[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"similar-P2333--Papers-of-Robust-ML":3,"tool-P2333--Papers-of-Robust-ML":65},[4,23,32,40,49,57],{"id":5,"name":6,"github_repo":7,"description_zh":8,"stars":9,"difficulty_score":10,"last_commit_at":11,"category_tags":12,"status":22},2268,"ML-For-Beginners","microsoft\u002FML-For-Beginners","ML-For-Beginners 是由微软推出的一套系统化机器学习入门课程，旨在帮助零基础用户轻松掌握经典机器学习知识。这套课程将学习路径规划为 12 周，包含 26 节精炼课程和 52 道配套测验，内容涵盖从基础概念到实际应用的完整流程，有效解决了初学者面对庞大知识体系时无从下手、缺乏结构化指导的痛点。\n\n无论是希望转型的开发者、需要补充算法背景的研究人员，还是对人工智能充满好奇的普通爱好者，都能从中受益。课程不仅提供了清晰的理论讲解，还强调动手实践，让用户在循序渐进中建立扎实的技能基础。其独特的亮点在于强大的多语言支持，通过自动化机制提供了包括简体中文在内的 50 多种语言版本，极大地降低了全球不同背景用户的学习门槛。此外，项目采用开源协作模式，社区活跃且内容持续更新，确保学习者能获取前沿且准确的技术资讯。如果你正寻找一条清晰、友好且专业的机器学习入门之路，ML-For-Beginners 将是理想的起点。",85267,2,"2026-04-18T11:00:28",[13,14,15,16,17,18,19,20,21],"图像","数据工具","视频","插件","Agent","其他","语言模型","开发框架","音频","ready",{"id":24,"name":25,"github_repo":26,"description_zh":27,"stars":28,"difficulty_score":29,"last_commit_at":30,"category_tags":31,"status":22},5784,"funNLP","fighting41love\u002FfunNLP","funNLP 是一个专为中文自然语言处理（NLP）打造的超级资源库，被誉为\"NLP 民工的乐园”。它并非单一的软件工具，而是一个汇集了海量开源项目、数据集、预训练模型和实用代码的综合性平台。\n\n面对中文 NLP 领域资源分散、入门门槛高以及特定场景数据匮乏的痛点，funNLP 提供了“一站式”解决方案。这里不仅涵盖了分词、命名实体识别、情感分析、文本摘要等基础任务的标准工具，还独特地收录了丰富的垂直领域资源，如法律、医疗、金融行业的专用词库与数据集，甚至包含古诗词生成、歌词创作等趣味应用。其核心亮点在于极高的全面性与实用性，从基础的字典词典到前沿的 BERT、GPT-2 模型代码，再到高质量的标注数据和竞赛方案，应有尽有。\n\n无论是刚刚踏入 NLP 领域的学生、需要快速验证想法的算法工程师，还是从事人工智能研究的学者，都能在这里找到急需的“武器弹药”。对于开发者而言，它能大幅减少寻找数据和复现模型的时间；对于研究者，它提供了丰富的基准测试资源和前沿技术参考。funNLP 以开放共享的精神，极大地降低了中文自然语言处理的开发与研究成本，是中文 AI 社区不可或缺的宝藏仓库。",79857,1,"2026-04-08T20:11:31",[19,14,18],{"id":33,"name":34,"github_repo":35,"description_zh":36,"stars":37,"difficulty_score":29,"last_commit_at":38,"category_tags":39,"status":22},5773,"cs-video-courses","Developer-Y\u002Fcs-video-courses","cs-video-courses 
是一个精心整理的计算机科学视频课程清单，旨在为自学者提供系统化的学习路径。它汇集了全球知名高校（如加州大学伯克利分校、新南威尔士大学等）的完整课程录像，涵盖从编程基础、数据结构与算法，到操作系统、分布式系统、数据库等核心领域，并深入延伸至人工智能、机器学习、量子计算及区块链等前沿方向。\n\n面对网络上零散且质量参差不齐的教学资源，cs-video-courses 解决了学习者难以找到成体系、高难度大学级别课程的痛点。该项目严格筛选内容，仅收录真正的大学层级课程，排除了碎片化的简短教程或商业广告，确保用户能接触到严谨的学术内容。\n\n这份清单特别适合希望夯实计算机基础的开发者、需要补充特定领域知识的研究人员，以及渴望像在校生一样系统学习计算机科学的自学者。其独特的技术亮点在于分类极其详尽，不仅包含传统的软件工程与网络安全，还细分了生成式 AI、大语言模型、计算生物学等新兴学科，并直接链接至官方视频播放列表，让用户能一站式获取高质量的教育资源，免费享受世界顶尖大学的课堂体验。",79792,"2026-04-08T22:03:59",[18,13,14,20],{"id":41,"name":42,"github_repo":43,"description_zh":44,"stars":45,"difficulty_score":46,"last_commit_at":47,"category_tags":48,"status":22},3128,"ragflow","infiniflow\u002Fragflow","RAGFlow 是一款领先的开源检索增强生成（RAG）引擎，旨在为大语言模型构建更精准、可靠的上下文层。它巧妙地将前沿的 RAG 技术与智能体（Agent）能力相结合，不仅支持从各类文档中高效提取知识，还能让模型基于这些知识进行逻辑推理和任务执行。\n\n在大模型应用中，幻觉问题和知识滞后是常见痛点。RAGFlow 通过深度解析复杂文档结构（如表格、图表及混合排版），显著提升了信息检索的准确度，从而有效减少模型“胡编乱造”的现象，确保回答既有据可依又具备时效性。其内置的智能体机制更进一步，使系统不仅能回答问题，还能自主规划步骤解决复杂问题。\n\n这款工具特别适合开发者、企业技术团队以及 AI 研究人员使用。无论是希望快速搭建私有知识库问答系统，还是致力于探索大模型在垂直领域落地的创新者，都能从中受益。RAGFlow 提供了可视化的工作流编排界面和灵活的 API 接口，既降低了非算法背景用户的上手门槛，也满足了专业开发者对系统深度定制的需求。作为基于 Apache 2.0 协议开源的项目，它正成为连接通用大模型与行业专有知识之间的重要桥梁。",77062,3,"2026-04-04T04:44:48",[17,13,20,19,18],{"id":50,"name":51,"github_repo":52,"description_zh":53,"stars":54,"difficulty_score":46,"last_commit_at":55,"category_tags":56,"status":22},519,"PaddleOCR","PaddlePaddle\u002FPaddleOCR","PaddleOCR 是一款基于百度飞桨框架开发的高性能开源光学字符识别工具包。它的核心能力是将图片、PDF 等文档中的文字提取出来，转换成计算机可读取的结构化数据，让机器真正“看懂”图文内容。\n\n面对海量纸质或电子文档，PaddleOCR 解决了人工录入效率低、数字化成本高的问题。尤其在人工智能领域，它扮演着连接图像与大型语言模型（LLM）的桥梁角色，能将视觉信息直接转化为文本输入，助力智能问答、文档分析等应用场景落地。\n\nPaddleOCR 适合开发者、算法研究人员以及有文档自动化需求的普通用户。其技术优势十分明显：不仅支持全球 100 多种语言的识别，还能在 Windows、Linux、macOS 等多个系统上运行，并灵活适配 CPU、GPU、NPU 等各类硬件。作为一个轻量级且社区活跃的开源项目，PaddleOCR 
既能满足快速集成的需求，也能支撑前沿的视觉语言研究，是处理文字识别任务的理想选择。",75916,"2026-04-19T10:54:02",[19,13,20,18],{"id":58,"name":59,"github_repo":60,"description_zh":61,"stars":62,"difficulty_score":29,"last_commit_at":63,"category_tags":64,"status":22},3215,"awesome-machine-learning","josephmisiti\u002Fawesome-machine-learning","awesome-machine-learning 是一份精心整理的机器学习资源清单，汇集了全球优秀的机器学习框架、库和软件工具。面对机器学习领域技术迭代快、资源分散且难以甄选的痛点，这份清单按编程语言（如 Python、C++、Go 等）和应用场景（如计算机视觉、自然语言处理、深度学习等）进行了系统化分类，帮助使用者快速定位高质量项目。\n\n它特别适合开发者、数据科学家及研究人员使用。无论是初学者寻找入门库，还是资深工程师对比不同语言的技术选型，都能从中获得极具价值的参考。此外，清单还延伸提供了免费书籍、在线课程、行业会议、技术博客及线下聚会等丰富资源，构建了从学习到实践的全链路支持体系。\n\n其独特亮点在于严格的维护标准：明确标记已停止维护或长期未更新的项目，确保推荐内容的时效性与可靠性。