.thecvf.com/content/CVPR2024/html/Ryou_Robust_Image_Denoising_through_Adversarial_Frequency_Mixup_CVPR_2024_paper.html) | - |
47 | | Towards Robust 3D Pose Transfer with Adversarial Learning | *CVPR* | - | [paper](https://openaccess.thecvf.com/content/CVPR2024/html/Chen_Towards_Robust_3D_Pose_Transfer_with_Adversarial_Learning_CVPR_2024_paper.html) | - |
48 | | Robust Distillation via Untargeted and Targeted Intermediate Adversarial Samples | *CVPR* | - | [paper](https://openaccess.thecvf.com/content/CVPR2024/html/Dong_Robust_Distillation_via_Untargeted_and_Targeted_Intermediate_Adversarial_Samples_CVPR_2024_paper.html) | - |
49 | | PeerAiD: Improving Adversarial Distillation from a Specialized Peer Tutor | *CVPR* | [code](https://github.com/jaewonalive/PeerAiD) | [paper](https://openaccess.thecvf.com/content/CVPR2024/html/Jung_PeerAiD_Improving_Adversarial_Distillation_from_a_Specialized_Peer_Tutor_CVPR_2024_paper.html) | - |
50 | | Adversarial Distillation Based on Slack Matching and Attribution Region Alignment | *CVPR* | - | [paper](https://openaccess.thecvf.com/content/CVPR2024/html/Yin_Adversarial_Distillation_Based_on_Slack_Matching_and_Attribution_Region_Alignment_CVPR_2024_paper.html) | - |
51 | | Adversarially Robust Few-shot Learning via Parameter Co-distillation of Similarity and Class Concept Learners | *CVPR* | - | [paper](https://openaccess.thecvf.com/content/CVPR2024/html/Dong_Adversarially_Robust_Few-shot_Learning_via_Parameter_Co-distillation_of_Similarity_and_CVPR_2024_paper.html) | - |
52 | | Revisiting Adversarial Training at Scale | *CVPR* | [code](https://github.com/UCSC-VLAA/AdvXL) | [paper](https://openaccess.thecvf.com/content/CVPR2024/html/Wang_Revisiting_Adversarial_Training_at_Scale_CVPR_2024_paper.html) | - |
53 | | Structure-Guided Adversarial Training of Diffusion Models | *CVPR* | - | [paper](https://openaccess.thecvf.com/content/CVPR2024/html/Yang_Structure-Guided_Adversarial_Training_of_Diffusion_Models_CVPR_2024_paper.html) | - |
54 | | Defense without Forgetting: Continual Adversarial Defense with Anisotropic & Isotropic Pseudo Replay | *CVPR* | - | [paper](https://openaccess.thecvf.com/content/CVPR2024/html/Zhou_Defense_without_Forgetting_Continual_Adversarial_Defense_with_Anisotropic__Isotropic_CVPR_2024_paper.html) | - |
55 | | Learning to Transform Dynamically for Better Adversarial Transferability | *CVPR* | [code](https://github.com/ZhangAIPI/TransferAttack) | [paper](https://openaccess.thecvf.com/content/CVPR2024/html/Zhu_Learning_to_Transform_Dynamically_for_Better_Adversarial_Transferability_CVPR_2024_paper.html) | Input transformation, Reinforcement learning |
56 | | Ensemble Diversity Facilitates Adversarial Transferability | *CVPR* | - | [paper](https://openaccess.thecvf.com/content/CVPR2024/html/Tang_Ensemble_Diversity_Facilitates_Adversarial_Transferability_CVPR_2024_paper.html) | - |
57 | | Revisiting Adversarial Training Under Long-Tailed Distributions | *CVPR* | [code](https://github.com/NISPLab/AT-BSL) | [paper](https://openaccess.thecvf.com/content/CVPR2024/html/Yue_Revisiting_Adversarial_Training_Under_Long-Tailed_Distributions_CVPR_2024_paper.html) | - |
58 | | DAP: A Dynamic Adversarial Patch for Evading Person Detectors | *CVPR* | - | [paper](https://openaccess.thecvf.com/content/CVPR2024/html/Guesmi_DAP_A_Dynamic_Adversarial_Patch_for_Evading_Person_Detectors_CVPR_2024_paper.html) | - |
