1）Towards Large Yet Imperceptible Adversarial Image Perturbations With Perceptual Color Distance  
2）What Machines See Is Not What They Get: Fooling Scene Text Recognition Models With Adversarial Text Images  
3）ColorFool: Semantic Adversarial Colorization  
4）Polishing Decision-Based Adversarial Noise With a Customized Sampling  
5）Single-Step Adversarial Training With Dropout Scheduling  
6）Physically Realizable Adversarial Examples for LiDAR Object Detection  
7）LG-GAN: Label Guided Adversarial Network for Flexible Targeted Attack of Point Cloud Based Deep Networks  
8）Transferable, Controllable, and Inconspicuous Adversarial Attacks on Person Re-identification With Deep Mis-Ranking  
9）Boosting the Transferability of Adversarial Samples via Attention  
10）One-Shot Adversarial Attacks on Visual Tracking With Dual Attention  
11）Robust Superpixel-Guided Attentional Adversarial Attack  
12）Enhancing Cross-Task Black-Box Transferability of Adversarial Examples With Dispersion Reduction  
13）Adversarial Camouflage: Hiding Physical-World Attacks With Natural Styles  
14）ILFO: Adversarial Attack on Adaptive Neural Networks  
15）DaST: Data-Free Substitute Training for Adversarial Attacks  
16）PhysGAN: Generating Physical-World-Resilient Adversarial Examples for Autonomous Driving  
17）GeoDA: A Geometric Framework for Black-Box Adversarial Attacks  
18）Cooling-Shrinking Attack: Blinding the Tracker With Imperceptible Noises  
19）Towards Transferable Targeted Attack  
20）TBT: Targeted Neural Network Attack With Bit Trojan  
21）Projection & Probability-Driven Black-Box Attack  
22）QEBA: Query-Efficient Boundary-Based Blackbox Attack  

1）Robust Design of Deep Neural Networks Against Adversarial Attacks Based on Lyapunov Theory  
2）One Man's Trash Is Another Man's Treasure: Resisting Adversarial Examples by Adversarial Examples  
3）Achieving Robustness in the Wild via Adversarial Mixing With Disentangled Representations  
4）Adversarial Vertex Mixup: Toward Better Adversarially Robust Generalization  
5）Learn2Perturb: An End-to-End Feature Perturbation Learning to Improve Adversarial Robustness  
6）Defending and Harnessing the Bit-Flip Based Adversarial Weight Attack  
7）Adversarial Examples Improve Image Recognition  
8）Efficient Adversarial Training With Transferable Adversarial Examples  
9）Modeling Biological Immunity to Adversarial Examples  
10）Towards Achieving Adversarial Robustness by Enforcing Feature Consistency Across Bit Planes  
11）A Self-supervised Approach for Adversarial Robustness  
12）Ensemble Generative Cleaning With Feedback Loops for Defending Adversarial Attacks  
13）Detecting Adversarial Samples Using Influence Functions and Nearest Neighbors  
14）When NAS Meets Robustness: In Search of Robust Architectures Against Adversarial Attacks  
15）Enhancing Intrinsic Adversarial Robustness via Feature Pyramid Decoder  
16）Exploiting Joint Robustness to Adversarial Perturbations  
17）Cross-Domain Face Presentation Attack Detection via Multi-Domain Disentangled Representation Learning  

1）Understanding Adversarial Examples From the Mutual Influence of Images and Perturbations  

1）Attack to Explain Deep Representation  

1）Benchmarking Adversarial Robustness on Image Classification  

1）Improving Transferability of Adversarial Examples With Input Diversity  
2）Exact Adversarial Attack to Image Captioning via Structured Output Learning With Latent Variables  
3）Adversarial Attacks Beyond the Image Space  
4）Decoupling Direction and Norm for Efficient Gradient-Based L2 Adversarial Attacks and Defenses  
5）Curls & Whey: Boosting Black-Box Adversarial Attacks  
6）Feature Space Perturbations Yield More Transferable Adversarial Examples  
7）Efficient Decision-Based Black-Box Adversarial Attacks on Face Recognition  
8）Catastrophic Child's Play: Easy to Perform, Hard to Defend Adversarial Attacks  
9）Trust Region Based Adversarial Attack on Neural Networks  