作为机器学习领域的“导航图”，awesome-machine-learning 以开源协作的方式持续更新，旨在降低技术探索门槛，让每一位从业者都能高效地站在巨人的肩膀上创新。",72149,"2026-04-03T21:50:24",[20,18],{"id":66,"github_repo":67,"name":68,"description_en":69,"description_zh":70,"ai_summary_zh":71,"readme_en":72,"readme_zh":73,"quickstart_zh":74,"use_case_zh":75,"hero_image_url":76,"owner_login":77,"owner_name":78,"owner_avatar_url":79,"owner_bio":80,"owner_company":81,"owner_location":82,"owner_email":83,"owner_twitter":84,"owner_website":85,"owner_url":86,"languages":87,"stars":88,"forks":89,"last_commit_at":90,"license":87,"difficulty_score":29,"env_os":91,"env_gpu":92,"env_ram":92,"env_deps":93,"category_tags":96,"github_topics":87,"view_count":10,"oss_zip_url":87,"oss_zip_packed_at":87,"status":22,"created_at":97,"updated_at":98,"faqs":99,"releases":100},9827,"P2333\u002FPapers-of-Robust-ML","Papers-of-Robust-ML"," Related papers for robust machine learning","Papers-of-Robust-ML 是一个专注于鲁棒机器学习领域的开源论文合集，尤其侧重于对抗防御技术的研究。在人工智能安全面临严峻挑战的当下，对抗攻击手段层出不穷，研究人员往往难以从海量的学术会议论文中快速筛选出具有洞察力的核心成果。Papers-of-Robust-ML 正是为了解决这一信息过载与筛选难题而生，它系统性地整理了发表于 ICML、NeurIPS、CVPR 等顶级会议及 arXiv 上的高质量文献。\n\n该资源库内容结构清晰，涵盖了从训练阶段到推理阶段的通用防御策略、对抗样本检测、可认证防御、理论与实证分析，甚至包括“化敌为友”的前沿探索及基准数据集。其独特亮点在于不仅罗列标题，还对每篇论文的核心贡献进行了精炼解读，例如如何利用扩散模型提升训练效果、通过频域处理防止灾难性过拟合，或结合控制理论构建稳定神经网络等。此外，项目采用开放的社区协作模式，鼓励全球研究者共同更新与维护，确保内容的时效性与前沿性。\n\nPapers-of-Robust-ML 
非常适合从事人工智能安全研究的学者、算法工程师以及希望深入了解模型鲁棒性的开发者使用。无论是为了追踪最新学术动态，还是寻找具体","Papers-of-Robust-ML 是一个专注于鲁棒机器学习领域的开源论文合集，尤其侧重于对抗防御技术的研究。在人工智能安全面临严峻挑战的当下，对抗攻击手段层出不穷，研究人员往往难以从海量的学术会议论文中快速筛选出具有洞察力的核心成果。Papers-of-Robust-ML 正是为了解决这一信息过载与筛选难题而生，它系统性地整理了发表于 ICML、NeurIPS、CVPR 等顶级会议及 arXiv 上的高质量文献。\n\n该资源库内容结构清晰，涵盖了从训练阶段到推理阶段的通用防御策略、对抗样本检测、可认证防御、理论与实证分析，甚至包括“化敌为友”的前沿探索及基准数据集。其独特亮点在于不仅罗列标题，还对每篇论文的核心贡献进行了精炼解读，例如如何利用扩散模型提升训练效果、通过频域处理防止灾难性过拟合，或结合控制理论构建稳定神经网络等。此外，项目采用开放的社区协作模式，鼓励全球研究者共同更新与维护，确保内容的时效性与前沿性。\n\nPapers-of-Robust-ML 非常适合从事人工智能安全研究的学者、算法工程师以及希望深入了解模型鲁棒性的开发者使用。无论是为了追踪最新学术动态，还是寻找具体的防御算法灵感，这里都是一个高效、专业且免费的知识宝库。","# Papers-of-Robust-ML\nRelated papers for robust machine learning (we mainly focus on defenses).\n \n# Statement\nSince there are tens of new papers on adversarial defense in each conference, we are only able to update those we just read and consider as insightful.\n\nAnyone is welcomed to submit a pull request for the related and unlisted papers on adversarial defense, which are pulished on peer-review conferences (ICML\u002FNeurIPS\u002FICLR\u002FCVPR etc.) 
or released on arXiv.\n\n## Contents \n- \u003Ca href=\"#General_training\">General Defenses (training phase)\u003C\u002Fa>\u003Cbr>\n- \u003Ca href=\"#General_inference\">General Defenses (inference phase)\u003C\u002Fa>\u003Cbr>\n- \u003Ca href=\"#Detection\">Adversarial Detection\u003C\u002Fa>\u003Cbr>\n- \u003Ca href=\"#Certified Defense and Model Verification\">Certified Defense and Model Verification\u003C\u002Fa>\u003Cbr>\n- \u003Ca href=\"#Theoretical\">Theoretical Analysis\u003C\u002Fa>\u003Cbr>\n- \u003Ca href=\"#Empirical\">Empirical Analysis\u003C\u002Fa>\u003Cbr>\n- \u003Ca href=\"#Beyond_Safety\">Beyond Safety (Adversarial for Good)\u003C\u002Fa>\u003Cbr>\n- \u003Ca href=\"#Seminal_work\">Seminal Work\u003C\u002Fa>\u003Cbr>\n- \u003Ca href=\"#Benchmark_Datasets\">Benchmark Datasets\u003C\u002Fa>\u003Cbr>\n\n\n\u003Ca id='General_training'>\u003C\u002Fa>\n## General Defenses (training phase)\n* [Better Diffusion Models Further Improve Adversarial Training](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2302.04638.pdf) (ICML 2023) \u003Cbr\u002F> This paper advocate that better diffusion models such as EDM can further improve adversarial training beyond using DDPM, which achieves new state-of-the-art performance on CIFAR-10\u002F100 as listed on RobustBench.\n\n* [FrequencyLowCut Pooling -- Plug & Play against Catastrophic Overfitting](https:\u002F\u002Fwww.ecva.net\u002Fpapers\u002Feccv_2022\u002Fpapers_ECCV\u002Fpapers\u002F136740036.pdf) (ECCV 2022) \u003Cbr\u002F> This paper proposes a novel aliasing-free downsampling layer to prevent catastrophic overfitting during simple Fast Gradient Sign Method (FGSM) adversarial training. \n\n* [Robustness and Accuracy Could Be Reconcilable by (Proper) Definition](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2202.10103.pdf) (ICML 2022) \u003Cbr\u002F> This paper advocate that robustness and accuracy are not at odds, as long as we slightly modify the definition of robust error. 
