• [ICLR19]STRUCTURED ADVERSARIAL ATTACK: TOWARDS GENERAL IMPLEMENTATION AND BETTER INTERPRETABILITY - Kaidi Xu, Sijia Liu, Pu Zhao, Pin-Yu Chen, Huan Zhang, Quanfu Fan, Deniz Erdogmus, Yanzhi Wang, Xue Lin
• [ICLR19]THE LIMITATIONS OF ADVERSARIAL TRAINING AND THE BLIND-SPOT ATTACK - Huan Zhang, Hongge Chen, Zhao Song, Duane Boning, Inderjit S. Dhillon, Cho-Jui Hsieh
• [NeurIPS2018]Adversarial Attacks on Stochastic Bandits - Kwang-Sung Jun, Lihong Li, Yuzhe Ma, Xiaojin Zhu
• [NeurIPS2018]ConstructingUnrestrictedAdversarialExamples withGenerativeModels - Yang Song, Rui Shu, Nate Kushman, Stefano Ermon

• [ICLR19]PRIOR CONVICTIONS: BLACK-BOX ADVERSARIAL ATTACKS WITH BANDITS AND PRIORS - Andrew Ilyas, Logan Engstrom, Aleksander Madry
• [arxiv2017]ZOO: Zeroth Order Optimization based Black-box Attacks to Deep Neural Networks without Training Substitute Models. - Pin-Yu Chen, Huan Zhang, Yash Sharma, Jinfeng Yi, Cho-Jui Hsieh
• [arxiv2019]Boundary Attack++: Query-Efficient Decision-Based Adversarial Attack - Jianbo Chen,Michael I. Jordan
• [cvpr19]Efficient Decision-based Black-box Adversarial Attacks on Face Recognition - Yinpeng Dong, Hang Su, Baoyuan Wu, Zhifeng Li, Wei Liu, Tong Zhang, Jun Zhu
• [ECCV2018]Transferable Adversarial Perturbations - Wen Zhou , Xin Hou , YongjunChen, Mengyun Tang, XiangqiHuang, Xiang Gan, and Yong Yang
• [ICLR18] DECISION-BASEDADVERSARIAL ATTACKS: RELIABLE ATTACKS AGAINST BLACK-BOX MACHINE LEARNING MODELS - Wieland Brendel, Jonas Rauber, Matthias Bethge

• [ICLR19]ADEF: AN ITERATIVE ALGORITHM TO CONSTRUCT ADVERSARIAL DEFORMATIONS - Rima Alaifari, Giovanni S. Alberti, Tandri Gauksson
• [CVPR2019]Decoupling Direction and Norm for Efficient Gradient-Based L2 Adversarial Attacks and Defenses - Jérôme Rony, Luiz G. Hafemann, Luiz S. Oliveira, Ismail Ben Ayed, Robert Sabourin, Eric Granger
• [CVPR2019]Trust Region Based Adversarial Attack on Neural Networks - Zhewei Yao, Amir Gholami, Peng Xu, Kurt Keutzer, Michael W. Mahoney

Currently, the defenses against the adversarial attacks are being developed along three main directions: (for details,read this paper)

1. Using modified training during learning or modified input during testing.
2. Modifying networks, e.g. by adding more layers/subnetworks, changing loss/activation functions etc.
3. Using external models as network add-on when classifying unseen examples.

Figure from "Threat of Adversarial Attacks on Deep Learning in Computer Vision: A Survey"

• [ICLR19] IMPROVING THE GENERALIZATION OF ADVERSARIAL TRAINING WITH DOMAIN ADAPTATION - Chuanbiao Song, Kun He, Liwei Wang, John E. Hopcroft
• [NeurIps2018]Thwarting Adversarial Examples: An L0-Robust Sparse Fourier Transform - Mitali Bafna, Jack Murtagh, Nikhil Vyas
• [NeurIps2018]Bayesian Adversarial Learning - Nanyang Ye, Zhanxing Zhu
• [arxiv2018]Adversarial Logit Pairing - Harini Kannan, Alexey Kurakin, Ian Goodfellow
• [AAAL2018]Improving the Adversarial Robustness and Interpretability of Deep Neural Networks by Regularizing their Input Gradients - Andrew Slavin Ross, Finale Doshi-Velez
• [ICLR2018]Cascade Adversarial Machine Learning Regularized with a Unified Embedding - Taesik Na, Jong Hwan Ko, Saibal Mukhopadhyay
• [IJCAL2018]Curriculum Adversarial Training - Qi-Zhi Cai, Min Du , Chang Liu , Dawn Song
• [ICLR19]THE LIMITATIONS OF ADVERSARIAL TRAINING AND THE BLIND-SPOT ATTACK - Huan Zhang , Hongge Chen, Zhao Song, Duane Boning, Inderjit Dhillon, Cho-Jui Hsieh
• [AAAL18]Regularizing deep networks using efficient layerwise adversarial training - Swami Sankaranarayanan, Arpit Jain, Rama Chellappa, Ser Nam Lim
• [NeurIps2018]Hessian-based Analysis of Large Batch Training and Robustness to Adversaries - Zhewei Yao1, Amir Gholami1, Qi Lei, Kurt Keutzer, Michael W. Mahoney
• [arxiv2019]Adversarial Training for Free! - Ali Shafahi, Mahyar Najibi, Amin Ghiasi, Zheng Xu, John Dickerson, Christoph Studer, Larry S. Davis, Gavin Taylor, Tom Goldstein
• [CVPR2019]Rob-GAN: Generator, Discriminator, and Adversarial Attacker - Xuanqing Liu, Cho-Jui Hsieh
• [ICML2019]Theoretically Principled Trade-off between Robustness and Accuracy - Hongyang Zhang, Yaodong Yu, Jiantao Jiao, Eric P. Xing, Laurent El Ghaoui, Michael I. Jordan
• [arxiv2019]Max-Margin Adversarial (MMA) Training: Direct Input Space Margin Maximization through Adversarial Training - Gavin Weiguang Ding, Yash Sharma, Kry Yik Chau Lui, Ruitong Huang
• [CVPR2019]Robustness via curvature regularization, and vice versa - Seyed-Mohsen Moosavi-Dezfooli, Alhussein Fawzi, Jonathan Uesato, Pascal Frossard