1）Feature Denoising for Improving Adversarial Robustness  
2）Parametric Noise Injection: Trainable Randomness to Improve Deep Neural Network Robustness Against Adversarial Attack  
3）Feature Distillation: DNN-Oriented JPEG Compression Against Adversarial Examples  
4）Evading Defenses to Transferable Adversarial Examples by Translation-Invariant Attacks  
5）Decoupling Direction and Norm for Efficient Gradient-Based L2 Adversarial Attacks and Defenses  
6）What Does It Mean to Learn in Deep Networks? And, How Does One Detect Adversarial Attacks?  
7）Adversarial Defense Through Network Profiling Based Path Extraction  
8）Detection Based Defense Against Adversarial Examples From the Steganalysis Point of View  
9）ComDefend: An Efficient Image Compression Model to Defend Adversarial Examples  
10）ShieldNets: Defending Against Adversarial Attacks Using Probabilistic Adversarial Robustness  
11）Defense Against Adversarial Images Using Web-Scale Nearest-Neighbor Search  
12）Multi-Adversarial Discriminative Deep Domain Generalization for Face Presentation Attack Detection  
13）Defending Against Adversarial Attacks by Randomized Diversification   
14）Rob-GAN: Generator, Discriminator, and Adversarial Attacker  
15）A Kernelized Manifold Mapping to Diminish the Effect of Adversarial Perturbations  
16）Adversarial Defense by Stratified Convolutional Sparse Coding  
17）Adversarial Defense Through Network Profiling Based Path Extraction  
18）Barrage of Random Transforms for Adversarially Robust Defense  

1）What Does It Mean to Learn in Deep Networks? And, How Does One Detect Adversarial Attacks?  
2）Adversarial Defense Through Network Profiling Based Path Extraction  

1）Disentangling Adversarial Robustness and Generalization  

1）On the Design of Black-Box Adversarial Examples by Leveraging Gradient-Free Optimization and Operator Splitting Method  
2）Universal Adversarial Perturbation via Prior Driven Uncertainty Approximation  
3）Sparse and Imperceivable Adversarial Attacks  
4）Enhancing Adversarial Example Transferability With an Intermediate Level Attack  
5）Semantic Adversarial Attacks: Parametric Transformations That Fool Deep Classifiers  
6）Physical Adversarial Textures That Fool Visual Object Tracking  
7）The LogBarrier Adversarial Attack: Making Effective Use of Decision Boundary Information  
8）Guessing Smart: Biased Sampling for Efficient Black-Box Adversarial Attacks  
9）Targeted Mismatch Adversarial Attack: Query With a Flower to Retrieve the Tower  
10）Once a MAN: Towards Multi-Target Attack via Learning Multi-Target Adversarial Network Once  
11）Bit-Flip Attack: Crushing Neural Network With Progressive Bit Search  
12）A Geometry-Inspired Decision-Based Attack  
13）Universal Perturbation Attack Against Image Retrieval  
14）FDA: Feature Disruptive Attack  

1）DUP-Net: Denoiser and Upsampler Network for 3D Adversarial Point Clouds Defense  
2）Adversarial Defense via Learning to Generate Diverse Attacks  
3）Adversarial Defense by Restricting the Hidden Space of Deep Neural Networks  
4）Hilbert-Based Generative Defense for Adversarial Examples  
5）Improving Adversarial Robustness via Guided Complement Entropy  
6）Defending Against Universal Perturbations With Shared Adversarial Training  
7）Adversarial Learning With Margin-Based Triplet Embedding Regularization  
8）Bilateral Adversarial Training: Towards Fast Training of More Robust Models Against Adversarial Attacks  
9）CIIDefence: Defeating Adversarial Attacks by Fusing Class-Specific Image Inpainting and Image Denoising  