Efficient ways of optimizating the new SCORE objective is provided.\n\n* [Stable Neural ODE with Lyapunov-Stable Equilibrium Points for Defending Against Adversarial Attacks](https:\u002F\u002Fopenreview.net\u002Fpdf?id=9CPc4EIr2t1) (NeurIPS 2021) \u003Cbr\u002F> This paper combines the stable conditions in control theory into neural ODE to induce locally stable models. \n\n* [Two Coupled Rejection Metrics Can Tell Adversarial Examples Apart ](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2105.14785.pdf) (CVPR 2022) \u003Cbr\u002F> This paper proposes a coupling rejection strategy, where two simple but well-designed rejection metrics can be coupled to provabably distinguish any misclassified sample from correclty classified ones.\n\n* [Fixing Data Augmentation to Improve Adversarial Robustness](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2103.01946.pdf) (NeurIPS 2021) \u003Cbr\u002F> This paper shows that after applying weight moving average, data augmentation (either by transformatons or generative models) can further improve robustness of adversarial training.\n\n* [Robust Learning Meets Generative Models: Can Proxy Distributions Improve Adversarial Robustness?](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2104.09425.pdf) (ICLR 2022) \u003Cbr\u002F> This paper verifies that leveraging more data sampled from a (high-quality) generative model that was trained on the same dataset (e.g., CIFAR-10) can still improve robustness of adversarially trained models, without using any extra data.\n\n* [Towards Robust Neural Networks via Close-loop Control](https:\u002F\u002Fopenreview.net\u002Fforum?id=2AL06y9cDE-) (ICLR 2021) \u003Cbr\u002F> This paper introduce a close-loop control framework to enhance adversarial robustness of trained networks.\n\n* [Understanding and Improving Fast Adversarial Training](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2007.02617.pdf) (NeurIPS 2020) \u003Cbr\u002F> A systematic study of catastrophic overfitting in adversarial training, its reasons, and 
ways of resolving it. The proposed regularizer, *GradAlign*, helps to prevent catastrophic overfitting and scale FGSM training to high Linf-perturbations.\n\n* [Confidence-Calibrated Adversarial Training: Generalizing to Unseen Attacks](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1910.06259.pdf) (ICML 2020) \u003Cbr\u002F> This paper uses a perturbation-dependent label smoothing method to generalize adversarially trained models to unseen attacks.\n\n* [Smooth Adversarial Training](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2006.14536.pdf) \u003Cbr\u002F> This paper advocate using smooth variants of ReLU during adversarial training, which can achieve state-of-the-art performance on ImageNet.  \n\n* [Rethinking Softmax Cross-Entropy Loss for Adversarial Robustness](https:\u002F\u002Fopenreview.net\u002Fforum?id=Byg9A24tvB) (ICLR 2020) \u003Cbr\u002F> This paper rethink the drawbacks of softmax cross-entropy in the adversarial setting, and propose the MMC method to induce high-density regions in the feature space.\n\n* [Jacobian Adversarially Regularized Networks for Robustness](https:\u002F\u002Fopenreview.net\u002Fpdf?id=Hke0V1rKPS) (ICLR 2020) \u003Cbr\u002F> This paper propose to show that a generally more interpretable model could potentially be more robust against adversarial attacks.\n\n* [Fast is better than free: Revisiting adversarial training](https:\u002F\u002Fopenreview.net\u002Fforum?id=BJx040EFvH&noteId=BJx040EFvH) (ICLR 2020) \u003Cbr\u002F> This paper proposes several tricks to make FGSM-based adversarial training effective.\n\n* [Adversarial Training and Provable Defenses: Bridging the Gap](https:\u002F\u002Fopenreview.net\u002Fforum?id=SJxSDxrKDr) (ICLR 2020) \u003Cbr\u002F> This paper proposes the layerwise adversarial training method, which gradually optimizes on the latent adversarial examples from low-level to high-level layers.\n\n* [Improving Adversarial Robustness Requires Revisiting Misclassified 
Examples](https:\u002F\u002Fopenreview.net\u002Fforum?id=rklOg6EFwS) (ICLR 2020) \u003Cbr\u002F> This paper proposes a new method MART, which involves a boosted CE loss to further lower down the second-maximal prediction, and a weighted KL term (similar as a focal loss), compared to the formula of TRADES.\n\n* [Adversarial Interpolation Training: A Simple Approach for Improving Model Robustness](https:\u002F\u002Fopenreview.net\u002Fforum?id=Syejj0NYvr&noteId=r1e432RzoS) \u003Cbr\u002F> This paper introduces the mixup method into adversarial training to improve the model performance on clean images.\n\n* [Are labels required for improving adversarial robustness?](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1905.13725.pdf) (NeurIPS 2019) \u003Cbr\u002F> This paper exploit unlabeled data to better improve adversarial robustness.\n\n* [Adversarial Robustness through Local Linearization](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1907.02610.pdf) (NeurIPS 2019) \u003Cbr\u002F> This paper introduce local linearization in adversarial training process.\n\n* [Provably Robust Boosted Decision Stumps and Trees against Adversarial Attacks](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1906.03526.pdf) (NeurIPS 2019) \u003Cbr\u002F> A method to efficiently certify the robustness of GBDTs and to integrate the certificate into training (leads to an upper bound on the worst-case loss). 