• [ICLR19]PEERNETS: EXPLOITING PEER WISDOM AGAINST ADVERSARIAL ATTACKS - Jan Svoboda, Jonathan Masci, Federico Monti, Michael M. Bronstein, Leonidas Guibas
• [ICLR19]TRAINING FOR FASTER ADVERSARIAL ROBUSTNESS VERIFICATION VIA INDUCING RELU STABILITY - Kai Y. Xiao, Vincent Tjeng, Nur Muhammad Shafiullah, Aleksander Madry
• [ICLR19]EVALUATING ROBUSTNESS OF NEURAL NETWORKS WITH MIXED INTEGER PROGRAMMING - Vincent Tjeng, Kai Xiao, Russ Tedrake
• [ICLR19]TOWARDS THE FIRST ADVERSARIALLY ROBUST NEURAL NETWORK MODEL ON MNIST - Lukas Schott, Jonas Rauber, Matthias Bethge, Wieland Brendel
• [NeurIps2018]Efficient Neural Network Robustness Certification with General Activation Functions - Huan Zhang, Tsui-Wei Weng, Pin-Yu Chen, Cho-Jui Hsieh, Luca Daniel
• [NeurIps2018]Semidefinite relaxations for certifying robustness to adversarial examples - Aditi Raghunathan, Jacob Steinhardt, Percy Liang
• [NeurIps2018]Efficient Formal Safety Analysis of Neural Networks - Shiqi Wang, Kexin Pei, Justin Whitehouse, Junfeng Yang, Suman Jana
• [ICLR18]STOCHASTIC ACTIVATION PRUNING FOR ROBUST ADVERSARIAL DEFENSE - Guneet S. Dhillon, Kamyar Azizzadenesheli, Zachary C. Lipton, Jeremy Bernstein, Jean Kossaifi, Aran Khanna, Anima Anandkumar -[ECCV2018]Towards Robust Neural Networks via Random Self-ensemble - Xuanqing Liu, Minhao Cheng ,Huan Zhang ,Cho-Jui Hsieh

• [NeurIps2018]Towards Robust Detection of Adversarial Examples - Tianyu Pang, Chao Du, Yinpeng Dong, Jun Zhu
• [NeurIps2018]Robust Detection of Adversarial Attacks by Modeling the Intrinsic Properties of Deep Neural Networks - Zhihao Zheng, Pengyu Hong
• [NeurIps2018]Attacks Meet Interpretability: Attribute-steered Detection of Adversarial Samples - Guanhong Tao, Shiqing Ma, Yingqi Liu, Xiangyu Zhang
• [AAAL2019]Resisting Adversarial Attacks Using Gaussian Mixture Variational Autoencoders - Partha Ghosh, Arpan Losalka, Michael J Black

• [NeurIps2018]Improved Network Robustness with Adversary Critic - Alexander Matyasko, Lap-Pui Chau

• [ICLR19]ROBUSTNESS MAY BE AT ODDS WITH ACCURACY - Dimitris Tsipras, Shibani Santurkar, Logan Engstrom, Alexander Turner, Aleksander Madry
• [ICLR19]ARE ADVERSARIAL EXAMPLES INEVITABLE? - Ali Shafahi, W. Ronny Huang, Christoph Studer, Soheil Feizi, Tom Goldstein
• [NeurIps2018]Adversarial Examples that Fool both Computer Vision and Time-Limited Humans - Gamaleldin F. Elsayed, Shreya Shankar, Brian Cheung, Nicolas Papernot, Alex Kurakin, Ian Goodfellow, Jascha Sohl-Dickstein
• [airxiv2019]Towards Understanding Adversarial Examples Systematically: Exploring Data Size, Task and Model Factors - Ke Sun, Zhanxing Zhu, Zhouchen Lin
• [airxiv2019]Adversarial Examples Are Not Bugs, They Are Features - Andrew Ilyas, Shibani Santurkar, Dimitris Tsipras, Logan Engstrom, Brandon Tran, Aleksander Madry

• [ICLR19]COMBINATORIAL ATTACKS ON BINARIZED NEURAL NETWORKS - Elias B. Khalil, Amrita Gupta, Bistra Dilkina
• [ICLR19]DEFENSIVE QUANTIZATION: WHEN EFFICIENCY MEETS ROBUSTNESS - Ji Lin, Chuang Gan, Song Han
• [NeurIps2018]Sparse DNNs with Improved Adversarial Robustness - Yiwen Guo, Chao Zhang, Changshui Zhang, Yurong Chen
• [arxiv2018]TO COMPRESS OR NOT TO COMPRESS: UNDERSTANDING THE INTERACTIONS BETWEEN ADVERSARIAL ATTACKS AND NEURAL NETWORK COMPRESSION - Yiren Zhao, Ilia Shumailov, Robert Mullins, Ross Anderson

• [ICLR19]COST-SENSITIVE ROBUSTNESS AGAINST ADVERSARIAL EXAMPLES - Xiao Zhang, David Evans
• [ICLR19]BENCHMARKING NEURAL NETWORK ROBUSTNESS TO COMMON CORRUPTIONS AND PERTURBATIONS - Dan Hendrycks, Thomas G. Dietterich

• Adversarial Robustness - Theory and Practice