1）Making an Invisibility Cloak: Real World Adversarial Attacks on Object Detectors  
2）Adversarial T-shirt! Evading Person Detectors in A Physical World  
3）Regional Homogeneity: Towards Learning Transferable Universal Adversarial Perturbations Against Defenses  
4）AdvPC: Transferable Adversarial Perturbations on 3D Point Clouds  
5）Bias-based Universal Adversarial Patch Attack for Automatic Check-out  
6）Bias-based Universal Adversarial Patch Attack for Automatic Check-out  
7）Adversarial Ranking Attack and Defense  
8）Boosting Decision-based Black-box Adversarial Attacks with Random Sign Flip  
9）Design and Interpretation of Universal Adversarial Patches in Face Detection  
10）APRICOT: A Dataset of Physical Adversarial Attacks on Object Detection  
11）Sparse Adversarial Attack via Perturbation Factorization  
12）Improving the Transferability of Adversarial Examples with Resized-Diverse-Inputs, Diversity-Ensemble and Region Fitting  
13）Improving Query Efficiency of Black-box Adversarial Attack  
14）Efficient Adversarial Attacks for Visual Object Tracking  
15）Inherent Adversarial Robustness of Deep Spiking Neural Networks: Effects of Discrete Input Encoding and Non-Linear Activations  
16）Reflection Backdoor: A Natural Backdoor Attack on Deep Neural Networks  
17）Yet Another Intermediate-Level Attack  
18）Practical Poisoning Attacks on Neural Networks  
19）Patch-wise Attack for Fooling Deep Neural Network  

1）Regularization with Latent Space Virtual Adversarial Training  
2）Multitask Learning Strengthens Adversarial Robustness  
3）Improved Adversarial Training via Learned Optimizer  
4）Adversarial Ranking Attack and Defense  
5）Open-set Adversarial Defense  
6）Robust Tracking against Adversarial Attacks  
7）Connecting the Dots: Detecting Adversarial Perturbations Using Context Inconsistency  
8）Square Attack: a query-efficient black-box adversarial attack via random search  
9）Adversarial Training with Bi-directional Likelihood Regularization for Visual Classification  
10）Improving Adversarial Robustness by Enforcing Local and Global Compactness  
11）Defense Against Adversarial Attacks via Controlling Gradient Leaking on Embedded Manifolds  
12）Inherent Adversarial Robustness of Deep Spiking Neural Networks: Effects of Discrete Input Encoding and Non-Linear Activations  
13）Manifold Projection for Adversarial Defense on Face Recognition  

1）Adversarial Robustness on In- and Out-Distribution Improves Explainability  

1）Towards More Practical Adversarial Attacks on Graph Neural Networks  
2）Backpropagating Linearly Improves Transferability of Adversarial Examples  
3）Adversarial Attacks on Linear Contextual Bandits  
4）An Efficient Adversarial Attack for Tree Ensembles  
5）GreedyFool: Distortion-Aware Sparse Adversarial Attack  
6）Adversarial Example Games  
7）Targeted Adversarial Perturbations for Monocular Depth Prediction  
8）AdvFlow: Inconspicuous Black-box Adversarial Attacks using Normalizing Flows  
9）Practical No-box Adversarial Attacks against DNNs  
10）On Adaptive Attacks to Adversarial Example Defenses  
11）Guided Adversarial Attack for Evaluating and Enhancing Adversarial Defenses  
12）Adversarial Attacks on Deep Graph Matching  
13）Learning Black-Box Attackers with Transferable Priors and Query Feedback  
14）Adversarial Attacks on Linear Contextual Bandits  
15）GreedyFool: Distortion-Aware Sparse Adversarial Attack  
16）Diversity can be Transferred: Output Diversification for White- and Black-box Attacks  
17）Input-Aware Dynamic Backdoor Attack  
18）Perturbing Across the Feature Hierarchy to Improve Standard and Strict Blackbox Attack Transferability  
19）Attack of the Tails: Yes, You Really Can Backdoor Federated Learning  