The obtained certified accuracy is higher than for other robust GBDTs and is competitive to provably robust CNNs.\n\n* [You Only Propagate Once: Accelerating Adversarial Training via Maximal Principle](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1905.00877.pdf) (NeurIPS 2019) \u003Cbr\u002F> This paper provides a fast method for adversarial training from the perspective of optimal control.\n\n* [Adversarial Training for Free!](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1904.12843.pdf) (NeurIPS 2019) \u003Cbr\u002F> A fast method for adversarial training, which shares the back-propogation gradients of updating weighs and crafting adversarial examples.\n\n* [ME-Net: Towards Effective Adversarial Robustness with Matrix Estimation](https:\u002F\u002Farxiv.org\u002Fabs\u002F1905.11971) (ICML 2019) \u003Cbr\u002F> This paper demonstrates the global low-rank structures within images, and leverages matrix estimation to exploit such underlying structures for better adversarial robustness.\n\n* [Using Pre-Training Can Improve Model Robustness and Uncertainty](https:\u002F\u002Farxiv.org\u002Fabs\u002F1901.09960) (ICML 2019) \u003Cbr\u002F>\nThis paper shows adversarial robustness can transfer and that adversarial pretraining can increase adversarial robustness by ~10% accuracy.\n\n* [Theoretically Principled Trade-off between Robustness and Accuracy](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1901.08573.pdf) (ICML 2019) \u003Cbr\u002F> A variant of adversarial training: TRADES, which won the defense track of NeurIPS 2018 Adversarial Competation.\n\n* [Robust Decision Trees Against Adversarial Examples](http:\u002F\u002Fweb.cs.ucla.edu\u002F~chohsieh\u002FICML_2019_TreeAdvAttack.pdf) (ICML 2019) \u003Cbr\u002F> A method to enhance the robustness of tree models, including GBDTs.\n\n* [Improving Adversarial Robustness via Promoting Ensemble Diversity](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1901.08846.pdf) (ICML 2019) \u003Cbr\u002F> Previous work constructs ensemble defenses by 
individually enhancing each memeber and then directly average the predictions. In this work, the authors propose the adaptive diversity promoting (ADP) to further improve the robustness by promoting the ensemble diveristy, as an orthogonal methods compared to other defenses.\n\n* [Feature Denoising for Improving Adversarial Robustness](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1812.03411.pdf) (CVPR 2019) \u003Cbr\u002F> This paper applies non-local neural network and large-scale adversarial training with 128 GPUs (with training trick in 'Accurate, large minibatch SGD: Training ImageNet in 1 hour'), which shows large improvement than previous SOTA trained with 50 GPUs.\n\n* [Improving the Generalization of Adversarial Training with Domain Adaptation](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1810.00740.pdf) (ICLR 2019) \u003Cbr\u002F> This work proposes to use additional regularization terms to match the domains between clean and adversarial logits in adversarial training.\n\n* [A Spectral View of Adversarially Robust Features](http:\u002F\u002Fpapers.nips.cc\u002Fpaper\u002F8217-a-spectral-view-of-adversarially-robust-features.pdf) (NeurIPS 2018) \u003Cbr\u002F> Given the entire dataset X, use the eigenvectors of spectral graph as robust features. [[Appendix](http:\u002F\u002Fpapers.nips.cc\u002Fpaper\u002F8217-a-spectral-view-of-adversarially-robust-features-supplemental.zip)]\n\n* [Adversarial Logit Pairing](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1803.06373.pdf) \u003Cbr\u002F> Adversarial training by pairing the clean and adversarial logits.\n\n* [Deep Defense: Training DNNs with Improved Adversarial Robustness](http:\u002F\u002Fpapers.nips.cc\u002Fpaper\u002F7324-deep-defense-training-dnns-with-improved-adversarial-robustness.pdf) (NeurIPS 2018) \u003Cbr\u002F> They follow the linear assumption in DeepFool method. 
DeepDefense pushes decision boundary away from those correctly classified, and pull decision boundary closer to those misclassified.\n\n* [Max-Mahalanobis Linear Discriminant Analysis Networks](http:\u002F\u002Fproceedings.mlr.press\u002Fv80\u002Fpang18a\u002Fpang18a.pdf) (ICML 2018) \u003Cbr\u002F> This is one of our work. We explicitly model the feature distribution as a Max-Mahalanobis distribution (MMD), which has max margin among classes and can lead to guaranteed robustness.\n\n* [Ensemble Adversarial Training- Attacks and Defenses](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1705.07204.pdf) (ICLR 2018) \u003Cbr\u002F> Ensemble adversarial training use sevel pre-trained models, and in each training batch, they randomly select one of the currently trained model or pre-trained models to craft adversarial examples.\n\n* [Pixeldefend: Leveraging generative models to understand and defend against adversarial examples](https:\u002F\u002Farxiv.org\u002Fabs\u002F1710.10766) (ICLR 2018) \u003Cbr\u002F> This paper provided defense by moving adversarial examples back towards the distribution seen in the training data.\n\n\u003Ca id='General_inference'>\u003C\u002Fa>\n## General Defenses (inference phase)\n* [Adversarial Attacks are Reversible with Natural Supervision](https:\u002F\u002Farxiv.org\u002Fabs\u002F2103.14222) (ICCV 2021) \u003Cbr\u002F> This paper proposes to use contrastive loss to restore the natural structure of attacked images, providing a defense.\n\n* [Adversarial Purification with Score-based Generative Models](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2106.06041.pdf) (ICML 2021) \u003Cbr\u002F> This paper proposes to use score-based generative models (e.g., NCSN) to purify adversarial examples.\n\n* [Online Adversarial Purification based on Self-Supervision](https:\u002F\u002Farxiv.org\u002Fabs\u002F2101.09387) (ICLR 2021) \u003Cbr\u002F> This paper proposes to train the network with a label-independent auxiliary task (e.g., rotation prediction), and 
purify the test inputs dynamically by minimizing the auxiliary loss.\n\n* [Mixup Inference: Better Exploiting Mixup to Defend Adversarial Attacks](https:\u002F\u002Fopenreview.net\u002Fforum?id=ByxtC2VtPB) (ICLR 2020) \u003Cbr\u002F> This paper exploit the mixup mechanism in the inference phase to improve robustness.\n\n* [Barrage of Random Transforms for Adversarially Robust Defense](http:\u002F\u002Fopenaccess.thecvf.com\u002Fcontent_CVPR_2019\u002Fpapers\u002FRaff_Barrage_of_Random_Transforms_for_Adversarially_Robust_Defense_CVPR_2019_paper.pdf) (CVPR 2019) \u003Cbr\u002F> This paper applies a set of different random transformations as an off-the-shelf defense.\n\n* [Mitigating Adversarial Effects Through Randomization](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1711.01991.pdf) (ICLR 2018) \u003Cbr\u002F> Use random resizing and random padding to disturb adversarial examples, which won the 2nd place in th defense track of NeurIPS 2017 Adversarial Competation.\n\n* [Countering Adversarial Images Using Input Transformations](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1711.00117.pdf) (ICLR 2018) \u003Cbr\u002F> Apply bit-depth reduction, JPEG compression, total variance minimization and image quilting as input preprocessing to defend adversarial attacks.\n\n\u003Ca id='Detection'>\u003C\u002Fa>\n## Adversarial Detection\n* [Detecting adversarial examples is (nearly) as hard as classifying them](https:\u002F\u002Fproceedings.mlr.press\u002Fv162\u002Ftramer22a.html) (ICML 2022) \u003Cbr\u002F> This paper demonstrates that detection and classification of adversarial examples can be mutually converted, and thus many previous works on detection may overclaim their effectiveness.\n\n* [Class-Disentanglement and Applications in Adversarial Detection and Defense](https:\u002F\u002Fopenreview.net\u002Fpdf?id=jFMzBeLyTc0) (NeurIPS 2021) \u003Cbr\u002F> This paper proposes to disentangle the class-dependence and visually reconstruction, and exploit the result as an adversarial 