59 | | Pre-trained Model Guided Fine-Tuning for Zero-Shot Adversarial Robustness | *CVPR* | - | [paper](https://openaccess.thecvf.com/content/CVPR2024/html/Wang_Pre-trained_Model_Guided_Fine-Tuning_for_Zero-Shot_Adversarial_Robustness_CVPR_2024_paper.html) | - |
60 | | Initialization Matters for Adversarial Transfer Learning | *CVPR* | [code](https://github.com/DongXzz/RoLI) | [paper](https://openaccess.thecvf.com/content/CVPR2024/html/Hua_Initialization_Matters_for_Adversarial_Transfer_Learning_CVPR_2024_paper.html) | - |
61 | | Language-Driven Anchors for Zero-Shot Adversarial Robustness | *CVPR* | - | [paper](https://openaccess.thecvf.com/content/CVPR2024/html/Li_Language-Driven_Anchors_for_Zero-Shot_Adversarial_Robustness_CVPR_2024_paper.html) | - |
62 | | DiffAM: Diffusion-based Adversarial Makeup Transfer for Facial Privacy Protection | *CVPR* | [code](https://github.com/HansSunY/DiffAM) | [paper](https://openaccess.thecvf.com/content/CVPR2024/html/Sun_DiffAM_Diffusion-based_Adversarial_Makeup_Transfer_for_Facial_Privacy_Protection_CVPR_2024_paper.html) | - |
63 | | ACT-Diffusion: Efficient Adversarial Consistency Training for One-step Diffusion Models | *CVPR* | [code](https://github.com/kong13661/ACT) | [paper](https://openaccess.thecvf.com/content/CVPR2024/html/Kong_ACT-Diffusion_Efficient_Adversarial_Consistency_Training_for_One-step_Diffusion_Models_CVPR_2024_paper.html) | - |
64 | | Adversarial Text to Continuous Image Generation | *CVPR* | - | [paper](https://openaccess.thecvf.com/content/CVPR2024/html/Haydarov_Adversarial_Text_to_Continuous_Image_Generation_CVPR_2024_paper.html) | - |
65 | | Robust Overfitting Does Matter: Test-Time Adversarial Purification With FGSM | *CVPR* | [code](https://github.com/tly18/TPAP) | [paper](https://openaccess.thecvf.com/content/CVPR2024/html/Tang_Robust_Overfitting_Does_Matter_Test-Time_Adversarial_Purification_With_FGSM_CVPR_2024_paper.html) | - |
66 | | Boosting Adversarial Training via Fisher-Rao Norm-based Regularization | *CVPR* | [code](https://github.com/TrustAI/LOAT) | [paper](https://openaccess.thecvf.com/content/CVPR2024/html/Yin_Boosting_Adversarial_Training_via_Fisher-Rao_Norm-based_Regularization_CVPR_2024_paper.html) | - |
67 | | MimicDiffusion: Purifying Adversarial Perturbation via Mimicking Clean Diffusion Model | *CVPR* | [code](https://github.com/psky1111/MimicDiffusion) | [paper](https://openaccess.thecvf.com/content/CVPR2024/html/Song_MimicDiffusion_Purifying_Adversarial_Perturbation_via_Mimicking_Clean_Diffusion_Model_CVPR_2024_paper.html) | - |
68 | | Watermark-embedded Adversarial Examples for Copyright Protection against Diffusion Models | *CVPR* | - | [paper](https://openaccess.thecvf.com/content/CVPR2024/html/Zhu_Watermark-embedded_Adversarial_Examples_for_Copyright_Protection_against_Diffusion_Models_CVPR_2024_paper.html) | - |
69 | | CAD: Photorealistic 3D Generation via Adversarial Distillation | *CVPR* | - | [paper](https://openaccess.thecvf.com/content/CVPR2024/html/Wan_CAD_Photorealistic_3D_Generation_via_Adversarial_Distillation_CVPR_2024_paper.html) | - |
70 | | Random Entangled Tokens for Adversarially Robust Vision Transformer | *CVPR* | - | [paper](https://openaccess.thecvf.com/content/CVPR2024/html/Gong_Random_Entangled_Tokens_for_Adversarially_Robust_Vision_Transformer_CVPR_2024_paper.html) | - |
71 |
--------------------------------------------------------------------------------