1）Once-for-All Adversarial Training: In-Situ Tradeoff between Robustness and Accuracy for Free  
2）On the Trade-off between Adversarial and Backdoor Robustness  
3）Fast Adversarial Robustness Certification of Nearest Prototype Classifiers for Arbitrary Seminorms  
4）Adversarial Weight Perturbation Helps Robust Generalization  
5）GNNGuard: Defending Graph Neural Networks against Adversarial Attacks  
6）Adversarial Distributional Training for Robust Deep Learning  
7）Boosting Adversarial Training with Hypersphere Embedding  
8）Adversarial robustness via robust low rank representations  
9）Dual Manifold Adversarial Robustness: Defense against Lp and non-Lp Adversarial Attacks  
10）Understanding and Improving Fast Adversarial Training  
11）Guided Adversarial Attack for Evaluating and Enhancing Adversarial Defenses  
12）Robust Deep Reinforcement Learning against Adversarial Perturbations on State Observations  
13）Beyond Perturbations: Learning Guarantees with Arbitrary Adversarial Test Examples  
14）Robustness of Bayesian Neural Networks to Gradient-Based Attacks  
15）Election Coding for Distributed Learning: Protecting SignSGD against Byzantine Attacks  
16）(De)Randomized Smoothing for Certifiable Defense against Patch Attacks  
17）Denoised Smoothing: A Provable Defense for Pretrained Classifiers  
18）Certified Defense to Image Transformations via Randomized Smoothing  

1）Adversarial Training is a Form of Data-dependent Operator Norm Regularization  

1）On the Tightness of Semidefinite Relaxations for Certifying Robustness to Adversarial Examples  

1）Most ReLU Networks Suffer from ℓ2 Adversarial Perturbations  

1）A Game Theoretic Analysis of Additive Adversarial Attacks and Defenses  

1）Functional Adversarial Attacks  
2）Improving Black-box Adversarial Attacks with a Transfer-based Prior  
3）Cross-Domain Transferability of Adversarial Perturbations  
4）Subspace Attack: Exploiting Promising Subspaces for Query-Efficient Black-box Attacks  
5）A Unified Framework for Data Poisoning Attack to Graph-based Semi-supervised Learning  

1）Metric Learning for Adversarial Robustness  
2）A New Defense Against Adversarial Images: Turning a Weakness into a Strength  
3）Defense Against Adversarial Attacks Using Feature Scattering-based Adversarial Training  
4）Adversarial training for free!  
5）Adversarial Training and Robustness for Multiple Perturbations  
6）Error Correcting Output Codes Improve Probability Estimation and Adversarial Robustness of Deep Neural Networks  
7）Provably robust boosted decision stumps and trees against adversarial attacks  
8）Rethinking Deep Neural Network Ownership Verification: Embedding Passports to Defeat Ambiguity Attacks  
9）A Little Is Enough: Circumventing Defenses For Distributed Learning  

1）Beyond Perturbations: Learning Guarantees with Arbitrary Adversarial Test Examples  
2）Provable Certificates for Adversarial Examples: Fitting a Ball in the Union of Polytopes  
3）On Relating Explanations and Adversarial Examples  

1）Theoretical Analysis of Adversarial Learning: A Minimax Approach  
2）Convergence of Adversarial Training in Overparametrized Neural Networks  