detection metric.\n\n* [Towards Robust Detection of Adversarial Examples](http:\u002F\u002Fpapers.nips.cc\u002Fpaper\u002F7709-towards-robust-detection-of-adversarial-examples.pdf) (NeurIPS 2018) \u003Cbr\u002F> This is one of our work. We train the networks with reverse cross-entropy (RCE), which can map normal features to low-dimensional manifolds, and then detectors can better separate between adversarial examples and normal ones.\n\n* [A Simple Unified Framework for Detecting Out-of-Distribution Samples and Adversarial Attacks](http:\u002F\u002Fpapers.nips.cc\u002Fpaper\u002F7947-a-simple-unified-framework-for-detecting-out-of-distribution-samples-and-adversarial-attacks.pdf) (NeurIPS 2018) \u003Cbr\u002F> Fit a GDA on learned features, and use Mahalanobis distance as the detection metric.\n\n* [Robust Detection of Adversarial Attacks by Modeling the Intrinsic Properties of Deep Neural Networks](http:\u002F\u002Fpapers.nips.cc\u002Fpaper\u002F8016-robust-detection-of-adversarial-attacks-by-modeling-the-intrinsic-properties-of-deep-neural-networks.pdf) (NeurIPS 2018) \u003Cbr\u002F> They fit a GMM on learned features, and use the probability as the detection metric.\n\n* [Detecting adversarial samples from artifacts](https:\u002F\u002Farxiv.org\u002Fabs\u002F1703.00410) \u003Cbr\u002F> This paper proposed the kernel density (K-density) metric on the learned features to detect adversarial examples.\n\n\u003Ca id='Certified Defense and Model Verification'>\u003C\u002Fa>\n## Certified Defense and Model Verification\n* [Towards Better Understanding of Training Certifiably Robust Models against Adversarial Examples](https:\u002F\u002Fopenreview.net\u002Fpdf?id=b18Az57ioHn) (NeurIPS 2021) \u003Cbr\u002F>  This paper generally study the effciency of different certified defenses, and find that the smoothness of loss landscape matters.\n\n* [Towards Verifying Robustness of Neural Networks against Semantic 
Perturbations](https:\u002F\u002Farxiv.org\u002Fabs\u002F1912.09533) (CVPR 2020) \u003Cbr\u002F> This paper generalize the pixel-wise verification methods into the semantic transformation space.\n\n* [Neural Network Branching for Neural Network Verification](https:\u002F\u002Farxiv.org\u002Fabs\u002F1912.01329) (ICLR 2020) \u003Cbr\u002F> This paper use GNN to adaptively construct branching strategy for model verification.\n\n* [Towards Stable and Efficient Training of Verifiably Robust Neural Networks](https:\u002F\u002Fopenreview.net\u002Fforum?id=Skxuk1rFwB) (ICLR 2020) \u003Cbr\u002F> This paper combines the previous IBP and CROWN methods.\n\n* [A Convex Relaxation Barrier to Tight Robustness Verification of Neural Networks](http:\u002F\u002Fpapers.nips.cc\u002Fpaper\u002F9176-a-convex-relaxation-barrier-to-tight-robustness-verification-of-neural-networks.pdf) (NeurIPS 2019) \u003Cbr\u002F> This paper makes a conprehensive studies on existing robustness verification methods based on convex relaxation.\n\n* [Tight Certificates of Adversarial Robustness for Randomly Smoothed Classifiers](https:\u002F\u002Fguanghelee.github.io\u002Fpub\u002FLee_etal_neurips19.pdf) (NeurIPS 2019) \u003Cbr\u002F> This word extends the robustness certificate of random smoothing from L2 to L0 norm bound.\n\n* [On the Effectiveness of Interval Bound Propagation for Training Verifiably Robust Models](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1810.12715.pdf) (ICCV 2019) \u003Cbr\u002F> This paper proposes the scalable verificatin method with interval bound propagation (IBP).\n\n* [Evaluating Robustness of Neural Networks with Mixed Integer Programming](https:\u002F\u002Farxiv.org\u002Fabs\u002F1711.07356) (ICLR 2019) \u003Cbr\u002F> This paper use mixed integer programming (MIP) method to solve the verification problem.\n\n* [Efficient Neural Network Robustness Certification with General Activation Functions](https:\u002F\u002Farxiv.org\u002Fabs\u002F1811.00866) (NeurIPS 2018) 
\u003Cbr\u002F> This paper proposes the verification method CROWN for general activation with locally linear or quadratic approximation.\n\n* [A Unified View of Piecewise Linear Neural Network Verification](https:\u002F\u002Farxiv.org\u002Fabs\u002F1711.00455) (NeurIPS 2018) \u003Cbr\u002F> This paper presents a unified framework and an empirical benchmark on previous verification methods\n\n* [Scaling Provable Adversarial Defenses](http:\u002F\u002Fpapers.nips.cc\u002Fpaper\u002F8060-scaling-provable-adversarial-defenses.pdf) (NeurIPS 2018) \u003Cbr\u002F> They add three tricks to improve the scalability (to CIFAR-10) of previously proposed method in ICML.\n\n* [Provable Defenses against Adversarial Examples via the Convex Outer Adversarial Polytope](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1711.00851.pdf) (ICML 2018) \u003Cbr\u002F> By robust optimization (via a linear program), they can get a point-wise bound of robustness, where no adversarial example exists in the bound. Experiments are done on MNIST.\n\n* [Towards Fast Computation of Certified Robustness for ReLU Networks](https:\u002F\u002Farxiv.org\u002Fabs\u002F1804.09699) (ICML 2018) \u003Cbr\u002F> This paper proposes the Fast-Lin and Fast-Lip methods.\n\n* [Evaluating the Robustness of Neural Networks: An Extreme Value Theory Approach](https:\u002F\u002Farxiv.org\u002Fabs\u002F1801.10578) (ICLR 2018) \u003Cbr\u002F> This paper proposes the CLEVER method to estimate the upper bound of specification.\n\n* [Certified Defenses against Adversarial Examples](https:\u002F\u002Farxiv.org\u002Fabs\u002F1801.09344) (ICLR 2018) \u003Cbr\u002F> This paper proposes the certified training with semidefinite relaxation.\n\n* [A Dual Approach to Scalable Verification of Deep Networks](https:\u002F\u002Farxiv.org\u002Fabs\u002F1803.06567) (UAI 2018) \u003Cbr\u002F> This paper solves the dual problem to provide an upper bound of the primary specification problem for verification.\n\n* [Reluplex: An efficient SMT solver 
for verifying deep neural networks](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1702.01135.pdf) (CAV 2017) \u003Cbr\u002F> This paper use satisfiability modulo theory (SMT) solvers for the verification problem.\n\n* [Automated Verification of Neural Networks: Advances, Challenges and Perspectives](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1805.09938.pdf) \u003Cbr\u002F> This paper provides an overview of main verification methods, and introduces previous work on combining automated verification with machine learning. They also give some insights on future tendency of the combination between these two domains.\n\n\u003Ca id='Theoretical'>\u003C\u002Fa>\n## Theoretical Analysis\n* [Towards Deep Learning Models Resistant to Large Perturbations](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2003.13370.pdf) \u003Cbr\u002F> This paper prove that the weight initialization of a already robust model on small perturbation can be helpful for training on large perturbations.\n\n* [Improved Sample Complexities for Deep Neural Networks and Robust Classification via an All-Layer Margin](https:\u002F\u002Fopenreview.net\u002Fforum?id=HJe_yR4Fwr) (ICLR 2020) \u003Cbr\u002F> This paper connect the generalization gap w.r.t all-layer margin, and propose a variant of adversarial training, where the perturbations can be imposed on each layer in network.\n\n* [Adversarial Examples Are Not Bugs, They Are Features](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1905.02175.pdf) (NeurIPS 2019) \u003Cbr\u002F> They claim that adversarial examples can be directly attributed to the presence of non-robust features, which are highly predictive but locally quite sensitive.\n\n* [First-order Adversarial Vulnerability of Neural Networks and Input Dimension](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1802.01421.pdf) (ICML 2019) \u003Cbr\u002F> This paper demonsrate the relations among adversarial vulnerability and gradient norm and input dimension with comprehensive empirical experiments.\n\n* [Adversarial 
Examples from Computational Constraints](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1805.10204.pdf) (ICML 2019) \u003Cbr\u002F> The authors argue that the exsitence of adversarial examples could stem from computational constrations.\n\n* [Adversarial Examples Are a Natural Consequence of Test Error in Noise](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1901.10513.pdf) (ICML 2019) \u003Cbr\u002F> This paper connects the relation between the general corruption robustness and the adversarial robustness, and recommand the adversarial defenses methods to be also tested on general-purpose noises.\n\n* [PAC-learning in the presence of evasion adversaries](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1806.01471.pdf) (NeurIPS 2018) \u003Cbr\u002F> The authors analyze the adversarial attacks from the PAC-learning framework.\n\n* [Adversarial Vulnerability for Any Classifier](http:\u002F\u002Fpapers.nips.cc\u002Fpaper\u002F7394-adversarial-vulnerability-for-any-classifier.pdf) (NeurIPS 2018) \u003Cbr\u002F> Uniform upper bound of robustness for any classifier on the data sampled from smooth genertive models.\n\n* [Adversarially Robust Generalization Requires More Data](http:\u002F\u002Fpapers.nips.cc\u002Fpaper\u002F7749-adversarially-robust-generalization-requires-more-data.pdf) (NeurIPS 2018) \u003Cbr\u002F> This paper show that robust generalization requires much more sample complexity compared to standard generlization on two simple data distributional models. 
\n\n* [Robustness of Classifiers:from Adversarial to Random Noise](http:\u002F\u002Fpapers.nips.cc\u002Fpaper\u002F6331-robustness-of-classifiers-from-adversarial-to-random-noise.pdf) (NeurIPS 2016)\n\n\u003Ca id='Empirical'>\u003C\u002Fa>\n## Empirical Analysis\n* [Aliasing and adversarial robust generalization of CNNs](https:\u002F\u002Flink.springer.com\u002Farticle\u002F10.1007\u002Fs10994-022-06222-8) (ECML 2022) This paper empirically demonstrates that adversarial robust models learn to downsample more accurate and thus suffer significantly less from downsampling artifacts, aka. aliasing, than simple non-robust baseline models.\n\n* [Adversarial Robustness Through the Lens of Convolutional Filters](https:\u002F\u002Fopenaccess.thecvf.com\u002Fcontent\u002FCVPR2022W\u002FArtOfRobust\u002Fhtml\u002FGavrikov_Adversarial_Robustness_Through_the_Lens_of_Convolutional_Filters_CVPRW_2022_paper.html) (CVPR-W 2022) \u003Cbr\u002F> This paper compares the learned convolution filters of a large amount of pretrained robust models against identical networks trained without adversarial defenses. 
The authors show that robust models form more orthogonal, diverse, and less sparse convolution filters, but the differences diminish as dataset complexity increases.\n\n* [CNN Filter DB: An Empirical Investigation of Trained Convolutional Filters](https:\u002F\u002Fopenaccess.thecvf.com\u002Fcontent\u002FCVPR2022\u002Fhtml\u002FGavrikov_CNN_Filter_DB_An_Empirical_Investigation_of_Trained_Convolutional_Filters_CVPR_2022_paper.html) (CVPR 2022) \u003Cbr\u002F> This paper performs an empirical analysis of learned 3x3 convolution filters in various CNNs and shows that robust models learn less sparse and more diverse convolution filters.\n\n* [PixMix: Dreamlike Pictures Comprehensively Improve Safety Measures](https:\u002F\u002Farxiv.org\u002Fabs\u002F2112.05135) (CVPR 2022) \u003Cbr\u002F> This paper uses dreamlike pictures as data augmentation to improve robustness across the board (removing texture-based confounders).\n\n* [How Benign is Benign Overfitting](https:\u002F\u002Fopenreview.net\u002Fpdf?id=g-wu9TMPODo) (ICLR 2021) \u003Cbr\u002F> This paper shows that adversarial vulnerability may come from bad data and (poorly) trained models, namely the learned representations.\n\n* [Uncovering the Limits of Adversarial Training against Norm-Bounded Adversarial Examples](https:\u002F\u002Farxiv.org\u002Fabs\u002F2010.03593) \u003Cbr\u002F> This paper explores the limits of adversarial training on CIFAR-10 by combining large model architectures, weight moving averages, smooth activations and more training data, reaching state-of-the-art robustness under norm-bounded constraints.\n\n* [Bag of Tricks for Adversarial Training](https:\u002F\u002Fopenreview.net\u002Fforum?id=Xb8xvrtB8Ce) (ICLR 2021) \u003Cbr\u002F> This paper provides an empirical study of the usually overlooked hyperparameters used in adversarial training, and shows that inappropriate settings can largely affect the performance of adversarially trained models.\n\n* [Neural Anisotropy 
Directions](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2006.09717.pdf) (NeurIPS 2020) \u003Cbr\u002F> This paper shows that model architectures have directional inductive biases, which can explain how a model reacts to certain adversarial perturbations.\n\n* [Hold me tight! Influence of discriminative features on deep network boundaries](https:\u002F\u002Farxiv.org\u002Fabs\u002F2002.06349) (NeurIPS 2020) \u003Cbr\u002F> This paper empirically shows that decision boundaries are constructed along discriminative features, and explains the mechanism of adversarial training.\n\n* [Reliable evaluation of adversarial robustness with an ensemble of diverse parameter-free attacks](https:\u002F\u002Farxiv.org\u002Fabs\u002F2003.01690) (ICML 2020) \u003Cbr\u002F> A comprehensive empirical evaluation of existing defense methods with an ensemble of parameter-free attacks. \n\n* [Attacks Which Do Not Kill Training Make Adversarial Learning Stronger](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2002.11242.pdf) (ICML 2020) \u003Cbr\u002F> This paper also advocates early stopping during adversarial training.\n\n* [Overfitting in adversarially robust deep learning](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2002.11569.pdf) (ICML 2020) \u003Cbr\u002F> This paper demonstrates the phenomenon of overfitting when training robust models through extensive experiments (code provided in the paper).\n\n* [When NAS Meets Robustness: In Search of Robust Architectures against Adversarial Attacks](https:\u002F\u002Farxiv.org\u002Fabs\u002F1911.10695) \u003Cbr\u002F> This paper leverages NAS to understand the influence of network architectures on robustness against adversarial attacks. 