1）Detecting Overfitting via Adversarial Examples  

1）Stronger and Faster Wasserstein Adversarial Attacks  
2）Minimally distorted Adversarial Examples with a Fast Adaptive Boundary Attack  
3）Reliable evaluation of adversarial robustness with an ensemble of diverse parameter-free attacks  
4）Min-Max Optimization without Gradients: Convergence and Applications to Black Box Evasion and Poisoning Attacks  
5）Dual-Path Distillation: A Unified Framework to Improve Black-Box Attacks  

1）Adversarial Robustness via Runtime Masking and Cleansing  
2）Implicit Euler Skip Connections: Enhancing Adversarial Robustness via Numerical Stability  
3）Towards Understanding the Regularization of Adversarial Robustness on Neural Networks  
4）Randomization matters How to defend against strong adversarial attacks  
5）Second-Order Provable Defenses against Adversarial Attacks  
6）Adversarial Robustness Against the Union of Multiple Threat Models  
7）Confidence-Calibrated Adversarial Training: Generalizing to Unseen Attacks  

1）Concise Explanations of Neural Networks using Adversarial Training  

1）Adversarial Attacks on Node Embeddings via Graph Poisoning  
2）Adversarial examples from computational constraints  
3）Simple Black-box Adversarial Attacks  
4）NATTACK: Learning the Distributions of Adversarial Examples for an Improved Black-Box Attack on Deep Neural Networks  
5）Adversarial camera stickers: A physical camera-based attack on deep learning systems  
6）Parsimonious Black-Box Adversarial Attacks via Efficient Combinatorial Optimization  
7）Imperceptible, Robust, and Targeted Adversarial Examples for Automatic Speech Recognition  
8）Wasserstein Adversarial Examples via Projected Sinkhorn Iterations  
9）Data Poisoning Attacks in Multi-Party Learning  

1）Robust Decision Trees Against Adversarial Examples  
2）Are Generative Classifiers More Robust to Adversarial Attacks?  
3）Transferable Adversarial Training: A General Approach to Adapting Deep Classifiers  
4）Improving Adversarial Robustness via Promoting Ensemble Diversity  
5）On the Convergence and Robustness of Adversarial Training  
6）Defending Against Saddle Point Attack in Byzantine-Robust Distributed Learning  

1）Policy-Driven Attack: Learning to Query for Hard-label Black-box Adversarial Examples  
2）A Unified Approach to Interpreting and Boosting Adversarial Transferability  
3）Targeted Attack against Deep Neural Networks via Flipping Limited Weight Bits  
4）Effective and Efficient Vote Attack on Capsule Networks  
5）Policy-Driven Attack: Learning to Query for Hard-label Black-box Adversarial Examples  
6）WaNet - Imperceptible Warping-based Backdoor Attack  
7）R-GAP: Recursive Gradient Attack on Privacy  
8）A Panda? No, It's a Sloth: Slowdown Attacks on Adaptive Multi-Exit Neural Network Inference（spotlight）  

1）Improving VAEs' Robustness to Adversarial Attack  
2）Bag of Tricks for Adversarial Training  
3）Perceptual Adversarial Robustness: Defense Against Unseen Threat Models  
4）Stochastic Security: Adversarial Defense Using Long-Run Dynamics of Energy-Based Models  
5）Efficient Certified Defenses Against Patch Attacks on Image Classifiers  
6）Deep Partition Aggregation: Provable Defenses against General Poisoning Attacks  

1）LowKey: Leveraging Adversarial Attacks to Protect Social Media Users from Facial Recognition  