It reveals several useful observations for designing robust network architectures.\n\n* [Adversarial Examples Improve Image Recognition](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1911.09665.pdf) \u003Cbr\u002F> This paper shows that an auxiliary BN for adversarial examples can improve generalization performance.\n\n* [Intriguing Properties of Adversarial Training at Scale](https:\u002F\u002Fopenreview.net\u002Fforum?id=HyxJhCEFDS&noteId=rJxeamAAKB) (ICLR 2020) \u003Cbr\u002F> This paper investigates the effects of BN and deeper models on adversarial training on ImageNet.\n\n* [A Fourier Perspective on Model Robustness in Computer Vision](https:\u002F\u002Fpapers.nips.cc\u002Fpaper\u002F9483-a-fourier-perspective-on-model-robustness-in-computer-vision.pdf) (NeurIPS 2019) \u003Cbr\u002F> This paper analyzes different types of noise (including adversarial noise) from the Fourier perspective, and observes a relationship between robustness and Fourier frequency. \n\n* [Interpreting Adversarially Trained Convolutional Neural Networks](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1905.09797.pdf) (ICML 2019) \u003Cbr\u002F> This paper shows that adversarially trained models can alleviate texture bias and learn more shape-biased representations.\n\n* [On Evaluating Adversarial Robustness](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1902.06705.pdf) \u003Cbr\u002F> Some analyses of how to correctly evaluate the robustness of adversarial defenses.\n\n* [Is Robustness the Cost of Accuracy? 
-- A Comprehensive Study on the Robustness of 18 Deep Image Classification Models](https:\u002F\u002Fopenaccess.thecvf.com\u002Fcontent_ECCV_2018\u002Fhtml\u002FDong_Su_Is_Robustness_the_ECCV_2018_paper.html) \u003Cbr\u002F> This paper empirically studies the effects of model architectures (trained on ImageNet) on robustness and accuracy.\n\n* [Adversarial Example Defenses: Ensembles of Weak Defenses are not Strong](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1706.04701.pdf) \u003Cbr\u002F> This paper tests ensembles of existing detection-based defenses, and shows that these ensemble defenses can still be evaded by white-box attacks.\n\n\u003Ca id='Beyond_Safety'>\u003C\u002Fa>\n## Beyond Safety\n* [Robust Models are less Over-Confident](https:\u002F\u002Fopenreview.net\u002Fforum?id=5K3uopkizS) (NeurIPS 2022) \u003Cbr\u002F> This paper analyzes the (over)confidence of robust CNNs and concludes that robust models are significantly less overconfident in their decisions, even on clean data. 
Further, the authors provide a model zoo of various CNNs trained with and without adversarial defenses.\n\n* [Improved Autoregressive Modeling with Distribution Smoothing](https:\u002F\u002Fopenreview.net\u002Fforum?id=rJA5Pz7lHKb) (ICLR 2021) \u003Cbr\u002F> This paper applies an idea similar to randomized smoothing to autoregressive generative modeling: first model a smoothed data distribution, then denoise the sampled data.\n\n* [Defending Against Image Corruptions Through Adversarial Augmentations](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2104.01086.pdf) \u003Cbr\u002F> This paper proposes the AdversarialAugment method, which adversarially crafts corrupted augmented images during training.\n\n* [On the effectiveness of adversarial training against common corruptions](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2103.02325.pdf) \u003Cbr\u002F> This paper studies how to use adversarial training (both Lp and a relaxation of perceptual adversarial training) to improve performance on common image corruptions (CIFAR-10-C \u002F ImageNet-100-C).\n\n* [Unadversarial Examples: Designing Objects for Robust Vision](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2012.12235.pdf) (NeurIPS 2021) \u003Cbr\u002F> This paper turns the weakness of adversarial examples into a strength, and proposes unadversarial examples to enhance model performance and robustness.\n\n* [Self-supervised Learning with Adversarial Training](https:\u002F\u002Fgithub.com\u002FP2333\u002FPapers-of-Robust-ML) ([1](https:\u002F\u002Fproceedings.neurips.cc\u002Fpaper\u002F2020\u002Fhash\u002F1f1baa5b8edac74eb4eaa329f14a0361-Abstract.html), [2](https:\u002F\u002Fproceedings.neurips.cc\u002Fpaper\u002F2020\u002Fhash\u002Fc68c9c8258ea7d85472dd6fd0015f047-Abstract.html), [3](https:\u002F\u002Fproceedings.neurips.cc\u002Fpaper\u002F2020\u002Fhash\u002Fba7e36c43aff315c00ec2b8625e3b719-Abstract.html)) (NeurIPS 2020) \u003Cbr\u002F> These three papers work on embedding the adversarial training mechanism into 
contrastive-based self-supervised learning. They show that the AT mechanism can improve the learned representations.\n\n* [Do Adversarially Robust ImageNet Models Transfer Better?](https:\u002F\u002Fproceedings.neurips.cc\u002Fpaper\u002F2020\u002Fhash\u002F24357dd085d2c4b1a88a7e0692e60294-Abstract.html) (NeurIPS 2020) \u003Cbr\u002F> This paper shows that adversarially robust models work better for transfer learning, which suggests that robust training encourages the model to focus on semantic features.\n\n* [Adversarial Examples Improve Image Recognition](https:\u002F\u002Fcs.jhu.edu\u002F~alanlab\u002FPubs20\u002Fxie2020adversarial.pdf) (CVPR 2020) \u003Cbr\u002F> This paper treats adversarial training as a regularization strategy for the standard classification task, and achieves SOTA clean performance on ImageNet without extra data.\n\n\u003Ca id='Seminal_work'>\u003C\u002Fa>\n## Seminal Work\n* [Unsolved Problems in ML Safety](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2109.13916.pdf) \u003Cbr\u002F> A comprehensive roadmap for future research in Trustworthy ML. 
\n\n* [Towards Deep Learning Models Resistant to Adversarial Attacks](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1706.06083.pdf) (ICLR 2018) \u003Cbr\u002F> This paper proposed the projected gradient descent (PGD) attack, and PGD-based adversarial training.\n\n* [Adversarial examples are not easily detected: Bypassing ten detection methods](https:\u002F\u002Fdl.acm.org\u002Fcitation.cfm?Id=3140444) (AISec 17) \u003Cbr\u002F> This paper was the first to design adaptive attacks against detection-based methods.\n\n* [Explaining and Harnessing Adversarial Examples](https:\u002F\u002Farxiv.org\u002Fabs\u002F1412.6572) (ICLR 2015) \u003Cbr\u002F> This paper proposed the fast gradient sign method (FGSM), and the framework of adversarial training.\n\n* [Intriguing properties of neural networks](https:\u002F\u002Farxiv.org\u002Fabs\u002F1312.6199) (ICLR 2014) \u003Cbr\u002F> This paper first introduced the concept of adversarial examples in deep learning, and provided an L-BFGS based attack method.\n\n\u003Ca id='Benchmark_Datasets'>\u003C\u002Fa>\n## Benchmark Datasets\n* [RobustBench: a standardized adversarial robustness benchmark](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2010.09670.pdf) \u003Cbr\u002F> A standardized robustness benchmark with 50+ models together with the [Model Zoo](https:\u002F\u002Fgithub.com\u002FRobustBench\u002Frobustbench). \n\n* [Natural adversarial examples](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1907.07174.pdf) \u003Cbr\u002F> ImageNet-A dataset.\n\n* [Benchmarking Neural Network Robustness to Common Corruptions and Perturbations](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1903.12261.pdf) (ICLR 2019) \u003Cbr\u002F> ImageNet-C dataset.\n\n* [Imagenet-trained cnns are biased towards texture; increasing shape bias improves accuracy and robustness](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1811.12231.pdf) (ICLR 2019) \u003Cbr\u002F> This paper empirically demonstrates that shape-based features lead to more robust models. 
They also provide the Stylized-ImageNet dataset.\n","","# Papers-of-Robust-ML Quick Start Guide\n\n`Papers-of-Robust-ML` is not an installable library or framework but a **curated list of academic papers on robust machine learning (with a focus on defenses)**. It is meant to help researchers and developers quickly track recent progress, classic methods and benchmark datasets in the field.\n\nThis guide therefore explains how to obtain, browse and use the list to support your research and development work.\n\n## Prerequisites\n\nSince this is a documentation resource, no particular system environment or dependency stack is required. You only need:\n\n*   **Operating system**: any system with a modern browser (Windows, macOS, Linux).\n*   **Tools**:\n    *   Git (to clone the repository)\n    *   A Markdown viewer (optional; the GitHub web UI renders the file directly)\n    *   A way to fetch papers (a browser extension or institutional access, for reading full texts)\n\n## Installation (obtaining the list)\n\nYou can obtain the paper list in two ways:\n\n### Option 1: browse online (recommended)\nOpen the GitHub repository page and use the table of contents to jump to the paper category you are interested in.\n*   URL: https:\u002F\u002Fgithub.com\u002FP2333\u002FPapers-of-Robust-ML\n\n### Option 2: clone locally\nIf you want to read offline or contribute, clone the repository with Git.\n\n```bash\ngit clone https:\u002F\u002Fgithub.com\u002FP2333\u002FPapers-of-Robust-ML.git\ncd Papers-of-Robust-ML\n```\n\n*(If GitHub is slow to reach from your network, use a mirror or configure a proxy.)*\n\n## Basic usage\n\nThe core workflow is to **look up papers by category** and **read the originals**. The steps are as follows:\n\n### 1. 
浏览分类目录\n打开 `README.md` 文件，根据研究需求点击以下分类链接跳转：\n\n*   **General Defenses (training phase)**: 训练阶段的通用防御方法（如对抗训练、数据增强等）。\n*   **General Defenses (inference phase)**: 推理阶段的通用防御方法（如输入净化、重构等）。\n*   **Adversarial Detection**: 对抗样本检测技术。\n*   **Certified Defense and Model Verification**: 可证明的防御与模型验证。\n*   **Theoretical \u002F Empirical Analysis**: 理论与实证分析。\n*   **Benchmark Datasets**: 基准数据集。\n\n### 2. 获取论文详情\n在对应分类下，你会看到论文标题、发表会议（如 ICML, NeurIPS, CVPR）及简短的核心贡献描述。\n\n**示例：查找训练阶段的最优对抗训练方法**\n1.  定位到 `## General Defenses (training phase)` 章节。\n2.  阅读条目，例如：\n    > *[Better Diffusion Models Further Improve Adversarial Training](link) (ICML 2023)*\n    > 该文主张使用更好的扩散模型（如 EDM）替代 DDPM 来提升对抗训练效果，在 CIFAR-10\u002F100 上达到了 SOTA。\n3.  点击标题链接直接下载 PDF 或跳转至 arXiv 页面。\n\n### 3. 贡献新论文（可选）\n如果你发现了未收录的高质量论文（发表于顶会或 arXiv），欢迎提交 Pull Request：\n\n```bash\n# 1. Fork 仓库\n# 2. 克隆你的 Fork\ngit clone https:\u002F\u002Fgithub.com\u002FYOUR_USERNAME\u002FPapers-of-Robust-ML.git\n\n# 3. 编辑 README.md，在对应分类下添加论文信息\n# 格式参考：\n# * [论文标题](链接) (会议\u002F年份) \u003Cbr\u002F> 简要贡献描述\n\n# 4. 提交更改\ngit add README.md\ngit commit -m \"Add new paper: [Paper Title]\"\ngit push origin main\n\n# 5. 
在 GitHub 上发起 Pull Request\n```\n\n通过这种方式，你可以持续更新自己的知识库，并与社区共享最新的鲁棒性防御研究成果。","某自动驾驶初创公司的算法团队正致力于提升感知模型在对抗攻击下的鲁棒性，以应对恶意干扰导致的识别失效风险。\n\n### 没有 Papers-of-Robust-ML 时\n- **文献检索如大海捞针**：面对 ICML、NeurIPS 等顶会每年涌现的数十篇新论文，研究员难以快速筛选出真正具有洞察力的防御方案，大量时间耗费在无效阅读上。\n- **技术选型缺乏依据**：在尝试解决“灾难性过拟合”或平衡“准确率与鲁棒性”时，因不了解如 FrequencyLowCut Pooling 或 SCORE 目标函数等前沿进展，只能重复造轮子或使用过时方法。\n- **复现基准模糊**：缺乏统一的权威列表来追踪 SOTA（最先进）性能，难以判断当前模型在 CIFAR-10\u002F100 等基准数据集上的表现是否已达行业领先水平。\n\n### 使用 Papers-of-Robust-ML 后\n- **精准锁定核心成果**：团队直接利用其分类目录（如训练阶段防御、理论分析），迅速定位到能提升扩散模型鲁棒性或防止过拟合的关键论文，研发效率显著提升。\n- **快速落地前沿策略**：参考列表中关于数据增强修正及生成式代理分布的最新研究，成功优化了训练流程，在不增加额外数据的前提下大幅增强了模型抗攻击能力。\n- **对标行业最高标准**：依托工具提供的 RobustBench 关联信息，团队能够实时验证模型性能是否达到最新 SOTA，确保技术方案始终处于竞争前沿。\n\nPapers-of-Robust-ML 通过 curated（精选）的学术资源地图，将研究人员从繁杂的文献海洋中解放出来，使其能专注于高价值的算法创新与落地。","https:\u002F\u002Foss.gittoolsai.com\u002Fimages\u002FP2333_Papers-of-Robust-ML_771703d9.png","P2333","Tianyu Pang","https:\u002F\u002Foss.gittoolsai.com\u002Favatars\u002FP2333_d98f1634.jpg","Machine Learning\r\n","Tencent Hunyuan","Singapore","tianyupang3@gmail.com","TianyuPang1","https:\u002F\u002Fp2333.github.io\u002F","https:\u002F\u002Fgithub.com\u002FP2333",null,562,53,"2026-03-20T05:45:46","","未说明",{"notes":94,"python":92,"dependencies":95},"该项目是一个鲁棒机器学习（主要是防御方向）的论文列表合集，并非可执行的软件工具或代码库。README 中列出的内容均为相关学术论文的标题、链接及简介，因此不存在具体的操作系统、硬件配置、Python 版本或依赖库的安装需求。用户仅需通过浏览器或 PDF 阅读器访问提供的论文链接即可。",[],[18],"2026-03-27T02:49:30.150509","2026-04-20T07:16:14.600407",[],[]]