1）Adversarial Training and Provable Defenses: Bridging the Gap（oral）  
2）Skip Connections Matter: On the Transferability of Adversarial Examples Generated with ResNets（spotlight）  
3）Fooling Detection Alone is Not Enough: Adversarial Attack against Multiple Object Tracking  
4）Adversarial Policies: Attacking Deep Reinforcement Learning  
5）Black-Box Adversarial Attack with Transferable Model-based Embedding  
6）Sign-OPT: A Query-Efficient Hard-label Adversarial Attack  
7）Nesterov Accelerated Gradient and Scale Invariance for Adversarial Attacks  
8）BayesOpt Adversarial Attack  
9）BREAKING CERTIFIED DEFENSES: SEMANTIC ADVERSARIAL EXAMPLES WITH SPOOFED ROBUSTNESS CERTIFICATES  
10）A Target-Agnostic Attack on Deep Models: Exploiting Security Vulnerabilities of Transfer Learning  
11）Sign Bits Are All You Need for Black-Box Attacks  
12）Sign-OPT: A Query-Efficient Hard-label Adversarial Attack  
13）DBA: Distributed Backdoor Attacks against Federated Learning  
14）Query-efficient Meta Attack to Deep Neural Networks  

1）Optimal Strategies Against Generative Attacks（oral）  
2）Enhancing Adversarial Defense by k-Winners-Take-All （spotlight）  
3）Defending Against Physically Realizable Attacks on Image Classification （spotlight）  
4）Enhancing Transformation-Based Defenses Against Adversarial Attacks with a Distribution Classifier  
5）Implicit Bias of Gradient Descent based Adversarial Training on Separable Data  
6）Mixup Inference: Better Exploiting Mixup to Defend Adversarial Attacks  
7）Robust Local Features for Improving the Generalization of Adversarial Training  
8）Detecting and Diagnosing Adversarial Images with Class-Conditional Capsule Reconstructions  
9）GAT: Generative Adversarial Training for Adversarial Example Detection and Robust Classification  
10）Certified Robustness for Top-k Predictions against Adversarial Perturbations via Randomized Smoothing  
11）Adversarially robust transfer learning  
12）Fast is better than free: Revisiting adversarial training  
13）Biologically inspired sleep algorithm for increased generalization and adversarial robustness in deep neural networks  
14）Jacobian Adversarially Regularized Networks for Robustness  
15）Certified Defenses for Adversarial Patches  
16）Adversarial AutoAugment  
17）Provable robustness against all adversarial lp-perturbations for p≥1  
18）EMPIR: Ensembles of Mixed Precision Deep Networks for Increased Robustness Against Adversarial Attacks  
19）MMA Training: Direct Input Space Margin Maximization through Adversarial Training  
20）Robust anomaly detection and backdoor attack detection via differential privacy  
21）Prediction Poisoning: Towards Defenses Against DNN Model Stealing Attacks  

1）Estimating counterfactual treatment outcomes over time through adversarially balanced representations（spotlight）  

1）Intriguing Properties of Adversarial Training at Scale  

1）Prior Convictions: Black-box Adversarial Attacks with Bandits and Priors  
2）Adversarial Attacks on Graph Neural Networks via Meta Learning  
3）ADef: an Iterative Algorithm to Construct Adversarial Deformations  
4）Adversarial Reprogramming of Neural Networks  
5）Combinatorial Attacks on Binarized Neural Networks  
6）Query-Efficient Hard-label Black-box Attack: An Optimization-based Approach  

1）Training for Faster Adversarial Robustness Verification via Inducing ReLU Stability  
2）Cost-Sensitive Robustness against Adversarial Examples  
3）The Limitations of Adversarial Training and the Blind-Spot Attack  
4）Generalizable Adversarial Training via Spectral Normalization  
5）Towards the first adversarially robust neural network model on MNIST  
6）A Direct Approach to Robust Deep Learning Using Adversarial Networks  
7）CAMOU: Learning Physical Vehicle Camouflages to Adversarially Attack Detectors in the Wild  
8）PeerNets: Exploiting Peer Wisdom Against Adversarial Attacks  
9）Adv-BNN: Improved Adversarial Defense through Robust Bayesian Neural Network  

1）Excessive Invariance Causes Adversarial Vulnerability  

1）Structured Adversarial Attack: Towards General Implementation and Better Interpretability  

1）Are adversarial examples inevitable?